Kali linux most used subdomain finder

There are many subdomain finder tools out there on GitHub, if you search for subdomain finder you will find a backlog of repositories on GitHub all offering subdomain finder and enumerating tools.


Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS. This very nice tool is hosted on github, though when I last checked there were some complain about it failing with some of it's engine mentioned above.

Sublist3r scanning https://www.nmmapper.com

How to set sublist3r

git clone https://github.com/about3la/Sublist3r.git

Then where you have cloned the repository python3 setup.py install Then you can just run it like usual linux commands sublist3r -d nmmapper.com

This tool has been hosted online at https://www.nmmapper.com


Dnscan is a python wordlist-based DNS subdomain scanner.The script will first try to perform a zone transfer using each of the target domain's nameservers. If this fails, it will lookup TXT and MX records for the domain, and then perform a recursive subudomain scan using the supplied wordlist.

Dnscan using it's internal wordlist to scan https://www.nmmapper.com

The tool is wordlist based, which means it will use it's internal wordlist to attempt to check if the subdomain truely exists. Some of the wordlist it contains include

  • subdomains-1000.txt

  • subdomains-10000.txt

  • subdomains-500.txt

  • subdomains-uk-1000.txt

  • subdomains-uk-500.txt

  • subdomains.txt

As you can see it entirely depends on the above files to perform it's subdomain scanning. Also this tool is hosted online, you can test it out.

Anubis is a subdomain enumeration and information gathering tool. Anubis collates data from a variety of sources, including HackerTarget, DNSDumpster, x509 certs, VirusTotal, Google, Pkey, and NetCraft. Anubis also has a sister project, AnubisDB, which serves as a centralized repository of subdomains.

This Anubis is relatively easy and powerfull to use even error prone compared to others

Anubis as seen scanning for https://www.nmmapper.com

How to install and use Anubis

If you want to use the famous nmap with anubis then you will need to have nmap installed on your system. And for linux folks you will need to also install the following

sudo apt-get install python3-pip python-dev libssl-dev libffi-dev

When it comes to installing anubis you have over two powerful choices to choose from

  • Pip3

  • Snap

To install with pip3 you will do something like this

pip3 install anubis-netsec

To install with snap

snap install anubis

That's all you need to install anubis pretty easy compared with others and after the installation you can use it like this;

anubis -t nmmapper.com

Anubis has also been hosted online so you can test this online version.


The OWASP Amass Project has developed a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery using open source information gathering and active reconnaissance techniques

Techniques used by Amass

  • DNS: Basic enumeration, Brute forcing(optional)...

  • Scraping: Ask, Baidu, Bing, DNSDumpster, DNSTable, Exalead, Google...

  • Certificates: Active pulls(optional), Censys, CertSpotter, Crtsh, Entrust, GoogleCT

  • APIs

  • Web Archives

Install Amass

To install amass you must have snap install on your system

sudo snap install amass

Add the Snap bin directory to your PATH:

export PATH=$PATH:/snap/bin

amass enum -d nmmapper.com

amass scanning https://www.nmmapper.com

Amass is also hosted online

This nmap's script attempts to enumerate DNS hostnames by brute force guessing of common subdomains. With the dns-brute.srv argument, dns-brute will also try to enumerate common DNS SRV records.

Wildcard records are listed as "A" and "AAAA" for IPv4 and IPv6 respectively. This tool can be really dangerous and it brute forces dns this can crush the server so please use it with care. This script can also be used to enumerate subdomains, and since nmap is available on kali linux then yes nmap can do subdomain finder. You can just run this script like this

nmap --script dns-brute

scanning https://www.nmmapper.com with nmap's dns-brute

We have also hosted this tool online

Lepus is a utility for identifying and collecting subdomains for a given domain. Subdomain discovery is a crucial part during the reconnaissance phase. It uses four (4) modes

  • Services (Collecting subdomains from the below services)

  • Dictionary mode for identifying domains (optional)

  • Permutations on discovered subdomains (optional)

  • Reverse DNS lookups on identified public IPs (optional)

Features of Lepus

  • Dictionary Mode

  • Permutations Mode

  • Reverse Mode

  • Portscan

  • Subdomain takeover: Performs several checks on identified domains for potential subdomain-takeover vulnerabilities. The module is enabled with --takeover and is executed after all others. If such a vulnerability is identified, the results are printed in the output and in a .csv file in the respective project folder under the directory with the results.

This is a tool to enumerate subdomains using the Certificate Transparency logs stored by Censys. It should return any subdomain who has ever been issued a SSL certificate by a public CA.

It is good to note that this tool requires an API unless you are going to use censys non api library of it. The library uses censys but it does not require apis. It is good to note that this tool, may not bring all subdomains as the one which uses api

The fastest and cross-platform subdomain enumerator, don't waste your time. It's cross-platform makes it ideal for all users no matter the platform. Features of Findomain

  • Subdomains monitoring: put data to Discord, Slack or Telegram webhooks

  • Multi-thread support for API querying

  • Parallel support for subdomains resolution

  • DNS over TLS support

  • Specific IPv4 or IPv6 query support.

  • Discover subdomains without brute-force

  • Discover only resolved subdomains