Top 5 Subdomain Enumeration Tools [Web Application Pentest]

Hello Learners, in this article we will learn the different tools used for Subdomain Enumeration of a Web Application Pentest. The Subdomain Enumeration process has evolved a lot in recent years and finding subdomains manually will take forever , thankfully we don't have to since we can use the tools below to easily enumerate the subdomains.

 

How do Subdomain Enumeration Tools work ?

There are 5 methods which most of the Subdomain Enumeration tools use:

Advertisement
  • Google Dorks
  • Brute Forcing
  • Third party services
  • SSL/TLS Certificates
  • DNS Zone Transfers

 

Method-1: Google Dorks

Search Engines like Google and Bing support various operators to make search Queries which are known as Google Dorks.

Site:google.com

This will return the full list of Google Indexed Subdomains , This list basically comes from a Googlebot crawl. This is very useful for finding subdomains which are not protected by the robots.txt configuration.

Bing also supports some operators just like Google , for example the site operator.

Site:yahoo.com

 

Method-2: Brute Forcing

Some subdomain enumeration tools use brute-force and recursive brute-force most of the time with a good wordlist.

So , you can just grab some snacks and the scanners will test all the words in the wordlist to see which subdomains are alive. It’s not very fast but it’s actually the most accurate.

Some tools which use this method are : Amass , SubBrute , Puredns and Fierce.

Advertisement

 

Method-3: Third party services

There are a lot of third party services which collects massive DNS data , so these subdomain enumeration tools can add their API’s as sources and the tools will find the subdomains from each of the service.

Some of the third party services are : VirusTotal , CloudFlare, WaybackMachine .

 

Method-4: SSL Certificates

SSL/TLS Certificates contain information about domain names . subdomain names and email addresses. This practically makes them a treasure for all the hackers.

The best way to look up certificates of a domain is using the below 2 URLs

 

Method-5: DNS Zone Transfer

DNS Zone Transfer is a process through which a DNS Server passes a copy of a part of it’s DNS database to another server. The portion which got replicated is known as zone.This technique only works when the DNS zone is not protected from AXFR requests. Most of the servers are fixed with type of request but still its a method being used by the subdomain enumeration tools till date.

With that in mind , let's get started to learn the best tools for Subdomain-Enumeration.

Advertisement

 

Top 5 Subdomain Enumeration Tools

1. Amass

Amass is an intelligent subdomain-enumeration tool used for Subdomain enumeration and information gathering. Amass, an open source tool, finds subdomains through DNS Enumeration , Network mapping , Certificates and Archives.There are various modules inbuilt in Amass which do the work starting from Gathering information to displaying the results in graphs.

 

1.1 Amass Core Modules

amass intel - Gathering Information 
amass enum - DNS Enumeration and mapping 
amass viz - Visual results
amass track - Track differences between outputs
amass db - Stores all the found results and display the results in various formats

 

1.2 Installation of Amass

OWASP Amass can be installed on Linux OS by the following command :

go get -v github.com/OWASP/Amass/v3/…

Top 5 Subdomain Enumeration Tools [Web Application Pentest]

For Mac OS,

brew tap caffix/amass

brew install amass

For Kali,

sudo apt install amass

Check whether amass is properly installed or not

amass -h 

amass -version

Top 5 Subdomain Enumeration Tools [Web Application Pentest]

 

1.3 Amass Usage

1. Basic command to enumerate the target:

Advertisement
amass enum -d <URL>

Top 5 Subdomain Enumeration Tools [Web Application Pentest]

2. Mention the ports to scan while enumeration

amass enum -d <URL> -p 443,80,8080

3. Passive Recon

amass enum -passive -d <URL> -src

Top 5 Subdomain Enumeration Tools [Web Application Pentest]

4. Search based on ASN

amass intel -asn <ASN ID’s>

Top 5 Subdomain Enumeration Tools [Web Application Pentest]

5.Find ASN ID’s through Organisation name

amass intel -org ‘Org Name’

Top 5 Subdomain Enumeration Tools [Web Application Pentest]

 

2. Assetfinder

Assetfinder is one of the fastest subdomain enumeration tools available in the market . It's an open source tool written in Go by Tomnomnom which uses the following resources to find subdomains.

  • crt.sh
  • certspotter
  • hackertarget
  • threatcrowd
  • wayback machine
  • dns.bufferover.run
  • facebook
  • virustotal
  • Findsubdomains

 

2.1 Installing Assetfinder

1.Check if Go-lang is installed. If it isn’t installed then make sure to install it.

