Top 5 Subdomain Enumeration Tools [Web Application Pentest] | GoLinuxCloud (2024)

Hello Learners, in this article we will learn the different tools used for Subdomain Enumeration of a Web Application Pentest. The Subdomain Enumeration process has evolved a lot in recent years and finding subdomains manually will take forever , thankfully we don't have to since we can use the tools below to easily enumerate the subdomains.

How do Subdomain Enumeration Tools work ?

There are 5 methods which most of the Subdomain Enumeration tools use:

  • Google Dorks
  • Brute Forcing
  • Third party services
  • SSL/TLS Certificates
  • DNS Zone Transfers

Method-1: Google Dorks

Search Engines like Google and Bing support various operators to make search Queries which are known as Google Dorks.

Site:google.com

This will return the full list of Google Indexed Subdomains , This list basically comes from a Googlebot crawl. This is very useful for finding subdomains which are not protected by the robots.txt configuration.

Bing also supports some operators just like Google , for example the site operator.

Site:yahoo.com

Method-2: Brute Forcing

Some subdomain enumeration tools use brute-force and recursive brute-force most of the time with a good wordlist.

So , you can just grab some snacks and the scanners will test all the words in the wordlist to see which subdomains are alive. It’s not very fast but it’s actually the most accurate.

Some tools which use this method are : Amass , SubBrute , Puredns and Fierce.

Method-3: Third party services

There are a lot of third party services which collects massive DNS data , so these subdomain enumeration tools can add their API’s as sources and the tools will find the subdomains from each of the service.

Some of the third party services are : VirusTotal , CloudFlare, WaybackMachine .

Method-4: SSL Certificates

SSL/TLS Certificates contain information about domain names . subdomain names and email addresses. This practically makes them a treasure for all the hackers.

The best way to look up certificates of a domain is using the below 2 URLs

Method-5: DNS Zone Transfer

DNS Zone Transfer is a process through which a DNS Server passes a copy of a part of it’s DNS database to another server. The portion which got replicated is known as zone.This technique only works when the DNS zone is not protected from AXFR requests. Most of the servers are fixed with type of request but still its a method being used by the subdomain enumeration tools till date.

With that in mind , let's get started to learn the best tools for Subdomain-Enumeration.

Top 5Subdomain Enumeration Tools

1. Amass

Amass is an intelligent subdomain-enumeration tool used for Subdomain enumeration and information gathering. Amass, an open source tool, finds subdomains through DNS Enumeration , Network mapping , Certificates and Archives.There are various modules inbuilt in Amass which do the work starting from Gathering information to displaying the results in graphs.

1.1 Amass Core Modules

amass intel - Gathering Informationamass enum - DNS Enumeration and mappingamass viz - Visual resultsamass track - Track differences between outputsamass db - Stores all the found results and display the results in various formats

1.2 Installation of Amass

OWASP Amass can be installed on Linux OS by the following command :

go get -v github.com/OWASP/Amass/v3/…

For Mac OS,

brew tap caffix/amassbrew install amass

For Kali,

sudo apt install amass

Check whether amass is properly installed or not

amass -hamass -version

1.3 Amass Usage

1. Basic command to enumerate the target:

amass enum -d <URL>

2. Mention the ports to scan while enumeration

amass enum -d <URL> -p 443,80,8080

3. Passive Recon

amass enum -passive -d <URL> -src

4. Search based on ASN

amass intel -asn <ASN ID’s>

5.Find ASN ID’s through Organisation name

amass intel -org ‘Org Name’

2. Assetfinder

Assetfinder is one of the fastest subdomain enumeration tools available in the market . It's an open source tool written in Go by Tomnomnom which uses the following resources to find subdomains.

  • crt.sh
  • certspotter
  • hackertarget
  • threatcrowd
  • wayback machine
  • dns.bufferover.run
  • facebook
  • virustotal
  • Findsubdomains

2.1 Installing Assetfinder

1.Check if Go-lang is installed. If it isn’t installed then make sure to install it.

 go --version

2.You can download Assetfinder by running the following command:

go install github.com/tomnomnom/assetfinder@latest

3.You can also install Assetfinder by downloading the binaries directly from the following link

https://github.com/tomnomnom/assetfinder/releases

4.Check if assetfinder runs fine on your system

assetfinder --help

2.2 Assetfinder Usage

1.Find domains and subdomains of a specific domain

 assetfinder todoist.com

2.Find only the subdomains of a domain

assetfinder –subs-only todoist.com

3. Subfinder

Subfinder is an open source subdomain enumeration tool that finds subdomains using passive reconnaissance. Subfinder uses a simple modular architecture and is optimised for speed. It purely built for Passive reconnaissance and it does that very well.

