
Domain Finder


Discover the domain names owned by a company and map its attack surface.



Sample Domain Finder report

Here is a sample report from our Domain Finder that gives you a taste of how our tools save you time and reduce repetitive manual work.

  • Contains the domain names associated with the target domain.

  • Includes additional information such as: company name, contact email addresses.

  • Each result has a certainty score which indicates its level of accuracy.


Use Cases for Domain Finder

Domain Finder allows you to discover the domains associated with a target domain and to determine the attack surface of a target organization. Use it to find systems that are less protected and more vulnerable to attacks.

  • Discover Attack Surface

    The domain names owned by an organization are the starting point for discovering its attack surface. Development, test, backup or less-known applications are usually hosted on different domain names of the organization, and they can be easy targets for attackers.

  • Asset Inventory

    This tool helps you perform an inventory of your domain names, including resources currently exposed to the Internet. Taking stock of domains can indicate which unused resources are worth decommissioning to decrease your workload.

  • Real-Time Discovery

    The Domain Finder tool provides real-time results, with no caching mechanism used, so you always get up-to-date findings. Even though this is a slower approach, the results you get are very fresh and highly accurate.

Better vulnerability discovery. Faster pentest reporting.

Get instant access to custom vulnerability scanners and automation features that simplify the pentesting process and produce valuable results. The platform helps you cover all the stages of an engagement, from information gathering to website scanning, network scanning, exploitation and reporting.


Technical details

Domain names are Internet resources assigned to various companies around the world. A company can own multiple domain names, which can be used for various purposes of the business (e.g. for the main website, for a client portal, for supplier applications, etc.).

Finding all the domain names owned by a company is an important step in the information gathering phase of a penetration test or during bug bounty activities. This is because these associated domains could expose resources of the company which are less secure than the ones sitting on the main domain.

For example, some of the associated domains for facebook.com are:

  • facebook.net
  • fbcdn.net
  • fb.com
  • messenger.com
  • fbsbx.com

As a result, exploring the attack surface from the additional domains could be a fruitful path during pentesting or bug bounty.


  • Domain name: The target domain name (e.g. oracle.com, yahoo.com, etc.) that will be searched for associated domains
  • SSL Certificates: Searches Certificate Transparency logs for certificates having the target domain as alt name
  • BuiltWith: Searches BuiltWith relationships (e.g. Google Analytics tags) for potentially related domains
  • Reverse Whois: Finds the company and contact email of the target domain with a Whois lookup and then does a reverse lookup on them
  • Minimum weight: The certainty (or the weight) that a domain should have in order to remain in the final list of results

How it works

The tool assigns a certain weight to each result to validate its correctness. Validation uses these factors to determine accuracy:

  • The organization name found in the SSL certificate, as well as the number of certificates linking the two compared domains
  • The number of BuiltWith relationships and duration of those relationships
  • Matching Whois records (companies, emails)
  • Domain name similarity (e.g. amazon.de/amazon.com)
  • Redirect history: checks if the found domain redirects to the base domain or vice versa (e.g. gmail.com -> mail.google.com)
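
The weighting idea for an inventory of your own domains, as an added sketch that is not Pentest-Tools.com's code. The weights, function names and sample certificates are assumptions constructed for illustration, and only the certificate-link, organization-name and name-similarity factors from the list above are modelled.

```python
from collections import defaultdict

# Hypothetical weights; the page does not publish the tool's real scoring.
W_CERT_LINK, W_CERT_CAP = 20, 60  # per certificate naming both domains, capped
W_ORG_MATCH = 25                  # certificate organization is the expected one
W_NAME_SIMILAR = 15               # same label, other TLD (amazon.de/amazon.com)


def registrable(host):
    """Naive registrable domain: the last two labels. Assumption: no
    multi-label suffixes (co.uk); real code needs the Public Suffix List."""
    labels = host.lower().lstrip("*.").rstrip(".").split(".")
    return ".".join(labels[-2:])


def associated_domains(target, org, certs, min_weight=40):
    """Return {domain: weight} for domains that share certificates with target."""
    links, org_seen = defaultdict(int), set()
    for cert in certs:
        domains = {registrable(name) for name in cert["sans"]}
        if target not in domains:
            continue  # the target is not an alt name on this certificate
        for other in domains - {target}:
            links[other] += 1
            if (cert.get("org") or "").casefold() == org.casefold():
                org_seen.add(other)
    results = {}
    for domain, count in links.items():
        weight = min(count * W_CERT_LINK, W_CERT_CAP)
        weight += W_ORG_MATCH if domain in org_seen else 0
        if domain.split(".")[0] == target.split(".")[0]:
            weight += W_NAME_SIMILAR
        if weight >= min_weight:  # the "minimum weight" cut-off
            results[domain] = weight
    return results


# Constructed sample records, shaped like simplified Certificate Transparency hits.
SAMPLE_CERTS = [
    {"org": "Example Corp", "sans": ["example.com", "www.example.com", "example.net"]},
    {"org": "Example Corp", "sans": ["*.example.com", "example.net", "example.de"]},
    {"org": None, "sans": ["example.com", "shared-cdn.test"]},  # shared-hosting cert
    {"org": "Other Ltd", "sans": ["unrelated.test", "example.net"]},
]

if __name__ == "__main__":
    print(associated_domains("example.com", "Example Corp", SAMPLE_CERTS))
```

The shared-hosting certificate links `shared-cdn.test` to the target only once and without an organization match, so it falls below the cut-off; lowering `min_weight` brings such weak links back into the list for manual review.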