How do I get a list of all subdomains of a domain?


How to Enumerate All Subdomains of a Domain


Discover various techniques, from basic DNS queries to advanced OSINT tools, for effectively listing subdomains associated with a target domain. Learn about active and passive reconnaissance methods.

Enumerating subdomains is a crucial step in reconnaissance for penetration testing, security auditing, and understanding an organization's digital footprint. Subdomains can often reveal hidden assets, forgotten applications, or misconfigured services that might not be directly linked to the main domain. This article explores several methods, both active and passive, to uncover these valuable pieces of information.

Understanding Subdomain Enumeration

Subdomain enumeration involves discovering valid subdomains for a given domain. For instance, subdomains of example.com could include www.example.com, mail.example.com, dev.example.com, or api.example.com. The process can be broadly categorized into two types: active and passive.

Figure: decision tree for choosing between active and passive subdomain enumeration. Active enumeration branches into 'Direct DNS Queries' and 'Brute-Forcing'; passive enumeration branches into 'OSINT' and 'DNS Records'.

Active vs. Passive Subdomain Enumeration Methods

Active enumeration involves directly interacting with the target's DNS servers or web infrastructure, which can be noisy and detectable. Passive enumeration, on the other hand, relies on publicly available information and third-party services, making it stealthier but potentially less comprehensive.

Passive Subdomain Enumeration Techniques

Passive methods leverage existing data collected by various internet services. These methods are generally safer as they don't directly interact with the target's systems.

1. Search Engine Queries (Google Dorking)

Search engines like Google, Bing, and DuckDuckGo often index subdomains. Using specific search operators can help in discovering them.

site:example.com -www

This query searches for all pages under example.com, excluding those from the www subdomain.

2. DNS Record Databases

Many websites archive DNS records, which can be queried to find historical and current subdomains. Popular services include DNSDumpster, Shodan, and Censys.

curl -s "https://dnsdumpster.com/static/map/example.com.png" -o example_dns.png

Using curl to fetch a DNS map image from DNSDumpster. This URL is illustrative only; substitute the service's actual API or export endpoint if one is available.

3. Certificate Transparency Logs

Certificate Transparency (CT) logs record every SSL/TLS certificate issued by Certificate Authorities. These certificates often contain subdomain names, revealing domains that might not be publicly linked or indexed elsewhere.

curl -s "https://crt.sh/?q=%25.example.com&output=json" | jq -r '.[].name_value' | sort -u

Querying crt.sh for certificates matching %.example.com and parsing the JSON output. Each name_value field may hold several newline-separated names (and wildcard entries such as *.example.com), which jq prints one per line and sort -u de-duplicates.
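The one-liner above leaves two things for the reader to sort out by hand: name_value fields that pack several hostnames into one string, and wildcard or out-of-scope names that should not be treated as real subdomains. The following added example (not code from the original page or from crt.sh) does that cleanup in Python. It runs against a constructed, inline sample of crt.sh-style JSON rather than a live query, and keeps wildcard certificate names apart from concrete hostnames so they can be reported separately.

```python
"""Turn crt.sh-style JSON into a clean set of in-scope hostnames.

Added example; the SAMPLE_CRTSH_JSON below is constructed to look like the
records crt.sh returns for ?q=%25.example.com&output=json and is not live data.
"""
import json
from typing import Set, Tuple

SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     # several names in one field, separated by newlines
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.example.com",
     # wildcard certificate: tells you nothing about which hosts exist
     "name_value": "*.example.com\nexample.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "API.Example.com",
     # mixed case and a duplicate, both common in real logs
     "name_value": "API.Example.com\nmail.example.com\nmail.example.com"},
    {"issuer_name": "C=US, O=Some CA, CN=Some CA Issuer",
     "common_name": "notexample.com",
     # looks similar but is a different registrable domain: out of scope
     "name_value": "notexample.com\nexample.com.attacker.test"},
])


def parse_crtsh(raw_json: str, domain: str) -> Tuple[Set[str], Set[str]]:
    """Return (concrete hostnames under `domain`, wildcard names seen).

    Scope is enforced with a dot-prefixed suffix match, so notexample.com and
    example.com.attacker.test are rejected even though both contain the string
    'example.com'.
    """
    domain = domain.lower().rstrip(".")
    suffix = "." + domain
    hosts: Set[str] = set()
    wildcards: Set[str] = set()

    for record in json.loads(raw_json):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name:
                continue
            if name.startswith("*."):
                # Record the wildcard, then consider only the part it covers.
                wildcards.add(name)
                name = name[2:]
            if name == domain or name.endswith(suffix):
                hosts.add(name)
    return hosts, wildcards


if __name__ == "__main__":
    found, wild = parse_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    for host in sorted(found):
        print(host)
    if wild:
        print("wildcard certificates seen:", ", ".join(sorted(wild)))
```

To use it against real data, feed the body of the crt.sh response into parse_crtsh instead of SAMPLE_CRTSH_JSON. The wildcard set is worth keeping: a *.example.com certificate means CT logs will not enumerate the hosts behind it, so those must come from other passive sources or from active resolution.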

Active Subdomain Enumeration Techniques

Active methods involve direct interaction with DNS servers and can be more thorough, but they also carry a higher risk of detection.

1. Brute-Forcing with Wordlists

This method involves attempting to resolve a large list of common subdomain names (e.g., admin, dev, api, blog) combined with the target domain. Tools like gobuster, ffuf, and dnsenum automate this process; subfinder, shown below, primarily aggregates results from passive sources and is used in the same way.

subfinder -d example.com -o subdomains.txt

Using subfinder to find subdomains for example.com and save them to a file.

2. DNS Zone Transfer

If a DNS server is misconfigured, it might allow an unauthorized zone transfer, which provides a full list of all records (including subdomains) for a domain. This is rare but highly effective when found.

dig axfr @ns1.example.com example.com

Attempting a zone transfer from ns1.example.com for example.com. A correctly configured nameserver refuses the request and dig reports "Transfer failed."; a full listing of records indicates the server should be restricted to its secondaries.

Recommended Workflow

A robust subdomain enumeration strategy often involves combining several tools and techniques. Here's a suggested workflow:

1. Start with passive methods: Use crt.sh, DNSDumpster, and search engine dorking to gather initial subdomains.

2. Leverage automated passive tools: Run tools like subfinder and assetfinder, which aggregate data from multiple passive sources.

3. Perform targeted brute-forcing: Use gobuster or ffuf with a curated wordlist against the target domain's nameservers. Consider using multiple public DNS resolvers to avoid rate limiting.

4. Verify discovered subdomains: Ping or attempt to connect to the discovered subdomains to ensure they are active and responsive.

5. Analyze results: Filter out dead subdomains and focus on those that respond, then proceed with further reconnaissance on active targets.
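Steps 4 and 5 are where brute-forced candidates commonly mislead: a zone with a wildcard record answers for every name, so dead guesses look alive. The added example below (not code from the original page or from any of the tools it names) implements the verify-and-filter stage in Python. The resolver is injected as a callable so the example runs offline against a constructed zone with a wildcard; for real use, pass a function that performs the lookup (for instance one wrapping socket.gethostbyname). The probe-random-labels technique is a standard way to detect wildcard DNS and is an assumption of this example, not something the page prescribes.

```python
"""Verify candidate subdomains and drop wildcard-DNS false positives.

Added example. CONSTRUCTED_ZONE and fake_resolve stand in for real DNS so the
code runs offline; replace `resolve` with a real lookup to use it for real.
"""
import secrets
from typing import Callable, Dict, Iterable, Optional, Set

# A resolver maps a hostname to an IPv4 string, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]

# Constructed zone for example.com (RFC 5737 documentation addresses).
CONSTRUCTED_ZONE = {
    "example.com": "203.0.113.10",
    "www.example.com": "203.0.113.10",
    "api.example.com": "203.0.113.20",
    "mail.example.com": "203.0.113.30",
}
# The constructed zone also has *.example.com -> 203.0.113.50, so any
# other name under example.com resolves even though no host exists.
CONSTRUCTED_WILDCARD_IP = "203.0.113.50"


def fake_resolve(host: str) -> Optional[str]:
    """Offline stand-in for DNS resolution over the constructed zone."""
    host = host.lower().rstrip(".")
    if host in CONSTRUCTED_ZONE:
        return CONSTRUCTED_ZONE[host]
    if host.endswith(".example.com"):
        return CONSTRUCTED_WILDCARD_IP
    return None


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve a few random labels that should not exist.

    Any address that comes back is a wildcard answer; the set of such
    addresses is returned so real lookups can be compared against it.
    """
    seen: Set[str] = set()
    for _ in range(probes):
        ip = resolve(f"{secrets.token_hex(8)}.{domain}")
        if ip is not None:
            seen.add(ip)
    return seen


def verify(candidates: Iterable[str], domain: str, resolve: Resolver) -> Dict[str, str]:
    """Return {hostname: ip} for candidates that resolve to a non-wildcard address.

    Names that do not resolve are dead; names that resolve only to a wildcard
    address are unverified and dropped. Caveat: a genuine host that shares the
    wildcard address is dropped too, so confirm such cases by connecting to them.
    """
    wildcard_ips = detect_wildcard(domain, resolve)
    live: Dict[str, str] = {}
    for host in sorted({c.strip().lower().rstrip(".") for c in candidates if c.strip()}):
        ip = resolve(host)
        if ip is None or ip in wildcard_ips:
            continue
        live[host] = ip
    return live


# Constructed candidate list: passive finds plus typical brute-force guesses.
CANDIDATES = [
    "www.example.com", "API.example.com", "mail.example.com",   # real
    "admin.example.com", "dev.example.com", "old.example.com",  # wildcard only
    "gone.example.net",                                         # does not resolve
]

if __name__ == "__main__":
    for host, ip in verify(CANDIDATES, "example.com", fake_resolve).items():
        print(f"{host}\t{ip}")
```

With a real resolver, run verify over the union of passive and brute-force output; what survives is the list worth inventorying or probing further, and the wildcard set reported by detect_wildcard is itself a finding worth noting when reviewing a domain's DNS posture.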