Ask HN: How to enumerate all subdomains of a main domain like foo.com? - dedalus
======
danielrm26
These will find your droids.

sublist3r
[https://github.com/aboul3la/Sublist3r](https://github.com/aboul3la/Sublist3r)

amass [https://github.com/caffix/amass](https://github.com/caffix/amass)

subfinder
[https://github.com/subfinder/subfinder](https://github.com/subfinder/subfinder)

------
haloux
Ah, the classical network pentester's problem. There's really no one good way
to go about this.

Certificate transparency tools like CTFR
([https://github.com/UnaPibaGeek/ctfr](https://github.com/UnaPibaGeek/ctfr))
work only if certs are registered.

You could go old school and use a tool like Sublist3r
([https://github.com/aboul3la/Sublist3r](https://github.com/aboul3la/Sublist3r))
or Punter
([https://github.com/nethunteros/punter](https://github.com/nethunteros/punter)),
but ymmv as API endpoints are savvy to these tools and actively work to snub
them out.

AXFR queries can be useful if the DNS server allows for it (my experience:
0-15).

Best of luck.

------
lunixbochs
If the domain uses DNSSEC, you can do an offline brute force:

[https://security.stackexchange.com/questions/94503/does-dnssec-still-have-the-enumerate-all-names-in-zone-problem](https://security.stackexchange.com/questions/94503/does-dnssec-still-have-the-enumerate-all-names-in-zone-problem)

[https://nmap.org/nsedoc/scripts/dns-nsec3-enum.html](https://nmap.org/nsedoc/scripts/dns-nsec3-enum.html)

There are tools for online brute force, but that's not very polite :)
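
As an added illustration (not from this thread or the tools it links), the following shows why a plain NSEC chain lets anyone list a signed zone and what NSEC3 changes; the zone names, chain and salt are constructed:

```python
import hashlib

# Constructed NSEC chain for the zone foo.com. (not real data). Each record
# says "the next name in canonical order after <owner> is <next>", and the
# last one wraps back to the apex, so the chain covers every name once.
NSEC_CHAIN = {
    "foo.com.": "api.foo.com.",
    "api.foo.com.": "mail.foo.com.",
    "mail.foo.com.": "vpn.foo.com.",
    "vpn.foo.com.": "www.foo.com.",
    "www.foo.com.": "foo.com.",
}

def walk_chain(chain, start, max_steps=10_000):
    """Follow next-name pointers from `start` until they return to it.
    Returns every owner name in chain order; a pointer to an unknown name or
    a chain that never wraps raises, so a partial chain is never mistaken for
    a complete listing of the zone."""
    names, current = [start], start
    for _ in range(max_steps):
        nxt = chain.get(current)
        if nxt is None:
            raise ValueError(f"chain broken at {current}")
        if nxt == start:
            return names
        if nxt in names:
            raise ValueError(f"chain loops at {nxt} without reaching {start}")
        names.append(nxt)
        current = nxt
    raise ValueError("chain did not wrap within max_steps")

def wire_name(name):
    """DNS wire format: length-prefixed lower-case labels, terminated by 0."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def nsec3_hash(name, salt, iterations):
    """RFC 5155 hash: SHA-1 over wire-format name plus salt, then `iterations`
    more rounds over digest plus salt. Hex here; real records use base32hex."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return digest.hex()

def nsec3_chain(names, salt=b"\xab\xcd", iterations=10):
    """The same zone as NSEC3 publishes it: a chain over sorted hashes, so a
    walk yields hashes, and names come back only by hashing guesses."""
    hashes = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return {h: hashes[(i + 1) % len(hashes)] for i, h in enumerate(hashes)}
```

Walking NSEC_CHAIN returns the five real names; walking the NSEC3 chain built from them returns five opaque hashes, which is the gap the nmap script above has to close by guessing.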

------
fulafel
Ask the name server: do an AXFR query, as in host -l foo.com.

These days many domains are configured to refuse AXFR queries though. Then
there's a misguided but common phenomenon called split-horizon DNS, where you
serve different records as answers to the same query based on what the query
originator's address is.

~~~
Diederich
> misguided

citation needed.

~~~
hluska
"Citation needed" comments are useless. If you disagree, state why. Otherwise,
you aren't helping anyone and merely adding confusion about one of the base
technologies.

~~~
LyndsySimon
I disagree - it’s merely asking for elaboration on a stated opinion.

~~~
reitanqild
I'd say it is a very confrontational way of asking for elaboration.

~~~
Diederich
I've thought about this a bit, and decided that doing 'the Wikipedia thing'
('Citation Needed') was minimally confrontational, in that it's kind of a
standard, somewhat 'mechanical' approach.

I had no idea that some would consider it 'very confrontational'; that's the
exact opposite of my intent.

Speaking transparently, when I write 'Citation Needed', it's usually because I
do disagree with the statement in question, but that my disagreement is not
sufficiently supported. It also means that I'm open to being corrected with
additional information.

~~~
reitanqild
I guess the reason it comes off as rude is because it is so short and - for my
lack of a better word - rubberstampy.

It is as if some people don't have time to ask politely for sources.

I also think it might trigger the "passive aggressive" detector for some people
here. (I think that description has been overused a lot though and don't want
to classify it as such.)

This might not be your intention but I wouldn't be very sad to see those words
less often here.

And one more thing: using Wikipedia as an example for how to behave in society
might not be a good idea IMO.

------
k4ch0w
Check Google, Bing, VirusTotal, parse HTTPS certificates including the
metadata (Censys.io is great for specific queries), subdomain bruteforce with
a good wordlist, download source code found on GitHub and regex-search for
HTTP URLs, then parse them.

Now don't do it by hand; people have already built tools. I recommend sublist3r
([https://github.com/aboul3la/Sublist3r](https://github.com/aboul3la/Sublist3r));
however, grab other subdomain bruteforcer wordlists and append them all
together.

Go to [https://opendata.rapid7.com/](https://opendata.rapid7.com/), download
the Reverse DNS and Forward DNS data and grep for your domain, i.e. grep
"*.mydomain.com". These are amazing.

I will make a note: sometimes, if you are looking for servers related to a
company specifically, people miss ones that aren't in a company's zone file.
You need to use a service like Shodan or Censys which regularly scan the
internet and index these. It can be a pain to parse through these results, but
if you are strapped for ideas on getting a foothold, try this. I have found
some juicy servers with this in mind.

If you are on a pentest it is completely ok to ask your client for permission
to view their zone file/route53 as well. This will save you a lot of time up
front.
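
An added example (not from the comment above or from any of the tools it names) of filtering a Rapid7-style Forward DNS dump down to your own zone: it matches on the name suffix rather than a plain substring, so look-alikes such as notfoo.com and foo.com.evil.example are excluded, and it reports wildcards and CNAMEs that leave the zone separately. The JSON-lines record layout and every sample line are assumptions constructed for this snippet:

```python
import json

APEX = "foo.com"  # zone being inventoried; placeholder name

# Constructed sample in the shape of Rapid7 Open Data FDNS lines (one JSON
# object per line with name/type/value). Assumed format, not a real extract;
# it deliberately includes look-alike names and one malformed line.
FDNS_SAMPLE = """\
{"timestamp":"1600000000","name":"www.foo.com","type":"a","value":"192.0.2.10"}
{"timestamp":"1600000000","name":"WWW.foo.com.","type":"a","value":"192.0.2.10"}
{"timestamp":"1600000000","name":"notfoo.com","type":"a","value":"192.0.2.99"}
{"timestamp":"1600000000","name":"foo.com.evil.example","type":"a","value":"198.51.100.7"}
{"timestamp":"1600000000","name":"*.dev.foo.com","type":"cname","value":"lb.foo.com"}
{"timestamp":"1600000000","name":"old.foo.com","type":"cname","value":"ghost.pages.example."}
{"timestamp":"1600000000","name":"mail.foo.com","type":"mx","value":"10 mx1.foo.com"}
not json at all
"""

def normalise(name):
    """Lower-case and strip the trailing dot so duplicates collapse."""
    return name.strip().lower().rstrip(".")

def in_zone(name, apex):
    """True only for apex itself or names ending in '.apex'; a plain substring
    test would also accept notfoo.com and foo.com.evil.example."""
    name = normalise(name)
    return name == apex or name.endswith("." + apex)

def extract_in_scope(lines, apex):
    """Parse FDNS-style JSON lines and report what is under apex: concrete
    hosts, wildcard owners, and CNAMEs whose target lies outside the zone
    (worth reviewing because they point at infrastructure you may not own)."""
    hosts, wildcards, cnames = set(), set(), {}
    for line in lines.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the whole file
        name = normalise(rec.get("name", ""))
        if not name or not in_zone(name, apex):
            continue
        (wildcards if name.startswith("*.") else hosts).add(name)
        if rec.get("type") == "cname":
            cnames[name] = normalise(rec.get("value", ""))
    external = {n: t for n, t in cnames.items() if not in_zone(t, apex)}
    return {"hosts": sorted(hosts), "wildcards": sorted(wildcards),
            "cnames": cnames, "external_cnames": external}
```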

------
snowwrestler
This guy:

[https://medium.com/@jonathanbouman/how-i-hacked-apple-com-unrestricted-file-upload-bcda047e27e3](https://medium.com/@jonathanbouman/how-i-hacked-apple-com-unrestricted-file-upload-bcda047e27e3)

Used a tool called Aquatone:

[https://github.com/michenriksen/aquatone/](https://github.com/michenriksen/aquatone/)

I have not used Aquatone; I just remembered this from a post on HN pretty
recently.

------
dividuum
You might search for subdomains using CT if they have certificates registered
for them explicitly:
[https://transparencyreport.google.com/https/certificates](https://transparencyreport.google.com/https/certificates)

~~~
blacksmith_tb
If they have a webserver running https you could also check its cert for the
'Certificate Subject Alt Name' for some of its subdomains.

------
pixdamix
I suggest you take a look at this:
[http://10degres.net/subdomain-enumeration/](http://10degres.net/subdomain-enumeration/) :-)

------
urtrs
This tool could help you:
[https://github.com/caffix/amass](https://github.com/caffix/amass)

------
jack9
Adding a responsive subdomain to any domain you control is trivial and isn't
registered anywhere (necessarily). I'm not sure you can achieve this, without
additional requirements.

------
efficax
It's perfectly possible to have a wildcard and respond to every subdomain.

But otherwise just use nslookup/dig/host

------
danielrm26
You should use a combination of three tools:

- sublist3r
- amass
- subfinder

They're all on Github.

------
wank
Log in to Cloudflare, add the domain, wait for the DNS slurp, export the full
record set, delete the domain.

------
chrono_sphere
Try fierce.pl; there may be newer ways, but this has always yielded decent
results for me when pentesting. You generally have to do some form of brute
force, as most DNS servers won't spill their guts these days.