Subdomain Gathering Tools – Top 10

This article showcases the top subdomain gathering tools currently available to the cybersecurity community. Finding subdomains is a critical task for penetration testers and security researchers, and identifying the subdomains of a given domain is an integral part of the information gathering phase. These tools help uncover hidden services, track the attack surface, and identify vulnerabilities within an organization's online presence.

Top 10 Subdomain Gathering Tools

1. Sublist3r

Description: Sublist3r is a Python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting.
GitHub Link: Sublist3r on GitHub
Usage:

python sublist3r.py -d example.com

Documentation Link: Sublist3r Documentation

2. Amass

Description: The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open-source information gathering and active reconnaissance techniques.
GitHub Link: Amass on GitHub
Usage:

amass enum -d example.com

Documentation Link: Amass Documentation

3. Subfinder

Description: Subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources.
GitHub Link: Subfinder on GitHub
Usage:

subfinder -d example.com

Documentation Link: Subfinder Documentation

4. Assetfinder

Description: Assetfinder is a tool that finds domains and subdomains related to a particular domain, useful for penetration testing and bug bounty hunting.
GitHub Link: Assetfinder on GitHub
Usage:

assetfinder example.com

Documentation Link: No official documentation, but the usage is as simple as the command shown above.

5. crt.sh

Description: crt.sh is an online service by Sectigo that lets users search Certificate Transparency logs for SSL/TLS certificates issued for a domain name; the names listed in those certificates reveal related subdomains.
GitHub Link: N/A (crt.sh is an online service)
Usage: Visit the website and enter the domain name: crt.sh
Documentation Link: N/A (crt.sh does not offer separate documentation)
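crt.sh also serves its results as JSON (append `output=json` to the query), so the site can be queried from a script as well as from the browser. The following is an added example, not part of the original article or of crt.sh itself: it parses a crt.sh-style JSON response into a deduplicated list of hostnames, handling the cases a practitioner trips over (several SANs packed into one `name_value` separated by newlines, wildcard entries, mixed case, and names that merely contain the domain as a substring). The sample response is constructed, not real certificate data.

```python
import json
import urllib.request
from urllib.parse import quote


def crtsh_query_url(domain: str) -> str:
    """URL of crt.sh's JSON export for every certificate matching %.domain."""
    return f"https://crt.sh/?q={quote('%.' + domain)}&output=json"


def extract_subdomains(crtsh_json: str, domain: str) -> list[str]:
    """Return the sorted, unique hostnames under `domain` found in a crt.sh JSON response.

    crt.sh packs all Subject Alternative Names of a certificate into `name_value`,
    one per line.  Wildcard names (*.example.com) are reduced to their base so they
    are not reported as hosts, and names outside the domain (for example
    example.com.evil.test, which only contains the domain as a prefix) are dropped.
    """
    domain = domain.lower()
    suffix = "." + domain
    found: set[str] = set()
    for entry in json.loads(crtsh_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith(suffix):
                found.add(name)
    return sorted(found)


def fetch_subdomains(domain: str, timeout: int = 30) -> list[str]:
    """Query crt.sh live (network required) and parse the response."""
    with urllib.request.urlopen(crtsh_query_url(domain), timeout=timeout) as resp:
        return extract_subdomains(resp.read().decode("utf-8"), domain)


# Constructed sample in the shape crt.sh returns; the hostnames are placeholders.
SAMPLE_RESPONSE = json.dumps([
    {"id": 1, "common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"id": 2, "common_name": "*.example.com", "name_value": "*.example.com"},
    {"id": 3, "common_name": "mail.example.com", "name_value": "MAIL.example.com\nmail.example.com"},
    {"id": 4, "common_name": "dev.example.com", "name_value": "dev.example.com\nexample.com.evil.test"},
])

if __name__ == "__main__":
    for host in extract_subdomains(SAMPLE_RESPONSE, "example.com"):
        print(host)
```

Running the script against the constructed sample lists dev, mail and www under example.com plus the apex itself; `fetch_subdomains` does the same against the live service when you have network access.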

6. Findomain

Description: Findomain is a fast and cross-platform subdomain enumerator, combining various passive data sources, certificate transparency logs, and more.
GitHub Link: Findomain on GitHub
Usage:

findomain -t example.com

Documentation Link: Findomain Documentation

7. Knockpy

Description: Knockpy is a Python tool designed to enumerate subdomains of a target domain by brute-forcing names from a wordlist.
GitHub Link: Knockpy on GitHub
Usage:

python knockpy.py example.com

Documentation Link: Knockpy Documentation

8. SubOver

Description: SubOver is a subdomain takeover detection tool that checks a list of subdomains and reports those with dangling CNAME records pointing at unclaimed third-party services.
GitHub Link: SubOver on GitHub
Usage:

./subover -l subdomains.txt

Documentation Link: SubOver Documentation

9. DNSRecon

Description: DNSRecon performs DNS enumeration, including service (SRV) record enumeration and DNS zone transfer (AXFR) checks.
GitHub Link: DNSRecon on GitHub
Usage:

dnsrecon -d example.com

Documentation Link: DNSRecon Documentation

10. AQUATONE

Description: AQUATONE is a set of tools for performing reconnaissance on domain names. It can discover subdomains, take screenshots, find open ports, and more.
GitHub Link: AQUATONE on GitHub
Usage:

aquatone-discover --domain example.com

Documentation Link: AQUATONE Documentation

Summary

The subdomain gathering tools listed above serve a variety of functions and are indispensable for penetration testers, bug bounty hunters, and security enthusiasts. They help uncover potential security exposures and give defenders a starting point for strengthening their online defenses against cyber attacks. While this list features ten notable tools, many others are available, and the best choice depends on individual needs and the specific security task at hand.