The fastest subdomains enumeration and monitoring (also works on Windows!)

Subdomains enumeration

This article is dedicated to Findomain, which will find subdomains in a few seconds.

Subdomain enumeration is used by penetration testers and website security auditors to extend the attack perimeter. A subdomain can be:

  • a separate host on another server (different from the one serving the main site), that is, one with its own IP address
  • a separate virtual host on the same server; such a subdomain has its own configuration file on the web server with its own specific settings
  • just a separate folder on the web server

There are many tools for finding subdomains, a couple of particularly successful ones have already been discussed in the articles:

The Findomain tool is distinguished by its speed and its modest system requirements (very low consumption of RAM and CPU time).

How Findomain Works

This tool does not rely on the common subdomain discovery methods. Instead, it searches Certificate Transparency logs and well-tested public APIs for subdomains, which makes it both the fastest and a very reliable tool. Several publicly available APIs are queried to perform the search. If you want to know more about Certificate Transparency logs, see https://www.certificate-transparency.org/

How to install Findomain

To install Findomain on Windows, go to https://github.com/Edu4rdSHL/findomain/releases and download the file findomain-windows.exe from the latest release.

The easiest way to install Findomain on any Linux distribution:

wget https://github.com`curl -s https://github.com/Edu4rdSHL/findomain/releases | grep -E -o '/Edu4rdSHL/findomain/releases/download/[0-9.]{3,}/findomain-linux' | head -n 1`
chmod +x findomain-linux
./findomain-linux

To install Findomain from source code (for example, on Kali Linux):

sudo apt install cargo
git clone https://github.com/Edu4rdSHL/findomain
cd findomain
cargo build --release
sudo cp target/release/findomain /usr/bin/
findomain

To install Findomain in BlackArch:

sudo pacman -S findomain

How to find site subdomains in Windows

The following commands are equally suitable for any operating system in which Findomain runs – the options for the program are the same everywhere, but the name of the executable file may be different. For example, in the following commands I will use the findomain-windows.exe file, but instead there may be findomain-linux or findomain.

To open the command prompt in Windows, press Win + R, and in the window that opens enter

cmd

and press ENTER:

Go to the folder with the downloaded program (your path to the folder may be different):

cd C:\%HOMEPATH%\Downloads

Type on the command line

findomain-windows.exe

and press ENTER:

If help is displayed, then everything is fine.

To search for subdomains and print information on the screen, use the -t option, after which specify the target domain:

findomain-windows.exe -t kali.org

Subdomains can be of the third, fourth and subsequent levels. If you are only interested in subdomains nested in another subdomain, then you can specify a subdomain instead of the target domain, for example:

findomain-windows.exe -t docs.kali.org

Found subdomains are shown in the output on the screen, but they can also be saved to a file. There are two options for this: -o and -u FILE_NAME. The difference between them is that with the -o option the file name is derived from the target domain with the .txt extension added, while with the -u option you can specify any file name of your choice.

findomain-windows.exe -t kali.org -o

Or:

findomain-windows.exe -t kali.org -u субдомены.txt

Some of the subdomains found have long ceased to exist, so if you are only interested in those subdomains that can be resolved (that is, subdomains with an IP address), then use the -r option:

findomain-windows.exe -t vk.com -r

Using the -f option, you can specify a file with a list of domains for each of which you want to search for subdomains:

findomain-windows.exe -f file_with_domains.txt

In this file, each domain should be placed on a separate line. The -f option can be combined with the other options discussed above.
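To make the behaviour described above concrete (Certificate Transparency logs as the data source, -t restricting results to one domain or one nested subdomain, and -r keeping only names that still resolve), here is an added example in Python. It is not Findomain's own code (Findomain is written in Rust and queries live services); the input records are constructed and follow the shape of the crt.sh JSON output as I understand it (a "name_value" field with newline-separated certificate names), and DNS is replaced by a constructed lookup table so the example runs offline.

```python
import json

# Constructed sample in the shape of crt.sh-style CT log records (assumed
# format: one record per certificate, SANs newline-separated in name_value).
# Issuer names and hostnames are example values, not real certificate data.
SAMPLE_CT_RECORDS = json.dumps([
    {"issuer_name": "example CA", "name_value": "kali.org\nwww.kali.org"},
    {"issuer_name": "example CA", "name_value": "*.docs.kali.org\ndocs.kali.org"},
    {"issuer_name": "example CA", "name_value": "Old.Docs.Kali.org."},
    {"issuer_name": "example CA", "name_value": "kali.org.example.com"},
    {"issuer_name": "example CA", "name_value": "forums.kali.org"},
])

# Constructed stand-in for DNS (RFC 5737 documentation addresses). The stale
# name old.docs.kali.org deliberately has no entry.
FAKE_DNS = {
    "www.kali.org": "192.0.2.10",
    "docs.kali.org": "192.0.2.11",
    "forums.kali.org": "192.0.2.12",
}


def subdomains_from_ct(records_json, target):
    """Equivalent of `-t TARGET`: collect unique hostnames strictly below
    `target` from CT log records. Names are lower-cased, trailing dots and
    wildcard prefixes stripped, and lookalikes such as kali.org.example.com
    are rejected because the suffix match requires a dot before the target."""
    target = target.lower().strip(".")
    found = set()
    for record in json.loads(records_json):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name != target and name.endswith("." + target):
                found.add(name)
    return sorted(found)


def keep_resolvable(names, resolve):
    """Equivalent of `-r`: keep only names the resolver maps to an address.
    `resolve` is injected (here FAKE_DNS.get); in practice it would be a
    real DNS lookup such as socket.gethostbyname."""
    return {name: ip for name in names if (ip := resolve(name))}


if __name__ == "__main__":
    for name in subdomains_from_ct(SAMPLE_CT_RECORDS, "kali.org"):
        print(name)
    print(keep_resolvable(subdomains_from_ct(SAMPLE_CT_RECORDS, "kali.org"), FAKE_DNS.get))
```

Passing "docs.kali.org" as the target returns only the names nested under that subdomain, which is exactly what the -t docs.kali.org command above does.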

Free online site subdomain search service

Instant search of site subdomains using Findomain: https://w-e-b.site/?act=findomain

This service is for those who do not want to download the program, work with the command line, or obtain additional API keys.

There will also be a second part of this Findomain tutorial for advanced users. In it we will describe how to obtain API keys for the optional services that return additional results, and how to set up subdomain monitoring with the ability to send data to Telegram and other notification methods.
