Top Subdomain Scanner Tools for Bug Bounty
Subdomain enumeration is an important step in the reconnaissance process, so let's start with the obvious question: what is a subdomain? A subdomain is the part of a domain name that precedes the main (registered) domain and is used to organize or navigate different sections of a website. It functions as an extension of the main domain, often used to create separate areas within a website or system, each with a specific purpose. What, then, is subdomain enumeration?
Subdomain enumeration is the process of discovering subdomains associated with a domain. It's a common step in the reconnaissance phase of penetration testing or bug bounty hunting, as subdomains can expose additional services, applications, or infrastructure that may be vulnerable.
Here are some efficient tools for enumerating subdomains.
Sublist3r
Sublist3r is a Python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for their target domain. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask. Sublist3r also enumerates subdomains using Netcraft, VirusTotal, ThreatCrowd, DNSdumpster, and ReverseDNS.
- Download & Installation: Github
- Using Git (clone, install the Python dependencies, then run against the target domain):
git clone https://github.com/aboul3la/Sublist3r.git
cd Sublist3r
pip install -r requirements.txt
python sublist3r.py -d example.com
Amass
The OWASP Amass Project maps network attack surfaces and discovers external assets through open-source intelligence gathering and active reconnaissance methods.
- Download & Installation: Github
Subfinder
Subfinder is a tool designed to discover subdomains, utilizing passive online sources to return valid subdomains for websites. It boasts a straightforward, modular design and is fine-tuned for rapid performance. Dedicated solely to passive subdomain enumeration, Subfinder excels in this function.
- Download & Installation: Github
Assetfinder
To discover domains and subdomains associated with a specific domain, you can use this tool developed by the well-known Tom Hudson, also known as @tomnomnom.
- Download & Installation: Github
Findomain
Findomain offers a subdomain monitoring service featuring directory fuzzing, port scanning, and vulnerability discovery. It enables monitoring of target domains with tools like OWASP Amass, Sublist3r, Assetfinder, and Subfinder. It also provides alert notifications via Discord, Slack, Telegram, Email, or Push Notifications across various platforms such as Android, iOS, Smart Watches, and Desktops upon detecting new subdomains.
- Download & Installation: Github
Knockpy
Knockpy is a versatile and modular Python3 tool crafted for the rapid enumeration of subdomains on a target domain via passive reconnaissance and dictionary scanning.
- Download & Installation: Github
Recon-ng
Recon-ng features a user interface similar to the Metasploit Framework, which eases the learning process for those familiar with the framework. However, Recon-ng is distinct in its purpose. It is not meant to rival other frameworks but is specifically tailored for web-based open-source reconnaissance. For exploitation purposes, one should utilize the Metasploit Framework, while for social engineering, the Social-Engineer Toolkit is the appropriate choice.
- Download & Installation: Github
SubDomainizer
SubDomainizer is a tool designed to discover hidden subdomains and secrets within webpages, Github, and external JavaScript files associated with a specified URL. This tool also identifies S3 buckets, CloudFront URLs, and more within those JavaScript files, which could reveal intriguing details such as open S3 buckets with read/write permissions, or potential subdomain takeovers, similar to cases with CloudFront. Additionally, it can scan within a specified folder containing your files.
- Download & Installation: Github
crt.sh
crt.sh is a straightforward but effective web service that uses Certificate Transparency logs to discover subdomains. It searches the SSL/TLS certificates recorded in those logs for names matching a domain and returns the domain names and subdomains found in the issued certificates, giving a comprehensive list that does not depend on DNS or search engines.
- Website: crt.sh | Certificate Search
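As an added example (not code from the post or from crt.sh), the following parses the JSON that crt.sh returns and turns it into a clean list of in-scope hostnames. The records below are constructed by hand; the query URL in the comment is the documented crt.sh endpoint, but the certificate data is made up.

```python
"""Parse crt.sh JSON output into a clean, deduplicated list of subdomains."""
import json

# Constructed sample of the JSON crt.sh returns (the records are made up).
# A real query would be https://crt.sh/?q=%25.example.com&output=json ;
# each record carries the certificate's common name and its SAN names,
# newline-separated, in "name_value".
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\napi.dev.example.com"},
    {"common_name": "mail.example.com",
     "name_value": "MAIL.example.com\nexample.com.lookalike.net"},
])


def extract_subdomains(crtsh_json: str, domain: str) -> list[str]:
    """Return sorted, unique hostnames under `domain` found in crt.sh output.

    Handles the quirks that bite in practice: name_value packs several SANs
    separated by newlines, names may be mixed-case, wildcard entries such as
    *.dev.example.com are reduced to their base label (dev.example.com) so
    they feed a resolver cleanly, and names that merely contain the domain
    string (look-alike domains) are excluded.
    """
    suffix = "." + domain.lower()
    found = set()
    for record in json.loads(crtsh_json):
        names = record.get("name_value", "").split("\n")
        names.append(record.get("common_name", ""))
        for name in names:
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            # Keep only hosts strictly under the target domain; the apex
            # itself and look-alike domains do not end with ".example.com".
            if name.endswith(suffix):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for host in extract_subdomains(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

The output of this pass is a candidate list, not proof that the hosts exist: names from old or wildcard certificates still have to be resolved before they count as live assets.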
PureDNS
Puredns is a rapid domain resolver and subdomain bruteforcing tool adept at precisely filtering out wildcard subdomains and DNS poisoned entries. It employs massdns, an efficient stub DNS resolver, for conducting bulk lookups. Given adequate bandwidth and a robust list of public resolvers, it can resolve millions of queries within minutes. However, the quality of massdns results is contingent upon the reliability of the public resolvers' responses, which are frequently marred by incorrect DNS answers and false positives due to wildcard subdomains.
- Download & Installation: Github
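The wildcard problem described above, as an added example in the spirit of puredns (not puredns code): resolve a few random labels under each parent to learn the wildcard answer, then drop candidates whose answers are fully explained by it. The resolver is an in-memory stand-in for massdns so the code runs offline; every name and IP in it is constructed.

```python
"""Wildcard filtering in the spirit of puredns, over an in-memory resolver."""
import secrets

# Constructed resolver view (names and IPs are made up): hostname -> A records.
# "*.example.com" is the answer the zone gives any label that is not defined.
FAKE_ZONE = {
    "www.example.com": {"93.184.216.34"},
    "api.example.com": {"203.0.113.10"},
    "mail.example.com": {"198.51.100.5"},
    "*.example.com": {"203.0.113.200"},
    # Resolves only because of the wildcard: a false positive in a wordlist scan.
    "staging.example.com": {"203.0.113.200"},
}


def resolve(name: str) -> set[str]:
    """Stand-in for massdns: exact record first, else the parent's wildcard."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    parent = name.split(".", 1)[1]
    return FAKE_ZONE.get("*." + parent, set())


def wildcard_answers(parent: str, probes: int = 3) -> set[str]:
    """Resolve random labels under `parent`; whatever comes back is wildcard."""
    ips: set[str] = set()
    for _ in range(probes):  # several probes guard against round-robin answers
        ips |= resolve(f"{secrets.token_hex(6)}.{parent}")
    return ips


def filter_wildcards(candidates: list[str]) -> list[str]:
    """Keep candidates whose answers are not fully explained by the wildcard."""
    kept, cache = [], {}
    for name in candidates:
        parent = name.split(".", 1)[1]
        if parent not in cache:
            cache[parent] = wildcard_answers(parent)
        answers = resolve(name)
        # Unresolvable names (empty set) and wildcard-only answers are dropped.
        if answers and not answers <= cache[parent]:
            kept.append(name)
    return kept
```

puredns additionally re-checks survivors against trusted resolvers to weed out poisoned answers from public resolvers; this example covers only the wildcard part.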
Ffuf
FFUF, an acronym for 'Fuzz Faster U Fool,' is an open-source web fuzzer developed in Go that offers speed and flexibility. It is widely utilized for various tasks such as discovering content, enumerating subdomains, and brute-forcing directories. Due to its high efficiency and customizability, FFUF has become a favored tool among penetration testers and bug bounty hunters.
- Download & Installation: Github
GoBuster
Gobuster is a versatile tool designed for brute-forcing various targets, including URIs (directories and files) on websites, DNS subdomains with wildcard support, virtual host names on web servers, as well as identifying open Amazon S3 buckets, Google Cloud buckets, and TFTP servers.
- Download & Installation: Github