About the Find Subdomains tool
The Find Subdomains tool allows you to discover subdomains of a target domain and to view the attack surface of a target organization.
Finding subdomains is useful in a penetration test because they point to different applications and indicate different external network ranges used by the target company. For instance, x.company.com points to IP 22.214.171.124 and y.company.com points to IP 126.96.36.199. Now you know two different IP ranges possibly owned by your target and you can extend the attack surface.
Furthermore, subdomains sometimes host 'non-public' applications (e.g. test, development, restricted), which are usually less secure than the public applications, so they can be the primary attack targets.
- Domain name: the target domain (e.g. oracle.com, yahoo.com)
- Include IP information: this option instructs the tool to run whois queries to determine the network owner and country for each IP address
How it works
This tool uses multiple techniques to find subdomains, such as:
- DNS zone transfer
- DNS enumeration based on a specially chosen wordlist
- Public search engine queries
- Word mutation techniques
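
The two observations made earlier (subdomains reveal the IP ranges in use, and non-public hosts tend to be the weaker ones) can be checked from the owner's side against an export of your own zone. The following is an added example, not part of the tool: the zone data is constructed, the hint list and the function names are assumptions, and grouping by /24 is a simplification of the real allocation boundaries that the whois lookup would return.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: A records exported from your own public zone.
# Names and addresses are illustrative (documentation and RFC 1918 ranges).
ZONE_EXPORT = """\
www.example.com       A 203.0.113.10
shop.example.com      A 203.0.113.25
dev.example.com       A 198.51.100.7
test-api.example.com  A 198.51.100.9
staging.example.com   A 10.20.0.5
mail.example.com      A 192.0.2.40
"""

# Assumption: label tokens that usually mark non-production hosts.
NONPROD_HINTS = {"dev", "test", "staging", "stage", "uat", "qa", "internal"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_zone(text):
    """Yield (hostname, IPv4Address) for every well-formed A record line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].upper() == "A":
            yield parts[0].rstrip(".").lower(), ipaddress.IPv4Address(parts[2])

def is_nonprod(host, apex):
    """True if a label left of the apex contains a non-production token."""
    sub = host[: -len(apex)].rstrip(".")
    tokens = sub.replace(".", "-").replace("_", "-").split("-")
    return any(t in NONPROD_HINTS for t in tokens)

def audit(text, apex):
    """Group hosts by /24; flag exposed non-production names and internal IPs."""
    ranges, exposed, leaked = defaultdict(list), [], []
    for host, ip in parse_zone(text):
        if host != apex and not host.endswith("." + apex):
            continue  # record belongs to a different zone
        ranges[str(ipaddress.ip_network(f"{ip}/24", strict=False))].append(host)
        if any(ip in net for net in RFC1918):
            leaked.append(host)    # internal address published in public DNS
        elif is_nonprod(host, apex):
            exposed.append(host)   # non-production name on a routable address
    return {"ranges": dict(ranges), "exposed_nonprod": sorted(exposed),
            "internal_in_public_dns": sorted(leaked)}

if __name__ == "__main__":
    for key, value in audit(ZONE_EXPORT, "example.com").items():
        print(key, value)
```

Hosts listed under exposed_nonprod are candidates for removal from public DNS or for access restriction, and each entry in ranges is a network block that should appear in your asset inventory.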