The following resources are used to find the subdomains:

  • Binaryedge
  • C99
  • Certspotter
  • Chingz
  • Censys
  • Chaos
  • DnsDB
  • Fofa
  • Github
  • Intelx
  • PassiveTotal
  • Robtex
  • Shodan
  • Security trails
  • Spyse
  • Virustotal
  • Threatbook
  • Zoomeye

3.1 Installation of Subfinder

1.Subfinder requires go 1.17 to be installed on the OS. So make sure to check if you have go installed.

go --version

2.You can then download Subfinder using the following command :

go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

3.You can also install Subfinder by downloading the latest release for your respective OS directly from the following link and moving the release to your path:

https://github.com/projectdiscovery/subfinder/releases/tag/v2.4.9

4.Check if subfinder is running fine on your system.

subfinder -version

3.3 Subfinder Usage

1.Find subdomains of a target domain

subfinder -d todoist.com

2.To store the output in a file

subfinder -d todoist.com -o results.txt

3.Shows only subdomains silently and saves the result in a file

subfinder -silent -d todoist.com -o results.txt

4. Sublist3r

Sublist3r is a python based tool designed to enumerate subdomains using OSINT.Sublist3r enumerates the subdomains using many search engines like Google , Bing , Yahoo, Baidu and Ask.It also enumerates the subdomains using many third party services like VirusTotal , PassiveDNS , Netcraft , DNSDumpster , SSL Certificates.Sublist3r can also bruteforce subdomains using the sub-brute functionality with a good wordlist.

4.1 Installing Sublist3r

1. First git clone the directory by the following command

git clone https://github.com/aboul3la/Sublist3r.git

2. Next install the dependencies by the following command

sudo pip install -r requirements.txt

3. Now check if Sublist3r is running fine on your system or not

python sublist3r.py -h

4.2 Sublist3r Usage

1. Enumerate subdomains of a specific domain

python sublist3r.py -d example.com

2. Enumerate subdomains of specific domain and show only subdomains which have open ports 80 and 443

python sublist3r.py -d example.com -p 80,443

3. To enumerate subdomains and use specific engines such Google, Yahoo and Virustotal engines

python sublist3r.py -e google,yahoo,virustotal -d example.com

4. To enumerate subdomains and enable the bruteforce module

python sublist3r.py -b -d example.com

5. PureDns

Puredns is a subdomain brute forcing tool that improves massdns to accurately handle wildcard subdomains and DNS poisoning. It’s easy to use and can be integrated into workflows, it ensures the results obtained by public resolvers are clean.

Features:

  • Resolve thousands of DNS queries per second using massdns and a list of public DNS resolvers
  • Bruteforce subdomains using a wordlist and a root domain
  • Clean wildcards and detect wildcard roots using the minimal number of queries to ensure precise results
  • Validate that the results are free of DNS poisoning by running against a list of known, trusted resolvers

5.1 Installing PureDns

1. First, Puredns requires massdns binary to be present on the system. So make sure that massdns is installed. You can check if massdns is installed or not by the following command

massdns -h

2. If massdns is not installed , execute the following commands

git clone https://github.com/blechschmidt/massdns.gitcd massdnsmakesudo make install

3. After you have verified that massdns is installed, execute the following command

go install github.com/d3mondev/puredns/v2@latest

4. Verify if puredns is working fine or not by the following command

puredns --help

5.2 Puredns Usage

1. Bruteforce subdomains using wordlist file

puredns -r DNS.txt bruteforce wordlist.txt domain.com

Note: wordlist.txt contains all the words for bruteforcing subdomains, wordlists can be found on SecLists Github.

