MiamiHeat

Finding Subdomains

8 posts in this topic

What is the best method, using windows or internet to find the subdomains of a domain? Thanks in advance.


Your first choice should be to perform a zone transfer on the domain, using a tool like 'dig' or 'host'.

Though this isn't always possible, as the administrator of the DNS servers associated with the domain may have limited queries of this type to either a specific host, subnet, or arbitrary IP address range.

If you're content with finding some of the subdomains which may be associated with boxes running web servers, you can always take a look at what a few search engines like Google and MSN (using both is a wise idea in this case) have indexed, when using a search operator like 'site:<domain>'.

Another MSN-specific operator which I find useful is 'ip:<ip-address>', especially if you can determine at least a few IP addresses of machines that may be running an httpd (or two) associated with the organisation who owns the domain. Searching in this way often produces a few unforeseen subdomains which may be indicated on the indexed page but are indexed with a URI containing the IP.


Fun if the domain has a * in their DNS :)

A quick test before doing the bruteforce will verify this, just dig for a random string .domain.tld

(i.e. tgi8632uhjsiuy78u34iro98.domain.com)

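The wildcard check described above, written out as an added example (not code from any poster): resolve a few random labels under the domain, and if they answer, treat any candidate subdomain that returns the same answer as the '*' record as noise. The `resolve` parameter and the `example.test` zone behind `fake_resolve` are constructed for this example so it runs offline; `default_resolve` uses the system resolver.

```python
import random
import socket
import string

def random_label(length=24):
    """Constructed label that no real zone should define on purpose."""
    return "".join(random.choice(string.ascii_lowercase + string.digits) for _ in range(length))

def default_resolve(name):
    """IPv4 answers for name as a set; empty set when it does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def wildcard_addresses(domain, resolve=default_resolve, probes=3):
    """Resolve several random labels under domain; a non-empty result means a '*' record exists."""
    found = set()
    for _ in range(probes):
        found |= resolve(f"{random_label()}.{domain}")
    return found

def filter_candidates(domain, labels, resolve=default_resolve):
    """Map subdomain -> addresses for candidates whose answer differs from the wildcard answer."""
    wildcard = wildcard_addresses(domain, resolve)
    results = {}
    for label in labels:
        name = f"{label}.{domain}"
        addrs = resolve(name)
        if not addrs:
            continue
        # With a wildcard present, an answer identical to the wildcard answer is noise
        if wildcard and addrs <= wildcard:
            continue
        results[name] = addrs
    return results

# Constructed stand-in for a zone with a '*' record, so the script runs offline
FAKE_ZONE = {"www.example.test": {"192.0.2.10"}, "mail.example.test": {"192.0.2.20"}}

def fake_resolve(name):
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    if name.endswith(".example.test"):
        return {"192.0.2.99"}  # what the '*' record answers for any other label
    return set()

if __name__ == "__main__":
    print("wildcard answer:", wildcard_addresses("example.test", fake_resolve))
    print("real hosts:", filter_candidates("example.test", ["www", "mail", "ftp"], fake_resolve))
```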

SolarWinds has a DNS tool in the Engineer's suite that will resolve a range of IP addresses to DNS names using the current DNS settings on your computer. If you want to go the free route, posted below is a CLI PHP script I made a long time ago to do a similar thing. I hate to post this because it is really quick and dirty, but I hope it helps.

If you want to use the authoritative name server, just change your DNS settings.

<?php
// Reverse-resolve every address in an IPv4 range (start..end) to a hostname.

function usage() {
    print("usage: php gethost.php -s aaa.bbb.ccc.ddd -e aaa.bbb.ccc.ddd\n");
    exit(1);
}

// True when the start address is not above the end address.
function valIP($ip_1, $ip_2) {
    return $ip_1 <= $ip_2;
}

// make sure input is correct, if not do usage() and stop
if ($argc < 5 || $argv[1] != "-s" || $argv[3] != "-e") {
    usage();
}

$sip = $argv[2];
$eip = $argv[4];
$count = 0;

$dotted = '/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/';
if (!preg_match($dotted, $sip) || !preg_match($dotted, $eip)) {
    die("ip address or range invalid\n");
}

// ip2long() returns false (older PHP: -1) for an address that is not valid
$start = ip2long($sip);
$end = ip2long($eip);
if ($start === false || $start == -1 || $end === false || $end == -1) {
    die("ip address is invalid\n");
}
if (!valIP($start, $end)) {
    die("ip address or range invalid\n");
}

for ($i = $start; $i <= $end; $i++) {
    $addr = long2ip($i);
    // gethostbyaddr() hands back the address unchanged when there is no PTR record
    $name = gethostbyaddr($addr);
    if ($name !== false && $name != $addr) {
        fwrite(STDOUT, $addr . " ======> " . $name . "\n");
        $count++;
    }
}
fwrite(STDOUT, "Scan complete!! $count hosts resolved\n");
?>


What is the best method, using windows or internet to find the subdomains of a domain? Thanks in advance.

You can use the Google query site:yoursite.com, or, if the nameservers are misconfigured, you can find all subdomains at this webpage: Find all subdomains.