Finding subdomains is an important step in the information gathering phase of a penetration test. Subdomains are interesting because they point to various (less-known) applications and indicate different external network ranges used by the target company.
For example, if subdom1.company.com points to IP 18.104.22.168 and subdom2.company.com points to IP 22.214.171.124, you now know two different IP ranges possibly owned by the target organization and can extend the attack surface accordingly. Confirm who actually owns each range (e.g. with a WHOIS lookup) before scanning it: an address may belong to a shared hosting or CDN provider rather than to the target.
Furthermore, subdomains sometimes host 'non-public' applications (e.g. test, development, restricted instances) which are usually less hardened than the public/official applications, so they are often the primary attack targets.
| Parameter | Description |
|---|---|
| Domain name | The target domain name (e.g. ...) |
| Include IP information | Instructs the tool to run WHOIS queries in order to determine the network owner and country for each IP address found. |
How it works
This tool uses multiple techniques to find subdomains such as:
- DNS records of the target domain (NS, MX, TXT) and zone transfer attempts (AXFR) against its name servers
- DNS brute force: resolving candidate names taken from a specially chosen subdomain wordlist
- Public search engine queries
- Word mutation techniques (variations of already discovered labels, such as added prefixes and suffixes)
- Searching SSL/TLS certificates (the Subject and Subject Alternative Name fields often list further hostnames)
- Parsing HTML links in the target's pages for hostnames under the domain
- Reverse DNS on target IP ranges
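The following Python script is an added example and is not the tool's own code. It shows, offline, how several of the techniques above fit together: wordlist brute force with word mutations, a wildcard DNS check (without it, a zone with a `*` record makes every candidate look alive), hostname extraction from HTML and from certificate Subject Alternative Names, a reverse DNS sweep over a range, and grouping of the results by network to surface distinct IP ranges. All lookups are injected as callables; the zone, domain (`company.example`), certificate names and addresses (RFC 5737 documentation ranges) are constructed for the demo. For real use, swap in `socket.gethostbyname_ex` and `socket.gethostbyaddr` or a DNS library.

```python
"""Offline demo of several subdomain-discovery techniques (added example)."""
import ipaddress
import re
import secrets
from typing import Callable, Dict, Iterable, List, Optional, Set

Resolver = Callable[[str], List[str]]          # name -> A records ([] if none)
PtrResolver = Callable[[str], Optional[str]]   # ip -> PTR name (None if none)

# Hostname pattern used to pull candidates out of HTML (assumption: ASCII names only).
HOST_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}", re.I)
MUTATIONS = ("dev", "test", "staging", "old")  # constructed mutation list


def candidates(domain: str, words: Iterable[str]) -> List[str]:
    """Wordlist labels plus simple word mutations (prefix, suffix, joined)."""
    names: Set[str] = set()
    for w in (w.strip().lower() for w in words):
        if not w:
            continue
        names.add(f"{w}.{domain}")
        for m in MUTATIONS:
            names.update({f"{w}-{m}.{domain}", f"{m}-{w}.{domain}", f"{w}{m}.{domain}"})
    return sorted(names)


def wildcard_ips(domain: str, resolve: Resolver) -> Set[str]:
    """Resolve a random label. If it answers, the zone has a wildcard record;
    its IPs are returned so brute-force hits pointing only at them are dropped."""
    return set(resolve(f"{secrets.token_hex(8)}.{domain}"))


def brute_force(domain: str, words: Iterable[str], resolve: Resolver) -> Dict[str, List[str]]:
    """Wordlist + mutation enumeration with wildcard filtering."""
    wild = wildcard_ips(domain, resolve)
    found: Dict[str, List[str]] = {}
    for name in candidates(domain, words):
        ips = [ip for ip in resolve(name) if ip not in wild]
        if ips:
            found[name] = ips
    return found


def from_html(html: str, domain: str) -> Set[str]:
    """Hosts under `domain` referenced anywhere in a page (links, scripts, images)."""
    suffix = "." + domain.lower()
    return {h.lower() for h in HOST_RE.findall(html) if h.lower().endswith(suffix)}


def from_cert_sans(sans: Iterable[str], domain: str) -> Set[str]:
    """Concrete hosts under `domain` from a certificate's Subject Alternative Names.
    A wildcard such as *.api.company.example names no host, but its parent
    (api.company.example) is a real label worth recording."""
    suffix = "." + domain.lower()
    hosts: Set[str] = set()
    for san in (s.lower() for s in sans):
        if san.startswith("*."):
            san = san[2:]
        if san.endswith(suffix):
            hosts.add(san)
    return hosts


def reverse_sweep(cidr: str, domain: str, reverse: PtrResolver) -> Dict[str, str]:
    """PTR lookups over a range, keeping only names under the target domain."""
    suffix = "." + domain.lower()
    hits: Dict[str, str] = {}
    for ip in ipaddress.ip_network(cidr).hosts():
        ptr = reverse(str(ip))
        if ptr and ptr.lower().endswith(suffix):
            hits[str(ip)] = ptr.lower()
    return hits


def networks(found: Dict[str, List[str]], prefix: int = 24) -> Dict[str, List[str]]:
    """Group discovered hosts by /prefix to show which distinct ranges the target uses."""
    nets: Dict[str, List[str]] = {}
    for name, ips in found.items():
        for ip in ips:
            net = str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
            nets.setdefault(net, []).append(name)
    return nets


# Constructed fake zone for the offline demo (RFC 5737 documentation addresses).
DOMAIN = "company.example"
FAKE_A = {
    "www.company.example": ["192.0.2.10"],
    "mail.company.example": ["192.0.2.25"],
    "dev-api.company.example": ["198.51.100.7"],  # only found through a mutation of "api"
}
FAKE_PTR = {"198.51.100.7": "dev-api.company.example",
            "198.51.100.3": "box3.otherclient.example"}  # same range, other owner


def fake_resolve(name: str) -> List[str]:
    return FAKE_A.get(name.lower(), [])


def fake_wildcard_resolve(name: str) -> List[str]:
    return FAKE_A.get(name.lower(), ["203.0.113.9"])  # every unknown name answers


def fake_reverse(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


if __name__ == "__main__":
    words = ["www", "mail", "api", "vpn"]
    found = brute_force(DOMAIN, words, fake_resolve)
    print("brute force:", found)
    print("with wildcard zone:", brute_force(DOMAIN, words, fake_wildcard_resolve))
    print("ranges:", networks(found))
    print("reverse:", reverse_sweep("198.51.100.0/28", DOMAIN, fake_reverse))
```

Note that `brute_force` returns the same hosts against the wildcard zone as against the plain one because hits whose only addresses are the wildcard's are discarded; a tool that skips this check will report every word in its list as a live subdomain.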