Subdomain Finder

About this tool

Discover subdomains and determine the attack surface of an organization.

Finding subdomains is an important step in the information-gathering phase of a penetration test. Subdomains are interesting because they point to various (less-known) applications and indicate different external network ranges used by the target company.

For instance, subdom1.company.com points to IP 1.1.1.1 and subdom2.company.com points to IP 2.2.2.2. Now you know two different IP ranges possibly owned by your target organization and you can extend the attack surface.

Furthermore, subdomains sometimes host 'non-public' applications (e.g. test, development, restricted) which are usually less secure than the public/official applications so they can be the primary attack targets.

Parameters

  • Domain name: The target domain name (e.g. oracle.com, yahoo.com), which will be searched for subdomains.

  • DNS enumeration wordlist: Choose your own wordlist or pick one of the default ones; each entry is tried as a subdomain in the DNS enumeration method in order to uncover new subdomains.

  • Include IP information: This option instructs the tool to do whois queries to determine the network owner and country for each IP address.

  • Detect web technologies: This option instructs the tool to try to find more details about each extracted subdomain, such as: OS, Server, Technology, Web Platform and Page Title.

  • Include unresolved subdomains: Unresolved subdomains found by the tool are kept in the result list, but without an IP address.

How it works

This tool uses multiple techniques to find subdomains such as:

  • Search Historical Subdomains in our database of cached subdomains

  • DNS records (NS, MX, TXT, AXFR)

  • DNS enumeration based on a specially chosen wordlist

  • Public search engine queries

  • Word mutation techniques

  • Searching in SSL certificates

  • Parsing HTML links

  • Reverse DNS on target IP ranges

  • Generating permutations and alterations of the subdomain names found so far in the scan

  • Searching in CNAME records
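The word mutation and permutation steps above (altering names already found to produce new candidates for the DNS enumeration step) can be illustrated with the following added example. It is not the tool's own code; the word list and the seed names are constructed, and the separators and numeric-increment rules are assumptions about what such a step does.

```python
import re
from typing import Iterable, Set

# Constructed sample word list (assumption: a real tool loads the user's wordlist instead).
MUTATION_WORDS = ["dev", "test", "staging", "admin"]
SEPARATORS = ("", "-", ".")
# Syntactically valid DNS label: alphanumerics and hyphens, no leading/trailing hyphen, <= 63 chars.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def labels_below(fqdn: str, domain: str) -> list:
    """Labels of fqdn that sit below domain: 'api.eu.example.com' -> ['api', 'eu']."""
    suffix = "." + domain.lower()
    fqdn = fqdn.lower().rstrip(".")
    if not fqdn.endswith(suffix):
        raise ValueError(f"{fqdn} is not under {domain}")
    return fqdn[: -len(suffix)].split(".")


def mutate(fqdn: str, domain: str, words: Iterable[str] = MUTATION_WORDS) -> Set[str]:
    """Alterations of one discovered name: numeric increments of the leftmost
    label (api -> api1, api2; api1 -> api2, api3) and each word glued to the
    leftmost label with '', '-' or as a separate label ('.')."""
    head, *rest = labels_below(fqdn, domain)
    m = re.match(r"^(.*?)(\d+)$", head)
    base, num = (m.group(1), int(m.group(2))) if m else (head, 0)
    heads = {f"{base}{num + 1}", f"{base}{num + 2}"}
    for w in words:
        for sep in SEPARATORS:
            heads.add(f"{w}{sep}{head}")
            heads.add(f"{head}{sep}{w}")
    out = set()
    for h in heads:
        name = ".".join([h, *rest, domain.lower()])
        # Drop anything that is not a syntactically valid hostname, and the seed itself.
        if all(LABEL_RE.match(lbl) for lbl in name.split(".")) and name != fqdn.lower():
            out.add(name)
    return out


def expand(found: Iterable[str], domain: str, words: Iterable[str] = MUTATION_WORDS) -> Set[str]:
    """Apply mutate() to every name found so far and return only new candidates;
    the caller then hands these to the DNS enumeration step for resolution."""
    known = {f.lower() for f in found}
    candidates = set()
    for f in known:
        candidates |= mutate(f, domain, words)
    return candidates - known
```

Candidates that do not resolve are exactly what the "Include unresolved subdomains" option keeps in the result list without an IP address.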