Finding Subdomains

Online websites:
Subbrute – This is a DNS meta-query spider that pulls DNS records, and subdomains list.
DNScan – A DNS subdomain scanner. This is built on python and can be installed on server.
Sublist3r – An ultra fast domain and subdomain enumeration tool. Also based on python.
Knock – Also known as Knockpy as it is developed in python. Freely available on GitHub.
Recon-Ng – Complex tool with brute_hosts module that facilitates you to bruteforce on domains for subdomains.
DNSRecon – Originally available in Kali Linux.


Reverse DNS lookup

“whois lookup registered to” inurl:ip-address-lookup
“whois lookup registered to” inurl:domaintools

Now run -range on the IP ranges you find to lookup dns names

fierce -range -dnsserver





Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s