Before jumping into a subdomain finder, we need to understand what a subdomain is. Subdomains are a part of the main domain name. They are usually used for separating different sections of a website. You would already have seen thousands of subdomains of different websites at this point. Here’s a quick example to help you understand what a subdomain is.
Facebook’s main website loads up at facebook.com but It also has a mobile version that loads up when you visit m.facebook.com. Here “m” is the subdomain of facebook.com (root domain). Similarly, there can be any subdomain. www is also a subdomain but It’s a special type of subdomain which the Hosting companies or Domain registrars create automatically. Other subdomains can be shop.website.com, photos.website.com, etc.
Subdomain Finder Websites
You can find thousands of subdomain finder websites on a single Google search but the catch is that they have limitations in place. This limitation only allows you to search for a limited number of times before you will be asked to purchase credits to search for more websites. Subdomain finder websites are very easy to use as compared to other methods (discussed below) but this limit is consumed very quickly.
In this post, We will share some of the best subdomain finder websites. These websites are free to use but as mentioned above, some of them could have a limit.
Google is the best search engine and has crawled billions of webpages. There is even no limitation in place because Google is free to use. To find subdomains with Google, you need to use Google dorks. A Google dork is a query which forces Google to only show specific kind of results. For finding subdomains of a website, we can use the below Google dork. Simply copy/paste the dork in Google search and you’ll see only the subdomains of the website.
You can play around with Google dorks and can customize them to work for you. You can specify to remove specific subdomains that are being shown again and again.
The other free website which we are going to talk about is VirusTotal. VirusTotal checks for viruses on files uploaded by the users. It also has an online scan engine that scans websites for viruses. It keeps all the records in Its database. That is the reason It includes so many subdomains. Go to virustotal.com, click on Search button, enter the website and press Enter.
Now click on Relations tab, scroll down Subdomains section and you’ll see the subdomains of your entered website.
The interesting thing about VirusTotal is that It does not have any limit.
Other Subdomain finder Websites
There are many other websites like these. To keep this tutorial short, below is the list of them for you to explore on your own.
Subdomain Finder Scripts
Just like subdomain finder websites, there are hundreds of subdomain finder scripts. The best part is that almost all of them are free and doesn’t have any limit. One thing to note here is that the majority of the scripts mentioned below combines multiple methods (like Google, Shodan, Censys, etc.) to find subdomains and then filter out the duplicates before presenting you the subdomains.
As the name suggests, subfinder is a subdomain finder that uses passive online sources. Subfinder is written in Golang and requires go1.13+ to work successfully. To use it, make sure that you have the latest or at least the required version of Golang installed on your computer. You can verify that by typing
go version in the terminal.
There are multiple ways to install subfinder. The easiest is to download a pre-built binary for your OS from here, Extract the downloaded file and add it in your Path variable so you can use it from anywhere without actually going into the directory every time.
Once It is installed, You need to configure It by providing your API Keys of different services like Shodan, VirusTotal, etc. You can find the instructions for this on the subfinder’s repository on Github. Once everything is done, you can type the following command to find subdomains.
subfinder -d domain.com
Subfinder is similar to Sublist3r but is quite fast as compared to Sublist3r.
Other Subdomain Finder scripts
Similar to subfinder, there are many other scripts available for finding subdomains.
Sublist3r is built in Python. Sublist3r is older than Subfinder but isn’t as fast as subfinder. In case you don’t have Go installed on your computer or don’t want to install It, you can check out Sublist3r.
Another python base script is KnockPy. KnockPy is designed to enumerate subdomains based on a wordlist. Is also supports integration with VirusTotal so you can add your VirusTotal API key to also include the results from VirusTotal.
There are some scripts (including the ones discussed above) that also provide the Brute force functionality. You provide them with a wordlist of your choice and they will brute force all the words on the domain to see If It resolves or not. This method has Its own advantages and disadvantages. SubBrute, Amass, Gobuster are quite famous for these tasks.
Why to find subdomains?
If you’re reading this post then chances are that you already know why you need to find subdomains. In case you have no idea, then
- Subdomains can be helpful to you if you’re a bug bounty hunter as more subdomains mean bigger attack surface
- Finding subdomains is a very important step in the information gathering phase during penetration testing
- You’re a website owner and want to make sure that your website doesn’t have any insecure subdomains
- System administrators can find useful information, monitor DNS and certificate changes of the subdomains
The purpose of this tutorial is to help you in finding subdomains. Different use cases are mentioned in the above section. You are responsible for your actions. If you don’t have permission for any specific task, don’t do it.
If you believe we have missed any tool which needs to be mentioned, let us know by commenting on this post.
Leave a Reply