
How to Find Subdomains of a Domain in Minutes

Hey friend! Did you know that discovering all the subdomains of a domain can reveal hidden weak points and data leaks?

Subdomains often contain loosely protected backends and expired domains ripe for takeover. As a white-hat hacker and security enthusiast, I think finding subdomains is a crucial first step during reconnaissance.

In this guide, I'll share my top tips to quickly find all subdomains of any target domain in minutes.

Why Subdomain Discovery is Important

Before we jump into the tools, let me convince you why subdomain enumeration is so darn useful:

1. Find hidden entry points

Subdomains represent discrete domains associated with the main site. Companies often hide development, staging or admin panels under obscure subdomains. Finding these reveals hidden parts beyond the public website.

In 2020, Tesla's subdomain https://green.tesla.com was discovered, which hosted sensitive employee information completely unprotected! Oops.

2. Understand attack surface

Knowing all subdomains allows you to comprehensively map out an organization's external digital footprint. This gives you the full scope of what could be attacked or breached.

Think of it like surveying a border to map all entry points for better security. Subdomains are an organization's digital border.

3. Detect shadow IT

Ever had that colleague who spins up tech solutions in the dark without telling anyone? Shadow IT is a real problem.

Subdomain scanning can reveal rogue subdomains and hosting accounts created by employees. This allows compromised assets to be found and secured.

According to Gartner, 30% of corporate tech spending happens outside IT's purview. That's pretty damn high for shadow IT!

4. Uncover takeovers

When subdomains expire and their DNS lapses, attackers can opportunistically take them over to host malware, phishing pages, etc.

Discovering forgotten subdomains before the bad guys do allows organizations to remediate them. An ounce of prevention is worth a pound of cure!

5. Reveal dependencies

Modern web apps are a spiderweb of integrations and microservices. Subdomains often represent backends, APIs and middleware the main site relies on.

Mapping subdomains allows you to diagram all the dependencies to understand attack vectors better.

6. Bypass security

Subdomains may follow different security rules than the main site. For instance, cookie scopes or CORS policies may be misconfigured, allowing exploits.

Finding lax subdomains can help you bypass the security of the main site. Subdomains are great pivots for penetration testing!

According to Datanyze, the average number of subdomains per website is 29! That‘s a massive attack surface.

So in summary, subdomain enumeration provides total visibility into an organization's external digital assets. This allows you to audit their security better and uncover hidden weak spots.

Now let's dig into my favorite tools and techniques to find subdomains quickly!

Top Subdomain Discovery Tools and Databases

Passive Subdomain Discovery

Passive discovery relies on aggregating and searching existing subdomain databases and DNS records. It is safe, fast and provides a wider set of historical results.

Let's explore some powerful passive discovery tools:

Censys

Censys continuously scans the entire IPv4 space and indexes data on hostnames, certificates and more. All subdomain data is available for search and export.

To use Censys subdomain search:

  1. Sign up for a free account

  2. Click on "View in Search" in the Certificates tab

  3. Type parsed.names: domain.com, replacing domain.com with your target domain

This reveals subdomains along with first seen dates – perfect for historical discoveries.

[Image: Censys Subdomain Search]

Censys is free to use but limited to 250 searches daily in the free tier, which is decent for most bug bounty hunters.

Certificate Transparency Logs

SSL certificates for subdomains are recorded in public Certificate Transparency logs as part of the protocol. Searching these logs using Google's CT search reveals associated subdomains.

To use it:

  1. Go to https://transparencyreport.google.com/https/certificates

  2. Enter the domain and hit Search

This brings up all current and historical subdomains recorded in certificate logs. The coverage may not be as comprehensive as Censys, but it's still a handy data source.
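Here is an added example (my own, not code from the original post) of what to do with the certificate records once you export them from a Censys search or a CT log lookup: pull out only the in-scope hostnames, normalise wildcard and mixed-case entries, and keep the earliest validity start as a first-seen date. The record shape (parsed.names and parsed.validity.start) follows Censys's certificate fields; the sample records and the example.com names in them are constructed.

```python
"""Extract in-scope subdomains (with first-seen dates) from certificate records.

Added example, not code from the original post. Assumes each record looks like
Censys's certificate documents:
{"parsed": {"names": [...], "validity": {"start": "..."}}}
"""
from typing import Dict, Iterable, Mapping


def normalise(name: str) -> str:
    """Lowercase, drop a trailing dot and a leading wildcard label ('*.')."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    return name


def in_scope(name: str, domain: str) -> bool:
    """Only true subdomains of ``domain``: the apex itself and look-alikes such as
    'notexample.com' or 'example.com.evil.test' are rejected."""
    return name.endswith("." + domain)


def extract_subdomains(records: Iterable[Mapping], domain: str) -> Dict[str, str]:
    """Return {subdomain: earliest certificate validity start as YYYY-MM-DD}."""
    domain = normalise(domain)
    first_seen: Dict[str, str] = {}
    for rec in records:
        parsed = rec.get("parsed", {})
        start = str(parsed.get("validity", {}).get("start", ""))[:10]
        for raw in parsed.get("names", []):
            name = normalise(raw)
            if not in_scope(name, domain):
                continue
            prev = first_seen.get(name)
            # Keep the earliest dated sighting; an undated one never overwrites a dated one.
            if prev is None or (start and (not prev or start < prev)):
                first_seen[name] = start
    return first_seen


# Constructed sample records, not real Censys output.
SAMPLE_RECORDS = [
    {"parsed": {"names": ["www.example.com", "example.com"],
                "validity": {"start": "2021-03-01T00:00:00Z"}}},
    {"parsed": {"names": ["*.dev.example.com", "WWW.example.com."],
                "validity": {"start": "2019-11-15T00:00:00Z"}}},
    {"parsed": {"names": ["api.example.com", "api.notexample.com",
                          "example.com.evil.test"],
                "validity": {"start": "2022-06-30T00:00:00Z"}}},
]


if __name__ == "__main__":
    found = extract_subdomains(SAMPLE_RECORDS, "example.com")
    for name, seen in sorted(found.items(), key=lambda kv: kv[1]):
        print(f"{seen}  {name}")
```

The suffix check uses "." + domain on purpose: a plain endswith("example.com") would happily accept api.notexample.com, which is exactly the kind of out-of-scope host you do not want in a recon list.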

DNSDB

DNSDB by Farsight Security passively collects DNS lookup records from a sensor network to create historical DNS resolutions.

The Community Edition provides access to their comprehensive DNS database including subdomains.

To look up subdomains on DNSDB:

  1. Go to https://www.dnsdb.info/

  2. Enter the target domain under Lookup Domain

  3. Hit Lookup to fetch all associated subdomains

The Community Edition allows 300 lookups daily, which is pretty decent for most use cases.

[Image: DNSDB Subdomain Lookup]

Between Censys, CT logs and DNSDB, you can get great coverage of historical subdomains passively without sending traffic to the target domain.

Now let's look at some active discovery techniques.

Active Subdomain Discovery

Active discovery relies on querying the target domain's name servers and brute forcing common names. This can reveal additional subdomains not in passive datasets.

Let's go over some powerful active discovery tools and techniques:

Subfinder

Subfinder is an actively maintained Golang-based open-source reconnaissance tool created by @projectdiscovery. It can discover subdomains using sources like search engines, certificate transparency logs, passive DNS data and more.

To use Subfinder:

  1. Install Go on your system

  2. Run go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest (the @latest version suffix is required when installing outside a Go module)

  3. Execute subfinder -d domain.com to run against a domain

The default sources provide decent coverage, and you can add more sources and plugins. Subfinder is fast, continually updated, and suitable for bug bounty hunters.

[Image: Subfinder Subdomain Discovery]

Amass

Developed by OWASP, Amass performs subnet mapping by actively querying DNS name servers. It integrates directly with mapping tools like Maltego.

Amass supports brute forcing, scraping search engines, reverse DNS sweeping, TLS certificates and more sources for best results.

Using Amass:

  1. Get the binary for your system from GitHub

  2. Run amass enum -d domain.com to start a scan

Amass actively queries DNS servers and multiple sources to brute force and enumerate subdomains. The OWASP pedigree makes it a reliable choice.

MassDNS

Iterating over a subdomain wordlist and resolving it using DNS queries reveals alive subdomains. MassDNS makes this brute forcing extremely fast by concurrently sending out hundreds of queries.

Usage:

  1. Get the prebuilt binaries from GitHub

  2. Run ./massdns -r resolvers.txt -t A -o S -w results.txt names.txt

This resolves every hostname in names.txt (your wordlist already joined to domain.com, one full name per line) across the resolvers in resolvers.txt and writes the results to results.txt (-w names the output file).

MassDNS can test hundreds of thousands of subdomains in minutes. But beware – misuse can get IPs banned for abuse!

Subzy

Subzy developed by @LukaSikic passively monitors your DNS traffic and identifies new subdomains requested by your applications and devices. This reveals subdomains you didn't even know existed!

Using Subzy:

  1. Install Subzy on Linux or MacOS

  2. Configure Subzy to listen on your local DNS resolver

  3. Let it passively monitor your network's DNS traffic for a few days

  4. Check the output for newly discovered subdomains

Subzy relies on monitoring your network's natural DNS requests to uncover hidden subdomains. Super neat!

Subdomain Takeover Scanners

Subdomain takeover occurs when a service like AWS S3 or Heroku that a subdomain points to is deleted or expires. This allows you to claim the orphaned subdomain.

Tools like subjack and tko-subs by @haccer actively scan subdomains to detect ones vulnerable to takeover.

For example, running:

subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt

will attempt takeover against the subdomains list and output the vulnerable ones.

Subdomain takeover scanners automate the process of finding expired subdomains. This allows you to secure them or conduct ethical takeovers.

Subdomain Discovery Services

Manually running tools can be complex. These online services provide subdomain discovery with an easy interface:

1. Chaos

Chaos provides OSINT APIs including subdomain discovery. Just pass a domain to the Chaos Subdomain API and it returns results scraped from search engines, archives, bug bounty platforms and more:

curl -s https://chaos-api.projectdiscovery.io/subdomain/uber.com | jq

2. subdomain.watch

subdomain.watch is a freemium online subdomain discovery service. It combines active brute forcing with data from search engines, DNS resolvers, certificates, etc.

The free plan allows 2 searches daily – adequate for most use cases.

3. Spyse

Spyse offers subdomain lookups and monitoring as part of their broader cyber OSINT platform.

The standard plan allows 20 domain searches daily which is decent for individuals.

These online services provide an API/browser-based option if you don't want to install and run your own tools.

Subdomain Discovery Github Resources

There are tons of individual scripts and tools for subdomain discovery on Github.

Curated lists like notify/subdomain-discovery-list and bitquark/subdomains can help you find Github projects.

Also explore repositories of subdomain researchers like edoardottt, gwen001 and jonluca for finder scripts beyond the well-known tools.

GitHub is a treasure trove of subdomain discovery utilities if you search and experiment beyond the popular tools.

Subdomain Discovery Methodology and Workflow

Now that you know the top tools and databases, let's build a streamlined workflow for subdomain discovery.

Comprehensive Subdomain Discovery Workflow

For comprehensive results, I recommend a 4-step methodology:

Passive Discovery

Use databases like Censys, DNSDB, Netcraft etc. to retrieve existing historical subdomain records.

Search Engines

Scrape search engines like Google and Bing for additional subdomains.

Brute Forcing

Use wordlist mutation and resolvers like MassDNS to brute force potential names.

Active Scanning

Scan the domain with Amass, Subfinder, and enumerators to actively populate DNS.

This full workflow using the best tools will provide the most complete subdomain mapping:

[Image: Comprehensive Subdomain Discovery Workflow]

With this methodology you can discover even obscure or old subdomains in addition to newer ones.

Now let's optimize it based on your specific needs:

Optimized Discovery Workflow

If you just need a quick list of currently active subdomains, optimize the workflow:

Passive

  • Use Subdomains.app to aggregate data from 75+ sources

Active

  • Use Subfinder to actively enumerate subdomains
  • Use Amass for targeted brute forcing

This condensed workflow focuses on active discovery while still leveraging some passive data:

[Image: Optimized Subdomain Discovery Workflow]

You'll miss historical subdomains but the result will contain currently resolvable ones.

So in summary:

  • Use the comprehensive workflow during penetration tests or full recon.

  • Use the optimized workflow when you just need currently active subdomains quickly.

Customize these workflows to suit your specific needs and timeframe.

Avoid Getting Flagged During Discovery

Since active subdomain discovery involves heavy use of resolvers, you may get flagged or blocked for abuse.

Here are some tips to avoid getting blocked:

Rotate User Agents

Switch up your user agent regularly so all traffic doesn't look the same.

Slow Your Tools Down

If the tool allows it, use slower timing options like --delay to add latency between requests.

Spread Across Resolvers

Split the workload across multiple public resolvers instead of hammering just a few.

Proxy Your Queries

Proxying tools via Burp or Proxychains adds IP diversity and avoids blocks.

Limit Wildcards

Wildcard DNS responses make active brute forcing inefficient, so focus on tools that filter out wildcards intelligently.
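The two pieces of glue that the MassDNS section and the wildcard tip above both need, as an added example that is mine and not code from the original post or the MassDNS project: build the list of full hostnames MassDNS takes as input (wordlist joined to the domain, plus a few random "canary" labels that should not exist), then parse the -o S simple output and throw away names that only ever return the wildcard's answer. The output lines and the fixed canary below are constructed sample data.

```python
"""Prepare a MassDNS run and filter wildcard noise out of its output.

Added example, not code from the original post or from the MassDNS project.
Assumes the '-o S' (simple) output format: one 'name. TYPE data' record per line.
"""
import secrets
from typing import Dict, Iterable, List, Set, Tuple

Answers = Dict[str, Set[Tuple[str, str]]]   # hostname -> {(record type, data)}


def candidate_names(words: Iterable[str], domain: str) -> List[str]:
    """Join each wordlist entry to the domain: the full hostnames MassDNS resolves."""
    seen: Set[str] = set()
    names: List[str] = []
    for word in words:
        word = word.strip().lower().strip(".")
        if word and word not in seen:
            seen.add(word)
            names.append(f"{word}.{domain}")
    return names


def canary_names(domain: str, count: int = 3) -> List[str]:
    """Random labels that should not exist; if they resolve, the zone is a wildcard."""
    return [f"{secrets.token_hex(8)}.{domain}" for _ in range(count)]


def parse_simple_output(lines: Iterable[str]) -> Answers:
    """Parse '-o S' lines into {hostname: {(type, data)}}, normalising trailing dots."""
    answers: Answers = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        name, rtype, data = parts
        answers.setdefault(name.rstrip(".").lower(), set()).add(
            (rtype.upper(), data.rstrip(".")))
    return answers


def filter_wildcards(answers: Answers, canaries: Iterable[str]) -> Answers:
    """Drop the canaries themselves and any name whose answers are only the wildcard's."""
    canary_set = {c.lower() for c in canaries}
    wildcard: Set[Tuple[str, str]] = set()
    for canary in canary_set:
        wildcard |= answers.get(canary, set())
    kept: Answers = {}
    for name, recs in answers.items():
        if name in canary_set:
            continue
        if wildcard and recs <= wildcard:   # nothing beyond the wildcard answer: noise
            continue
        kept[name] = recs
    return kept


# Constructed sample: a fixed canary and a fake '-o S' run, so the demo is reproducible.
SAMPLE_CANARIES = ["zz9f1a2b3c4d5e6f.example.com"]
SAMPLE_OUTPUT = """\
www.example.com. A 198.51.100.10
api.example.com. A 198.51.100.20
zz9f1a2b3c4d5e6f.example.com. A 198.51.100.99
ghost.example.com. A 198.51.100.99
mail.example.com. CNAME mailhost.example.net.
mailhost.example.net. A 198.51.100.30
""".splitlines()


if __name__ == "__main__":
    # Real run: write candidate_names(...) + canary_names(...) to names.txt, then
    # ./massdns -r resolvers.txt -t A -o S -w results.txt names.txt
    live = filter_wildcards(parse_simple_output(SAMPLE_OUTPUT), SAMPLE_CANARIES)
    for name in sorted(live):
        print(name, sorted(live[name]))
```

ghost.example.com is dropped because its only answer is the same address the canary got back, while a name that returns anything the wildcard does not (a different A record, a CNAME) survives. Note that the CNAME target mailhost.example.net also shows up in the parsed output, since MassDNS reports the whole answer chain; filter by domain suffix afterwards if you only want in-scope names.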

Stay Under Radar

Avoid going too fast. It's better to be slow and stealthy than fast and flagged.

Monitor Ratelimits

Keep an eye out for any 429 or 503 errors that indicate you triggered a ratelimit.

With these precautions, you'll avoid irritating DNS providers and continue subdomain discovery uninterrupted!

Subdomain Discovery Using PassiveRecon Framework

PassiveRecon is an OSINT framework created by @xmcy0011 to automate passive reconnaissance including subdomain discovery.

It pulls data from GitHub, Censys, Shodan, Google, Baidu, Bing and more to aggregate subdomains.

Using PassiveRecon:

  1. Git clone the repo to your system

  2. Run pip3 install -r requirements.txt to install dependencies

  3. Execute python3 passiverecon.py -d domain.com

This will automatically aggregate subdomains from 30+ sources and output results.

The cool part is you can also enable active engine integration like Subfinder for hybrid passive + active discovery!

[Image: PassiveRecon Framework]

PassiveRecon is an automated framework that codifies the entire discovery workflow for you. Worth exploring!

Monitoring New Subdomain Registrations

After discovering all existing subdomains, you need to monitor for newly created ones as well. Services like Whoxy, dnstwister and Anubis can notify you when new subdomains are registered in real-time.

Whoxy has flexible filters like:

*.domain.com – alerts on all new subdomains

test.*.domain.com – track subdomains matching a pattern

domain.com NOT www – all except one subdomain

With subdomain monitoring, you can automatically flag new subdomains in an ongoing manner.
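Here is an added example (mine, not code from the original post or from any of the services named) that ties the workflow and monitoring ideas together in one place: merge the lists that several tools produced while keeping track of which tool reported each name, sort resolvable names first as the tips later recommend, and diff today's snapshot against yesterday's to flag newcomers. The filter syntax it accepts ('*.domain.com', 'test.*.domain.com', 'domain.com NOT www') is a hypothetical glob-based reimplementation of the patterns quoted above, not Whoxy's matcher; the tool output and snapshots are constructed.

```python
"""Merge subdomain results from several tools, keep provenance, and flag new names.

Added example, not code from the original post. The filter syntax handled here
('*.domain.com', 'test.*.domain.com', 'domain.com NOT www') is a hypothetical,
glob-based reimplementation of the patterns the post quotes, not Whoxy's matcher.
"""
import fnmatch
from typing import Dict, Iterable, List, Mapping, Set, Tuple

Row = Tuple[str, bool, List[str]]   # (hostname, currently resolves?, tools that reported it)


def merge_results(per_tool: Mapping[str, Iterable[str]], active: Iterable[str]) -> List[Row]:
    """One row per hostname, active (resolvable) names first, then alphabetical."""
    active_set = {a.strip().lower() for a in active}
    sources: Dict[str, Set[str]] = {}
    for tool, names in per_tool.items():
        for raw in names:
            name = raw.strip().lower().rstrip(".")
            if name:
                sources.setdefault(name, set()).add(tool)
    rows = [(name, name in active_set, sorted(tools)) for name, tools in sources.items()]
    rows.sort(key=lambda row: (not row[1], row[0]))
    return rows


def matches_filter(name: str, flt: str) -> bool:
    """Glob match; a bare domain means any subdomain of it; 'NOT label' drops one leftmost label."""
    pattern, _, excluded = flt.partition(" NOT ")
    pattern = pattern.strip().lower()
    if "*" not in pattern:
        pattern = "*." + pattern
    if not fnmatch.fnmatchcase(name, pattern):
        return False
    return not (excluded and name.split(".")[0] == excluded.strip().lower())


def new_subdomains(previous: Iterable[str], current: Iterable[str],
                   filters: Iterable[str]) -> List[str]:
    """Hostnames seen now but not in the previous snapshot, kept if any filter matches."""
    prev = {n.strip().lower() for n in previous}
    fresh = sorted({n.strip().lower() for n in current} - prev)
    flist = list(filters)
    return [n for n in fresh if any(matches_filter(n, f) for f in flist)]


# Constructed sample data, not real tool output.
SAMPLE_TOOLS = {
    "subfinder": ["www.example.com", "api.example.com"],
    "amass": ["API.example.com", "old.example.com."],
    "censys": ["old.example.com", "dev.example.com"],
}
SAMPLE_ACTIVE = ["www.example.com", "api.example.com"]
YESTERDAY = ["www.example.com", "api.example.com"]
TODAY = ["www.example.com", "api.example.com", "test.staging.example.com", "dev.example.com"]


if __name__ == "__main__":
    for name, is_active, tools in merge_results(SAMPLE_TOOLS, SAMPLE_ACTIVE):
        print("ACTIVE " if is_active else "PASSIVE", name, ",".join(tools))
    print("new today:", new_subdomains(YESTERDAY, TODAY, ["example.com NOT dev"]))
```

Keeping the reporting tool beside each name pays off later: a host that only one passive source ever mentioned and that never resolved is a prime candidate for the "forgotten subdomain" cleanup the takeover section talks about.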

Subdomain Discovery Using APIs

Many online subdomain discovery services like Chaos, Spyse, Whoxy, SecurityTrails, etc. also offer APIs for automation.

For example, here is a script to call the Chaos API and print subdomains:

import requests

api_url = "https://chaos-api.projectdiscovery.io/subdomain/uber.com"

# Fetch the subdomain list; fail loudly on HTTP errors instead of crashing inside .json()
response = requests.get(api_url, timeout=30)
response.raise_for_status()
for subdomain in response.json():
    print(subdomain)

APIs allow integrating subdomain discovery into your workflows and reporting.

Most vendors offer Python, CLI and NodeJS libraries to call the API easily.
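When you wire an API like this into a scheduled job, the "Monitor Ratelimits" tip above matters more than anywhere else: a 429 or 503 that the script ignores just becomes an empty result set. Here is an added example (mine, not the post's script and not any vendor's client library) of a small fetch routine that honours Retry-After and backs off exponentially on 429/503. The endpoint URL is the one quoted above; the response shapes handled (a bare JSON list, or an object with a "subdomains" list) are assumptions, and the HTTP call is injectable so the retry logic can be exercised offline against a constructed fake.

```python
"""Call a subdomain API politely: honour 429/503 and Retry-After with backoff.

Added example, not code from the original post. The endpoint URL is the one the
post quotes; the response shapes handled (a JSON list, or {"subdomains": [...]})
are assumptions, and the fetch function is injectable so the logic runs offline.
"""
import json
import time
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], bytes]   # (status, headers, body)


def urllib_fetch(url: str) -> Response:
    """Real HTTP GET; HTTP errors come back as (status, headers, body) instead of raising."""
    req = urllib.request.Request(url, headers={"User-Agent": "subdomain-recon-example/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.getcode(), dict(resp.headers.items()), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers.items()), err.read()


def fetch_with_backoff(url: str,
                       fetch: Callable[[str], Response] = urllib_fetch,
                       max_attempts: int = 5,
                       base_delay: float = 1.0,
                       sleep: Callable[[float], None] = time.sleep) -> Tuple[int, bytes, int]:
    """GET with retries on 429/503; returns (final status, body, attempts used)."""
    delay = base_delay
    status, headers, body = fetch(url)
    attempts = 1
    while status in (429, 503) and attempts < max_attempts:
        lower = {k.lower(): v for k, v in headers.items()}
        retry_after = lower.get("retry-after", "")
        # Prefer the server's own Retry-After (seconds); otherwise exponential backoff.
        wait = float(retry_after) if retry_after.strip().isdigit() else delay
        sleep(wait)
        delay = min(delay * 2, 60.0)
        status, headers, body = fetch(url)
        attempts += 1
    return status, body, attempts


def parse_subdomains(body: bytes) -> List[str]:
    """Accept either a bare JSON list or an object with a 'subdomains' list."""
    data = json.loads(body.decode("utf-8"))
    items = data.get("subdomains", []) if isinstance(data, dict) else data
    return sorted({str(s).strip().lower().rstrip(".") for s in items if str(s).strip()})


def fake_rate_limited_fetch() -> Callable[[str], Response]:
    """Constructed stand-in for the API: 429 with Retry-After, then 503, then 200."""
    script: List[Response] = [
        (429, {"Retry-After": "2"}, b""),
        (503, {}, b"busy"),
        (200, {"Content-Type": "application/json"},
         b'{"subdomains": ["api.example.com", "WWW.example.com.", "api.example.com"]}'),
    ]

    def fetch(_url: str) -> Response:
        return script.pop(0) if len(script) > 1 else script[0]   # last answer repeats

    return fetch


if __name__ == "__main__":
    waits: List[float] = []
    status, body, attempts = fetch_with_backoff(
        "https://chaos-api.projectdiscovery.io/subdomain/example.com",
        fetch=fake_rate_limited_fetch(), base_delay=0.5, sleep=waits.append)
    print(status, attempts, waits, parse_subdomains(body))
```

Swap fake_rate_limited_fetch() for the default urllib_fetch to hit the real service; the retry loop is the same either way, which is the point of injecting the transport.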

Tips for Effective Subdomain Discovery

Here are some final tips for making your subdomain discovery more successful:

  • Use passive data first to build a foundation of historical subdomains

  • Always have an active discovery tool like Subfinder or Amass running to catch real-time changes

  • Create targeted wordlists like a brand name, product names, city names etc to brute force related subdomains

  • Sort final subdomains by active ones first, then passive for easy analysis

  • Monitor newly registered subdomains in an ongoing manner for complete visibility

  • For takeovers focus on forgotten subdomains not hosted on popular platforms

  • Multi-day analysis spanning weeks catches short-lived subdomains better

  • Chain complementary tools like Sublist3r > Amass > Subfinder for expanded coverage

  • Stay under the radar to avoid getting flagged or blocked during active discovery

These tips will help you become a subdomain discovery expert!

Conclusion

And there you have it, friend!

We explored numerous tools, techniques and workflows to thoroughly enumerate subdomains for a target domain.

Here are some key things to remember:

☑️ Use passive discovery to get historical subdomain data

☑️ Brute force common names using resolvers and wordlists

☑️ Actively scan to populate DNS with live subdomains

☑️ Chain multiple tools like Subfinder, Amass etc. for best coverage

☑️ Stay stealthy to avoid blocks during active discovery

☑️ Monitor for new subdomain registrations for ongoing visibility

☑️ Use APIs and frameworks to automate discovery at scale

Subdomain mapping is a crucial first step in reconnaissance activities. Mastering subdomain discovery allows you to uncover an organization's hidden weak spots and undiscovered assets.

I hope this guide helps you comprehensively map attack surfaces to improve your defensive recommendations or conduct more thorough penetration tests.

Go forth and use your powers only for good!


Written by Alexis Kestler

A female web designer and programmer - Now is a 36-year IT professional with over 15 years of experience living in NorCal. I enjoy keeping my feet wet in the world of technology through reading, working, and researching topics that pique my interest.