Finding subdomains manually would take an eternity. Fortunately, we don’t have to — and today we’ll explore the top 7 subdomain scanning tools to boost effectiveness in your daily subdomain reconnaissance tasks.
Finding subdomains: popular methods in modern infosec
Subdomain scanner utilities let you explore the full domain infrastructure of any company in the world. But what are today’s most popular uses of these subdomain enumeration toolkits? Let’s find out.
Every week we see media news related to DNS attacks, and yet, performing a scheduled DNS audit is something most companies never do. Which is odd, because unning a DNS audit is one of the most effective ways to find and update stale DNS records and find unused subdomains, expired SSL certificates or exposed legacy software.
This information can be used to harden your systems and applications, as well as update your server and network infrastructure documentation.
Red teams often use subdomain discovery toolkits in their infosec investigations, which frequently involve a number of OSINT techniques. These subdomain enumeration tools help to discover forgotten public areas that might be exposing sensitive information about your apps, users or technologies.
An extensive list of domain names along with their subdomains can yield remarkable findings about any online company.Private areas, development versions and unprotected applications can often be found while auditing the full list of subdomains of any domain name.
Later, these areas can be massively scanned against common known vulnerabilities, as we previously covered in our article on the Top 13 Online Vulnerability Scanning Tools.
How subdomain scanners work
Let’s analyze the most popular methods subdomain scanners and domain tools used to find subdomains.
Querying search engines
Google hacking techniques are often used to find the subdomains of any domain name. This involves a simple command such as:
This can return the full list of Google indexed subdomains. While this subdomain query is not in real time, as it comes from the latest GoogleBot crawl, it’s often really useful for finding all subdomains that are not protected by robots.txt configurations or subdomains not using noindex meta tags.
A lot of terminal and web-based subdomain scanner engines rely on this type of built-in query language from search engines such as Google or Bing.
Performing brute force discovery
Some discovery tools use brute force and recursive brute forcing techniques in order to generate subdomain lists, most of the time combined with word-lists.
Sit down, grab a coffee, and start testing a bunch of words to see which subdomain is alive. While it’s not the quickest way to find subdomains, it can be one of the most accurate.
Tools that use this type of method (along with others) include Amass, Fierce and DNScan.
Running DNS zone transfers
A DNS zone transfer is another way to fully replicate a remote DNS zone. This is useful for revealing all the configured subdomains within the DNS server.
This technique works only when the DNS zone is not protected or limited by the system administrators for AXFR requests. While most DNS servers are patched against this type of DNS request, it’s worth a try to combine it with brute force based exploration.
Fetching SSL/TLS public information
SSL/TLS certificates are not only useful for encrypting the data sent and received between browsers and servers, it’s also useful for infosec research.
The Subject Alternate Name (SAN) of SSL/TLS certificates can be used to extract domains and subdomain names. This method, combined with python or bash scripting, can help you find subdomains quickly and easily.y
The best terminal-based subdomain scanner tools to find subdomains
Written by Jeff Foley, Amass is one of our favorite tools when it comes to subdomain discovery. It’s one of the most powerful terminal-based commands there is for gathering and accumulating large amounts of subdomain data.
Amass uses a variety of subdomain mapping techniques including scrapping, recursive brute force, reverse NDS sweeping, and machine learning to get the full list of subdomains. It also includes full integration with the SecurityTrails API for faster passive subdomain reconnaissance.
Installing Amass is easy by using the precompiled packages, or by using snap on Kali Linux and other popular Linux distros, simply by typing:
snap install amass
Once you get it running, you can start playing. Let’s see how you can use it to find subdomains easily.
A basic subdomain scanning can be performing by running:
amass -d domain.com
[email@example.com ~]# amass -d securitytrails.com app.securitytrails.com api.securitytrails.com docs.securitytrails.com Average DNS queries performed: 55/sec, DNS names remaining: 1 OWASP Amass v2.9.9 https://github.com/OWASP/Amass -------------------------------------------------------------------- 3 names discovered - cert: 2, scrape: 1 -------------------------------------------------------------------- ASN: 14618 - AMAZON-AES - Amazon.com, Inc., US 18.104.22.168/12 2 Subdomain Name(s) 22.214.171.124/13 2 Subdomain Name(s) 126.96.36.199/12 4 Subdomain Name(s) [firstname.lastname@example.org ~]
You can also scan multiple domains with a single command:
amass -d adobe.com,microsoft.com -d securitytrails.com
Other advanced scans can be found by running
Follow us on Twitter to receive updates!Follow @SecurityTrails
SubBrute is one of the fastest brute-forcing subdomain discovery tools we’ve ever tested. One of its coolest features is the ability to conceal the origin of the subdomain scanning itself, by using open resolvers as proxy to DNS rate-limits.
It can also work as a DNS spider that recursively crawls enumerated DNS records, making it a complete DNS terminal-based toolkit.
SubBrute’s syntax is simple, as you see below:
./subbrute.py cloudflare.com -o cloudflare.names
SubBrute supports filtering DNS records. For example, if you need to get only TXT records from any given domain name, you can use the –type option:
./subbrute.py -s google.names google.com --type TXT
Another great thing about SubBrute is the fact that it can be integrated into your own python scripts by using the subbrute.run() function. For example:
import subbrute for d in subbrute.run("yahoo.com"): print d
For advanced usage, simply run:
Knock is another Python subdomain scanner tool helping infosec researchers with the intel-gathering process. It works by performing a full DNS zone transfer, and if that fails, it can run a query against the VirusTotal subdomain database.
