How to Find Subdomains using automation tools?
In this article, I am going to show you various methods and tools from which you can easily find the sub-domain of a domain.
Below are the multiple methods all bug bounty hunters and cyber security personnel use.
1. Finding Subdomain Using Amass | Subfinder
Here is a quick recon used by bug bounty hunters to find subdomains.
Code:
#!/bin/bash# $1 => example.domainamass enum --passive -d $1 -o domains_$1assetfinder --subs-only $1 | tee -a domains_$1subfinder -d $1 -o domains_subfinder_$1cat domains_subfinder_$1 | tee -a domains_$1sort -u domains_$1 -o domains_$1cat domains_$1 | filter-resolved | tee -a domains_$1.txt
This code will provide you the all subdomain of a main domain. In order to run this above code you
need to install a couple of tools in your system.
- https://github.com/OWASP/Amass
- https://github.com/projectdiscovery/subfinder
- https://github.com/tomnomnom/hacks/tree/master/filter-resolved
Source Link
Thanks, @TobiunddasMoe for the amazing tip.
2. VirusTotal Subdomain Finder
Virustotal is the website to analyze any domain. It is used to find suspicious files, malware, URLs.
Using this online tool you can find IP addresses, sub-domain, APIs, etc.
Step 1. Go to https://www.virustotal.com/gui/home/search
Step 2. Enter the Domain to find the subdomain. Example: google.com
Step 3: You will see four options, click on the RELATIONS tab
Step 4: Scroll down a little bit you will see the subdomain section. You will also be able to see the IP addresses of that subdomain.