The fastest subdomains enumeration and monitoring (also works on Windows!)
Subdomains enumeration
This article is dedicated to Findomain, which finds subdomains in a few seconds.
Subdomain enumeration is used by penetration testers and website security auditors to map the attack perimeter. A subdomain can be:
- a separate host on another server (different from the one hosting the main site), that is, it has its own IP address
- a separate virtual host on the same server, that is, a subdomain with its own configuration file on the web server and its own special settings
- just a separate folder on the web server
There are many tools for finding subdomains; a couple of particularly successful ones have already been discussed in these articles:
- How to discover subdomains without brute-force
- How to search subdomains and build graphs of network structure with Amass
The Findomain tool is distinguished by its speed and its modest system requirements (very low consumption of RAM and CPU time).
How Findomain Works
This tool does not use the common subdomain detection methods; instead, it searches Certificate Transparency logs and well-tested APIs for subdomains. This approach makes the tool the fastest and most reliable. The tool queries several publicly available APIs to perform its searches. If you want to know more about Certificate Transparency logs, see https://www.certificate-transparency.org/
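As an added illustration of what a Certificate Transparency search yields (example code written for this article, not Findomain's own code), the block below extracts subdomains from a constructed crt.sh-style JSON response and also shows a resolvability filter similar in spirit to the -r option described later. The JSON field names and sample entries are assumptions modelled on crt.sh; the resolver is injected so the check can be run without network access.

```python
from __future__ import annotations

import json
from typing import Callable, Iterable

# Constructed sample of the JSON a CT search service such as crt.sh returns
# (assumption: "name_value" may hold several newline-separated SAN entries).
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "kali.org\nwww.kali.org"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.docs.kali.org\nDocs.Kali.org\nstaging.docs.kali.org"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "old.kali.org"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "kali.org.evil.example"},   # lookalike, must be dropped
])


def subdomains_from_ct(ct_json: str, domain: str) -> list[str]:
    """Return the unique subdomains of `domain` seen in CT search results."""
    domain = domain.lower().rstrip(".")
    found: set[str] = set()
    for entry in json.loads(ct_json):
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):        # wildcard cert: keep the base name
                name = name[2:]
            # Accept only names strictly below the target domain; this rejects
            # the apex itself and lookalikes such as kali.org.evil.example.
            if name.endswith("." + domain):
                found.add(name)
    return sorted(found)


def resolvable_only(names: Iterable[str],
                    resolve: Callable[[str], str]) -> list[str]:
    """Keep only names that resolve, like findomain's -r option.
    `resolve` (e.g. socket.gethostbyname) is injected so it can be stubbed."""
    alive = []
    for name in names:
        try:
            resolve(name)
        except OSError:                      # NXDOMAIN, timeout, no network
            continue
        alive.append(name)
    return alive


if __name__ == "__main__":
    import socket
    names = subdomains_from_ct(SAMPLE_CT_JSON, "kali.org")
    print("\n".join(names))
    print("resolvable:", resolvable_only(names, socket.gethostbyname))
```

Note that CT logs record every certificate ever issued, so stale names (like old.kali.org above) appear alongside live ones; that is exactly why a resolvability filter is useful when reviewing your own domain's exposure.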
How to install Findomain
To install Findomain on Windows, go to https://github.com/Edu4rdSHL/findomain/releases and download the file findomain-windows.exe from the latest release.
The easiest way to install Findomain on any Linux distribution:
wget https://github.com`curl -s https://github.com/Edu4rdSHL/findomain/releases | grep -E -o '/Edu4rdSHL/findomain/releases/download/[0-9.]{3,}/findomain-linux' | head -n 1`
chmod +x findomain-linux
./findomain-linux
To install Findomain from source code (for example, on Kali Linux):
sudo apt install cargo
git clone https://github.com/Edu4rdSHL/findomain
cd findomain
cargo build --release
sudo cp target/release/findomain /usr/bin/
findomain
To install Findomain in BlackArch:
sudo pacman -S findomain
How to find site subdomains in Windows
The following commands are equally suitable for any operating system on which Findomain runs: the program options are the same everywhere, only the name of the executable file may differ. For example, in the following commands I will use the findomain-windows.exe file, but it may instead be findomain-linux or findomain.
To open the command prompt in Windows, press Win + R and, in the window that opens, enter
cmd
and press ENTER:
Go to the folder with the downloaded program (your path to the folder may be different):
cd C:\%HOMEPATH%\Downloads
Type in command line
findomain-windows.exe
and press ENTER:
If help is displayed, then everything is fine.
To search for subdomains and print information on the screen, use the -t option, after which specify the target domain:
findomain-windows.exe -t kali.org
Subdomains can be of the third, fourth and subsequent levels. If you are only interested in subdomains nested in another subdomain, then you can specify a subdomain instead of the target domain, for example:
findomain-windows.exe -t docs.kali.org
Found domains are shown in the output on the screen, but they can also be saved to a file. There are two options for this: -o and -u FILE_NAME. The difference between them is that with the -o option a file named after the target domain, with the .txt extension added, is created automatically, while with the -u option you can specify any file name of your choice.
findomain-windows.exe -t kali.org -o
Or:
findomain-windows.exe -t kali.org -u субдомены.txt
Some of the subdomains found have long ceased to exist, so if you are only interested in subdomains that can be resolved (that is, subdomains that have an IP address), use the -r option:
findomain-windows.exe -t vk.com -r
With the -f option you can specify a file containing a list of domains, and subdomains will be searched for each of them:
findomain-windows.exe -f file_with_domains.txt
In this file, each domain must be placed on a separate line. The -f option can be combined with the other options discussed above.
Free online site subdomain search service
Instant search of site subdomains using Findomain: https://w-e-b.site/?act=findomain
This service is for those who do not want to download the program, work with the command line, or obtain additional API keys.
There will also be a second part of the Findomain tutorial, for advanced users. In it we will describe how to obtain the API keys needed to use the optional services that return additional results, and cover setting up subdomain monitoring with the ability to send data to Telegram and other notification methods.