How to Find Subdomains on a Website (And Why You Should)

Kat Maddox on March 25, 2019

This is a guide to discovering website subdomains. I'll be going over the basics of what subdomains are, why you should be searching for them, and ...
Gijo Varghese

I also open robots.txt to find out what they're hiding 😂🤣

Kat Maddox

Always a favorite! 🤣

edA‑qa mort‑ora‑y

Aquatone and Sublist3r's scanning could trigger alarms on some systems. It is seen as a brute-force attack, or potential denial of service attack.

If you're on an internal network you can also use DNS tools. Usually sub-domain record transfer is disabled (I forget the technical term), but if doing an internal audit perhaps you can have a machine that allows it.

Kat Maddox

Good point on the alarms! I kinda assume someone is doing a bug bounty or testing their own server, so alarms aren't a big deal. But if you're pentesting for a client (or doing something naughty) then alarms should be considered. I'll add in a quick disclaimer.

Jabhatt

That’s true. Then you can try something like spyse.com. They already did everything for you. But still, sometimes you need to run the process yourself; you’ll just need a proxy to do that.
Also, as far as I know, the guys from spyse are going to add an option to scan all those things with the help of their service.

GTB3NW

You're doing it the hard way!

crt.sh with a wildcard to search for any issued certificates, then dnsdumpster for a free review of censys scans to get any domains mentioned in headers or self signed certs exposed to the internet.
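As an added example, not code from the article or from any commenter, the crt.sh step described above in working form: build the wildcard query (`%.example.com`, `%` being crt.sh's SQL-style wildcard), parse the JSON it returns into a de-duplicated list of in-scope hostnames, and then confirm which candidates actually resolve. The function names, the `example.com` target and the sample records are all constructed for this example; crt.sh's real JSON does use the `name_value` field with newline-separated SAN entries, which is what the parser handles. The resolver is injectable so the resolution step can be exercised without network access.

```python
"""Collect candidate subdomains from crt.sh certificate-transparency results
and confirm which ones resolve in DNS (added example; names are constructed)."""
import json
import socket
import urllib.parse
import urllib.request


def crtsh_url(domain):
    """Build the crt.sh JSON query for every certificate whose name matches
    %.<domain>. crt.sh treats % as a wildcard, so it must be URL-encoded."""
    return "https://crt.sh/?q=" + urllib.parse.quote("%." + domain) + "&output=json"


def extract_subdomains(records, domain):
    """Turn crt.sh JSON records into a sorted, de-duplicated list of hostnames.

    Each record's "name_value" may hold several SAN entries separated by
    newlines. Wildcard entries ("*.dev.example.com") are reduced to the base
    name, since the wildcard label itself is not a resolvable host. Names
    outside the target domain (shared or CDN certificates) are dropped.
    """
    domain = domain.lower()
    suffix = "." + domain
    found = set()
    for rec in records:
        for name in rec.get("name_value", "").split("\n"):
            name = name.strip().lower().lstrip("*.")
            if name == domain or name.endswith(suffix):
                found.add(name)
    return sorted(found)


def fetch_records(domain, timeout=30.0):
    """Live query against crt.sh (network required; not used by the offline demo)."""
    with urllib.request.urlopen(crtsh_url(domain), timeout=timeout) as resp:
        return json.load(resp)


def resolve_live(names, resolver=socket.gethostbyname):
    """Map each candidate name to an address, or None if it does not resolve.

    Certificates are often issued for hosts that no longer exist, so the CT
    list is a candidate set, not a live inventory. `resolver` is injectable
    so this can run against a fake lookup table offline.
    """
    result = {}
    for name in names:
        try:
            result[name] = resolver(name)
        except OSError:
            result[name] = None
    return result


# Constructed sample in crt.sh's JSON shape (not real certificate data).
SAMPLE_RECORDS = json.loads("""[
 {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
  "common_name": "www.example.com",
  "name_value": "www.example.com\\nexample.com"},
 {"issuer_name": "C=US, O=DigiCert Inc",
  "common_name": "*.dev.example.com",
  "name_value": "*.dev.example.com\\nstaging.example.com\\nstaging.example.com"},
 {"issuer_name": "C=US, O=DigiCert Inc",
  "common_name": "shared.cdn-provider.net",
  "name_value": "shared.cdn-provider.net\\nassets.example.com"}
]""")


if __name__ == "__main__":
    # Offline demo on the constructed records; swap in fetch_records("example.com")
    # for a real run (the live query makes no requests to the target itself).
    for host in extract_subdomains(SAMPLE_RECORDS, "example.com"):
        print(host)
```

Because the query goes to crt.sh rather than to the target's name servers, the enumeration itself leaves nothing in the target's logs; only the optional resolution step sends DNS queries, and those go to your own resolver.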

Kat Maddox

Thanks for the tip! I'll look into that and update the post.

Rob McFadzean

Don't forget to utilise tools like VirusTotal. You'll probably find most there and won't trigger alarms.

virustotal.com/#/domain/yahoo.com

Mark

Censys and pentest-tools will not show you all subdomains, especially of government-related websites. Google.com is not indexing a lot of hidden parts. For me, spyse is a golden mean.

Vincent Milum Jr

This is why each of my development servers has a hard-coded list of approved CIDRs that can access them. ACLs are neat!

Hassam Ali

Is it possible to use nslookup for finding sub domains?