Subdomain Finder

Details

Stay Up To Date

Follow @secforeveryone

Asset Type

domain

Need Membership

Asset Verify

API Support

Yes

Estimate Time (Second)

300

Subdomain Finder Detail

Subdomains often address different sections of a website (blog, e-mail, admin panel or another application). Each subdomain could be a new attack vector for you.

What is Subdomain ?

Subdomains are created to organise and access to different website sections such as the blog, e-mail etc. You can create multiple subdomains linked with the main domain.

For example, if your domain name is securityforeveryone.com, you can open subdomains such as admin.securityforeveryone.com, mail.securityforeveryone.com or premium.securityforeveryone.com.

Why is it important to find subdomains ?

For attackers, detecting the subdomains means new attack vectors. You might have a secure application and you might be doing security tests and system consolidation regularly. But if there is a vulnerability in another application that pages a connection with your application and database, these are not important. You probably heard you are always as safe as your weakest link.

In some cases, subdomains might be less secure than the main domains. Especially, identification of domain names addressing your test systems (test, old etc.), development environments (devel, preprod etc.) and other services (ftp, mail etc.) and analysing these subdomains from a security perspective is important.

Also, it is important to know this. When you use third-party services for subdomains, you might have different attack types such as subdomain takeover.

How To Find Subdomains?

You can use our online and free subdomain finder tool to identify the subdomains of your website. All you need to do is to type the domain name which you want to detect the subdomains.

Or you can run nmap --script dns-brute Target_Host command on nmap tool which can be installed to all operating systems.

Also, you can use searchengine_subdomains_collector auxiliary module of “Metasploit Framework” to check the vulnerability.

Lastly, you can check it with open source tools such as “Sublist3r”, “aquatone”. For example, let’s use Sublist3r tool:

	python sublist3r.py -d yourdomain.com
	[-] Enumerating subdomains now for yourdomain.com
	[-] Searching now in Baidu..
	[-] Searching now in Yahoo..
	[-] Searching now in Google..
	[-] Searching now in Bing..
	[-] Searching now in Ask..
	[-] Searching now in Netcraft..
	[-] Searching now in DNSdumpster..
	[-] Searching now in Virustotal..
	[-] Searching now in ThreatCrowd..
	[-] Searching now in SSL Certificates..
	[-] Searching now in PassiveDNS..
	[-] Total Unique Subdomains Found: 3
	admin.yourdomain.com
	blog.yourdomain.com
	devel.yourdomain.com

Some Advice for Common Problems

It is important to give some recommendations about the subdomains:

Development environment, test environment, backup and similar subdomains should be close to internet access if possible. If not, IP restriction should be present or access management should be present. And these systems should not be connected to prod environment.
Subdomains used for admin (admin, panel etc.) should be protected with password for access and user name and password must not be used if any.
If the subdomain is addressing to an external service, it is important to make sure that this external service account is not cancelled or expire against subdomain takeover vulnerability.
Just like the main domains, subdomains should be included in the penetration test.

Need a Full Assesment?

Get help from professional hackers. Learn about our penetration test service now!

Request Pentest Service