2. Resolving list of domains one per line

puredns -r DNS.txt resolve domains.txtFast and accurate DNS resolving and bruteforcingCrafted with <3 by @d3mondevhttps://github.com/sponsors/d3mondev------------------------------------------------------------[+] Mode : resolve[+] File : domains.txt[+] Resolvers : DNS.txt[+] Rate Limit : unlimited[+] Rate Limit (Trusted) : 500 qps[+] Wildcard Threads : 100[+] Wildcard Tests : 3------------------------------------------------------------Resolving domains with public resolvers[ETA 00:00:00] |██████████████████████████████████████| 13/13 rate: 13 qps (time: 00:0[ETA 00:00:00] |██████████████████████████████████████| 13/13 rate: 13 qps (time: 00:0[ETA 00:00:00] |██████████████████████████████████████| 13/13 rate: 13 qps (time: 00:0[ETA 00:00:00] |██████████████████████████████████████| 13/13 rate: 13 qps (time: 00:00:00)Detecting wildcard root subdomains[ETA 00:00:00] |██████████████████████████████████████| 7/7 queries: 0 (time: 00:00:00)Validating domains against trusted resolvers[ETA 00:00:00] |██████████████████████████████████████| 7/7 rate: 7 qps (time: 00:00:0[ETA 00:00:00] |██████████████████████████████████████| 7/7 rate: 7 qps (time: 00:00:0[ETA 00:00:00] |██████████████████████████████████████| 7/7 rate: 7 qps (time: 00:00:00)Found 7 valid domains:shubertorg.comshubertticketing.comtelechargeoffers.comforrestham.cominsiteticketing.comtelecharge.combroadwayinbound.com

NOTE:

-r parameter needs to be supplied a DNS resolvers file.

3. Saving the results to files

puredns -r DNS.txt resolve domains.txt -w results.txtFast and accurate DNS resolving and bruteforcingCrafted with <3 by @d3mondevhttps://github.com/sponsors/d3mondev------------------------------------------------------------[+] Mode : resolve[+] File : domains.txt[+] Resolvers : DNS.txt[+] Rate Limit : unlimited[+] Rate Limit (Trusted) : 500 qps[+] Wildcard Threads : 100[+] Wildcard Tests : 3[+] Write Domains : results.txt------------------------------------------------------------Resolving domains with public resolvers[ETA 00:00:00] |██████████████████████████████████████| 13/12 rate: 13 qps (time: 00:00:00[ETA 00:00:00] |██████████████████████████████████████| 13/12 rate: 13 qps (time: 00:00:00[ETA 00:00:00] |██████████████████████████████████████| 13/12 rate: 13 qps (time: 00:00:00[ETA 00:00:00] |██████████████████████████████████████| 13/12 rate: 13 qps (time: 00:00:00)Detecting wildcard root subdomains[ETA 00:00:00] |██████████████████████████████████████| 7/7 queries: 0 (time: 00:00:00)Validating domains against trusted resolvers[ETA 00:00:00] |██████████████████████████████████████| 7/7 rate: 7 qps (time: 00:00:00)Found 7 valid domains:shubertorg.comshubertticketing.combroadwayinbound.comtelecharge.comforrestham.comtelechargeoffers.cominsiteticketing.comlsDNS.txt domains.txt results.txt

Summary

In this post , we have learnt the top 5 tools used for Subdomain Enumeration in Web application Pentesting. All the tools in this post are very essential for a web application pentest and I would advise to at least use 3 tools combined for a Web Pentest. If you are just getting started with Security , then please checkout our in-depth articles on Ethical Hacking. If you encounter issues in any of the commands above, please let us know in the comments below.

Top 5 Subdomain Enumeration Tools [Web Application Pentest] | GoLinuxCloud (2024)

References

Top Articles
Latest Posts
Recommended Articles
Article information

Author: Ray Christiansen

Last Updated:

Views: 6123

Rating: 4.9 / 5 (49 voted)

Reviews: 80% of readers found this page helpful

Author information

Name: Ray Christiansen

Birthday: 1998-05-04

Address: Apt. 814 34339 Sauer Islands, Hirtheville, GA 02446-8771

Phone: +337636892828

Job: Lead Hospitality Designer

Hobby: Urban exploration, Tai chi, Lockpicking, Fashion, Gunsmithing, Pottery, Geocaching

Introduction: My name is Ray Christiansen, I am a fair, good, cute, gentle, vast, glamorous, excited person who loves writing and wants to share my knowledge and understanding with you.