
If you are a web pentester, you will need to test website vulnerability from any ways, one of them is a subdomain. Because, if you failed to exploit website from main domain you can exploit it from subdomain. Subdomain is integrate with main domain in one server, the vulnerability on subdomain is very dangerous because if attacker can enter server which is combined between main domain and subdomain, they can take over your server.
Findomain
A cross-platform tool that use Certificates Transparency logs to find subdomains.
Supportted platforms
All supported platforms are 64 bits only and we don’t have plans to add support for 32 bits, if you want to have support for 32 bits you can fork the repo and made it.
- Linux
- Windows
- MacOS
- ARM
- Aarch64
How it works?
It tool doesn’t use the common methods for sub(domains) discover, the tool uses Certificate Transparency logs to find subdomains and it method make it tool very faster and reliable. The tool make use of multiple public available APIs to perform the search. If you want to know more about Certificate Transparency logs, read https://www.certificate-transparency.org/
APIs that we are using at the moment:
- Certspotter: https://api.certspotter.com/
- Crt.sh : https://crt.sh
- Virustotal: https://www.virustotal.com/ui/domains/
- Sublit3r: https://api.sublist3r.com/
- Facebook: https://developers.facebook.com/docs/certificate-transparency
If you know other that should be added, open an issue.
Installation in Linux using source code
If you want to install it, you can do that manually compiling the source or using the precompiled binary.
Manually: You need to have Rust installed in your computer first.
git clone https://github.com/Edu4rdSHL/findomain.git
cd findomain
cargo build --release
sudo cp target/release/findomain /usr/bin/
findomain
Installation in Linux using compiled artifacts
wget https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-linux
chmod +x findomain-linux
./findomain-linux
If you are using the BlackArch Linux distribution, you just need to use:
Installation ARM
wget https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-arm
chmod +x findomain-arm
./findomain-arm
Installation Aarch64 (Raspberry Pi)
wget https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-aarch64
chmod +x findomain-aarch64
./findomain-aarch64
Installation Windows
Download the binary from https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-windows.exe
Open a CMD shell and go to the dir where findomain-windows.exe was downloaded.
Exec: findomain-windows
in the CMD shell.
Installation MacOS
wget https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-osx
chmod +x findomain-osx.dms
./findomain-osx.dms
Usage
You can use the tool in two ways, only discovering the domain name or discovering the domain + the IP address.
findomain 0.1.4
Eduard Tolosa <[email protected]>
A tool that use Certificates Transparency logs to find subdomains.
USAGE:
findomain [FLAGS] [OPTIONS]
FLAGS:
-a, --all-apis Use all the available APIs to perform the search. It take more time but you will have a lot of
more results.
-h, --help Prints help information
-i, --get-ip Return the subdomain list with IP address if resolved.
-V, --version Prints version information
OPTIONS:
-f, --file <file> Sets the input file to use.
-o, --output <output> Write data to output file in the specified format. [possible values: txt, csv, json]
-t, --target <target> Target host
Examples
- Make a simple search of subdomains and print the info in the screen:
findomain -t example.com
- Make a simple search of subdomains using all the APIs and print the info in the screen:
findomain -t example.com -a
- Make a search of subdomains and export the data to a CSV file:
findomain -t example.com -o csv
- Make a search of subdomains using all the APIs and export the data to a CSV file:
findomain -t example.com -a -o csv
- Make a search of subdomains and resolve the IP address of subdomains (if possible):
findomain -t example.com -i
- Make a search of subdomains with all the APIs and resolve the IP address of subdomains (if possible):
findomain -t example.com -i -a
- Make a search of subdomains with all the APIs and resolve the IP address of subdomains (if possible), exporting the data to a CSV file:
findomain -t example.com -i -a -o csv
Features
- Discover subdomains without brute-force, it tool uses Certificate Transparency Logs.
- Discover subdomains with or without IP address according to user arguments.
- Read target from user argument (-t).
- Read a list of targets from file and discover their subdomains with or without IP and also write to output files per-domain if specified by the user, recursively.
- Write output to TXT file.
- Write output to CSV file.
- Write output to JSON file.
- Cross platform support: Linux, Windows, MacOS.
- Optional multiple API support.
Issues and requests
If you have a problem or a feature request, open an issue.
Follow in Twitter:
- https://twitter.com/sechacklabs (Team)
- https://twitter.com/edu4rdshl (Developer)
Screenshot
