
Hey guys, it’s me @dheerajydv19 and in today’s blog, we will be learning about how to find subdomains for large-scale reconnaissance.
We have already discussed some of the tools in one of my recently published blogs, so I won't be repeating those tools; you can read that blog using the link below.
https://hacklido.com/blog/276-subdomain-enumeration-the-simplest-guide
The tools we will be using are -
- Subfinder
- Amass
- TheHarvester
- Sublist3r
- Aquatone
- SubBrute
- Recon-ng
Some other web-based tools are DNSDumpster and nmmapper, plus a few more we have already discussed in the last blog.
Subfinder-
It is an awesome tool for subdomain enumeration by the ProjectDiscovery team.
Installation -
Cloning the GitHub repo using the below command.
git clone https://github.com/projectdiscovery/subfinder
Moving to the main folder.
cd subfinder
Checking if the installation has been done correctly by running the help command.
subfinder -h
If the help menu is displayed correctly, congrats, you have done the installation successfully.
Note - You can also install subfinder using Go, but that requires go1.18 to install successfully. I personally love git, so I always prefer that for installing tools wherever I can.
Usage -
For finding subdomains of a single domain, use the command -
subfinder -d mydomain.com
For scanning a list of domains -
subfinder -dL /path/to/domain/list.txt -o /path/to/output.txt
For example, if I have all the domains in a file named domains.txt, which is located at Desktop, the command would be -
subfinder -dL ~/Desktop/domains.txt -o ~/Desktop/subdomains.txt
Check out https://github.com/projectdiscovery/subfinder#usage for understanding all the usage commands.
Amass -
It is an awesome tool for in-depth attack mapping and subdomain enumeration.
Installation -
For installing it via apt, give the below command in your Linux terminal.
sudo apt install amass
For checking if it's installed successfully, enter amass in your Linux terminal.
Note - You can install it by downloading it from GitHub too, but that's a little tricky, so prefer installation via apt.
Usage -
For basic subdomain enumeration
amass enum -d example.com
For turning off recursive brute forcing (the -norecursive flag disables it; it is on by default when brute forcing)
amass enum -d example.com -norecursive
Enumerate subdomains with additional data sources
amass enum -d example.com -active -brute -passive
Enumerate subdomains and write output to a file
amass enum -d example.com -o output.txt
You can read the manual guide for amass at the below link -
https://github.com/OWASP/Amass/blob/master/doc/user_guide.md
theHarvester -
Installation -
You can simply install it with a single apt command; enter the below command in your Linux terminal.
sudo apt install theharvester
Alternatively, you can also install it from the GitHub repo given below.
https://github.com/laramies/theHarvester
For checking if the installation is done correctly, run theHarvester in your Linux terminal.
Usage -
- Enumerate subdomains from multiple sources
theHarvester -d example.com -l 500 -b all
- Basic subdomain enumeration
theHarvester -d example.com -l 500 -b google
- Enumerate subdomains and write output to a file
theHarvester -d example.com -l 500 -b all -f output.txt
Note - It has a lot of modules for subdomain enumeration; some of them require API keys while others work without any, so if you want to get the best from it, prefer setting up all the API keys first and then start using it.
Sublist3r
Installation -
You can simply install it with a single apt command by entering the below command in your Linux terminal.
sudo apt install sublist3r
Alternatively, you can also install it from the GitHub repo given below.
https://github.com/aboul3la/Sublist3r
Usage -
- Basic subdomain enumeration
python sublist3r.py -d example.com
- Enumerate subdomains from a specified DNS server
python sublist3r.py -d example.com -s 8.8.8.8
Note - I personally tried using Sublist3r yesterday and it was giving some error due to VirusTotal, so if you can solve that issue, go ahead; otherwise prefer using any other tool.
You guys can try using the remaining three tools yourself; they are a little outdated and I personally also don't use those tools, so I am not writing about those in this blog.
There are many other tools for subdomain enumeration, so try some and decide for yourself which you want to use according to your needs and requirements. I personally love subfinder, so you must give it a try. If you guys want one more blog on this topic, about what's next after subdomains, then let me know on Twitter or tell me here in the comments.
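Once several of the tools above have each written their own output file, large-scale recon needs those files combined into one clean, in-scope inventory. The script below is an added example, not code from the original post or from any of the tools it covers; the file names and the sample lines in demo() are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from any tool it covers:
# merge the raw output files of several enumeration tools into one clean,
# in-scope, deduplicated subdomain inventory. File names and the sample
# contents in demo() are constructed for this demo.

# merge_subdomains ROOTS_FILE RAW_FILE...  -> one clean hostname per line
#   - lowercases, trims surrounding whitespace (incl. CRLF), drops a leading
#     "*." (wildcard entries) and a trailing "." (FQDN notation)
#   - keeps only lines that look like a hostname (tool banners and junk go)
#   - keeps only the listed roots and their subdomains; note that
#     "notexample.com" is NOT a subdomain of "example.com"
#   - sorts and deduplicates in the C locale so the order is stable
merge_subdomains() {
    local roots="$1"; shift
    cat "$@" \
      | tr '[:upper:]' '[:lower:]' \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's/^\*\.//' -e 's/\.$//' \
      | { grep -E '^([a-z0-9-]+\.)+[a-z]{2,}$' || true; } \
      | awk -v rootsfile="$roots" '
          BEGIN { while ((getline r < rootsfile) > 0) {
                      gsub(/[ \t\r]/, "", r); if (r != "") roots[tolower(r)] = 1 } }
          { for (r in roots)
                if ($0 == r || substr($0, length($0) - length(r)) == "." r) { print; next } }' \
      | LC_ALL=C sort -u
}

# demo: constructed sample files in the shape subfinder/amass -o would write
demo() {
    local dir; dir=$(mktemp -d)
    printf 'example.com\nExample.org\n' > "$dir/roots.txt"
    printf 'api.example.com\nwww.example.com\nWWW.example.com\n*.dev.example.com\n' \
        > "$dir/subfinder.txt"
    printf 'www.example.com\r\nmail.example.org.\nnotexample.com\nexample.com\nbad host.example.com\n' \
        > "$dir/amass.txt"
    merge_subdomains "$dir/roots.txt" "$dir/subfinder.txt" "$dir/amass.txt"
    rm -rf "$dir"
}

demo   # prints api.example.com, dev.example.com, example.com, mail.example.org, www.example.com (one per line)
```

On real output, pass your scope file and all of the tools' -o / -f result files; anything outside the listed roots (a common source of accidental out-of-scope testing) is dropped before the list goes any further.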
That’s it for today’s blog.
Follow me on Twitter: https://twitter.com/Dheerajydv19