Finding subdomains using subfinder
Subdomain: Subdomains are used to host multiple hosts or applications under a single parent domain.
E.g. parent domain "google.com"; subdomains "mail.google.com", "drive.google.com", "accounts.google.com", etc.
Most organizations host multiple applications on multiple subdomains, as in the "google" example above. Subdomain finders are useful during the reconnaissance phase of a red team engagement. The tool below collects subdomains from various open-source (OSINT) data sources and organizes them into a single list; we can then iterate over each discovered domain in the later stages of penetration testing.
Prerequisites: This tool is written in Go, so Go must be installed on the machine. To install Go, follow these instructions: https://golang.org/doc/install#install
After installing Go, clone the subfinder repository and build it:
$ git clone https://github.com/subfinder/subfinder.git
$ cd subfinder
$ ./build.sh
build.sh builds the subfinder binary and stores it in the build folder.
Go to the build folder and unzip the archive with the "unzip" command:
$ cd build
$ unzip subfinder_linux_amd64_1.0.zip   # version may be different
$ ./subfinder -h   # shows the help message and all the options
$ ./subfinder -d example.com -v -o filename.txt   # basic command usage
The above command finds all the subdomains of example.com and stores the output in filename.txt. The option values (target domain, output file name) can be replaced with our own.
Sample screenshot:
If we plan for automation, this tool's result is handy: the output list of subdomains can be passed to other tools as input. Subfinder supports multiple APIs such as Shodan, VirusTotal, Censys, etc. for better results.
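Before piping subfinder's output file into the next tool, it pays to normalize it and keep only hosts that are actually in scope for the parent domain. The script below is an added example, not part of subfinder; the normalize_subdomains function and the sample output file are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of subfinder: tidy a "subfinder -o" output file
# before handing it to the next tool in a recon pipeline.
# Keeps only hostnames in scope for the given parent domain, lowercases
# them, trims whitespace and trailing dots, drops junk lines, dedups.
# Usage: normalize_subdomains <parent-domain> <subfinder-output-file>
normalize_subdomains() {
    parent=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    tr '[:upper:]' '[:lower:]' < "$2" \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/\.$//' \
      | awk -v p="$parent" '
          # drop anything that is not a plausible hostname (wildcards, URLs, blanks)
          $0 !~ /^[a-z0-9][a-z0-9.-]*$/ { next }
          # in scope: exactly the parent, or a host whose name ends in ".parent"
          $0 == p { print; next }
          length($0) > length(p) && substr($0, length($0) - length(p)) == "." p { print }
        ' \
      | sort -u
}

# Constructed sample of what a raw output file might contain: mixed case,
# trailing dots, duplicates, an out-of-scope lookalike, malformed lines.
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
Mail.Example.com
drive.example.com.
drive.example.com
  api.example.com
accounts.example.com
example.com
notexample.com
*.example.com
evil.com/example.com

EOF

# Prints the five in-scope, deduplicated hostnames, one per line.
normalize_subdomains example.com "$SAMPLE_FILE"
```

The "notexample.com" line is dropped on purpose: a suffix match on "example.com" alone would let a lookalike domain into the target list, so the check requires the label boundary ".example.com".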
Please note that running subfinder falls under the category of a passive online attack.