
SecurityTrails Blog · Mar 28 · SecurityTrails team

SecurityTrails Subdomain Finder Tools: The Fastest Way to Discover Subdomains in Your DNS Recon

For 99% of the intel-gathering work you do during infosec research or penetration testing, DNS reconnaissance is a primary course of action.

One of the most common things a pentester will try to do is find out as much detail about your subdomains as they can, since subdomains often reveal critical parts of your software applications and server infrastructure.

Exploring the DNS zone information can be pretty easy, as most companies still don’t pay enough attention to DNS server traffic.

That’s why today we’re showing you how to discover subdomains for any domain on the Internet in just seconds, with our built-in subdomain finder tool.

The effectiveness of the following methods varies depending on how well the target servers are configured in terms of security hardening.

Brute force attack

It’s one of the oldest and most classic ways to test hostname combinations in remote host discovery tasks.

But using brute force for subdomain reconnaissance is also the slowest way. It’s a time-consuming task because a remote attacker must wait until the script has tested all the possible hostname combinations that may exist.

Dictionary attack

On the other hand, we have subdomain dictionary attacks. This type of attack works by querying your DNS server for hostnames taken, one by one, from a dictionary wordlist.

While it’s not as effective as the brute force attack, it manages to find the most common subdomain names used by companies on their websites.

Sometimes it’s natural to see a combination of both techniques (dictionary wordlist + brute force attack) when you need to identify complete and accurate results.
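To make the dictionary + brute force combination concrete, here is an added example (not code from the original post or from SecurityTrails) that tries every wordlist entry as-is and with a short set of appended suffixes, and keeps the names that resolve. The wordlist, the suffix set and the fake zone are constructed for illustration; the resolver is injectable so the loop can be exercised offline, and running it against a domain you administer shows which hostnames a dictionary scan would expose:

```python
import socket
from itertools import product

# Constructed wordlist of common hostnames; real scans use far larger lists.
WORDLIST = ["www", "mail", "dev", "staging", "vpn", "api"]


def resolve_with_socket(hostname):
    """Return the A record for hostname, or None if it does not resolve."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def candidate_names(domain, wordlist, brute_suffixes=("", "1", "2")):
    """Yield dictionary candidates, each extended with a short brute-force suffix.

    Every word is tried as-is ("" suffix) and with each extra suffix appended,
    which is the dictionary + brute force combination described above.
    """
    for word, suffix in product(wordlist, brute_suffixes):
        yield f"{word}{suffix}.{domain}"


def enumerate_subdomains(domain, wordlist=WORDLIST, resolve=resolve_with_socket):
    """Return {fqdn: ip} for every candidate that resolves.

    `resolve` is injectable so the loop can run without network access.
    """
    found = {}
    for fqdn in candidate_names(domain, wordlist):
        ip = resolve(fqdn)
        if ip is not None:
            found[fqdn] = ip
    return found


# Constructed fake zone (RFC 5737 documentation addresses) used to show the
# behaviour offline; swap in resolve_with_socket for a real lookup.
FAKE_ZONE = {
    "www.example.com": "192.0.2.10",
    "dev.example.com": "192.0.2.20",
    "dev2.example.com": "192.0.2.21",
}


def fake_resolve(hostname):
    return FAKE_ZONE.get(hostname)


if __name__ == "__main__":
    hits = enumerate_subdomains("example.com", resolve=fake_resolve)
    for name, ip in sorted(hits.items()):
        print(f"{name} -> {ip}")
```

Note how quickly the candidate count grows: six words times three suffixes is already 18 lookups, and a realistic wordlist with more suffixes multiplies that, which is exactly why the post calls brute force the slowest method.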

DNS zone transfer

This is another popular method used by security researchers when they try to list the subdomains of a site. In this specific type of attack, a remote attacker will try to fully dump your DNS zone records.

If your DNS server is not protected against unauthorized DNS zone transfers, an attacker can obtain the full list of DNS records, including subdomains.

Now that you know the most common ways to get the full list of subdomains for any given domain, let’s see three alternative ways to fetch the subdomain data you need, in just seconds, and using only your browser.

How to use SecurityTrails as a subdomain finder utility

SecurityTrails’ main intel-gathering tool is the one-stop domain tool when you need to perform quick and isolated domain and DNS cybersecurity tests.

Let’s see how to use our subdomain scanner. Follow the next steps:

  • Go to the SecurityTrails website
  • Enter your domain name
  • Locate the ‘Subdomains’ option in the left menu

From here you’ll be able to find DNS host records from our subdomain database in mere seconds, and no data crossing between tools is needed; we have it all, as you can see below:

Amazon.com DNS records

In this case, we discovered more than 3K subdomains from amazon.com; a subdomain enumeration of this size would take you hours while using old terminal-based tools.

Using this interface, you can click on each host to check the subdomain IP address, and that will lead you to additional details about the IP block.

When querying our intelligent DNS scanner, the passive subdomain lookup feature will show you the results filtered by Domain name, Alexa Rank, Hosting provider and Mail provider.

In order to filter the results from our subdomain scanner, you can apply the Filter option at the top of the screen, shown here:

Amazon.com subdomains

In this case, we’re searching for subdomains that contain the word ‘dev’, which can often be used to find web development and testing areas that may be unprotected, or that can lead to critical details about server or software infrastructure.

Using a passive DNS API to find subdomains online

Our Passive DNS API is another great way to get subdomains from a URL in just seconds.

  • First things first: if you don’t have one, grab your free API account.
  • Browse our API Reference to see how to integrate our API endpoints with your favourite programming language.
  • Start finding subdomains manually or automatically from your own apps.

Here’s a quick example using Python:

import requests

url = "https://api.securitytrails.com/v1/domain/amazon.com/subdomains"
querystring = {"apikey": "YOUR.API.KEY.HERE"}  # replace with your own API key
response = requests.request("GET", url, params=querystring)
response.raise_for_status()  # fail loudly on an invalid key or a rate limit
print(response.text)

And another example, this time using Ruby:

require 'uri'
require 'net/http'

# Replace YOUR.API.KEY.HERE with your own API key
url = URI("https://api.securitytrails.com/v1/domain/amazon.com/subdomains?apikey=YOUR.API.KEY.HERE")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true  # the API is served over HTTPS only
request = Net::HTTP::Get.new(url)
response = http.request(request)
puts response.read_body

This is the expected output in raw text (we’re showing only a small part of the 3.5K subdomains Amazon.com has):

{
"subdomains": [
"005357416626.signin.aws",
"034033148515.signin.aws",
"062546578934.signin.aws",
"0832234.signin.aws",
"083537039312.signin.aws",
"115718442021.signin.aws",
"137630119901.signin.aws",
"154-173",
"154-174",
"154-208",
"154-210",
"154-230",
"154-251",
"154-4",
"154-58",
"154-70",
"154-86",
"154-9",
"206-140",
"206-141",
"207-171-168-25",
"246479001350.signin.aws",
"264460025258.signin.aws",
"382146031153.signin.aws",
"3pers-email",
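The raw output above is only half the job: the "subdomains" list holds labels relative to the queried domain, so you still have to rebuild the full hostnames before you can filter them the way the ‘dev’ search in the web interface does. The following added example (not code from the original post or from SecurityTrails) does that with the standard library only: it parses a constructed, well-formed subset of the response shown above, turns the labels into FQDNs and applies a keyword filter on the subdomain part. The fetch helper assumes the same endpoint and apikey query parameter as the article’s snippets and reads the key from a SECURITYTRAILS_API_KEY environment variable (an assumed name), falling back to the embedded sample when no key is set:

```python
import json
import os
import urllib.parse
import urllib.request

# Constructed, well-formed subset of the API response shown above.
SAMPLE_RESPONSE = json.dumps({
    "subdomains": [
        "005357416626.signin.aws",
        "154-173",
        "207-171-168-25",
        "3pers-email",
        "dev",
        "dev-api",
        "www",
    ]
})


def fetch_subdomains_raw(domain, api_key):
    """Call the subdomains endpoint used in the article with the standard library.

    Endpoint shape and the apikey query parameter are taken from the article's
    own examples; this function is not exercised offline.
    """
    url = "https://api.securitytrails.com/v1/domain/{}/subdomains?{}".format(
        urllib.parse.quote(domain), urllib.parse.urlencode({"apikey": api_key}))
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8")


def parse_subdomains(raw_json, domain):
    """Rebuild sorted FQDNs from the 'subdomains' labels, which are relative to domain."""
    data = json.loads(raw_json)
    labels = data.get("subdomains", [])
    return sorted(f"{label}.{domain}" for label in labels)


def filter_subdomains(fqdns, keyword, domain):
    """Keep names whose subdomain part (not the base domain) contains keyword."""
    keyword = keyword.lower()
    suffix = "." + domain.lower()
    matches = []
    for name in fqdns:
        lowered = name.lower()
        label_part = lowered[:-len(suffix)] if lowered.endswith(suffix) else lowered
        if keyword in label_part:
            matches.append(name)
    return matches


if __name__ == "__main__":
    api_key = os.environ.get("SECURITYTRAILS_API_KEY")  # assumed variable name
    raw = fetch_subdomains_raw("amazon.com", api_key) if api_key else SAMPLE_RESPONSE
    names = parse_subdomains(raw, "amazon.com")
    print(f"{len(names)} subdomains")
    for name in filter_subdomains(names, "dev", "amazon.com"):
        print(name)
```

Filtering on the label part rather than the whole hostname matters: a keyword that happens to appear in the base domain would otherwise match every single result.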

SurfaceBrowser™ Subdomain Reconnaissance features

SurfaceBrowser™ passive subdomain reconnaissance features allow you to find subdomains from a powerful and unified DNS and domain interface.

After you log in to your SurfaceBrowser™ panel, you’ll be able to retrieve all existing subdomains for any domain name or company in the world.

Following the amazon.com example, when you land in the dashboard you will see the most important information blocks ordered by:

  • Total number of Subdomains (3.534 in this case)
  • Summary by Hosting Company
  • Summary by IP
  • Summary by Open Ports

Amazon.com summary

The results are displayed (below the summary blocks) showing subdomain name, assigned IP address, as well as hosting provider and open ports found for that host:

Amazon.com subdomain results
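The summary blocks and the per-host results table above are what turn a subdomain list into something a defender can triage. As an added example (not code from the original post or from SurfaceBrowser™), the script below builds the same three summaries, hosts per hosting company, per IP and per open port, from constructed records in the shape of that table, and then flags hosts whose open ports fall outside an allowlist or that sit with a hosting company you did not expect. The records, the port allowlist and the known-provider list are all constructed for illustration:

```python
from collections import Counter, defaultdict

# Constructed records in the shape of the results table above:
# (subdomain, assigned IP, hosting provider, open ports found).
RECORDS = [
    ("www.example.com", "192.0.2.10", "Amazon.com, Inc.", (80, 443)),
    ("api.example.com", "192.0.2.10", "Amazon.com, Inc.", (443,)),
    ("dev.example.com", "198.51.100.7", "Hetzner Online GmbH", (22, 80, 8080)),
    ("mail.example.com", "203.0.113.25", "Google LLC", (25, 443, 587)),
]


def summarize(records):
    """Build the summary blocks: total, hosts per hosting company, per IP, per open port."""
    by_hosting = Counter(provider for _, _, provider, _ in records)
    by_ip = Counter(ip for _, ip, _, _ in records)
    by_port = Counter(port for _, _, _, ports in records for port in ports)
    return {"total": len(records), "hosting": by_hosting, "ip": by_ip, "ports": by_port}


def unexpected_exposure(records, allowed_ports=(80, 443), known_providers=()):
    """Return {host: [reasons]} for hosts worth a closer look.

    A host is flagged when it exposes a port outside allowed_ports, or when
    known_providers is given and its hosting company is not in that list.
    """
    findings = defaultdict(list)
    for name, ip, provider, ports in records:
        extra = sorted(p for p in ports if p not in allowed_ports)
        if extra:
            findings[name].append(f"unexpected open ports {extra}")
        if known_providers and provider not in known_providers:
            findings[name].append(f"hosted at {provider}")
    return dict(findings)


if __name__ == "__main__":
    summary = summarize(RECORDS)
    print(f"Total subdomains: {summary['total']}")
    for block in ("hosting", "ip", "ports"):
        print(block, summary[block].most_common())
    flagged = unexpected_exposure(RECORDS, known_providers=("Amazon.com, Inc.",))
    for host, reasons in flagged.items():
        print(host, "->", "; ".join(reasons))
```

The summary by IP is also a cheap way to spot shared hosts: several subdomains on one address usually means one misconfiguration affects all of them.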

Now you know how to find subdomains of a domain in just seconds, from a single interface that allows you to pivot between IP block information, associated domains, SSL certificate information, and much more.

Final thoughts

Finding subdomains is a crucial task when you perform any type of cyber security investigation. Whether you’re an infosec researcher, you work for a security agency or you’re a bug bounty hunter, it’s vital to have the right tools to get the complete subdomain dataset in just seconds.

While applications on the surface only show specific information to the public, exploring all existing subdomains enables you to discover different, lesser-known applications, databases, sources, paths, signatures, tests and development-restricted areas that may lead to finding server and application vulnerabilities.

Don’t wait any longer. Start using SecurityTrails today, or grab a free API account to help you during your daily DNS reconnaissance tasks.