How do I find all the subdomains associated with a domain?

Posted by FunInformatique 3 minutes of reading
how to find all the subdomains associated with a domain
how to find all the subdomains associated with a domain

DNSmap is open source software licensed under the GNU GPL v2 which allows you to retrieve the subdomains attached to a specific domain. It is mainly used during the phase of information gathering.

During this phase, a pentester must collect as much information as possible on the target: IP addressing, domain names, network protocols, phone number, email address, etc.
This tool allows him to discover all the subdomains associated with a given domain (for example from google.com, it is possible to discover mail.google.com, earth.google.com, sketchup.google.com, desktop .google.com, ...). DNSmap is intended for both security professionals and pentesters as well as website administrators.

Main features of DNSmap:

  • Obtain all IP addresses (A records) associated with each subdomain
  • Interrupt the bruteforcing process in case the target domain uses wildcards
  • Ability to be able to run the tool without providing a list to do a bruteforce attack
  • Save results in a readable format

Installing DNSMAP

DNSMAP only works under Linux, if you have a Windows computer I advise you to use a virtual machine running the linux distrubition "kali linux". Just download VMware and an image of Kali Linux. DNSMAP is already pre-installed on it.
Otherwise to install it on another distribution, open a terminal as root and run the following commands:

#wget http://dnsmap.googlecode.com/files/dnsmap-0.30.tar.gz
#tar -zxvf dnsmap-0.30.tar.gz
#cd dnsmap-0.30
#make or #gcc -Wall dnsmap.c -o dnsmap
#cp ./dnsmap / usr / local / bin / dnsmap
#cp ./dnsmap-bulk.sh / usr / local / bin /
#chmod ugo + x /usr/local/bin/dnsmap-bulk.sh

How to use DNSmap?

Basic syntax:

$. / dnsmap [options]

And here are the different options:
-W
Input file to use to do the brute force attack
-R
Export results in text format
-VS
Save files in csv format
-D
Maximum delay (in ms) between 2 DNS requests
(Default: 10 ms)
-I
It allows to ignore certain IP addresses when displaying the result (useful for domains generating false positives)

Practical case:

On a distribution like Kali Linux, DNSmap is accessible via the menu "Applications -> Kali Linux -> Information Gathering -> DNS Analysis -> dnsmap"

dnsmap-kali-linux

For ease of use, we'll run a Brute Force subdomains using the wordlist built into the tool. To do this, we type the following command:

./dnsmap mysite.com

 
dnsmap

To do a brute force subdomain attack using a different wordlist, we type this command:

 ./dnsmap google.com -w combolist.txt -r / momo /

 
result-dnsmap-kali-linux

Those who liked this article also liked these: