What is a Subdomain Finder?
A Subdomain Finder is a subdomain enumeration tool that helps you discover subdomain hosts (aka subdomain FQDNs) which serve specific functions for your target (e.g. hosting public websites, private subdomains for testing web apps, URLs where you can find backups, etc.).
Manual methods involve a lot of time and effort to retrieve subdomain information, taking away precious resources from completing your time-limited engagements.
Since finding subdomains is an important step in the information gathering stage of a penetration test, we built a Subdomain Finder to maximize your chances of finding vulnerabilities worth pursuing.
For an ethical hacker, subdomains are interesting because they point to various (less-known) applications and indicate various external network ranges the target company uses.
For instance, a subdomain finder report might show you that subdom1.company.com points to IP 188.8.131.52 and subdom2.company.com points to IP 184.108.40.206. Now you know two different IP addresses your target organization might own and you can extend the attack surface while still operating in the scope of the engagement.
Subdomains sometimes host applications for internal use (e.g. test, development, backup, restricted) that are usually less secure than public/official applications, which makes them attractive targets for cybercriminals.
Our automatic subdomain enumeration helps you retrieve not just subdomains, but also their IP address, WHOIS information (netname and country), OS, server and its technology, plus the web platform running on them and the page title – all in scope of the security assessment you’re tasked with performing.
What makes our Subdomain Finder different
The effectiveness of any pentesting tool depends on the ecosystem it’s part of. Because we know much work it takes to connect different tools and ensure you can follow your workflow without interruptions, we built Pentest-Tools.com with this in mind.
Instead of offering a Subdomain Scanner as a standalone tool, we chose to offer the ability to chain the results with our other tools from the start. As a result, our platform provides an entire ecosystem of tools and features you can even combine into automated testing sequences.
To make it easy for you to find all subdomains and identify low hanging fruit as well as less obvious potential entry points, we combined almost a dozen search methods with various enumeration wordlist options, and even the ability to include unresolved subdomains.
On top of the ability to use your own wordlists for enumeration and fuzzing, you can also use our Subdomain Finder to get extra information about the subdomains it finds, including IP address, WHOIS, and web server and web technologies information built-in (if applicable). Plus, you can easily filter results to surface the most useful findings you need to move forward.
How our Subdomain Finder works
If you’re looking for domain checker tools that are free to use, you can try our Subdomain Finder for free with the Light scan version. This searches DNS records (NS, MX, TXT, AXFR) and performs subdomain enumeration using a built-in wordlist.
The Deep scan version delivers speed, accuracy and extensiveness, all together, along with access to all the pentesting tools and features on the platform. The Deep scan uses multiple techniques to find subdomains fast and effectively:
- DNS records (NS, MX, TXT, AXFR)
- Enumeration using built-in wordlists, plus the option to use your own
- External APIs search
- Public search engine queries (Google search, Bing)
- Word mutation techniques
- Searching in SSL certificates
- Parsing HTML links
- Reverse DNS on target IP ranges
- Generates permutations and alterations of the subdomain names found so far in the scan
- Searching in CNAME records
On top of the subdomains list, you can customize the output to include:
- Unresolved domains
- IP addresses of the found subdomains
- WHOIS information
- Operating system information
- Web server and web technologies.
Subdomain Finder is a comprehensive tool, so scan duration varies depending on the target. For an average domain, a subdomain scan takes just a few minutes. For instance, it can return up to 500 results in under 10 minutes.
For domains with thousands or tens of thousands of subdomains, such as websites in the government, educational, medical, etc. sectors, subdomain scans can take up to a few hours. To slightly increase scanning speed, deactivate the “Detect web technologies” option.
Scanning parameters for paying customers
When you choose a paid plan and log into your Pentest-Tools.com account, you get eight additional detections methods and can select and combine the following subdomain scanning parameters to customize the output:
|Include IP information||Check this to instruct the tool to do WHOIS queries in order to determine the network owners and country for each IP address.|
|Detect web technologies||Use this option to have the tool try to find more details about each extracted subdomain, such as: OS, Server, Technology, Web Platform and Page Title.|
|Include unresolved subdomains||Gives you the option of keeping unresolved subdomains in the list of results, but without an IP address.|
What to do next
Besides the Subdomain Finder, you have other domain checker tools on Pentest-Tools.com, along with a full arsenal of vulnerability scanners and exploitation tools.
Our solution for finding domains, our free Google Hacking tool, and Find Virtual Hosts provide breadth by extending your attack surface. Enhance your reconnaissance work with complementary tools such as the TCP Port Scanner, the UDP Port Scanner, and the Website Recon tool which provide you with in-depth information about a specific target.
Our Subdomain Finder is also closely connected to all other tools on the platform, which allows you to get much more information about subdomains and act on it with precision and speed.
Web vulnerability scanners, web CMS scanners, and network vulnerability scanners are all available from your online account, along with powerful offensive tools (e.g. URL Fuzzer, Subdomain Takeover, Sniper Auto-Exploiter, and more).
We make it easy to access the one that is relevant to your next steps from the list of subdomain results to remove as much repetitive work from your day as possible.
Automation features also help you expedite entire testing sequences. For instance, Recon Robot, one of our pentest robots, automatically discovers all subdomains of any given domain, does full port scanning and service discovery, and gathers technologies and takes screenshots for each web port it finds. It also delivers all the data it aggregates in the unified Attack Surface view. All without you having to wait for scans to finish to start follow-up scans with different tools and other work that disrupts your flow.
Use this Subdomain Finder with other features in our cloud platform to further boost its capabilities:
- Webhooks for real-time notifications
- Scheduled scans and bulk scanning
- Workspace & items sharing for effective collaboration
- Finding templates and report templates for high-speed reporting
- API access for integrating it into your own pentesting stack.
Plus, the entire arsenal on Pentest-Tools.com gets updates on a regular basis, consistently growing stronger with new features.