
Thread: how to find all the sub-domains of a website without missing a single sub-domain?

  1. #1

    how to find all the sub-domains of a website without missing a single sub-domain?


  2. #2
    Hi cruxy,

    Generally for finding sub-domains of any particular website, I usually try these 2 things:

    1. Search the domain on Wolfram Alpha and in the search results, it has the option to see the sub-domains of the website. (However, it might not list all of them)
    2. Trying popular/common sub-domains i.e. dictionary attack sort of thing. For that, you might wanna check this nice script -> https://github.com/TheRook/subbrute

    Thanks.

  3. #3
    Some more small tricks...

    1. In google.com: site:www.site.com -www

    2. Try Maltego

    3. ping and Bing (doesn't always work...)

    4. As said above, scripts will also help you out: https://code.google.com/p/dnsenum/


  4. #4
    Use the Acunetix subdomain scanner, goohost in BackTrack, or Bing with domain:site.com.

  5. #5
    And if you have some luck, try to do a "zone transfer" (dig -AXFR domain.com). More information here: https://en.wikipedia.org/wiki/DNS_zone_transfer.

  6. #6
    Actually...

    The Perl script named dnsenum does it well.
    It comes with BackTrack / Kali by default. (/pentest/enumeration/dns/dnsenum)
    It might take time... but it would rarely miss any.

    It can try a DNS zone transfer and a wordlist attack against the domain using the usual subdomains.
    It can look up Google for subdomains (same as using the "site:" dork).
    It can also take the whole netrange from the whois result and try reverse DNS resolution one by one.
    And... it can do it all in one shot!

    Try it with Google; you will see a wide bunch of Google services and internal domains you did not know about.

    - Narcissus

  7. #7
    Or write your own simple bash 'domain scanner' (using for and host).
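    The "loop over a wordlist and resolve each name" scanner that the last reply describes, written out as an added example (it is not code from this thread or from any of the tools mentioned above). It is in Python rather than bash so that the resolver can be swapped for an offline stand-in, and it handles the one failure mode a wordlist scan hits most often when you inventory your own zone: a wildcard record that makes every label resolve, which would otherwise turn the whole wordlist into false hits. The names `scan_subdomains`, `wildcard_addresses`, `system_resolver` and the `FAKE_ZONE` data are all constructed for this example; `example.test` and the 192.0.2.x addresses are documentation ranges, not real hosts.

```python
import random
import socket
import string
from typing import Callable, Dict, Iterable, Set

# A resolver maps a hostname to the set of IPv4 addresses it resolves to,
# or an empty set when the name does not exist. (Hypothetical type alias.)
Resolver = Callable[[str], Set[str]]


def system_resolver(name: str) -> Set[str]:
    """Resolve through the OS resolver, like `host` inside a bash for-loop."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def wildcard_addresses(domain: str, resolve: Resolver, probes: int = 2) -> Set[str]:
    """Resolve a few random labels under the domain.

    If the zone has a wildcard record, these nonsense labels resolve too, and
    every wordlist entry that resolves to the same addresses is noise rather
    than a real subdomain.
    """
    found: Set[str] = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase, k=16))
        found |= resolve(f"{label}.{domain}")
    return found


def scan_subdomains(domain: str, words: Iterable[str],
                    resolve: Resolver = system_resolver) -> Dict[str, Set[str]]:
    """Return {fqdn: addresses} for every wordlist entry that resolves
    to something other than the zone's wildcard answer."""
    wildcard = wildcard_addresses(domain, resolve)
    hits: Dict[str, Set[str]] = {}
    for word in words:
        word = word.strip().lower()
        if not word or word.startswith("#"):   # skip blanks and comments
            continue
        fqdn = f"{word}.{domain}"
        addrs = resolve(fqdn)
        if not addrs:
            continue
        if wildcard and addrs <= wildcard:     # only the wildcard answered
            continue
        hits[fqdn] = addrs
    return hits


# Constructed sample zone so the example runs offline; not real DNS data.
FAKE_ZONE = {
    "www.example.test": {"192.0.2.10"},
    "mail.example.test": {"192.0.2.20"},
    "dev.example.test": {"192.0.2.30"},
}


def fake_resolver(name: str) -> Set[str]:
    """Offline stand-in for system_resolver backed by FAKE_ZONE."""
    return set(FAKE_ZONE.get(name, set()))


def wildcard_resolver(name: str) -> Set[str]:
    """Offline stand-in for a zone with a wildcard: every label under
    example.test answers 192.0.2.99 except the one real host, www."""
    if name == "www.example.test":
        return {"192.0.2.10"}
    if name.endswith(".example.test"):
        return {"192.0.2.99"}
    return set()


# Constructed wordlist, in the shape a small dictionary file would have.
WORDLIST = ["www", "mail", "ftp", "dev", "# comment line", "", "VPN"]

if __name__ == "__main__":
    for fqdn, addrs in sorted(scan_subdomains("example.test", WORDLIST, fake_resolver).items()):
        print(fqdn, ",".join(sorted(addrs)))
    # Against a real zone you administer, pass system_resolver (the default)
    # and a proper wordlist file instead of the constructed data above.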
