Kat Maddox

Posted on • Originally published at explainhownow.com

How to Find Subdomains on a Website (And Why You Should)

This is a guide to discovering website subdomains. I'll be going over the basics of what subdomains are, why you should be searching for them, and how to actually find them.


Assumed knowledge:
  • Basic Linux/Unix commands

What are Subdomains?

On the surface, a subdomain is just an additional, prepended part to a domain name. In the example "dev.mytotallysecurewebsite.com", "mytotallysecurewebsite.com" is the root domain and "dev" is the subdomain.

As a developer, creating subdomains allows you to make a totally independent site, but still use your root domain. For example, it's common to create a subdomain where you test new features that aren't ready to be deployed on the official website yet.

Development subdomains are often used to "hide" new and untested features. By just visiting mytotallysecurewebsite.com, an average user has no way of knowing that something like dev.mytotallysecurewebsite.com exists.

Why Should I Find Subdomains?

Usually, a development/testing subdomain is the developer's dirty little secret. Many companies will put a lot of money and effort into making sure their root domain is as secure as possible, but then totally neglect their subdomains under the assumption that they'll never be discovered.

[Image: subdomains no looking]

But without proper controls such as firewalls, subdomains will eventually be found. You can't hide anything from Google - or a particularly curious hacker.

If you're a developer with "hidden" subdomains, it's good practice to run your site against some subdomain enumerators. Because if you can find it, someone else probably already has.

As a pentester, subdomain enumeration is going to be a critical part of your reconnaissance. Subdomains are likely to contain A LOT more vulnerabilities than the root domain. Searching for subdomains is one of the first things I do when deciding how I'll be testing a website.

Find Subdomains Using Google

I don't know why you'd do this instead of just using an automated tool. But here's how.

Using Google's "site:" filter, we can see some of the subdomains Google has discovered for a site.

[Image: subdomains with google]

We can then add the "-inurl:" filter to exclude the subdomains we've already found, allowing us to see more.

[Image: subdomains with google]

You can keep iterating like this until you run out of subdomains, or get bored and just use an automatic tool instead. There are hundreds of decent subdomain enumeration tools, so instead of just dumping a bunch of them on you, I'll list only the ones I regularly use. Please don't yell at me if I missed your favorite!

Disclaimer: some of these tools brute-force names and will trigger alarms. Alarms can be fine in some cases, but not ideal in others.

Censys.io

Censys.io is a pretty awesome tool that gives you a lot of information about a website. It can be used to potentially find subdomains with the following search string: https://censys.io/certificates?q=.examplesite.com

[Image: subdomains with censys.io]

There's also a decent tool on Github for automatically finding subdomains with Censys.io certificates.
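To show what the certificate-search approach yields once you have the records in hand, here is an added example (my code, not the post's and not Censys.io's) that pulls candidate subdomains out of a certificate search result. It assumes the result is a JSON list of records whose `name_value` field lists one certificate name per line, which is the shape crt.sh uses for its JSON output; the records in `SAMPLE_RESPONSE` are constructed and nothing here touches the network.

```python
"""Pull candidate subdomains out of certificate search results.

Added example, not code from the original post or from Censys.io.
SAMPLE_RESPONSE is constructed; its shape (a JSON list of records whose
"name_value" field lists one certificate name per line) mirrors crt.sh's
JSON output, but nothing here touches the network.
"""
import json
import re

# Constructed sample of what a certificate search for a root domain can return.
SAMPLE_RESPONSE = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt", "name_value": "www.examplesite.com\nexamplesite.com"},
    {"issuer_name": "C=US, O=Let's Encrypt", "name_value": "dev.examplesite.com"},
    {"issuer_name": "C=US, O=DigiCert", "name_value": "*.examplesite.com\nstaging.examplesite.com"},
    {"issuer_name": "C=US, O=DigiCert", "name_value": "API.ExampleSite.com."},
    # Look-alike names that must NOT be treated as subdomains of examplesite.com
    {"issuer_name": "C=US, O=Other", "name_value": "notexamplesite.com\nexamplesite.com.evil.test"},
])

# One DNS label per segment: letters, digits, hyphens, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")


def normalize(name):
    """Lower-case, trim whitespace and a trailing dot so the same host compares equal."""
    return name.strip().lower().rstrip(".")


def subdomains_from_certs(response_json, root):
    """Return the sorted set of concrete hosts under `root` named by the certificates."""
    root = normalize(root)
    found = set()
    for record in json.loads(response_json):
        for raw in record.get("name_value", "").split("\n"):
            name = normalize(raw)
            if not name or name.startswith("*."):
                continue  # wildcard entries name no concrete host
            if name == root or not name.endswith("." + root):
                continue  # the root itself, or a look-alike / unrelated name
            if HOSTNAME_RE.match(name):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for host in subdomains_from_certs(SAMPLE_RESPONSE, "ExampleSite.com"):
        print(host)
```

The suffix check is done against `"." + root` rather than `root` alone so that look-alikes such as `notexamplesite.com` are not counted; a wildcard entry is skipped because it names no host, but seeing one is itself a hint that more hosts exist than the certificate logs spell out.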

Pentest-Tools

Pentest-Tools is another web app that finds subdomains. It's pretty easy to use - just type in the root domain and hit scan.

[Image: subdomains with pentest-tools]

Aquatone

Aquatone-discover is one of my favorite subdomain tools. It takes a bit of time to run, but it's generally pretty robust and will yield a lot of results. Usually, I'll run Aquatone-discover first, and then get the other tools going while I wait for Aquatone to finish.

Sublist3r

Sublist3r is seriously amazing. Sublist3r uses open-source intelligence to find subdomains and will usually give you results within minutes. It's great for when you're itching to get started. By the time my other tools are done running, I've usually already taken a quick look at all the domains Sublist3r has given me.

Scavenging

Face it - you're probably not the best hacker out there. Anything you're doing, someone else might have already done better.

One of the things I like to try is Googling "site:github.com hosts example.com", or just "site:github.com" with one or two subdomains that I've already discovered. If you're lucky, someone has probably already made a dump of subdomains for the site you're testing (or unlucky, if this is a site you own).

[Image: subdomains with scavenging]

Apart from searching on GitHub, Pastebin can have results too. This is a great way to save yourself a bit of effort if you're doing bug bounties where many pentesters have already checked out the site.

Putting it All Together

If you're a web developer and have subdomains, running scans on your website is a great way to check how exposed you are. Don't assume that no one will find your subdomains just because you've configured your robots.txt.

If you're a pentester, this is a vital step to understanding the attack surface of your target. If you're doing bug bounties with wide scopes, sometimes it's worthwhile to even ignore the official domain altogether and only focus your efforts on the subdomains.
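As an added example of the exposure check described here (not code from the post or from any of the tools above), the script below merges the raw output of several enumerators, normalizes the hostnames, and diffs them against the inventory of subdomains a team believes it runs. `TOOL_OUTPUT`, `APPROVED_INVENTORY`, the hostnames and the function names are all constructed; in practice you would read each tool's result file and your own DNS or asset inventory.

```python
"""Diff what enumeration tools found against the subdomains you know you run.

Added example, not the post's own code nor any enumeration tool's.
TOOL_OUTPUT and APPROVED_INVENTORY are constructed; in practice you would
read each tool's result file and your own DNS / asset inventory.
"""

# Constructed: raw result text from several enumerators, as it comes off disk
# (mixed case, trailing dots, blank lines, wildcard entries).
TOOL_OUTPUT = {
    "sublist3r": "www.examplesite.com\nDev.examplesite.com\nmail.examplesite.com\n",
    "aquatone": "www.examplesite.com\ndev.examplesite.com\nold-staging.examplesite.com\n\n",
    "censys": "www.examplesite.com.\napi.examplesite.com\n*.examplesite.com\n",
}

# Constructed: the subdomains the team deliberately operates.
APPROVED_INVENTORY = {
    "www.examplesite.com",
    "api.examplesite.com",
    "mail.examplesite.com",
    "vpn.examplesite.com",
}


def normalize(name):
    """Lower-case, trim whitespace and a trailing dot so the same host compares equal."""
    return name.strip().lower().rstrip(".")


def merge_results(tool_output, root):
    """Map each discovered host under `root` to the set of tools that reported it."""
    root = normalize(root)
    seen = {}
    for tool, text in tool_output.items():
        for line in text.splitlines():
            host = normalize(line)
            if not host or host.startswith("*.") or not host.endswith("." + root):
                continue  # blank line, wildcard, or a name outside the root domain
            seen.setdefault(host, set()).add(tool)
    return seen


def exposure_report(tool_output, inventory, root):
    """Split findings into hosts nobody owns up to, and inventory entries no tool saw."""
    discovered = merge_results(tool_output, root)
    known = {normalize(h) for h in inventory}
    unknown = {h: sorted(tools) for h, tools in discovered.items() if h not in known}
    not_found = sorted(known - set(discovered))
    return {
        "discovered": len(discovered),
        # reachable from outside but missing from the inventory: investigate first
        "unknown": unknown,
        # in the inventory but no tool saw it: stale entry, or genuinely internal-only
        "not_found_by_tools": not_found,
    }


if __name__ == "__main__":
    report = exposure_report(TOOL_OUTPUT, APPROVED_INVENTORY, "examplesite.com")
    print(f"{report['discovered']} hosts discovered")
    for host, tools in report["unknown"].items():
        print(f"  NOT IN INVENTORY: {host}  (seen by {', '.join(tools)})")
    for host in report["not_found_by_tools"]:
        print(f"  inventory entry no tool found: {host}")
```

The "unknown" list is the one that matters for the developer case in this section: those are the dev and staging hosts the tools can see and the team had forgotten about. The "not found by tools" list is worth a glance too, since an inventory entry nothing can resolve is usually either decommissioned or internal-only, and the inventory should say which.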

Happy hacking!


Top comments (11)

Gijo Varghese

I also open robots.txt to find out what they're hiding 😂🤣

Kat Maddox

Always a favorite! 🤣

edA‑qa mort‑ora‑y

Aquatone and Sublist3r's scanning could trigger alarms on some systems. It is seen as a brute-force attack, or potential denial of service attack.

If you're on an internal network you can also use DNS tools. Usually sub-domain record transfer is disabled (I forget the technical term), but if doing an internal audit perhaps you can have a machine that allows it.

Kat Maddox

Good point on the alarms! I kinda assume someone is doing a bug bounty or testing their own server, so alarms aren't a big deal. But if you're pentesting for a client (or doing something naughty) then alarms should be considered. I'll add in a quick disclaimer.

Jabhatt

That’s true. Then you can try something like spyse.com. They already did everything for you. But still, sometimes you need to run the process yourself, you’ll just need a proxy to do that.
Also, as far as I know, guys from spyse are going to add an opportunity to scan all those things with the help of their service.

GTB3NW

You're doing it the hard way!

crt.sh with a wildcard to search for any issued certificates, then dnsdumpster for a free review of censys scans to get any domains mentioned in headers or self signed certs exposed to the internet.

Kat Maddox

Thanks for the tip! I'll look into that and update the post.

Rob McFadzean

Don't forget utilising tools like VirusTotal. You'll probably find most there and won't trigger alarms.

virustotal.com/#/domain/yahoo.com

Mark

Censys and pentest-tools will not show you all subdomains, especially of government-related websites. Google.com is not indexing a lot of hidden parts. For me, spyse is a golden mean.

Vincent Milum Jr

This is why each of my development servers has a hard-coded list of approved CIDRs that can access them. ACLs are neat!
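An added example of the approved-CIDR check this comment describes (my code, not the commenter's configuration): it matches client addresses against an allowlist with Python's standard `ipaddress` module and audits the list for entries so broad they stop restricting anything. `APPROVED_CIDRS`, the sample client addresses and the `MIN_PREFIXLEN` thresholds are constructed assumptions.

```python
"""Approved-CIDR access check for a development server, plus an audit of the list.

Added example, not the commenter's configuration. APPROVED_CIDRS, the sample
client addresses and the MIN_PREFIXLEN thresholds are constructed assumptions.
"""
import ipaddress

# Constructed: the networks the dev server is meant to answer to. These are
# documentation ranges (RFC 5737 / RFC 3849), so nothing here is a real site.
APPROVED_CIDRS = ["203.0.113.0/24", "198.51.100.10/32", "2001:db8:1::/48"]

# Any prefix shorter than this is treated as "no longer restricting anything".
# The cut-offs are an assumption; tune them to your own allocations.
MIN_PREFIXLEN = {4: 16, 6: 32}


def parse_allowlist(cidrs):
    """Parse once at start-up; strict=True makes a mistyped entry such as
    203.0.113.5/24 raise instead of silently becoming a different network."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_allowed(client_ip, allowlist):
    """True only if the address lies inside at least one approved network.
    An empty list denies everyone (fail closed), and so does an unparsable address."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def overly_broad(allowlist):
    """Entries whose prefix is shorter than the family's threshold, e.g. 0.0.0.0/0
    or ::/0, which would open the server to the whole internet."""
    return [str(net) for net in allowlist if net.prefixlen < MIN_PREFIXLEN[net.version]]


def decide(client_ips, cidrs):
    """Map each client address to its allow/deny decision."""
    allowlist = parse_allowlist(cidrs)
    return {ip: is_allowed(ip, allowlist) for ip in client_ips}


if __name__ == "__main__":
    # Constructed sample of source addresses seen at the dev server.
    sample_clients = ["203.0.113.7", "198.51.100.10", "198.51.100.11",
                      "2001:db8:1::5", "192.0.2.1", "not-an-ip"]
    for ip, ok in decide(sample_clients, APPROVED_CIDRS).items():
        print(f"{ip:>16}  {'allow' if ok else 'deny'}")
    print("overly broad entries:",
          overly_broad(parse_allowlist(APPROVED_CIDRS + ["0.0.0.0/0"])))
```

Two design points worth copying into a real ACL: parse the list strictly so a typo fails at start-up rather than at request time, and make an empty or unparsable input deny rather than allow. The `overly_broad` audit is what catches the list that still looks like an ACL but has had a catch-all appended to it.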

Hassam Ali

Is it possible to use nslookup for finding subdomains?