Subdomains often address different sections of a website (blog, e-mail, admin panel or another application). Each subdomain could be a new attack vector for you.
Subdomains are created to organize and access different website sections such as the blog, e-mail, etc. You can create multiple subdomains linked with the main domain.
For example, if your domain name is securityforeveryone.com, you can open subdomains such as admin.securityforeveryone.com, mail.securityforeveryone.com, or premium.securityforeveryone.com.
For attackers, each detected subdomain means a new attack vector. You might have a secure application, and you might run security tests and system hardening regularly. But if there is a vulnerability in another application that has a connection with your application and database, those efforts do not matter. You have probably heard that you are only as safe as your weakest link.
In some cases, subdomains might be less secure than the main domain. It is especially important to identify the domain names that point to your test systems (test, old, etc.), development environments (devel, preprod, etc.) and other services (ftp, mail, etc.), and to analyse these subdomains from a security perspective.
It is also important to know that using third-party services for subdomains can expose you to other attack types such as subdomain takeover. You can check Security for Everyone’s Subdomain Takeover Vulnerability Tool.
To find all the subdomains of a domain, you can use Security for Everyone's free online subdomain finder tool. All you need to do is type in the domain name whose subdomains you want to detect.
Other Ways to Scan for Subdomains
You can run the nmap --script dns-brute Target_Host command with the nmap tool, which can be installed on all operating systems.
Also, you can use the searchengine_subdomains_collector auxiliary module of the “Metasploit Framework” to collect subdomains from search engine results.
Lastly, you can check with open source tools such as “Sublist3r” and “aquatone”. For example, let’s use the Sublist3r tool:
python sublist3r.py -d yourdomain.com
[-] Enumerating subdomains now for yourdomain.com
[-] Searching now in Baidu..
[-] Searching now in Yahoo..
[-] Searching now in Google..
[-] Searching now in Bing..
[-] Searching now in Ask..
[-] Searching now in Netcraft..
[-] Searching now in DNSdumpster..
[-] Searching now in Virustotal..
[-] Searching now in ThreatCrowd..
[-] Searching now in SSL Certificates..
[-] Searching now in PassiveDNS..
[-] Total Unique Subdomains Found: 3
admin.yourdomain.com
blog.yourdomain.com
devel.yourdomain.com
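To act on such a list for your own domain, the names the article singles out earlier (test systems, development environments, other services) can be flagged for review automatically. The following is an added example, not code from the article or from Sublist3r; the function names are hypothetical, the keyword list comes from the article's examples, and the sample output is constructed.

```python
import re

# Keywords are the article's own examples; extend them for your naming scheme.
RISKY_LABELS = {
    "test system": {"test", "old"},
    "development environment": {"devel", "preprod"},
    "other service": {"ftp", "mail"},
}
ANSI = re.compile(r"\x1b\[[0-9;]*m")  # colour codes in terminal output
HOSTNAME = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")

# Constructed sample of enumeration output (not real results).
SAMPLE_OUTPUT = """\
[-] Searching now in Bing..
admin.yourdomain.com
blog.yourdomain.com
\x1b[92mdevel.yourdomain.com\x1b[0m
old-mail.yourdomain.com
test2.yourdomain.com
cdn.otherdomain.com
"""

def parse_hosts(tool_output, domain):
    """Return the unique hostnames under `domain` found in the output."""
    domain = domain.lower().rstrip(".")
    hosts = set()
    for line in tool_output.splitlines():
        candidate = ANSI.sub("", line).strip().lower().rstrip(".")
        # Status lines ("[-] Searching now in ...") fail the hostname check.
        if HOSTNAME.match(candidate) and candidate.endswith("." + domain):
            hosts.add(candidate)
    return sorted(hosts)

def triage(hosts, domain):
    """Map each flagged hostname to the first category whose keyword it contains."""
    flagged = {}
    for host in hosts:
        prefix = host[: -len(domain) - 1]             # e.g. "old-mail"
        tokens = set(re.split(r"[.\-]|\d+", prefix))  # words inside the labels
        for category, words in RISKY_LABELS.items():
            if tokens & words:
                flagged[host] = category
                break
    return flagged

if __name__ == "__main__":
    print(triage(parse_hosts(SAMPLE_OUTPUT, "yourdomain.com"), "yourdomain.com"))
```

Hosts outside the given domain are dropped, so the result only ever lists names you are responsible for reviewing.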
It is important to give some recommendations about the subdomains: