You cannot hide anything on the internet anymore, the full IPv4 range is scanned regularly by multiple entities. If you open a port on a public IP it will get found.<p>If it's a obscure non-standard port it might take longer, but if it's on any of the standard ports it will get probed very quickly and included tools like shodan.io<p>The reason why I'm repeating this, is that not everyone knows this. People still (albeit less) put up elastic and mongodb instances with no authentication on public IP's.<p>The second thing which isn't well known is the Certificate Transparency logs. This is the reason why you can't (without a wildcard cert) hide any HTTPS service. When you ask Let's Encrypt (or any CA actually) to generate veryobscure.domain.tld they will send that to the Certificate Transparency logs. You can find every certificate which was minted for a domain on a tool like <a href="https://crt.sh" rel="nofollow noreferrer">https://crt.sh</a><p>There are many tools like subdomain.center, <a href="https://hackertarget.com/find-dns-host-records/" rel="nofollow noreferrer">https://hackertarget.com/find-dns-host-records/</a> comes to mind. The most impressive one I've seen, which found more much more than expected, is Detectify (which is a paid service, no affiliation), they seem to combine the passive data collection (like subdomain.center) with active brute to find even more subdomains.<p>But you can probably get 95% there by using CT and a brute-force tool like <a href="https://github.com/aboul3la/Sublist3r">https://github.com/aboul3la/Sublist3r</a>
Cute, it managed to find 121486 subdomains for amazonaws.com [1], and somehow I suspect that's a tiny fraction of what's in use.<p><a href="https://gist.githubusercontent.com/Q726kbXuN/bf8a9a22b81fe651e38f67548aeb7f3f/raw/e47a312c7a9dc7a9ce41ca1c522a687479a0cf4c/amazonaws.json" rel="nofollow noreferrer">https://gist.githubusercontent.com/Q726kbXuN/bf8a9a22b81fe65...</a>
As others have said, certificate transparency seems to be doing some heavy lifting here. It reports subdomains for me that have never had a public CNAME or A record, but have had let's encrypt certs issued for internal use.<p>It's also missing some that have not had certs issued, but that are in public DNS
Hardly "all subdomains". Unless it's doing an AXFR of my zone file (unlikely), this isn't possible.<p>It's a scraper/guesser, using cert transparency, common names, etc. Cute toy, but false claims.
I would be keen to know what techniques are used. Usually subdomain discovery is done with dns axfr transfer request which leaks the entire dns zone (but this only works on ancient and unpatched nameservers) or with dictionary attacks. There are some other techniques you can check if you look at the source code of amass (open source Golang reconnaissance/security tool), or CT logs. Dns dumpster is one of the tools I used alongside pentest tools (commercial) and amass (oss)
Interesting. Our domain has some subdomains with a numeric suffix; and the API response here has entries in that pattern for not only the particular subdomains that exist or ever existed, but also for subdomains of the same pattern that go <i>beyond</i> any suffix number we've ever actually used.<p>You'd think they'd at least be filtering their response by checking which subdomains actually have an A/AAAA/CNAME record on them...
For my personal domain: it got the ones I have on the SSL cert alternative subject names, made up three, returned one I deleted more than a year ago, and didn't find two. Very curious.
Interesting. It only found less that a quarter of the subdomains of the site I work on, and everything it did find is public facing. I wonder if that’s maybe something to do with how we set up certificates for public vs internal subdomains? It even missed “staging.” which should be nearly identical in configuration to www
Note, if you looked up a domain and it had no results, you should check back again after some minutes. I looked my domain up and had zero results, which was weird as it should at least find some in the ct logs, but a few minutes later it showed some subdomains.
If this were able to determine which wildcard subdomains were active for a given domain, you could use it to figure out a lot of B2B companies’ client/customer list.
Just for giggles, does anyone else remember when "subdomains" were called "machine names" because physical devices were limited to one service?<p>www.
ftp.
mail.<p>... weren't theoretical or merely mnemonic.<p>Felt like an old coot when using "machine name" to a 40 year old IT professional and she was perplexed!
It gave me empty results for some of my domains that have multiple subdomains that have TLS certificate associated with them so that must appear in the certificate transparency log.<p>I guess it should be "discover <i>some</i> subdomains for <i>some</i> domains".
The subdomain explorer may be fun, but their Exploit Observer is really useful: <a href="https://www.exploit.observer/" rel="nofollow noreferrer">https://www.exploit.observer/</a>
This is fantastic!!!<p>What kind of security considerations are there to having multi-tenant user applications on subdomains and then having them exposed like this?<p>I'm building a SaaS right now, and I guess one thing is that a given username can then be discovered as a valid login for the system...but obviously that's only part of the login credential.<p>Maintaining a list of mappings to opaque subdomains seems to reduce targeting, and conceal login partial credentials, but doesn't seem to offer much besides.<p>Analysis?
One thing I noticed looking at my logs is that there is almost no unsolicited traffic (i.e. failed authentication attempts, exploits of various worldpress bugs, etc) through ipv6. I think it's a function of 1) those coming from networks (compromised home devices, etc) that don't support v6, 2) the v6 address space being too large to scan (the size of an encryption key), so good security by obscurity. This would nullify 2).
I got back an empty list for my domain on Cloudflare with several subdomains (non wildcard)<p>edit: I retried on my computer (was on my phone earlier) and now it returns all of our subdomains, even picking up our test R2 bucket. In guessing I was rate limited because I accidentally loaded the example file a few times
Seems similar yet still useful to Wolfram Alpha; just enter a domain and click on the "Subdomains" button:<p><a href="https://www.wolframalpha.com/input?i=ycombinator.com" rel="nofollow noreferrer">https://www.wolframalpha.com/input?i=ycombinator.com</a>
Sublist3r [1] does a similar job, as long as you have the authorisation to use it on a particular domain, as it uses more aggressive discovery techniques.<p>[1] <a href="https://github.com/aboul3la/Sublist3r">https://github.com/aboul3la/Sublist3r</a>
<a href="https://github.com/projectdiscovery/subfinder">https://github.com/projectdiscovery/subfinder</a> does this, but it explains all the methods and lets you choose to only do a passive scan.
Took a while, but was impressed it detected all of ours: <a href="https://api.subdomain.center/?domain=radiantai.health" rel="nofollow noreferrer">https://api.subdomain.center/?domain=radiantai.health</a>