This article showcases the top subdomain gathering tools currently available to the cybersecurity community. Enumerating the subdomains of a target domain is a core step in the information gathering phase for penetration testers and security researchers. These tools help uncover forgotten or unlisted services, map an organization's external attack surface, and surface weaknesses in its online presence.
Top 10 Subdomain Gathering Tools
Description: Sublist3r is a Python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
GitHub Link: Sublist3r on GitHub
Usage: python sublist3r.py -d example.com
Documentation Link: Sublist3r Documentation
Description: The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open-source information gathering and active reconnaissance techniques.
GitHub Link: Amass on GitHub
Usage: amass enum -d example.com
Documentation Link: Amass Documentation
Description: Subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources.
GitHub Link: Subfinder on GitHub
Usage: subfinder -d example.com
Documentation Link: Subfinder Documentation
Description: Assetfinder is a tool that finds domains and subdomains related to a particular domain, useful for penetration testing and bug bounty hunting.
GitHub Link: Assetfinder on GitHub
Documentation Link: No official documentation, but usage is straightforward as displayed.
Description: crt.sh is an online service by Sectigo that searches Certificate Transparency logs for SSL/TLS certificates issued for a domain name, revealing subdomains that appear in those certificates.
GitHub Link: N/A (crt.sh is an online service)
Usage: Visit the website and enter the domain name: crt.sh
Documentation Link: N/A (crt.sh does not offer separate documentation)
Description: Findomain is a fast and cross-platform subdomain enumerator, combining various passive data sources, certificate transparency logs, and more.
GitHub Link: Findomain on GitHub
Usage: findomain -t example.com
Documentation Link: Findomain Documentation
Description: Knockpy is a Python tool that enumerates subdomains of a target domain by brute-forcing names from a wordlist.
GitHub Link: Knockpy on GitHub
Usage: python knockpy.py example.com
Documentation Link: Knockpy Documentation
Description: SubOver is a subdomain takeover detection tool that checks a list of subdomains for dangling CNAME records pointing at unclaimed third-party services.
GitHub Link: SubOver on GitHub
Usage: ./subover -l subdomains.txt
Documentation Link: SubOver Documentation
Description: DNSRecon performs DNS enumeration, including service (SRV) record enumeration and DNS zone transfer attempts.
GitHub Link: DNSRecon on GitHub
Usage: dnsrecon -d example.com
Documentation Link: DNSRecon Documentation
Description: AQUATONE is a set of tools for performing reconnaissance on domain names. It can discover subdomains, take screenshots, find open ports, and more.
GitHub Link: AQUATONE on GitHub
Usage: aquatone-discover --domain example.com
Documentation Link: AQUATONE Documentation
In conclusion, the subdomain gathering tools mentioned above serve a variety of functions and are indispensable for penetration testers, bug bounty hunters, and security enthusiasts. They aid in uncovering potential security threats and provide a platform to strengthen online defenses against cyber attacks. While this list features ten notable tools, there are many others available in the cybersecurity domain, and the best choice depends on individual needs and specific security tasks at hand.