Discovering the subdomains of a domain is an essential part of pentest reconnaissance. Forgotten or unsecured subdomains (staging servers, old admin panels, dangling DNS records) can pose a serious risk to a business, and a number of recent security incidents started with an attacker abusing exactly such a subdomain. Credit goes to the author who took the time to develop a tool for subdomain enumeration.
There are many subdomain enumeration tools; one of them is Sublist3r, which is written in Python. Sublist3r enumerates subdomains by querying search engines such as Google, Yahoo and Bing, as well as other public sources. It is not limited to search engines: it also has a bruteforce mode, since subbrute is integrated into Sublist3r to increase the chance of finding more subdomains. Sublist3r can also check the discovered subdomains for specific open TCP ports.
STEP 1 : Installing Sublist3r and Dependencies
git clone https://github.com/aboul3la/Sublist3r.git
cd Sublist3r
pip install -r requirements.txt    # installing dependencies
STEP 2 : Run Sublist3r
python sublist3r.py --help
STEP 3 : Enumerate subdomains with output file!
python sublist3r.py -d [domain] -o [file location]
Add -b to also run the subbrute bruteforce mentioned above, and -p followed by a port list (for example -p 80,443) to check the discovered subdomains for those open TCP ports.
As you can see, the results are exported to the output file, one subdomain per line. Now that we have a list we can feed it to other tools; for example, Nmap with the -iL option will scan every host in the file for open ports and running services. Check the list before scanning: keep only hosts that really belong to the target domain, remove duplicates, and make sure every entry is inside the agreed scope of the engagement.
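The following script is an added example, not code from the Sublist3r project or from the original post. It shows the cleanup step between Sublist3r and Nmap: it takes a file in the format Sublist3r writes with -o (one hostname per line), trims whitespace, lowercases, drops blanks, keeps only hosts that are the target domain or a subdomain of it, removes duplicates, and writes the result to a file suitable for nmap -iL. The target domain example.com, the file names and the sample file contents are constructed for the example; the sample deliberately contains a duplicate, mixed case, stray whitespace and an out-of-scope host (a lookalike domain) to show that they are handled.

```shell
#!/bin/sh
# Added example: turn a Sublist3r "-o" file into a clean, in-scope target list for "nmap -iL".
# Assumptions (not from the original page): one hostname per line, target domain example.com.

TARGET_DOMAIN="${TARGET_DOMAIN:-example.com}"

# Constructed sample of a Sublist3r output file. Includes a duplicate, mixed case,
# surrounding whitespace, an empty line and a lookalike host that is NOT in scope.
write_sample_subs() {
  cat > "$1" <<'EOF'
www.example.com
Mail.example.com
dev.example.com

www.example.com
cdn.example.com.attacker.net
  api.example.com  
EOF
}

# clean_subs FILE DOMAIN: prints the normalised, de-duplicated, in-scope hosts on stdout.
# A host is in scope only if it equals DOMAIN or ends in ".DOMAIN"; the dots in DOMAIN
# are escaped so "example.com" does not also match "exampleXcom".
clean_subs() {
  in="$1"
  dom_re=$(printf '%s' "$2" | sed 's/\./\\./g')
  tr -d '\r' < "$in" \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | tr 'A-Z' 'a-z' \
    | grep -v '^$' \
    | grep -E "(^|\.)${dom_re}\$" \
    | sort -u
}

# count_subs FILE DOMAIN: number of hosts that survive cleaning.
count_subs() {
  clean_subs "$1" "$2" | wc -l | tr -d ' '
}

# Usage: build the sample, clean it, and show the Nmap command that consumes the result.
write_sample_subs subs_raw.txt
clean_subs subs_raw.txt "$TARGET_DOMAIN" > subs_clean.txt
echo "In-scope hosts: $(count_subs subs_raw.txt "$TARGET_DOMAIN")"
echo "Next step: nmap -sV -iL subs_clean.txt -oA sublist3r_scan"
```

On the constructed sample this keeps four hosts (api, dev, mail and www under example.com) and drops the lookalike cdn.example.com.attacker.net, which a plain substring match on "example.com" would have let through. The printed Nmap command is the version-detection scan the post refers to; run it only against hosts that are within your authorised scope.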