Advertisement
 go --version

2.You can download Assetfinder by running the following command:

go install github.com/tomnomnom/assetfinder@latest

Top 5 Subdomain Enumeration Tools [Web Application Pentest]

3.You can also install Assetfinder by downloading the binaries directly from the following link

https://github.com/tomnomnom/assetfinder/releases

 

4.Check if assetfinder runs fine on your system

assetfinder --help

Top 5 Subdomain Enumeration Tools [Web Application Pentest]

 

2.2 Assetfinder Usage

1.Find domains and subdomains of a specific domain

   assetfinder todoist.com

Top 5 Subdomain Enumeration Tools [Web Application Pentest]

2.Find only the subdomains of a domain

Advertisement
assetfinder –subs-only todoist.com

Subdomain-Enumeration

 

3. Subfinder

Subfinder is an open source subdomain enumeration tool that finds subdomains using passive reconnaissance. Subfinder uses a simple modular architecture and is optimised for speed. It purely built for Passive reconnaissance and it does that very well.

The following resources are used to find the subdomains:

  • Binaryedge
  • C99
  • Certspotter
  • Chingz
  • Censys
  • Chaos
  • DnsDB
  • Fofa
  • Github
  • Intelx
  • PassiveTotal
  • Robtex
  • Shodan
  • Security trails
  • Spyse
  • Virustotal
  • Threatbook
  • Zoomeye

 

3.1 Installation of Subfinder

1.Subfinder requires go 1.17 to be installed on the OS. So make sure to check if you have go installed.

go --version

2.You can then download Subfinder using the following command :

go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

Top 5 Subdomain Enumeration Tools [Web Application Pentest]

3.You can also install Subfinder by downloading the latest release for your respective OS directly from the following link and moving the release to your path:

https://github.com/projectdiscovery/subfinder/releases/tag/v2.4.9

Advertisement

 

4.Check if subfinder is running fine on your system.

subfinder -version

Top 5 Subdomain Enumeration Tools [Web Application Pentest]

 

3.3 Subfinder Usage

1.Find subdomains of a target domain

subfinder -d todoist.com

Top 5 Subdomain Enumeration Tools [Web Application Pentest]

2.To store the output in a file

subfinder -d todoist.com -o results.txt

3.Shows only subdomains silently and saves the result in a file

subfinder  -silent -d todoist.com -o results.txt

Top 5 Subdomain Enumeration Tools [Web Application Pentest]

 

4. Sublist3r

Sublist3r is a python based tool designed to enumerate subdomains using OSINT.Sublist3r enumerates the subdomains using many search engines like Google , Bing , Yahoo, Baidu and Ask.It also enumerates the subdomains using many third party services like VirusTotal , PassiveDNS , Netcraft , DNSDumpster , SSL Certificates.Sublist3r can also bruteforce subdomains using the sub-brute functionality with a good wordlist.

 

4.1 Installing Sublist3r

1. First git clone the directory by the following command

git clone https://github.com/aboul3la/Sublist3r.git

Top 5 Subdomain Enumeration Tools [Web Application Pentest]

2. Next install the dependencies by the following command

sudo pip install -r requirements.txt

Top 5 Subdomain Enumeration Tools [Web Application Pentest]

3. Now check if Sublist3r is running fine on your system or not

python sublist3r.py -h

Top 5 Subdomain Enumeration Tools [Web Application Pentest]

 

4.2 Sublist3r Usage

1. Enumerate subdomains of a specific domain

python sublist3r.py -d example.com

Top 5 Subdomain Enumeration Tools [Web Application Pentest]

2. Enumerate subdomains of specific domain and show only subdomains which have open ports 80 and 443

python sublist3r.py -d example.com -p 80,443

Top 5 Subdomain Enumeration Tools [Web Application Pentest]

3. To enumerate subdomains and use specific engines such Google, Yahoo and Virustotal engines

python sublist3r.py -e google,yahoo,virustotal -d example.com

4. To enumerate subdomains and enable the bruteforce module

python sublist3r.py -b -d example.com

 

5. PureDns

Puredns is a subdomain brute forcing tool that improves massdns to accurately handle wildcard subdomains and DNS poisoning. It’s easy to use and can be integrated into workflows, it ensures the results obtained by public resolvers are clean.

Features:

  • Resolve thousands of DNS queries per second using massdns and a list of public DNS resolvers
  • Bruteforce subdomains using a wordlist and a root domain
  • Clean wildcards and detect wildcard roots using the minimal number of queries to ensure precise results
  • Validate that the results are free of DNS poisoning by running against a list of known, trusted resolvers

 

5.1 Installing PureDns

1. First, Puredns requires massdns binary to be present on the system. So make sure that massdns is installed. You can check if massdns is installed or not by the following command

massdns -h

Top 5 Subdomain Enumeration Tools [Web Application Pentest]

2. If massdns is not installed , execute the following commands

git clone https://github.com/blechschmidt/massdns.git

cd massdns

make

sudo make install

3. After you have verified that massdns is installed, execute the following command

go install github.com/d3mondev/puredns/v2@latest

Top 5 Subdomain Enumeration Tools [Web Application Pentest]

4. Verify if puredns is working fine or not by the following command

puredns --help

 

5.2 Puredns Usage

1. Bruteforce subdomains using wordlist file

puredns -r DNS.txt bruteforce wordlist.txt domain.com

Top 5 Subdomain Enumeration Tools [Web Application Pentest]

Note: wordlist.txt contains all the words for bruteforcing subdomains, wordlists can be found on SecLists Github.

2. Resolving list of domains one per line

puredns -r DNS.txt resolve domains.txt

Fast and accurate DNS resolving and bruteforcing

Crafted with <3 by @d3mondev
https://github.com/sponsors/d3mondev

------------------------------------------------------------
[+] Mode : resolve
[+] File : domains.txt
[+] Resolvers : DNS.txt
[+] Rate Limit : unlimited
[+] Rate Limit (Trusted) : 500 qps
[+] Wildcard Threads : 100
[+] Wildcard Tests : 3
------------------------------------------------------------

Resolving domains with public resolvers
[ETA 00:00:00] |██████████████████████████████████████| 13/13 rate: 13 qps (time: 00:0[ETA 00:00:00] |██████████████████████████████████████| 13/13 rate: 13 qps (time: 00:0[ETA 00:00:00] |██████████████████████████████████████| 13/13 rate: 13 qps (time: 00:0[ETA 00:00:00] |██████████████████████████████████████| 13/13 rate: 13 qps (time: 00:00:00)

Detecting wildcard root subdomains
[ETA 00:00:00] |██████████████████████████████████████| 7/7 queries: 0 (time: 00:00:00)

Validating domains against trusted resolvers
[ETA 00:00:00] |██████████████████████████████████████| 7/7 rate: 7 qps (time: 00:00:0[ETA 00:00:00] |██████████████████████████████████████| 7/7 rate: 7 qps (time: 00:00:0[ETA 00:00:00] |██████████████████████████████████████| 7/7 rate: 7 qps (time: 00:00:00)

Found 7 valid domains:
shubertorg.com
shubertticketing.com
telechargeoffers.com
forrestham.com
insiteticketing.com
telecharge.com
broadwayinbound.com
NOTE:

-r parameter needs to be supplied a DNS resolvers file.

3. Saving the results to files

puredns -r DNS.txt resolve domains.txt -w results.txt

Fast and accurate DNS resolving and bruteforcing

Crafted with <3 by @d3mondev
https://github.com/sponsors/d3mondev

------------------------------------------------------------
[+] Mode : resolve
[+] File : domains.txt
[+] Resolvers : DNS.txt
[+] Rate Limit : unlimited
[+] Rate Limit (Trusted) : 500 qps
[+] Wildcard Threads : 100
[+] Wildcard Tests : 3
[+] Write Domains : results.txt
------------------------------------------------------------

Resolving domains with public resolvers
[ETA 00:00:00] |██████████████████████████████████████| 13/12 rate: 13 qps (time: 00:00:00[ETA 00:00:00] |██████████████████████████████████████| 13/12 rate: 13 qps (time: 00:00:00[ETA 00:00:00] |██████████████████████████████████████| 13/12 rate: 13 qps (time: 00:00:00[ETA 00:00:00] |██████████████████████████████████████| 13/12 rate: 13 qps (time: 00:00:00)

Detecting wildcard root subdomains
[ETA 00:00:00] |██████████████████████████████████████| 7/7 queries: 0 (time: 00:00:00)

Validating domains against trusted resolvers
[ETA 00:00:00] |██████████████████████████████████████| 7/7 rate: 7 qps (time: 00:00:00)

Found 7 valid domains:
shubertorg.com
shubertticketing.com
broadwayinbound.com
telecharge.com
forrestham.com
telechargeoffers.com
insiteticketing.com

ls
DNS.txt domains.txt results.txt

 

Summary

In this post , we have learnt the top 5 tools used for Subdomain Enumeration in Web application Pentesting. All the tools in this post are very essential for a web application pentest and I would advise to at least use 3 tools combined for a Web Pentest. If you are just getting started with Security , then please checkout our in-depth articles on Ethical Hacking. If you encounter issues in any of the commands above, please let us know in the comments below.

Didn't find what you were looking for? Perform a quick search across GoLinuxCloud

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can either use the comments section or contact me form.

Thank You for your support!!

Leave a Comment

X