It is not easy to find a website's subdomains just by searching Google for keywords related to that website.
Google doesn't look at subdomains as part of the root domain. It treats subdomains as different domains.
That is why we can’t find subdomains of websites by only searching on Google.
Most websites with large resources create subdomains to organize and categorize their resources to make them user-friendly.
Sometimes we need or want to know the subdomains of some websites. We may get one or two subdomains of our websites by searching on different search engines, but we will not get them all.
What can we do without so much effort?
If you are a Linux user, the tools we are going to discuss here might help you. They are newer-generation tools and have a lot of functionality.
Let’s see if these tools are useful or not.
#Tool 1: Subdomain3
Using this tool you can find the subdomains, IP addresses and CDN of the target website. To install it, fire up your Kali Linux machine and download it from GitHub.
Now it's time to configure it to work on Kali Linux.
1. Navigate to the directory where you downloaded it and extract it.
2. Install the required Python packages listed in "requirement.txt". Use the command given below.
pip install -r requirement.txt
3. Go to the "subdomain3" folder, create a new folder and name it "result". If you don't create the result folder, you will get the following error.
[Errno2] No such file or directory: result/example.com
4. Now launch the Subdomain3 tool using the command given below.
python3 brutedns.py -d example.com -s high -l 5
Here we've set the speed to high and the level to 5, but you can adjust them to suit your needs. See the usage table below for the options you can use.
| Short form | Long form | Description |
|---|---|---|
| -d | domain | example.com |
| -s | speed | high, medium, low |
| -l | level | 2:w.example.com |
| -f | file | list of target domains |
| -c | CNAME | collect cname, Y or N |
| -ns | default DNS | Y or N |
| -f1 | subfile | sub dict |
| -f2 | next sub | dict |
| -f3 | other file | subdomain logs from search engines |
#Tool 2: Turbolist3r
Turbolist3r looks for public DNS information. It is used to discover subdomains and perform advanced analysis on them. It is a fork of the Sublist3r tool and works in much the same way as the Subdomain3 tool.
Download Turbolist3r from GitHub, navigate to the directory where you downloaded it and extract it.
Now, install it on Kali Linux.
1. Install the required Python packages listed in "requirements.txt". Use the following command.
pip install -r requirements.txt
2. Launch Turbolist3r using the command given below.
python turbolist3r.py -d example.com -a --saverdns example.txt
3. View the options you can use by using the command given below.
python turbolist3r.py -h
Here are some examples for advanced use.
- To perform advanced analysis on a list of subdomains.
python turbolist3r.py -d example.com --inputfile subdomains.txt
- To enumerate subdomains with the brute-force module enabled.
python turbolist3r.py -b -d example.com
- To set specific search engines for enumerating subdomains (comma-separated, without spaces).
python turbolist3r.py -e google,yahoo,yandex -d example.com
It has many features. We explained only some of them. Explore them yourself!
There are many tools on the Internet that can be used to find and analyze subdomains. We’ve tested most of them and found these two tools error-free and advanced.
These tools have many advanced features we haven’t discussed. But you can explore them and let us know!
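When you run both tools against a domain you manage, their results overlap and have to be merged before they are useful. The script below is an added example, not code from either project: it normalises the hostnames, drops anything outside the root domain, and lists the hosts that are missing from your own asset inventory. The input format (a hostname at the start of each line), the function names and the sample data are assumptions.

```python
# Added example: merge hostname lists saved from both tools into one inventory.
# Assumption: every line starts with a hostname; extra columns (IPs) are ignored.
import re

LABEL = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")


def normalise(line, root):
    """Return a clean hostname under `root`, or None if the line is junk."""
    host = re.split(r"[\s,]+", line.strip())[0].lower()
    host = re.sub(r"^[a-z]+://", "", host)       # drop a URL scheme
    host = host.split("/")[0].split(":")[0]      # drop path and port
    host = host.rstrip(".")                      # drop the trailing root dot
    if host.startswith("*."):                    # wildcard entry -> its parent
        host = host[2:]
    if not host or len(host) > 253:
        return None
    if host != root and not host.endswith("." + root):
        return None                              # out of scope, e.g. notexample.com
    if not all(LABEL.match(label) for label in host.split(".")):
        return None
    return host


def merge(root, *sources):
    """Union of normalised, in-scope hostnames from several result lists."""
    root = root.lower().rstrip(".")
    found = {normalise(line, root) for lines in sources for line in lines} - {None}
    # Sort on reversed labels so hosts under the same parent stay together.
    return sorted(found, key=lambda h: h.split(".")[::-1])


def unknown_hosts(found, inventory):
    """Discovered hostnames that are missing from the asset inventory."""
    known = {h.lower().rstrip(".") for h in inventory}
    return [h for h in found if h not in known]


# Constructed sample data, not real tool output.
SUBDOMAIN3_SAMPLE = ["www.example.com 192.0.2.10", "API.example.com. 192.0.2.11",
                     "dev.api.example.com 192.0.2.12"]
TURBOLIST3R_SAMPLE = ["www.example.com", "https://mail.example.com/",
                      "*.example.com", "notexample.com", ""]
INVENTORY = ["www.example.com", "mail.example.com", "example.com"]

if __name__ == "__main__":
    hosts = merge("example.com", SUBDOMAIN3_SAMPLE, TURBOLIST3R_SAMPLE)
    print("discovered:", hosts)
    print("not in inventory:", unknown_hosts(hosts, INVENTORY))
```

To use it on real results, read each saved file into a list of lines and pass the lists to merge() in place of the sample data.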
What's your opinion about these two tools? Did you find them helpful? Let us know in the comment box.