#8 Subdomain Enumeration —How to find Subdomains of any Domain (2024)

#8 Subdomain Enumeration —How to find Subdomains of any Domain (2)

Hello, I have come today with a very useful topic of recon. In this blog we will see how to find Subdomain of any target. So, lets start.

A subdomain is, as the name would suggest, an additional section of your main Domain name. You create subdomains to help organize and navigate to different sections of your main website. Within your main Domain, you can have as many subdomains as necessary to get to all of the different pages of your website.

#8 Subdomain Enumeration —How to find Subdomains of any Domain (3)

It is one of the most crucial parts of the reconnaissance phase while performing a security assessment. Subdomain Enumeration is a process of finding sub-domains of one or more root domains.

Why we need Subdomain Enumeration?

Subdomain Enumeration helps to create a scope of security assessment by revealing Domains/Subdomains of a target organization. It increases the chance of finding vulnerabilities. And it helps us in finding the web applications that might be forgotten/left unattended by the organization for the maintenance or other reasons and may lead to the disclosure of critical vulnerabilities.

By search engines

Search engines like Google supports various advanced search operators to refine search queries. These operators are often referred to as Google Dorks. We can use site: operator in Google search to find all the Subdomains that Google has found for a Domain. Lets take an example on “site:vulnweb.com”.

#8 Subdomain Enumeration —How to find Subdomains of any Domain (4)

By online sites

These are some online sites who find the Subdomains of any Domain.

  1. https://scantrics.io/subdomain-scanner/
  2. https://site-analyzer.pro/services-seo/site-all-subdomains/
  3. https://wikihak.com/Subdomains/Subdomains-scanner.php
  4. https://subdomainfinder.c99.nl/

Lets take an example

#8 Subdomain Enumeration —How to find Subdomains of any Domain (5)

By Subfinder(in Kali machine)

Subfinder is a Subdomain discovery tool that discovers valid Subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed.

#8 Subdomain Enumeration —How to find Subdomains of any Domain (6)

Installation Subfinder:- Open Kali Terminal

sudo git clone https://github.com/projectdiscovery/subfinder.git

And will be installed. Now open new terminal and type this command

subfinder -d "your target domain"

I am taking “example.com”.

#8 Subdomain Enumeration —How to find Subdomains of any Domain (7)

By Sublist3r(in Kali machine)

Sublister is a tool designed in python and uses OSINT in order to enumerate Subdomains of websites. It helps pen-testers in collecting and gathering Subdomains for a Domain which is their target.

#8 Subdomain Enumeration —How to find Subdomains of any Domain (8)

For installation of Sublist3r checkout this link https://www.geeksforgeeks.org/what-is-sublist3r-and-how-to-use-it/

And will be installed. Now open new terminal and type this command

sublist3r -d "your target domain"

I am taking “vulnweb.com”.

#8 Subdomain Enumeration —How to find Subdomains of any Domain (9)

By Amass(in Kali machine)

This package contains a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery using open source information gathering and active reconnaissance techniques.

#8 Subdomain Enumeration —How to find Subdomains of any Domain (10)

Installation Amass:- Open Kali Terminal and write these commands

sudo apt-get update
sudo apt-get install amass

And will be installed. Write the Subdomain Enumeration command.

amass enum -d "your target domain"

I am again taking “vulnweb.com”.

#8 Subdomain Enumeration —How to find Subdomains of any Domain (11)

Brute Force Subdomain By ffuf(in Kali machine)

ffuf is a fest web fuzzer written in Go that allows typical directory discovery, virtual host discovery (without DNS records) and GET and POST parameter fuzzing.

#8 Subdomain Enumeration —How to find Subdomains of any Domain (12)

Installation ffuf:- Open Kali Terminal and write this

git clone https://github.com/ffuf/ffuf ; cd ffuf ; go get ; go build

And will be installed. In this method we are performing brute force, so we also need domain wordlist. You can download the Subdomain wordlist by Google and save wordlists folder. Now see an example on “vulnweb.com”

Command,

ffuf -w /path/to/wordlist -u https://FUZZ.target

-w means wordlist, -u means target URL and FUZZ is the part that has to be brute force.

#8 Subdomain Enumeration —How to find Subdomains of any Domain (13)

Here are some methods to find subdomain, hope you will have learned something new that’s all for today. Thank you for reading. Be an #Ethical Hacker and stay safe.

P.S. I am looking for a job, my email is uttamgupta1802@gmail.com.

#8 Subdomain Enumeration —How to find Subdomains of any Domain (2024)

FAQs

Are subdomains searchable? ›

It means that subdomains are search engine indexable!

If content is on a subdomain, it is spidered as part of the overall website.

What is subdomain enumeration? ›

Subdomain enumeration is the process of listing out all the valid subdomains that are part of the larger domain.

How to search for subdomains on Google? ›

Google's search operators make it easy to narrow down the search to find more subdomains. We can use the "site" operator in the search bar to find all the subdomains that Google has indexed for a domain. Google also supports the minus operator to exclude any subdomains we are not interested in.

How do I find all the subsites of a website? ›

You can usually locate it in the root or footer section of the website. For example, the XML sitemap URL could be “www.example.com/sitemap.xml“. Once you click on the sitemap, you will find all pages & subpages of a website. You can use different sitemap generation tools if you don't have an existing sitemap.

What search phrase can be used to find subdomains of a website? ›

There are some subdomains that are defined for virtually every domain name, such as www, and others that are very common, like shop or mail. But by going through and trying a DNS query using `dig`, `nslookup`, or `host` for as many possible subdomains, you might find some hidden ones.

Is subdomain enumeration legal? ›

This type of subdomain enumeration is resource-intensive and may have legal and ethical implications since sending large requests to a target domain is required. Because of its intrusive nature, active subdomain enumeration may trigger security alerts.

What is subdomain hijacking? ›

It's a cyber threat executed when an attacker gains control of a legitimate subdomain that's no longer in use, then cleverly exploits the forgotten or misconfigured dangling DNS to host their own content on the previously used zone.

What is my subdomain domain? ›

A subdomain is an extension of your domain that helps you organize content and expand your business offerings. It allows you to create standalone pages or functions, such as a blog or online store.

Are subdomains included with the domain? ›

Subdomains are used to expand the use of a single domain, these do not need to be purchased separately to your domain; if you own a domain then you can add a subdomain to this. This method is commonly used for Moodle and Totara site setups.

How many subdomains does a domain have? ›

A domain can have up to 500 subdomains. You can create multiple levels of subdomains such as store.product.yoursite.com, test.forum.yoursite.com, etc. Each subdomain can be up to 255 characters long, but for multi level subdomains, each level can only be 63 characters long.

Where are subdomains located? ›

A subdomain, on the other hand, is another part of the URL structure that goes before the domain name. As its main purpose is for site organization, your website can work fine without it.

What is Google dorks for subdomain enumeration? ›

Google Dorking

Google Dorking is a passive subdomain enumeration technique using Google's advanced search operators, like "site:" to find information about a target, including subdomains.

How does Google view subdomains? ›

However, Google treats subdomains as separate sites.

While “blog.example.com” and “example.com” may share a root domain, Googlebot will view them as distinct domains and crawl and index them accordingly.

Are subdomains SEO friendly? ›

Optimize Your Subdomains & Subdirectories for SEO

The choice between subdomains and subdirectories largely depends on reasons outside of SEO. Both can be SEO-friendly. Whether you decide to use subdomains or subdirectories, you need to optimize them for the best chance of ranking in search engines.

Do subdomains get indexed by Google? ›

The short answer is yes, Google can and will index and rank subdomains unless you explicitly take steps to ensure they're excluded from its index. Google's entire business model is based on discovering content. The same goes for all search engines.

Does Google see subdomains as separate sites? ›

Google Considers Subdomains as Separate Standalone Sites

Google has always treated subdomains as different sites, separate from the main domain. This is evident within Google Search Console, where subdomains have to be verified separately from the content that exists under the main domain website.

References

Top Articles
Latest Posts
Recommended Articles
Article information

Author: Amb. Frankie Simonis

Last Updated:

Views: 5889

Rating: 4.6 / 5 (76 voted)

Reviews: 91% of readers found this page helpful

Author information

Name: Amb. Frankie Simonis

Birthday: 1998-02-19

Address: 64841 Delmar Isle, North Wiley, OR 74073

Phone: +17844167847676

Job: Forward IT Agent

Hobby: LARPing, Kitesurfing, Sewing, Digital arts, Sand art, Gardening, Dance

Introduction: My name is Amb. Frankie Simonis, I am a hilarious, enchanting, energetic, cooperative, innocent, cute, joyous person who loves writing and wants to share my knowledge and understanding with you.