This is a guide to discovering website subdomains. I'll be going over the basics of what subdomains are, why you should be searching for them, and ...
I also open robots.txt to find out what they're hiding 😂🤣
Always a favorite! 🤣
Aquatone and Sublist3r's scanning could trigger alarms on some systems. It is seen as a brute-force attack, or potential denial of service attack.
If you're on an internal network you can also use DNS tools. Usually sub-domain record transfer is disabled (I forget the technical term), but if doing an internal audit perhaps you can have a machine that allows it.
Good point on the alarms! I kinda assume someone is doing a bug bounty or testing their own server, so alarms aren't a big deal. But if you're pentesting for a client (or doing something naughty) then alarms should be considered. I'll add in a quick disclaimer.
That’s true. Then you can try something like spyse.com. They already did everything for you. But still, sometimes you need to run the process yourself; you’ll just need a proxy to do that.
Also, as far as I know, guys from spyse are going to add an opportunity to scan all those things with the help of their service.
You're doing it the hard way!
crt.sh with a wildcard to search for any issued certificates, then dnsdumpster for a free review of censys scans to get any domains mentioned in headers or self signed certs exposed to the internet.
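The certificate-transparency lookup mentioned in the comment above, as an added example that is not part of the original thread: a parser that turns crt.sh-style JSON records into a deduplicated host inventory for a domain you own, keeping wildcard entries separate and dropping names outside the apex. The sample records are constructed, `example.com` is a placeholder, and `names_from_ct` is a hypothetical helper name.

```python
import json

# Constructed sample in the shape of crt.sh's JSON output (output=json);
# example.com and every name below are placeholders, not real query results.
SAMPLE = json.dumps([
    {"common_name": "example.com", "name_value": "example.com\nwww.example.com"},
    {"common_name": "*.dev.example.com", "name_value": "*.dev.example.com\ndev.example.com"},
    {"common_name": "VPN.Example.com", "name_value": "VPN.Example.com"},
    {"common_name": "mail.example.com", "name_value": "mail.example.com\nadmin@example.com"},
    {"common_name": "cdn.example.net", "name_value": "cdn.example.net\nstatic.example.com."},
    {"common_name": "notexample.com", "name_value": "notexample.com"},
])


def names_from_ct(raw_json, apex):
    """Return (hosts, wildcard_zones) under `apex` from crt.sh-style records."""
    apex = apex.lower().rstrip(".")
    hosts, wildcards = set(), set()
    for record in json.loads(raw_json):
        # name_value holds the certificate's names, one per line
        candidates = record.get("name_value", "").splitlines()
        candidates.append(record.get("common_name") or "")
        for name in candidates:
            name = name.strip().lower().rstrip(".")
            if not name or "@" in name:  # skip blanks and e-mail identities
                continue
            is_wildcard = name.startswith("*.")
            base = name[2:] if is_wildcard else name
            # keep the apex or true subdomains only (match on a label boundary,
            # so notexample.com is not mistaken for a child of example.com)
            if base != apex and not base.endswith("." + apex):
                continue
            (wildcards if is_wildcard else hosts).add(base)
    return sorted(hosts), sorted(wildcards)


if __name__ == "__main__":
    found_hosts, wildcard_zones = names_from_ct(SAMPLE, "example.com")
    print("hosts:", found_hosts)
    print("wildcard zones:", wildcard_zones)
```

A wildcard entry only tells you a zone has a certificate covering any host beneath it, so it is reported separately instead of being treated as a hostname.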
Thanks for the tip! I'll look into that and update the post.
Don't forget utilising tools like VirusTotal. You'll probably find most there and won't trigger alarms.
virustotal.com/#/domain/yahoo.com
Censys and pentest-tools will not show you all subdomains, especially of government-related websites. Google.com is not indexing a lot of hidden parts. For me, spyse is a golden mean.
This is why each of my development servers has a hard-coded list of approved CIDRs that can access them. ACLs are neat!
Is it possible to use nslookup for finding sub domains?