Kali Linux most used subdomain finder

There are many subdomain finder tools on GitHub; if you search for "subdomain finder" you will find a backlog of repositories, all offering subdomain finding and enumeration tools.


Last updated 5 years ago


Sublist3r

Sublist3r is a Python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask. Sublist3r also enumerates subdomains using Netcraft, VirusTotal, ThreatCrowd, DNSdumpster and ReverseDNS. This very nice tool is hosted on GitHub, though when I last checked there were some complaints about it failing with some of the engines mentioned above.

How to set up Sublist3r

git clone https://github.com/about3la/Sublist3r.git

Then, from the directory where you cloned the repository, install it:

cd Sublist3r
python3 setup.py install

Then you can run it like any other Linux command:

sublist3r -d nmmapper.com

Dnscan

Dnscan is a Python wordlist-based DNS subdomain scanner. The script will first try to perform a zone transfer using each of the target domain's nameservers. If this fails, it will look up TXT and MX records for the domain, and then perform a recursive subdomain scan using the supplied wordlist.

The tool is wordlist based, which means it uses its internal wordlists to check whether a subdomain truly exists. Some of the wordlists it contains include:

  • subdomains-1000.txt

  • subdomains-10000.txt

  • subdomains-500.txt

  • subdomains-uk-1000.txt

  • subdomains-uk-500.txt

  • subdomains.txt
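A Python sketch of the Dnscan flow above, added here as an illustration (not Dnscan's code): zone transfer first, wordlist second, with a random-label probe so that a wildcard record in the zone does not turn every candidate into a false positive. The resolver is injectable: `system_resolve` uses the OS resolver, while `sample_resolve`, `refused_axfr` and the example.com data are constructed stand-ins so it runs offline; a real `zone_transfer` callable would wrap a DNS library such as dnspython, which is not imported here.

```python
import secrets
import socket
from typing import Dict, List

def system_resolve(name: str) -> List[str]:
    # Real resolver: A/AAAA via the OS stub resolver (needs network access).
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})

def wildcard_addrs(domain: str, resolve) -> List[str]:
    # If a random label resolves, the zone has a wildcard; answers matching it are bogus.
    try:
        return resolve(f"{secrets.token_hex(8)}.{domain}")
    except (socket.gaierror, OSError):
        return []

def scan(domain: str, words: List[str], resolve=system_resolve, zone_transfer=None):
    # Dnscan's order: AXFR first (zone_transfer returns {name: [addrs]} or raises), then wordlist.
    if zone_transfer is not None:
        try:
            records = zone_transfer(domain)
            if records:  # AXFR allowed: the whole zone leaked in one query
                return {"source": "axfr", "found": records, "wildcard": []}
        except Exception:
            pass  # refused or timed out, the normal case for a well-run zone
    wc = wildcard_addrs(domain, resolve)
    found: Dict[str, List[str]] = {}
    for w in words:
        name = f"{w.strip().lower()}.{domain}"
        try:
            addrs = resolve(name)
        except (socket.gaierror, OSError):
            continue  # NXDOMAIN: candidate does not exist
        if wc and set(addrs) <= set(wc):
            continue  # wildcard answer, not a real host
        found[name] = addrs
    return {"source": "wordlist", "found": found, "wildcard": wc}

# Constructed sample zone for an offline run (not real nmmapper.com data):
# two real hosts plus a *.example.com wildcard pointing at 203.0.113.99.
SAMPLE_ZONE = {"www.example.com": ["203.0.113.10"], "mail.example.com": ["203.0.113.25"]}

def sample_resolve(name: str) -> List[str]:
    if name in SAMPLE_ZONE:
        return SAMPLE_ZONE[name]
    if name.endswith(".example.com"):
        return ["203.0.113.99"]
    raise socket.gaierror(f"NXDOMAIN {name}")

def refused_axfr(domain: str):
    raise ConnectionRefusedError("AXFR refused by nameserver")
```

Calling `scan("example.com", ["www", "mail", "ftp"], sample_resolve, refused_axfr)` reports www and mail and drops ftp, whose only answer is the wildcard address.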

Anubis Subdomain Enumerator

How to install and use Anubis

On Linux, first install the following packages (they are needed when Anubis is used together with nmap):

sudo apt-get install python3-pip python-dev libssl-dev libffi-dev

When it comes to installing Anubis you have two powerful choices:

  • Pip3

  • Snap

To install with pip3, run:

pip3 install anubis-netsec

To install with snap:

snap install anubis

That's all you need to install Anubis, pretty easy compared with others. After the installation you can use it like this:

anubis -t nmmapper.com

Amass

The OWASP Amass Project has developed a tool to help information security professionals perform network mapping of attack surfaces and external asset discovery, using open source information gathering and active reconnaissance techniques.

Techniques used by Amass

  • DNS: Basic enumeration, Brute forcing (optional)...

  • Scraping: Ask, Baidu, Bing, DNSDumpster, DNSTable, Exalead, Google...

  • APIs

  • Web Archives

Install Amass

To install Amass you must have snap installed on your system:

sudo snap install amass

Add the Snap bin directory to your PATH:

export PATH=$PATH:/snap/bin

Then run an enumeration against the target domain:

amass enum -d nmmapper.com

Nmap (dns-brute.nse)

This Nmap script attempts to enumerate DNS hostnames by brute-force guessing of common subdomains. With the dns-brute.srv argument, dns-brute will also try to enumerate common DNS SRV records.

nmap --script dns-brute nmmapper.com

Lepus Subdomain finder

Lepus is a utility for identifying and collecting subdomains for a given domain. Subdomain discovery is a crucial part of the reconnaissance phase. It uses four (4) modes:

  • Services (Collecting subdomains from the below services)

  • Dictionary mode for identifying domains (optional)

  • Permutations on discovered subdomains (optional)

  • Reverse DNS lookups on identified public IPs (optional)

Features of Lepus

  • Dictionary Mode

  • Permutations Mode

  • Reverse Mode

Findomain subdomain finder

The fastest cross-platform subdomain enumerator: don't waste your time. Being cross-platform makes it ideal for all users, no matter the platform. Features of Findomain:

  • Subdomains monitoring: put data to Discord, Slack or Telegram webhooks

  • Multi-thread support for API querying

  • Parallel support for subdomains resolution

  • DNS over TLS support

  • Specific IPv4 or IPv6 query support.

  • Discover subdomains without brute-force

  • Discover only resolved subdomains

Sublist3r has also been hosted online at https://www.nmmapper.com.

As you can see, Dnscan entirely depends on the wordlist files listed above to perform its subdomain scanning. This tool is also hosted online, so you can test it out.

Anubis is a subdomain enumeration and information gathering tool. Anubis collates data from a variety of sources, including HackerTarget, DNSDumpster, x509 certs, VirusTotal, Google, Pkey, and NetCraft. Anubis also has a sister project, AnubisDB, which serves as a centralized repository of subdomains.

Anubis is relatively easy and powerful to use, and less error-prone compared to others.

If you want to use the famous nmap with Anubis, you will need to have nmap installed on your system. Linux users will also need to install the packages listed in the Anubis installation section above (python3-pip, python-dev, libssl-dev, libffi-dev).

Anubis has also been hosted online, so you can test this online version.

Amass also gathers names from certificates: Active pulls (optional), Censys, CertSpotter, Crtsh, Entrust, GoogleCT.

Amass is also hosted online.

In nmap's dns-brute output, wildcard records are listed as "A" and "AAAA" for IPv4 and IPv6 respectively. This script can be really dangerous: it brute-forces DNS, which can crush the server, so please use it with care. The script can also be used to enumerate subdomains, and since nmap is available on Kali Linux, yes, nmap can act as a subdomain finder. You can run the script with the command shown in the Nmap section above.

We have also hosted this tool (nmap's dns-brute) online.

Lepus also offers Portscan and Subdomain takeover features.

Subdomain takeover: performs several checks on identified domains for potential subdomain-takeover vulnerabilities. The module is enabled with --takeover and is executed after all others. If such a vulnerability is identified, the results are printed in the output and in a .csv file in the respective project folder under the directory with the results.
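The dangling-CNAME condition behind most subdomain takeovers, as a Python check added here (not Lepus's code): follow each CNAME chain and flag those that end at a name that no longer resolves, then emit Lepus-style `subdomain,target` rows. `lookup_cname` and `resolve` are injectable; the constructed `sample_cname`/`sample_resolve` tables let it run offline, and for live DNS a caller could wrap dnspython's `dns.resolver.resolve(name, "CNAME")`.

```python
import socket
from typing import Callable, Dict, List, Optional

def dangling_cnames(names: List[str], lookup_cname: Callable[[str], Optional[str]],
                    resolve: Callable[[str], List[str]], max_depth: int = 8) -> Dict[str, List[str]]:
    """Follow each hostname's CNAME chain and report chains whose final target
    does not resolve at all (NXDOMAIN): the dangling alias that makes a
    takeover possible if the target name can be registered or claimed."""
    findings: Dict[str, List[str]] = {}
    for name in names:
        chain = [name]
        target = lookup_cname(name)
        while target and target not in chain and len(chain) < max_depth:
            chain.append(target)
            target = lookup_cname(target)
        if len(chain) == 1:
            continue  # no CNAME: an A/AAAA record cannot be a dangling alias
        try:
            resolve(chain[-1])
        except (socket.gaierror, OSError):
            findings[name] = chain  # alias ends at a name that no longer exists
    return findings

def to_csv_rows(findings: Dict[str, List[str]]) -> List[str]:
    # Lepus-style reporting: one line per finding, as "subdomain,target".
    return [f"{name},{chain[-1]}" for name, chain in sorted(findings.items())]

# Constructed sample records for an offline run (not real nmmapper.com data).
SAMPLE_CNAMES = {
    "shop.example.com": "shop-example.storage.cloud-provider.example",
    "blog.example.com": "blog-example.cdn-provider.example",
}
SAMPLE_A = {"blog-example.cdn-provider.example": ["198.51.100.7"],
            "www.example.com": ["203.0.113.10"]}

def sample_cname(name: str) -> Optional[str]:
    return SAMPLE_CNAMES.get(name)

def sample_resolve(name: str) -> List[str]:
    if name in SAMPLE_A:
        return SAMPLE_A[name]
    raise socket.gaierror(f"NXDOMAIN {name}")

if __name__ == "__main__":
    hits = dangling_cnames(["shop.example.com", "blog.example.com", "www.example.com"],
                           sample_cname, sample_resolve)
    print("\n".join(to_csv_rows(hits)))
```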

Censys subdomain finder

This is a tool to enumerate subdomains using the Certificate Transparency logs stored by Censys. It should return any subdomain that has ever been issued an SSL certificate by a public CA.

Note that this tool requires API access unless you are going to use the censys non-API library version of it. That library uses Censys but does not require API access. Note, however, that this version may not bring back all subdomains, unlike the one that uses the API.
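An added Python example (not the Censys tool's code) of the certificate-log approach above: normalize the names found in CT entries and keep only those under the target domain, with a label-boundary check so that lookalike domains do not slip in. It assumes crt.sh-style JSON records with a newline-separated `name_value` field, since the page does not show the Censys response format; the `SAMPLE_CT` entries are constructed.

```python
from typing import Iterable, List

def is_subdomain(name: str, apex: str) -> bool:
    # Label-boundary check: endswith(apex) alone would also accept notexample.com.
    return name.endswith("." + apex)

def subdomains_from_ct(entries: Iterable[dict], apex: str) -> List[str]:
    """Collect hostnames under `apex` from CT log entries in the crt.sh JSON
    shape, where `name_value` holds one or more newline-separated names
    (common name plus SANs). Returns sorted unique hostnames."""
    apex = apex.lower().rstrip(".")
    seen = set()
    for entry in entries:
        for raw in entry.get("name_value", "").splitlines():
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # wildcard cert: record the zone it covers
            if not name or "@" in name or not is_subdomain(name, apex):
                continue  # empty, e-mail SAN, the apex itself, or out of scope
            seen.add(name)
    return sorted(seen)

# Constructed sample entries (not a real CT query result for nmmapper.com).
SAMPLE_CT = [
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "*.dev.example.com"},
    {"name_value": "Mail.Example.COM."},
    {"name_value": "www.notexample.com"},
    {"name_value": "www.example.com"},  # duplicate from a renewed certificate
]
```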
