If you are a web pentester, you will need to test website vulnerability from any ways, one of them is a subdomain. Because, if you failed to exploit website from main domain you can exploit it from subdomain. Subdomain is integrate with main domain in one server, the vulnerability on subdomain is very dangerous because if attacker can enter server which is combined between main domain and subdomain, they can take over your server.
A cross-platform tool that use Certificates Transparency logs to find subdomains.
All supported platforms are 64 bits only and we don’t have plans to add support for 32 bits, if you want to have support for 32 bits you can fork the repo and made it.
How it works?
It tool doesn’t use the common methods for sub(domains) discover, the tool uses Certificate Transparency logs to find subdomains and it method make it tool very faster and reliable. The tool make use of multiple public available APIs to perform the search. If you want to know more about Certificate Transparency logs, read https://www.certificate-transparency.org/
APIs that we are using at the moment:
- Certspotter: https://api.certspotter.com/
- Crt.sh : https://crt.sh
- Virustotal: https://www.virustotal.com/ui/domains/
- Sublit3r: https://api.sublist3r.com/
- Facebook: https://developers.facebook.com/docs/certificate-transparency
If you know other that should be added, open an issue.
Installation in Linux using source code
If you want to install it, you can do that manually compiling the source or using the precompiled binary.
Manually: You need to have Rust installed in your computer first.
Installation in Linux using compiled artifacts
If you are using the BlackArch Linux distribution, you just need to use:
Installation Aarch64 (Raspberry Pi)
Download the binary from https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-windows.exe
Open a CMD shell and go to the dir where findomain-windows.exe was downloaded.
findomain-windows in the CMD shell.
You can use the tool in two ways, only discovering the domain name or discovering the domain + the IP address.
- Make a simple search of subdomains and print the info in the screen:
findomain -t example.com
- Make a simple search of subdomains using all the APIs and print the info in the screen:
findomain -t example.com -a
- Make a search of subdomains and export the data to a CSV file:
findomain -t example.com -o csv
- Make a search of subdomains using all the APIs and export the data to a CSV file:
findomain -t example.com -a -o csv
- Make a search of subdomains and resolve the IP address of subdomains (if possible):
findomain -t example.com -i
- Make a search of subdomains with all the APIs and resolve the IP address of subdomains (if possible):
findomain -t example.com -i -a
- Make a search of subdomains with all the APIs and resolve the IP address of subdomains (if possible), exporting the data to a CSV file:
findomain -t example.com -i -a -o csv
- Discover subdomains without brute-force, it tool uses Certificate Transparency Logs.
- Discover subdomains with or without IP address according to user arguments.
- Read target from user argument (-t).
- Read a list of targets from file and discover their subdomains with or without IP and also write to output files per-domain if specified by the user, recursively.
- Write output to TXT file.
- Write output to CSV file.
- Write output to JSON file.
- Cross platform support: Linux, Windows, MacOS.
- Optional multiple API support.
Issues and requests
If you have a problem or a feature request, open an issue.