This is a guide to discovering website subdomains. I’ll be going over the basics of what subdomains are, why you should be searching for them, and how to actually find them.
- Basic Linux/Unix commands
What are Subdomains?
On the surface, a subdomain is just an additional, prepended part to a domain name. In the example “dev.mytotallysecurewebsite.com”, “mytotallysecurewebsite.com” is the root domain and “dev” is the subdomain.
As a developer, creating subdomains allows you to make a totally independent site, but still use your root domain. For example, it’s common to create a subdomain where you test new features that aren’t ready to be deployed on the official website yet.
Development subdomains are often used to “hide” new and untested features. By just visiting mytotallysecurewebsite.com, an average user has no way of knowing that something like dev.mytotallysecurewebsite.com exists.
Why Should I Find Subdomains?
Usually, a development/testing subdomain is the developer’s dirty little secret. Many companies will put a lot of money and effort into making sure their root domain is as secure as possible, but then totally neglect their subdomains under the assumption that they’ll never be discovered.
But without proper controls such as firewalls, subdomains will eventually be found. You can’t hide anything from Google - or a particularly curious hacker.
If you’re a developer with “hidden” subdomains, it’s good practice to run your site against some subdomain enumerators. Because if you can find it, someone else probably already has.
As a pentester, subdomain enumeration is going to be a critical part of your reconnaissance. Subdomains are likely to contain A LOT more vulnerabilities than the root domain. Searching for subdomains is one of the first things I do when deciding how I’ll be testing a website.
Find Subdomains Using Google
I don’t know why you’d do this instead of just using an automated tool. But here’s how.
Using Google’s “site:” filter, we can see some of the subdomains Google has discovered for a site.
We can then add the “-inurl:” filter to exclude the subdomains we’ve already found, allowing us to see more.
You can keep iterating like this until you run out of subdomains, or get bored and just use an automatic tool instead. There are hundreds of decent subdomain enumeration tools, so instead of just dumping a bunch of them on you, I’ll list only the ones I regularly use. Please don’t yell at me if I missed your favorite!
Disclaimer: some of these tools are brute force and will trigger alarms. Alarms can be fine in some cases, but unideal in others.
Censys.io is a pretty awesome tool that gives you a lot of information about a website. It can be used to potentially find subdomains with the following search string: https://censys.io/certificates?q=.examplesite.com
There’s also a decent tool on Github for automatically finding subdomains with Censys.io certificates.
Pentest-Tools is another web app that finds subdomains. It’s pretty easy to use - just type in the root domain and hit scan.
Aquatone-discover is one of my favorite subdomain tools. It takes a bit of time to run, but it’s generally pretty robust and will yield a lot of results. Usually, I’ll run Aquatone-discover first, and then get the other tools going while I wait for Aquatone to finish.
Sublist3r is seriously amazing. Sublist3r uses open-source intelligence to find subdomains and will usually give you results within minutes. It’s great for when you’re itching to get started. By the time my other tools are done running, I’ve usually already taken a quick look at all the domains Sublist3r has given me.
Face it - you’re probably not the best hacker out there. Anything you’re doing, someone else might have already done better.
One of the things I like to try is Googling “site:github.com hosts example.com”, or just “site:github.com” with one or two subdomains that I’ve already discovered. If you’re lucky, someone has probably already made a dump of subdomains for the site you’re testing (or unlucky, if this is a site you own).
Apart from searching in Github, Pastebin can have results too. This is a great way to save yourself a bit of effort if you’re doing bug bounties where many pentesters have already checked out the site.
Putting it All Together
If you’re a webdev and have subdomains, runnings scans on your website is a great way to check how exposed you are. Don’t assume that no one will find your subdomains just because you’ve configured your robots.txt.
If you’re a pentester, this is a vital step to understanding the attack surface of your target. If you’re doing bug bounties with wide scopes, sometimes it’s worthwhile to even ignore the official domain altogether and only focus your efforts on the subdomains.