# Kali Linux most used subdomain finders

## [Sublist3r](https://www.nmmapper.com/sys/tools/subdomainfinder/)

[Sublist3r](https://github.com/aboul3la/Sublist3r) is a Python tool designed to enumerate subdomains of websites using [OSINT](https://www.nmmapper.com/kalitools/theharvester/email-harvester-tool/online/). It helps penetration testers and bug hunters collect and [gather subdomains](https://www.nmmapper.com/sys/tools/subdomainfinder/) for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask. Sublist3r also enumerates subdomains using Netcraft, VirusTotal, ThreatCrowd, DNSdumpster and ReverseDNS.

This very nice tool is hosted on GitHub, though when I last checked there were some complaints about it failing with some of the engines mentioned above.

![Sublist3r scanning https://www.nmmapper.com](https://2887589296-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lv4pWYJd2GwQQEZVvSJ%2F-LvOd7N-uP9ShtRxA78c%2F-LvOdC9WkfBRiGNRo2Z-%2FSublist3r.png?alt=media\&token=f24df7d0-1eb8-4d51-8e4a-f98c03f067e3)

**How to set sublist3r**

`git clone https://github.com/aboul3la/Sublist3r.git`

Then, from the directory where you cloned the repository, run `python3 setup.py install`. After that you can run it like any other Linux command: `sublist3r -d nmmapper.com`

This tool has been [hosted online](https://www.nmmapper.com/sys/tools/subdomainfinder/) at <https://www.nmmapper.com>

## [Dnscan](https://www.nmmapper.com/sys/tools/subdomainfinder/)

Dnscan is a Python wordlist-based DNS subdomain scanner. The script will first try to perform a zone transfer using each of the target domain's nameservers. If this fails, it will look up TXT and MX records for the domain, and then perform a recursive subdomain scan using the supplied wordlist.

![Dnscan using it's internal wordlist to scan https://www.nmmapper.com](https://2887589296-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lv4pWYJd2GwQQEZVvSJ%2F-LvOgpt8vwtHgDxLT_pP%2F-LvOjQ2e7DMI1vXFimWR%2Fdnsscan.png?alt=media\&token=e83a86db-9b49-4ffc-8b8f-435fa02b25f5)

The tool is wordlist based, which means it uses its internal wordlist to check whether each candidate subdomain truly exists. Some of the wordlists it ships with include

* subdomains-1000.txt
* subdomains-10000.txt
* subdomains-500.txt
* subdomains-uk-1000.txt
* subdomains-uk-500.txt
* subdomains.txt

As you can see, it depends entirely on the above files to perform its subdomain scanning. This tool is also [hosted online,](https://www.nmmapper.com/sys/tools/subdomainfinder/) so you can test it out.

## [Anubis Subdomain Enumerator](https://www.nmmapper.com/sys/tools/subdomainfinder/)

Anubis is a subdomain enumeration and [information gathering tool](https://www.nmmapper.com/kalitools/theharvester/email-harvester-tool/online/). Anubis collates data from a variety of sources, including HackerTarget, DNSDumpster, x509 certs, VirusTotal, Google, Pkey, and NetCraft. Anubis also has a sister project, [AnubisDB](https://github.com/jonluca/Anubis-DB), which serves as a centralized repository of subdomains.

This [Anubis](https://www.nmmapper.com/sys/tools/subdomainfinder/) is relatively easy and powerful to use, though also somewhat error-prone compared to the others.

![Anubis as seen scanning for https://www.nmmapper.com](https://2887589296-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lv4pWYJd2GwQQEZVvSJ%2F-LvOo_Qo9ofRvUAhZ5S1%2F-LvOofTxMm9Y46atUKQm%2Fanubis.png?alt=media\&token=15ad89df-214f-4031-8fe2-eed9a7ec28ef)

**How to install and use Anubis**

If you want to use the famous [nmap](https://www.nmmapper.com/st/networkmapper/nmap/online-port-scanning/) with Anubis then you will need to have nmap installed on your system.

Linux users will also need to install the following:

`sudo apt-get install python3-pip python-dev libssl-dev libffi-dev`

When it comes to installing Anubis you have two choices:

* pip3
* snap

To install with pip3 you will do something like this

`pip3 install anubis-netsec`

To install with snap

`snap install anubis`

That's all you need to install Anubis, which is pretty easy compared with the others. After the installation you can use it like this:

`anubis -t nmmapper.com`

Anubis has also been [hosted online](https://www.nmmapper.com/sys/tools/subdomainfinder/) so you can test this online version.

## [Amass](https://www.nmmapper.com/sys/tools/subdomainfinder/)

The OWASP Amass Project has developed a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery using open source information gathering and active reconnaissance techniques.

**Techniques used by Amass**

* **DNS:** Basic enumeration, Brute forcing(optional)...
* **Scraping**: Ask, Baidu, Bing, DNSDumpster, DNSTable, Exalead, Google...
* **Certificates**: Active pulls(optional), [Censys](https://www.nmmapper.com/sys/tools/subdomainfinder/), CertSpotter, Crtsh, Entrust, GoogleCT
* **APIs**
* **Web Archives**

**Install Amass**

To install Amass via snap you must have snap installed on your system:

`sudo snap install amass`

Add the Snap bin directory to your PATH:

`export PATH=$PATH:/snap/bin`

Then run an enumeration against a domain:

`amass enum -d nmmapper.com`

![amass scanning https://www.nmmapper.com](https://2887589296-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lv4pWYJd2GwQQEZVvSJ%2F-LvOpXMgYWio7LEMhK9T%2F-LvP-mrSfNBLEMjyBOpb%2Famass.png?alt=media\&token=0b5dcff3-d207-4f0c-b97a-17508e18189d)

**Amass is also** [**hosted online**](https://www.nmmapper.com/sys/tools/subdomainfinder/)

## [**Nmap(dns-brute.nse)**](https://nmap.org/nsedoc/scripts/dns-brute.html)

This Nmap script attempts to enumerate DNS hostnames by brute-force guessing of common subdomains. With the `dns-brute.srv` argument, dns-brute will also try to enumerate common DNS SRV records.

Wildcard records are listed as "*A" and "*AAAA" for IPv4 and IPv6 respectively.

Because this script brute-forces DNS, it can overwhelm the target's name servers, so please use it with care.

This script can also be used to [enumerate subdomains,](https://www.nmmapper.com/sys/tools/subdomainfinder/) and since nmap is available on Kali Linux, nmap can act as a [subdomain finder](https://www.nmmapper.com/sys/tools/subdomainfinder/) too. You can run the script like this:

`nmap --script dns-brute nmmapper.com`
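To make the two ideas above concrete, the wordlist resolution that Dnscan performs and the wildcard records that dns-brute reports as "*A"/"*AAAA", here is an added example (not code from Dnscan, Nmap or this site). The resolver is injected as a function, so the logic runs offline against a constructed DNS table; for checking your own zones you would pass a resolver built on `socket.gethostbyname_ex` or dnspython instead. The zone-transfer and TXT/MX steps are not reproduced.

```python
"""Wordlist-based subdomain check with DNS wildcard detection.

Added example, not code from Dnscan or from Nmap's dns-brute. The resolver is
injected as a function so the logic runs offline against a constructed DNS
table; for a real run against your own domains, pass a resolver built on
socket.gethostbyname_ex or dnspython instead.
"""
import secrets
from typing import Callable, Dict, List, Optional, Set

# A resolver maps a name to its set of addresses, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[Set[str]]]

# Constructed sample data: example.com has a wildcard A record, example.org does not.
FAKE_DNS: Dict[str, Set[str]] = {
    "www.example.com": {"203.0.113.10"},
    "mail.example.com": {"203.0.113.20"},
    "*.example.com": {"203.0.113.99"},   # catches every unregistered label
    "www.example.org": {"198.51.100.5"},
    "dev.example.org": {"198.51.100.6"},
}


def fake_resolve(name: str) -> Optional[Set[str]]:
    """Exact match first, then a one-label wildcard fallback, like real DNS."""
    if name in FAKE_DNS:
        return FAKE_DNS[name]
    if "." not in name:
        return None
    parent = name.split(".", 1)[1]
    return FAKE_DNS.get("*." + parent)


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve random labels nobody would have registered.

    If they answer, the zone has a wildcard (what dns-brute prints as "*A" /
    "*AAAA"): every guessed name will resolve, so these addresses must be
    filtered out of the results or the scan is all false positives.
    """
    wildcard_ips: Set[str] = set()
    for _ in range(probes):
        label = secrets.token_hex(8)           # 16 random hex characters
        answer = resolve(f"{label}.{domain}")
        if answer:
            wildcard_ips |= answer
    return wildcard_ips


def enumerate_subdomains(domain: str, wordlist: List[str],
                         resolve: Resolver) -> Dict[str, Set[str]]:
    """Return {fqdn: addresses} for wordlist entries that resolve to non-wildcard IPs."""
    wildcard_ips = detect_wildcard(domain, resolve)
    found: Dict[str, Set[str]] = {}
    for word in wordlist:
        fqdn = f"{word}.{domain}"
        answer = resolve(fqdn)
        if not answer:
            continue
        real_ips = answer - wildcard_ips    # drop answers that are only the wildcard
        if real_ips:
            found[fqdn] = real_ips
    return found


if __name__ == "__main__":
    words = ["www", "mail", "dev", "ftp"]
    for zone in ("example.com", "example.org"):
        print(zone, "wildcard:", detect_wildcard(zone, fake_resolve) or "none")
        for host, ips in sorted(enumerate_subdomains(zone, words, fake_resolve).items()):
            print(" ", host, sorted(ips))
```

The filter is deliberately simple: a real host that happens to share the wildcard address is dropped along with the noise, which is the usual trade-off in wordlist scanners. When reviewing your own zone, a non-empty wildcard result is itself worth noting, because it makes every brute-force scanner against that zone report thousands of phantom hosts.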

![scanning https://www.nmmapper.com with nmap's dns-brute](https://2887589296-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Lv4pWYJd2GwQQEZVvSJ%2F-LvP9v77pKlQcew4NTAx%2F-LvPCIcLoPoV-v0QfatI%2Fnmap.png?alt=media\&token=d78ab02b-4bb6-4ebe-9cb1-39379f7c845a)

We have also [hosted this tool online](https://www.nmmapper.com/sys/tools/subdomainfinder/)

## [Lepus Subdomain finder](https://www.nmmapper.com/sys/tools/subdomainfinder/)

Lepus is a utility for identifying and collecting subdomains for a given domain. Subdomain discovery is a crucial part of the reconnaissance phase. It uses four modes:

* Services (collecting subdomains from a set of online services)
* Dictionary mode for identifying domains (optional)
* Permutations on discovered subdomains (optional)
* Reverse DNS lookups on identified public IPs (optional)

**Features of Lepus**

* Dictionary Mode
* Permutations Mode
* Reverse Mode
* [Portscan](https://www.nmmapper.com/st/networkmapper/nmap/online-port-scanning/)
* [Subdomain takeover](https://www.nmmapper.com/sys/tools/subdomainfinder/): performs several checks on identified domains for potential subdomain-takeover vulnerabilities. The module is enabled with `--takeover` and is executed after all others. If such a vulnerability is identified, the results are printed in the output and in a .csv file in the respective project folder under the results directory.

## [Censys subdomain finder](https://www.nmmapper.com/sys/tools/subdomainfinder/)

This is a tool to enumerate subdomains using the Certificate Transparency logs stored by [Censys](https://censys.io). It should return any subdomain that has ever been issued an SSL/TLS certificate by a public CA.

Note that this tool requires Censys API credentials unless you use the [non-API version](https://github.com/wangoloj/censys-subdomain-finder-non-api) of it, which queries Censys without an API key.

Also note that the non-API version may not return as many subdomains as the one that uses the API.
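The Certificate Transparency approach works because every publicly trusted certificate lists its DNS names, so the log records only need to be parsed and filtered. As an added example (not the Censys subdomain finder's own code), the block below does that over a constructed set of records shaped like the crt.sh JSON export, where each entry's `name_value` holds the certificate's names separated by newlines; the Censys API returns a different structure, so the field access would need adapting for it.

```python
"""Pull subdomains out of Certificate Transparency log records.

Added example, not the Censys subdomain finder's own code. It assumes records
shaped like the crt.sh JSON export, where each entry's "name_value" holds the
certificate's DNS names separated by newlines; Censys' API returns a different
structure, so adapt the field access for it. The input below is constructed.
"""
import json
from typing import Dict, Iterable, List, Set

# Constructed sample export: mixed case, a trailing dot, a wildcard cert and an
# unrelated SAN are all things real CT data throws at a parser.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "*.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc",
     "name_value": "Old-Staging.Example.com\nbackup.example.com."},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "www.example.net"},
])


def names_from_records(records: Iterable[dict]) -> Set[str]:
    """Collect every DNS name in the records, lowercased and without a trailing dot."""
    names: Set[str] = set()
    for rec in records:
        for raw in rec.get("name_value", "").splitlines():
            name = raw.strip().lower().rstrip(".")
            if name:
                names.add(name)
    return names


def split_by_domain(domain: str, names: Iterable[str]) -> Dict[str, List[str]]:
    """Keep only names under `domain`; wildcards are reported separately because a
    "*.example.com" certificate proves nothing about which hosts actually exist."""
    suffix = "." + domain.lower()
    hosts: Set[str] = set()
    wildcards: Set[str] = set()
    for name in names:
        # The leading dot excludes the apex itself and look-alikes such as notexample.com.
        if not name.endswith(suffix):
            continue
        if name.startswith("*."):
            wildcards.add(name)
        else:
            hosts.add(name)
    return {"hosts": sorted(hosts), "wildcards": sorted(wildcards)}


def ct_subdomains(domain: str, json_text: str) -> Dict[str, List[str]]:
    """End to end: parse the JSON export and return hosts and wildcard certs for a domain."""
    return split_by_domain(domain, names_from_records(json.loads(json_text)))


if __name__ == "__main__":
    print(json.dumps(ct_subdomains("example.com", SAMPLE_CT_JSON), indent=2))
```

From a defender's side the interesting output is the difference between this list and your asset inventory: a name like `old-staging.example.com` that has a certificate in the logs but no owner, or no longer resolves, is exactly the forgotten host that subdomain-takeover checks such as the Lepus module above look for.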

## [Findomain subdomain finder](https://www.nmmapper.com/sys/tools/subdomainfinder/)

The fastest and cross-platform subdomain enumerator; don't waste your time. Being cross-platform makes it ideal for all users, whatever their platform.

**Features of Findomain**

* Subdomain monitoring: push data to Discord, Slack or Telegram webhooks
* Multi-thread support for API querying
* Parallel support for subdomains resolution
* DNS over TLS support
* Specific IPv4 or IPv6 query support
* Discover subdomains without brute-force
* Discover only resolved subdomains

