09/06/2022 - Miniseries - Subdomain Enumeration Part 1

In this small series I would like to introduce a few tools with which you can track down subdomains. I'm trying to make the mini-series beginner-friendly.

This post is aimed more at beginners who want to get into the topic. I will keep it fairly simple and not dwell on "How exactly does it work?", but rather on how to reach the goal at a basic level. I will not cover paid software.

What you should always keep in mind is that you need to verify the results. It is also EXTREMELY important to run the scans multiple times and to use different sources. If you get a 404 response and the host does not answer a ping, that does not mean there is nothing there: you may be dealing with PAT (Port Address Translation), a firewall dropping packets, or something similar.

Probably the best known website is https://subdomainfinder.c99.nl. It also has an API, but the API key must be purchased. Everything else is free, and you can download all results as .csv or JSON. I also recommend ticking the "private scan" box.

[Picture: subdomainfinder.c99.nl search result for example.com]

If you see a yellow cloud in the search result on the right, it means that Cloudflare is active for this domain/subdomain.
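To follow the advice above (verify results, use more than one source, and never treat "does not resolve" as "does not exist"), here is a small added script that merges the CSV and JSON exports you can download, deduplicates the names, records which sources reported each one, and marks what resolves. This is example code written for this post, not code from subdomainfinder.c99.nl; the column names (`subdomain`) and the sample exports are constructed assumptions, not the site's real export format.

```python
"""Merge subdomain exports from several sources and mark what resolves.

Added example for this post (not code from the original). The CSV/JSON
column names and the sample data below are constructed assumptions, not
the real export format of subdomainfinder.c99.nl.
"""
import csv
import io
import json
import socket
from collections import defaultdict

# Constructed sample exports in the shape of a CSV and a JSON download.
CSV_EXPORT = """subdomain,ip
www.example.com,93.184.216.34
mail.example.com,
dev.example.com,
"""

JSON_EXPORT = json.dumps([
    {"subdomain": "www.example.com"},
    {"subdomain": "api.example.com"},
    {"subdomain": "MAIL.example.com."},  # case and trailing dot differ on purpose
])


def normalize(name: str) -> str:
    """Canonical form so the same host from two sources is counted once."""
    return name.strip().rstrip(".").lower()


def parse_csv_export(text: str) -> set:
    """Read the 'subdomain' column of a CSV export."""
    reader = csv.DictReader(io.StringIO(text))
    return {normalize(row["subdomain"]) for row in reader if row.get("subdomain")}


def parse_json_export(text: str) -> set:
    """Read the 'subdomain' key of each record in a JSON export."""
    return {normalize(rec["subdomain"]) for rec in json.loads(text) if rec.get("subdomain")}


def merge_sources(sources: dict) -> dict:
    """Map each subdomain to the set of source names that reported it."""
    seen = defaultdict(set)
    for source_name, names in sources.items():
        for name in names:
            seen[name].add(source_name)
    return dict(seen)


def dns_resolve(name: str) -> list:
    """Default resolver: A records via the system resolver, [] on failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []


def classify(merged: dict, resolver=dns_resolve) -> dict:
    """Attach resolution state to each name.

    A name that does not resolve is 'unverified', never 'absent': a firewall,
    PAT or a stale source can hide a live host, so it goes on the re-check list.
    Names seen by only one source are flagged for a second look as well.
    """
    report = {}
    for name, sources in merged.items():
        ips = resolver(name)
        report[name] = {
            "sources": sorted(sources),
            "ips": ips,
            "status": "resolved" if ips else "unverified",
            "needs_recheck": (not ips) or len(sources) < 2,
        }
    return report


def run(resolver=dns_resolve) -> dict:
    """Parse both constructed exports, merge them and classify the result."""
    merged = merge_sources({
        "csv": parse_csv_export(CSV_EXPORT),
        "json": parse_json_export(JSON_EXPORT),
    })
    return classify(merged, resolver)


if __name__ == "__main__":
    for host, info in sorted(run().items()):
        print(f"{host:20} {info['status']:10} sources={','.join(info['sources'])} ips={info['ips']}")
```

The resolver is passed in as a parameter so you can swap the system resolver for a different DNS server (or a fixed table when testing) and compare answers, which is exactly the "different sources" check the post asks for.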

That's it for websites, in my opinion. Shodan is left out because you have to pay to use it sensibly. That makes sense from a certain level (or for a company), but not for a beginner.

See you in the next part.