It’s a simple program that does a great job when you need to find subdomains.
Its only dependency is the python-dnspython package that can be found on all major Linux distributions. Once you have that sorted out, using it becomes a really simple task.
For this test we configured our VirusTotal API key within this file:
Then we ran the setup:
python setup.py install
Finally, we ran the scan against a target, for example:
The same scan will also provide other useful details such as IP address, response status, domain name and remote detected server hostname.
You can also launch scans using external wordlists with the
knockpy domain.com -w wordlist.txt
Advanced scans and other options can be found by running
DNSRecon is one of the most well-known domain reconnaissance scripts. As with almost every other one on this list, it’s written in Python.
It works by checking all NS records for AXFR zone transfers, and can be very useful in DNS enumeration for almost any type of records, including MX, SOA, NS, TXT, SPF and SRV.
It also supports wildcard resolution checking andbrute force-based discovery for A and AAAA type-records with wordlists. But its powers don’t end there—it can also query Google dorks to fetch indexed subdomains by GoogleBot.
After downloading the DNSRecon package, you’ll need to install a few required packages with pip:
pip install -r requirements.txt
Then you are ready to test it: :
./dnsrecon.py -d securitytrails.com
As shown, DNSRecon scanning against securitytrails.com was able to fetch all types of DNS records such as SOA, NS, MX, A, TXT and it even tried to enumerate SRV records.
While the simple -d option can help with your dns discovery, you can also find subdomains by using a dictionary file with the -D option:
[root@securitytrails dnsrecon]# ./dnsrecon.py -d cloudflare.com -D wordlist.txt [*] Performing General Enumeration of Domain: cloudflare.com
Sublist3r is another Python-based tool that can be used as a massive subdomain scanner. It’s widely used by bug bounty hunters, as well as blue and red teams across the globe for subdomain data collection.
By querying search engines such as Bing, Yahoo, Google, Baidu and other 3rd party sources like Netcraft or VirusTotal subdomain database, it can be one of the most effective and fastest tools around when you want to find subdomains.
And if that’s not enough, you may be surprised to learn that Sublist3r also supports brute-force attacks with wordlists.
Sublist3r minimum requirements are Python2 or Python3 versions.
Python 2 recommended version: 2.7.x
Python 3 recommended version: 3.4.x
To get started, you’ll need to clone the Git repo, then run the installation for some of the dependencies with pip:
pip install -r requirements.txt
That’s it. Now you can perform subdomain scanning tasks:
./sublist3r.py -d securitytrails.com
This subdomain scanner also includes a cool feature that only scans subdomains that have certain ports open. For example:
python sublist3r.py -d wikipedia.com.com -p 80,443
This request will perform a subdomain enumeration and filter only those hosts with 80 and 443 ports open.
AltDNS is a subdomain discovery tool based on work with alterations and permutations.
By setting your own wordlist (or using the default wordlist at default altdns/words.tx) of possible sensitive areas (let’s say dev, staging, test, server, etc.), as well as using a list of confirmed subdomains, you can run the script to generate both altered or mutated results that may be present in the domain name.
It includes a dataset of 200+ subdomains that can be used to churn out valid subdomains.
After cloning the git project, dependencies can be resolved quickly by using pip:
pip install -r requirements.txt
Then you are ready to start using AltDNS:
./altdns.py -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt
Note: subdomains.txt is the actual subdomain list you know already exists, and words.txt is AltDNS’s own wordlist.
You can expect the output to look like this:
SecurityTrails Subdomain Scanner
Updated every 24 hours, our built-in passive DNS subdomain scanner allows you to find subdomains in seconds.
By querying our passive DNS API from our main website, or by using our intelligent Security API, you can fetch all existing subdomains from any website.
Follow these steps:
- Browse the SecurityTrails free app at securitytrails.com
- Enter any domain name, e.g:
- Start seeing results
As you can see, our passive DNS API lets you grab all existing subdomains practically in real time, as this database is updated every 24 hours.
This allows for a very accurate DNS record database, and you can avoid hours, even days, of the time-consuming brute-force techniques we described earlier.
Once you have the results, you can sort information by domain name, Alexa rank, hosting or email provider.
If you need to dig into the associated IP addresses, that can also be done quite easily—by clicking each subdomain IP address, which will lead you to extract more related information such as other subdomains hosted on that IP, IP neighbors, etc.
SurfaceBrowser™, our passive all-in-one OSINT tool, lets you find subdomains in an instant, while combining the intel with related attack discovery points from the targeted domain or company.
See for yourself. Watch how SurfaceBrowser™ can help you generate custom subdomain lists for deep analysis:
While the old terminal-based tools are still useful for generating live subdomain databases, there are faster and more efficient ways to find subdomains using passive OSINT sources.
Passive DNS, domain and IP intelligence databases like the one we’ve built at SecurityTrails are now the #1 source of data when it comes to subdomain mapping and subdomain scanning tasks.
Are you a security researcher or bug bounty addict? Do you want to learn how to find subdomains instantly, without any delay?
Book a SurfaceBrowser™ demo with our sales team today to discover our powerful, efficient all-in-one passive reconnaissance platform.
Sign up for our newsletter!