
[Hacking]

Subdomain tools review

carmoon 2021. 4. 26. 20:27

Subdomain tools review - Pentest Book (six2dez.com)

pentestbook.six2dez.com

Tools

Small summary of each tool with the features and results that I got. This section does not follow any particular order.

amass

  • Author: OWASP (mainly caffix).
  • Language: Go.
  • Type: Passive, Active, Bruteforce, Alterations (only Active and Passive tested here).
  • Api Keys added: 16 (AlienVault, Binary Edge, Censys, Chaos, Cloudflare, Facebook, Github, NetworksDB, PassiveTotal, ReconDev, SecurityTrails, Shodan, SpySe, UrlScan, VirusTotal, WhoIsXML).

Well-known tool for the enumeration of subdomains. It's basically an all-in-one because it does everything, plus many other things apart from subdomains. In the case of this tool, I have only analyzed the passive and active approaches, because there is no way to do a unit analysis for bruteforce or alterations without consulting third-party services first (or at least I have not found a way to do it).

Pros

  • Lots of third-party integrations.
  • Swiss army knife for subdomains enumeration, all the functionalities you can think of and more.
  • It added active subdomains that none of the other tools managed to add.

Cons

  • Not fast at all.
  • Sometimes usability is confusing due to the large number of options.

Sublist3r

  • Author: aboul3la
  • Language: Python
  • Type: Passive, Bruteforce (only Passive tested here).
  • Api Keys added: 0.

Widely used by a lot of other tools since it has been around since 2015, and you don't need to add any API keys. One problem I found with this tool is that it does not resolve the subdomains found passively. It does incorporate subbrute for bruteforcing, which does DNS resolution, but it does not allow specifying a different wordlist; for this reason I did not test the bruteforce feature.

Pros

  • Really fast.
  • Includes subbrute for bruteforcing.
  • Includes a port scan.

Cons

  • Few results compared to others.
  • Limited features, such as bruteforce without the ability to specify a custom wordlist.

crobat

  • Author: Cgboal
  • Language: Go
  • Type: Passive
  • Api Keys added: 0.

It is basically the easiest way to query Rapid7's Project Sonar database.

Pros

  • Queries one of the best data sources.
  • Ultra-fast.

Cons

  • Nothing in particular; it does a very specific thing and does it well.

chaos

  • Author: projectdiscovery
  • Language: Go
  • Type: Passive
  • Api Keys added: 1 (Chaos).

Official client to query the Chaos database. It is mainly oriented to bug bounty; it contains the database of all the programs.

Pros

  • Ultra-fast.
  • Allows updating the dataset with your own findings.
  • Multiple filter and output options.

Cons

  • API Key limited to invitations.

subfinder

  • Author: projectdiscovery
  • Language: Go
  • Type: Passive and Active.
  • Api Keys added: 13 (BinaryEdge, Censys, Chaos, DnsDB, GitHub, PassiveTotal, ReconDev, Robtex, SecurityTrails, Shodan, SpySe, UrlScan, VirusTotal).

The definitive subdomain tool from projectdiscovery is the one that gets the most results in passive and active mode. Simply the best.

Pros

  • Fast compared with others that have a similar number of integrations.
  • Uses 35 third-party services in total.
  • Lots of options for search, filters and output.

Cons

  • Amass got a few subdomains that subfinder missed, but only in the large scope.

altdns

  • Author: infosec-au
  • Language: Python
  • Type: Alterations.

The most popular tool for subdomain alteration and resolution. It currently has a bug that needs to be fixed to make the tool work.

Pros

  • Allows setting a custom resolver.
  • Output includes CNAME.

Cons

  • Really really slow.
  • Not the best alteration wordlist.

shuffledns

Fastest bruteforce and resolution subdomain tool, by projectdiscovery (yes, again). It's actually a massdns wrapper, but it makes massdns much easier to use with a simple syntax.

Pros

  • Fastest.
  • Allows massdns output directly.
  • Wildcard support.

Cons

  • In some cases, it missed some subdomains that the rest did.

assetfinder

  • Author: tomnomnom
  • Language: Go
  • Type: Passive.
  • Api Keys added: 3 (Facebook, VirusTotal, SpySe).

This tool aims to find domains and subdomains related to a given domain. Related means not just subdomains, but also other domains, which could be third-party URLs for example.

Pros

  • Really fast for the amount of services integrated.
  • 9 services included.
  • That "related" feature.

Cons

  • No results that the others did not find.

waybackurls

  • Author: tomnomnom
  • Language: Go
  • Type: Passive.
  • Api Keys added: 0.

The main purpose of this tool is to fetch URLs from the Wayback Machine, but it is widely used to retrieve subdomains too.

Pros

  • Fast.

Cons

  • No subdomain feature; you have to filter the URLs with a tool like unfurl or grep.
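The filtering step mentioned in the con above, as an added example that is not part of the original review: a small POSIX shell function that reduces a list of URLs (the kind waybackurls prints) to the unique in-scope hostnames. The target domain and the sample URLs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original review: extract in-scope subdomains
# from a list of URLs such as the one waybackurls prints.

# urls_to_subdomains DOMAIN   (reads URLs on stdin, one per line)
# Prints each unique hostname that is DOMAIN itself or a subdomain of it.
urls_to_subdomains() {
    domain=$1
    # Escape the dots so "example.com" does not also match "exampleXcom".
    esc=$(printf '%s' "$domain" | sed 's/\./\\./g')
    # sed, in order: drop the scheme, drop "user:pass@" userinfo, cut at the
    # first "/", "?" or "#", then drop a trailing ":port".
    sed -e 's|^[a-zA-Z][a-zA-Z0-9+.-]*://||' \
        -e 's|^[^/@]*@||' \
        -e 's|[/?#].*$||' \
        -e 's|:[0-9]*$||' |
      # DNS names are case-insensitive, so normalise before de-duplicating.
      tr 'A-Z' 'a-z' |
      # Keep only the domain itself or names ending in ".domain"; this rejects
      # look-alikes such as example.com.evil.net and paths that contain it.
      grep -E "(^|[.])${esc}\$" |
      sort -u
}

# Constructed sample input, roughly what waybackurls emits for a target.
SAMPLE_URLS='https://API.example.com/v1/users
http://dev.example.com:8080/
https://user:pw@mail.example.com/inbox
https://example.com/
https://api.example.com/?q=1
https://example.com.evil.net/
https://cdn.other.org/example.com/logo.png'

printf '%s\n' "$SAMPLE_URLS" | urls_to_subdomains example.com
```

The same function works on subfinder or amass output mixed with URLs, since bare hostnames pass through the sed steps unchanged.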

github-subdomains

  • Author: gwen001
  • Language: Go
  • Type: Passive.
  • Api Keys added: 1 (GitHub).

This tool searches GitHub for subdomains of a given domain, which is why it needs a GitHub API key.

Pros

  • Fast.
  • GitHub is always a useful source.

Cons

  • With some common names or companies it could be very slow.

dnscan

  • Author: rbsec
  • Language: Python
  • Type: Bruteforce.

Actively updated bruteforce tool with some nice features like a zone transfer check and recursion.

Pros

  • Zone transfer feature.
  • Custom insertion points.
  • Comes with 7 wordlists.

Cons

  • Python 2.

gobuster

  • Author: OJ
  • Language: Go
  • Type: Bruteforce.

Mainly known for web fuzzing, it also has the option to scan for DNS. It's one of the must-have tools in the community.

Pros

  • Wildcard support.
  • Option to show CNAME or IP.

Cons

  • None really.

knock

  • Author: guelfoweb
  • Language: Python
  • Type: Passive and Bruteforce.
  • Api Keys added: 1 (VirusTotal).

It performs a passive scan and bruteforce, but does not resolve what it finds passively. It does not stand out especially anywhere.

Pros

  • Zone transfer check.
  • CSV output customization.

Cons

  • Python 2.
  • Output is messy.
  • Slow.

aiodnsbrute

  • Author: blark
  • Language: Python
  • Type: Bruteforce.

According to its description, it is mainly focused on speed and also has multiple output formats.

Pros

  • Multiple output formats.
  • Customizable DNS lookup query.
  • Fast.

Cons

  • Feels outdated and abandoned.

dmut

  • Author: bp0lr
  • Language: Go
  • Type: Alterations.

Fast permutation tool with a very good wordlist.

Pros

  • Fastest in its type.
  • Lots of DNS options to optimize.

Cons

  • Output is a bit poor.

subdomain3

  • Author: yanxiu0614
  • Language: Python
  • Type: Bruteforce.

Bruteforce tool with some interesting additions like IP, CDN or CIDR support.

Pros

  • Fastest in its type.
  • IP, CDN and CIDR support.
  • Multi-level subdomains option.

Cons

  • Python 2.
  • Feels outdated and abandoned.
  • In some cases, it missed some subdomains that the rest did.

Sudomy

  • Author: Screetsec
  • Language: Python
  • Type: Passive, Active and Bruteforce (Bruteforce with Gobuster, so not tested).
  • Api Keys added: 9 (Shodan, Censys, VirusTotal, BinaryEdge, SecurityTrails, DnsDB, PassiveTotal, SpySe and Facebook).

Much more than a subdomain tool, it's a recon suite, but the subdomain search is not delegated to third-party tools, so it gets on this list.

Pros

  • Multiple options apart from the subdomain search.
  • Active scan is really fast.

Cons

  • No results that the others did not find.
  • Active scan output could be better.

Findomain

  • Author: Edu4rdSHL
  • Language: Rust
  • Type: Passive, Active and bruteforce.
  • Api Keys added: 4 (Facebook, Spyse, VirusTotal and SecurityTrails).

Findomain is one of the standard subdomain finder tools in the industry; it has a limited free version and a paid full-featured version.

Pros

  • Really fast.
  • Free version is still completely useful.

Cons

  • Paid version has all the features.
  • No customizable output file in free version.

Tool - Url

  • amass: https://github.com/OWASP/Amass
  • sublist3r: https://github.com/aboul3la/Sublist3r
  • crobat: https://github.com/Cgboal/SonarSearch
  • chaos: https://github.com/projectdiscovery/chaos-client
  • subfinder: https://github.com/projectdiscovery/subfinder
  • altdns: https://github.com/infosec-au/altdns
  • shuffledns: https://github.com/projectdiscovery/shuffledns
  • assetfinder: https://github.com/tomnomnom/assetfinder
  • waybackurls: https://github.com/tomnomnom/waybackurls
  • github-subdomains: https://github.com/gwen001/github-subdomains
  • dnscan: https://github.com/rbsec/dnscan
  • gobuster: https://github.com/OJ/gobuster
  • knock: https://github.com/guelfoweb/knock
  • aiodnsbrute: https://github.com/blark/aiodnsbrute
  • dmut: https://github.com/bp0lr/dmut
  • subdomain3: https://github.com/yanxiu0614/subdomain3
  • Findomain: https://github.com/Findomain/Findomain
  • sudomy: https://github.com/Screetsec/Sudomy
