Finding subdomains manually would take an eternity. Fortunately, we don't have to: today we'll explore the top 7 subdomain scanning tools to boost effectiveness in your daily subdomain reconnaissance tasks.

Finding subdomains: popular methods in modern infosec

Subdomain scanner utilities let you explore the full domain infrastructure of any company in the world. But what are today's most popular uses of these subdomain enumeration toolkits? Let's find out.

DNS audit

Every week we see news about DNS-related security incidents, and yet performing a scheduled DNS audit is something most companies never do. Which is odd, because running a DNS audit is one of the most effective ways to find unused subdomains, expired SSL certificates or exposed legacy software, and to bring your records up to date. This information can be used to harden your systems and applications, as well as to update your server and network infrastructure documentation.
Domain intelligence

Infosec researchers often use subdomain discovery toolkits in their investigations, which frequently involve a number of techniques. These subdomain enumeration tools help to discover forgotten public areas that might be exposing sensitive information about your apps, users or technologies.
Vulnerability scanning

An extensive list of domain names along with their subdomains can yield remarkable findings about any online company. Private areas, development versions and unprotected applications can often be found while auditing the full list of subdomains of a domain name. Later, these areas can be scanned en masse against common known vulnerabilities, as we covered in an earlier article.

How subdomain scanners work

Let's analyze the most popular methods subdomain scanners use to find subdomains.

Querying search engines

Search engines are often used to find the subdomains of a domain name. This involves a simple query such as:

`site:cloudflare.com -www`

This can return the full list of Google-indexed subdomains.
While this subdomain query is not in real time, since it comes from the latest GoogleBot crawl, it's often really useful for finding subdomains that are not excluded by a robots.txt configuration or by noindex meta tags. A lot of terminal and web-based subdomain scanner engines rely on this type of built-in query language from search engines such as Google or Bing.

Performing brute force discovery

Some discovery tools use brute force and recursive brute-forcing techniques to generate subdomain lists, most of the time combined with wordlists. Sit down, grab a coffee, and start testing a bunch of words to see which subdomain is alive. While it's not the quickest way to find subdomains, it can be one of the most accurate. Tools that use this method (along with others) include Amass, Fierce and DNScan.
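The wordlist brute force described above, as an added example that is not part of the original post or of any of the tools it names. It adds the check a practitioner wants before trusting brute-force results: a wildcard DNS record answers every label, so random labels are probed first and candidates that only return the wildcard's addresses are dropped. The resolver is injectable; `fake_resolver` and `FAKE_ZONE` are constructed so the block runs offline, and `system_resolver` does real lookups.

```python
import random
import socket
import string
from typing import Callable, Dict, List, Optional, Set

# A resolver maps a hostname to its set of IPv4 addresses, or None when the name does not exist.
Resolver = Callable[[str], Optional[Set[str]]]

def system_resolver(name: str) -> Optional[Set[str]]:
    """Real lookup through the OS stub resolver (this one makes network queries)."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return None

def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve random labels that should not exist; any answer comes from a wildcard record."""
    wildcard_ips: Set[str] = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
        wildcard_ips |= resolve(f"{label}.{domain}") or set()
    return wildcard_ips

def brute_force(domain: str, wordlist: List[str], resolve: Resolver = system_resolver) -> Dict[str, Set[str]]:
    """Return {fqdn: ips} for wordlist entries that resolve, dropping wildcard noise."""
    wildcard_ips = detect_wildcard(domain, resolve)
    found: Dict[str, Set[str]] = {}
    for word in dict.fromkeys(w.strip().lower() for w in wordlist if w.strip()):  # dedupe, keep order
        name = f"{word}.{domain}"
        ips = resolve(name)
        # A wildcard zone answers every label; keep only names that have addresses of their own.
        if ips and not (wildcard_ips and ips <= wildcard_ips):
            found[name] = ips
    return found

# Constructed fake zone so the example runs offline; the names and addresses are hypothetical.
FAKE_ZONE = {
    "www.example.test": {"192.0.2.10"},
    "mail.example.test": {"192.0.2.20"},
    "dev.example.test": {"192.0.2.99"},  # same address as the wildcard, so it is filtered out
}

def fake_resolver(name: str) -> Optional[Set[str]]:
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    return {"192.0.2.99"} if name.endswith(".example.test") else None  # *.example.test wildcard

if __name__ == "__main__":
    print(brute_force("example.test", ["www", "mail", "dev", "ftp"], fake_resolver))
```

Against a real zone, pass `system_resolver` (the default) and a wordlist read from disk; the wildcard filter is what keeps a `*.example.com` record from turning every dictionary word into a false positive.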
[Figure: second-level non-existent domain (NXD) traffic, meaning queries to the top-level domain name servers where either the second-level domain being queried does not exist or it exists but does not have its DNS settings properly configured.]
Running DNS zone transfers

A DNS zone transfer is another way to fully replicate a remote DNS zone. This is useful for revealing all the subdomains configured on the DNS server. The technique works only when the zone is not protected, or when AXFR requests have not been restricted by the system administrators. While most DNS servers are configured against this type of request, it's worth a try, combined with brute force based exploration.

Fetching SSL/TLS public information

SSL/TLS certificates are not only useful for encrypting the data sent and received between browsers and servers; they're also useful for infosec research. The Subject Alternative Name (SAN) field of SSL/TLS certificates can be used to extract domain and subdomain names. This method, combined with Python or bash scripting, can help you find subdomains quickly and easily.

The best terminal-based subdomain scanner tools to find subdomains

Amass

Amass, written by Jeff Foley, is one of our favorite tools when it comes to subdomain discovery. It's one of the most powerful terminal-based commands there is for gathering and accumulating large amounts of subdomain data. Amass uses a variety of subdomain mapping techniques, including scraping, recursive brute force, reverse DNS sweeping and machine learning, to get the full list of subdomains.
It also integrates passive data sources for faster passive subdomain reconnaissance. Installing Amass is easy, for example with snap on Kali Linux and other popular Linux distros, simply by typing:

`snap install amass`

Once you get it running, you can start playing.
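The SAN extraction described in the "Fetching SSL/TLS public information" section above, as an added example that is not part of the original post. `fetch_san_entries` makes a real TLS connection and returns the certificate's SAN list in the shape Python's `ssl` module gives it; `subdomains_from_san` does the filtering, with the two caveats a practitioner needs: shared and CDN certificates list unrelated customers' names, and a bare wildcard proves nothing about which hosts exist. `SAMPLE_SAN` is a constructed input so the block runs offline.

```python
import socket
import ssl
from typing import Iterable, Set, Tuple

SanEntry = Tuple[str, str]  # ("DNS", "host") pairs, the shape ssl's getpeercert() returns

def fetch_san_entries(host: str, port: int = 443) -> Tuple[SanEntry, ...]:
    """Open a TLS connection and return the server certificate's subjectAltName entries (network call)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert().get("subjectAltName", ())

def subdomains_from_san(entries: Iterable[SanEntry], domain: str) -> Set[str]:
    """Keep DNS names under `domain`, normalise them, and drop what is not a finding.

    Shared and CDN certificates routinely list other customers' domains, and a bare
    wildcard (*.example.com) proves nothing about which hosts exist, so both are
    ignored; a wildcard on a deeper label still reveals that label.
    """
    domain = domain.lower().rstrip(".")
    suffix = "." + domain
    found: Set[str] = set()
    for kind, value in entries:
        if kind != "DNS":
            continue  # IP Address, email and URI SAN types carry no hostname
        name = value.lower().rstrip(".")  # certificates may carry a trailing dot
        if name.startswith("*."):
            name = name[2:]  # "*.staging.example.com" -> "staging.example.com"
        if name != domain and name.endswith(suffix):
            found.add(name)
    return found

# Constructed SAN list in getpeercert() shape; hypothetical values, not from a real certificate.
SAMPLE_SAN = (
    ("DNS", "example.com"),
    ("DNS", "*.example.com"),
    ("DNS", "MAIL.example.com"),
    ("DNS", "*.staging.example.com"),
    ("DNS", "legacy-app.example.com."),
    ("DNS", "othercustomer.net"),
    ("IP Address", "192.0.2.1"),
)

if __name__ == "__main__":
    for sub in sorted(subdomains_from_san(SAMPLE_SAN, "example.com")):
        print(sub)
```

For a live host, `subdomains_from_san(fetch_san_entries("www.example.com"), "example.com")` gives the same result shape; remember that only the certificate currently served is inspected, so historical certificates need a transparency-log source.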
SubBrute

SubBrute is one of the fastest brute-forcing subdomain discovery tools we've ever tested. One of its coolest features is the ability to conceal the origin of the subdomain scanning itself, by using open resolvers as a proxy to get around DNS rate limits. It can also work as a DNS spider that recursively crawls enumerated DNS records, making it a complete terminal-based DNS toolkit. SubBrute's syntax is simple, as you can see below:

`./subbrute.py cloudflare.com -o cloudflare.names`

SubBrute supports filtering DNS records. For example, if you need to get only TXT records from a given domain name, you can use the `--type` option:

`./subbrute.py -s google.names google.com --type TXT`

Another great thing about SubBrute is that it can be integrated into your own Python scripts by using the `subbrute.run` function. For example:

```python
import subbrute

# subbrute.run yields each resolved name for the target domain
for d in subbrute.run('yahoo.com'):
    print(d)
```

For advanced usage, simply run:

`./subbrute.py -h`

Knock

Knock is another Python subdomain scanner tool that helps infosec researchers with the intel-gathering process. It works by performing a full DNS zone transfer, and if that fails, it can run a query against the VirusTotal subdomain database. It's a simple program that does a great job when you need to find subdomains. Its only dependency is the python-dnspython package, which can be found on all major Linux distributions.

Summary

While the old terminal-based tools are still useful for generating live subdomain databases, there are faster and more efficient ways to find subdomains using passive OSINT sources. Passive DNS, domain and IP intelligence databases like the one we've built at SecurityTrails are now the #1 source of data when it comes to subdomain mapping and subdomain scanning tasks. Are you a security researcher or bug bounty addict? Do you want to learn how to find subdomains instantly, without any delay? Get in touch with our sales team today to discover our powerful, efficient all-in-one passive reconnaissance platform.