A web developer, domainer or casual surfer is often tempted to find the subdomains of a website or domain. This might be for various reasons, such as:
- To find details of unsecured subdomains
- To see SEO effects (e.g. Google displaying results from subdomains search)
- To check for misbehaving redirects
- Finding hidden subdomains of competitor domains
- Working on subdomains as CDN or… just sheer curiosity.
Whatever the reasons may be, it is always interesting to look at all that information and wonder how it relates. Many times, such info gives a developer or server admin insights which he might not know exist. So, I am listing here the 10 best subdomain finder tools which are available online and are very easy to use. No installation on a local machine or server is needed. I am also providing a little info about each of them, which will come in handy. Subdomain search won’t be a tough job after you go through the list.
The reason I am starting with Wolfram Alpha is that the tool has really got me hooked on the data and analytics it provides. Don’t make the mistake of taking it as a simple subdomain finding tool. With free searches you will get more info than you are searching for. However, you can easily understand its true power if you take a look at the results. You can also search your own site and get important, hidden data about your site like I did here: GeekAct Analytics at Wolfram Alpha.
Short for penetration testing tools, this one is an unbelievably complete set of tools for website penetration testing. It works on a credit basis but is free for basic services and gives 40 credits to anonymous users every 24 hours. You can also download the whole report as a PDF file.
Pentest-tools works as more than a subdomain finder and provides additional insight and details.
Registered users can see even more details, but that comes with a credit fee. This is a really good online tool if you are looking for a security audit or are just curious about a domain’s subdomains.
Netcraft is another favorite of mine when it comes to searching and diagnosing sites and sub-sites. It is simple, concise and gives the required basic information instantly, but there is a simple catch. You need to be concise first in your search text.
If you want to search subdomains for “Facebook.com” then search only “Facebook” with the proper selection, and not facebook.com.
Named the Private Key Project, this is quite a good set of tools which includes searching subdomains for a website. The site seems to be of Indian origin due to its .in domain. The site is without any complexity and very easy for a user of any level. Results are quite a bit faster than on any other site, and intuitive. In the example below, I pulled the list of all Google subdomains.
CloudPiercer is neat and clean. It’s a powerful tool which scans IP history databases, DNS records, subdomains, sensitive files, pingbacks, certificates and more. It generates a comprehensive report which is easy to analyze. The only turnoff is that you must provide an email address before the scan can begin.
Quite surprising, isn’t it? Who thought that VirusTotal could give you a good set of results on subdomains and IPs along with virus results? It works with a little trick in which you use a predefined code from their developers.
Just go to the Search tab and then type “domain:google.com” without quotes. The results will astonish you.
This one comes straight from the well-known Comodo CA. And, let me tell you, it is a pretty cool tool. It is actually a certificate and identity tool but also outputs all subdomains. Just use “%” as a wildcard, for something like “%.twitter.com”, and hit enter.
How can someone leave Google out of any list which is about searching things? Yes, you can use Google to gain basic information and all the linked domains. Just type in “site:” followed by “*.domain.com”, both without quotes, and hit enter. Though the results are not very detailed or precise, they are important and easily accessible. Also, they show the search and usage related to each subdomain in Google results.
Very few people know that Censys is the brainchild of Scans.io. It is basically an IPv4 hosts and certificates query tool. Even though it is a favorite of many, I didn’t place it in the top five. The reason for this is that the results are too overwhelming for an average user. It provides good insights on IP addresses, CDNs, server nodes and certificates, but it is tricky to find out about subdomains.
A HackerTarget.com project and basically a security tool. This one gives an idea of all the DNS hosts, routed traffic and geolocated IPs on a very hacker-savvy domain network map. It essentially doesn’t give subdomains directly but is worth a mention, as interested people can probe further and get things done.
Though you only get basic information in the trial account, which is mandatory for submitting a website or domain to find the subdomains and all other info, it is still good enough to mention. Having been in the industry a long time with zero-day scanning and specialized WordPress and Joomla scanning, Acunetix knows their business. It works well but is very limited in terms of usability for free users.
While online tools are quite neat, need the least work and are easy for the everyday user, this might not be the case for savvy users and web admins. We want something which can run from our own server or PC and scrape the internet to get much more data than the online tools present. I am listing other tools and code from GitHub here to satisfy your thirst.
Subbrute – This is a DNS meta-query spider that pulls DNS records and a list of subdomains.
DNScan – A DNS subdomain scanner. It is built in Python and can be installed on a server.
Sublist3r – An ultra-fast domain and subdomain enumeration tool. Also based on Python.
Knock – Also known as Knockpy as it is developed in Python. Freely available on GitHub.
Recon-Ng – A complex tool with a brute_hosts module that lets you brute-force domains for subdomains.
DNSRecon – Originally available in Kali Linux. A favorite among penetration testers.
This completes our extensive article on the best tools to find subdomains. Hope you enjoyed it! Have you ever used any of the above tools? How was your experience? Most importantly, what did you use it for?