Finding Subdomains

Online websites:
https://pentest-tools.com/information-gathering/find-subdomains-of-domain
https://dnsdumpster.com/
https://hackertarget.com/find-dns-host-records/
https://findsubdomains.com/
https://searchdns.netcraft.com
https://censys.io
Tools:
Subbrute – A DNS meta-query spider that enumerates DNS records and subdomains.
DNScan – A DNS subdomain scanner. It is written in Python and can be installed on a server.
Sublist3r – An ultra-fast domain and subdomain enumeration tool, also written in Python.
Knock – Also known as Knockpy, as it is developed in Python. Freely available on GitHub.
Recon-Ng – A complex tool whose brute_hosts module lets you brute-force subdomains of a domain.
DNSRecon – Originally available in Kali Linux.

 

Reverse DNS lookup

"whois lookup registered to" inurl:ip-address-lookup
"whois lookup registered to" inurl:domaintools

Now run fierce.pl -range on the IP ranges you find to look up DNS names:

fierce -range 202.147.169.1-205 -dnsserver 8.8.8.8
