How To Find Sub-domains Using subbrute Tool

Hi all. In this article we will see how to easily find the sub-domains of a target domain.
Hackers generally use this tool in bug bounty programs, where they try to find the sub-domains of a given target domain in order to find bugs.

Before going deeper, let's first understand what a subdomain is.

What is a Subdomain?




A subdomain is a subdivision of a domain that is used to separate different areas of your website. Most websites use different subdomains to switch language according to the user's language.

If a site supports different languages, then English-speaking users are directed to the English pages and served there; the same happens for other languages and countries.

Example:- blog.google.com, groups.google.com and sites.google.com

Where
blog = blogging
groups = for Google Groups
sites = for Google Sites

NOTE:-
A subdomain is also called a third-level domain. Subdomains are like the folders in your root directory, but are accessed through a different URL.

Example:- www.website.com

Subdomain:-

1) services.website.com
2) blog.website.com

.com is the first-level domain, website is the second-level domain, and blog and services are the third-level domains.

So let's see how to find the different sub-domains of a site:

There are multiple tools and Google search engine techniques to find sub-domains, such as:
The Harvester, DNSMAP, Fierce, Subbrute and many more.

Out of all the above tools, we will see how to find sub-domains using subbrute. While testing I always prefer to use Subbrute, and the reasons are:

  • Subbrute has been used by pentesters for over 3 years and has not lost its place, because the tool uses multi-threading with the Python engine.
  • This tool also contains a large list of real sub-domains that you will find in the wild. Basically we were fed up with Fierce / fierce2 and every other tool we used, so we found something way faster in Python.
  • This tool will not only brute force sub-domains, it will also gather information about them.
  • By default this tool does subdomain enumeration about 8 times faster than Fierce, and can chew through 31k lookups in about 5 minutes on a normal connection. A notable improvement over every other
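
The multi-threaded word-list lookup described above, as an added example (not subbrute's code and not from the original article), written the way you might inventory hosts under a domain you administer. It also filters out wildcard DNS answers, which otherwise make every guessed name look like a hit, and returns the IP addresses of each host found. The function names, the resolver hook, the word list and the example.test zone are constructed so the block runs offline.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

def system_resolver(name):
    """Return the set of IPv4 addresses for name (empty set if it does not resolve)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def enumerate_subdomains(domain, words, resolve=system_resolver, threads=8):
    """Try word.domain for every word; return {hostname: sorted IP list} for real hits."""
    # Wildcard check: this label should not exist. If it still resolves, the zone
    # answers for every name, so those addresses are not evidence of a real host.
    # (Trade-off: a real host that shares the wildcard address is also dropped.)
    wildcard_ips = resolve("zz-no-such-host-7f3a." + domain)
    names = [f"{w.strip().lower()}.{domain}" for w in words if w.strip()]
    # Lookups are I/O bound, so a thread pool gives most of the speed-up.
    with ThreadPoolExecutor(max_workers=threads) as pool:
        answers = list(pool.map(resolve, names))
    found = {}
    for name, ips in zip(names, answers):
        real = ips - wildcard_ips
        if real:
            found[name] = sorted(real)
    return found

# Constructed sample zone (documentation address ranges), used instead of live DNS.
SAMPLE_ZONE = {
    "www.example.test": {"192.0.2.10"},
    "blog.example.test": {"192.0.2.20"},
    "services.example.test": {"192.0.2.20", "192.0.2.21"},
}
WILDCARD_IPS = {"198.51.100.1"}  # constructed: what "*.example.test" answers with

def sample_resolver(name):
    """Offline stand-in for DNS: known hosts, wildcard answer for anything else."""
    if name in SAMPLE_ZONE:
        return SAMPLE_ZONE[name]
    return WILDCARD_IPS if name.endswith(".example.test") else set()

if __name__ == "__main__":
    words = ["www", "blog", "mail", "services"]  # constructed word list
    for host, ips in enumerate_subdomains("example.test", words, sample_resolver).items():
        print(host, ", ".join(ips))
```

Leaving out the `resolve` argument makes the function use the system resolver instead of the constructed zone.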

You can install subbrute either on a Windows machine or on Kali Linux, so let's see how to use subbrute on each.

Set up on a Windows machine

Step 1: Download subbrute on Windows from here

Step 2: Make sure you have Python and dnspython installed on your machine

Step 3: After installation, go to the directory where you unzipped subbrute. In my case it is
        C:\Users\Nile$h\Desktop\Sub-domain Takeover_Tool_study\subbrute-master\windows

Fig 1: File location of subbrute.exe

Step 4: Now hold Ctrl + Shift, right-click, and click "Open command window here"

Fig 2: Opening command prompt on subbrute installed path

Step 5: Opening the command prompt

Fig 3: Opening command prompt

Step 6: Now execute the command as follows: subbrute.exe target.com
        In our case, say we are finding the sub-domains of the Facebook site; then the command would be
        subbrute.exe facebook.com

Fig 4: Finding Facebook sub-domains


Set up on Kali Linux

Step 1: Download subbrute on Kali Linux from here

Step 2: Unzip the downloaded file

Fig 5: Unzip the subbrute-master zip file

Step 3: Go to the location of the file i.e

Fig 6: Location of subbrute-master file

Step 4: Now execute the command as follows: ./subbrute.py target.com
        In our case, say we are finding the sub-domains of Google; then the command would be
        ./subbrute.py google.com

Fig 7: Finding Google sub-domains


I hope you learned something new. If you have any queries or doubts, you can comment or DM.

If you like my article then share it and subscribe. Thank you.




2 comments

13 November 2016 at 10:03

How will I get these sub-domain IP addresses?

13 November 2016 at 10:30

You can simply ping the respective sub-domain to get the IP address detail.
