Subdomains Enumeration: what is, how to do it, monitoring automation using webhooks and centralizing your findings

Eduard Toloza
Oct 3 · 10 min read

If you are reading this article is possible that you:

  • Are interested in learning what is and how to do subdomains enumeration.
  • Want to know how to automatize subdomains monitoring.
  • Want to centralize your findings in one place.
  • Want to get the new data automatically published using webhooks.

Having a tool that can do all this isn’t easy, but do not despair: Findomain exists.

Before working with Findomain, I will tell you the basics.

What is a Subdomain Enumeration process?

First, I need to tell you what is a subdomain. According to Wikipedia:

In the Domain Name System (DNS) hierarchy, a subdomain is a domain that is a part of another (main) domain.

Yes, that’s right. When you see a domain like example.org and then you see in another place drugs.example.org you’re seeing a subdomain. In more practical words, subdomains are like having a enterprise and their dependencies where the enterprise is the domain and the dependencies are the subdomains. A more technical explanation can be found here.

Most domains have at least a couple of subdomains, they are used to organize topics, for example having a blog for example.org in the blog.example.org subdomain, a forum in forum.example.org or for another tasks like a subdomain called mail.example.org to route mail traffic, etc. Having a big number of subdomains can lead to security problems if they are not managed well enough and that’s what usually happens with companies (but not limited to) that have tens, hundreds, or thousands of subdomains. It is not easy to track them one by one and they end up running outdated software, having miss-configurations, and bad security policies.

With subdomain enumeration you will find the highest quantity of subdomains for a target domain either for security testing, crawling, subdomain takeover checks, or another task. Subdomain enumeration is one of the most important steps while doing security tests to a target domain.

How to do Subdomain Enumeration?

Now that we know what is a subdomain enumeration and why it is so important, the next step is knowing how to do it. There are many subdomain enumeration tools, some better than others. In this post I am using Findomain, a tool that I have written in Rust from scratch, does not use bruteforce methods, it is the fastest compared with existing subdomains enumeration tools, is very light with resource consumption, can be installed in any architecture or operative system (including phones, tablets, etc) and allow you to do a lot of interesting things. If you are interested in getting Findomain, it is open source and can be downloaded from https://github.com/Edu4rdSHL/findomain. Let’s do it!

If you want to know just what subdomains have a target, in it case example.org, just run findomain -t example.org and you will got in a couple of seconds…

$ findomain -t example.orgTarget ==> example.orgSearching in the CertSpotter API... 🔍
Searching in the Crtsh database... 🔍
Searching in the Virustotal API... 🔍
Searching in the Sublist3r API... 🔍
Searching in the Spyse API... 🔍
Searching in the Facebook API... 🔍
Searching in the Threadcrowd API... 🔍
Searching in the Bufferover API... 🔍
Searching in the Virustotal API using apikey... 🔍
morev.example.org
wpad.example.org
versus.example.org
... snip
A total of 65 subdomains were found for ==> example.org 👽Good luck Hax0r 💀!

65 subdomains were found for example.org!

If you want to search for a list of domains you can put they into a text file, every domain in a line and run findomain -f domains.txt and Findomain will search subdomains for every domain in the file.

That is the most basics Findomain usage, if you want for example to run Findomain and only show resolvable domains (that have a public IP), you must execute findomain -t example.org -r and Findomain will show to you only subdomains that have a public IP address and can be accessed from where you are. Findomain will print all of the found subdomains in the screen or in a output file as described below.

If you want to use all APIs, you need to configure some things. Please see the Findomain documentation to configure needed access tokens for some APIs, it will improve the number of subdomains found.

If you want to write to an output file, you have two options:

  1. Give to Findomain the control of the output file names using the -o flag. If you run findomain -t example.org -o the resulting file name will be called example.org.txt in it case but even follows the rule domain string+.txt. Have in mind that if you are reading subdomains from a file every domain will have their own output file.
  2. The other option is using the -u flag and giving your own name to a unique output file still if Findomain is reading domains from a text file. If you run findomain -t example.org -u myfile.txt or findomain -f domains.txt -u myfile.txt in both cases the output filename is myfile.txt. It’s specially useful if you are working with a list of domains into a file and want to save all data into a unique output file for further tests.

Now that we know what is subdomain enumeration and why it is so important, the next step is knowing how to do it.

Subdomain Monitoring automation and publishing to webhooks

At the moment we know that example.org have 65 subdomains but what happens if we want to know when and what new subdomains are added? Well, you can save the last results into a file and then run the tool again and check the difference between the two files… not very practical, true? Yes, doing that sucks, imagine that we are going to monitor 1000 subdomains, doing that task manually for every domain is really a waste of time. But there’s another good notice for you: Findomain can monitor a subdomain (using the -t option) or X number of subdomains (putting they in a file and using the -f option). First I will explain to you how it works.

Findomain can do subdomains monitoring if you pass the -m flag. Anyways, the tool need to have some prerequisites before using it:

  • The PostgreSQL relational database needs to be installed in at least one of your devices (PC/Server/Phone). The PostgreSQL software is multi-platform and can be installed in GNU/Linux, Windows, Macintosh, Termux and more. See https://www.postgresql.org/download/ if you can’t find the package in your distribution repository’s for GNU/Linux or if you are in another OS.
  • A Discord/Slack or Telegram webhook configured. Note: You need a Discord, Slack or Telegram account in order to create webhooks. If you think that another platform should be supported, open an issue in https://github.com/Edu4rdSHL/findomain/issues.
  • A job scheduler if you want to run Findomain automatically in your system. See the documentation.

If you don’t know how to create webhooks, read the respective documentation for every platform: Slack documentation , Discord documentation and my own Telegram documentation.

When you have completed the requirements, continue with the next steps.

Configuring Findomain for the subdomains monitoring automation.

Findomain does some checks before starting with the monitoring process. These checks are:

  • Check if at least one of the findomain_discord_webhook, findomain_slack_webhook , findomain_telegrambot_token and findomain_telegrambot_chat_id system variables are set. They are needed to publish the results of the monitoring task.
  • Check if the connection to the PostgreSQL database can be performed correctly.

If these checks are passed, the tool will start working.

See the following examples to have a idea of how you can start Findomain in the monitoring mode.

  • GNU/Linux, Mac, Termux.
$ export findomain_discord_webhook='https://discordapp.com/api/webhooks/XXXXXXXXXXXXXXX'
$ export findomain_slack_webhook='https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX'
$ export findomain_telegrambot_token="Your_Bot_Token_Here"
$ export findomain_telegrambot_chat_id="Your_Chat_ID_Here"
$ findomain -m -t example.org --postgres-host 192.168.1.73 --postgres-port 5432 --postgres-database findomain --postgres-user findomain --postgres-password postgres
  • Windows
> set findomain_discord_webhook=https://discordapp.com/api/webhooks/XXXXXXXXXXXX 
> set findomain_slack_webhook=https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX
> set findomain_telegrambot_token=Your_Bot_Token_Here
> set findomain_telegrambot_chat_id=Your_Chat_ID_Here
> findomain -m -t example.org --postgres-host 192.168.1.73 --postgres-port 5432 --postgres-database findomain --postgres-user postgres --postgres-password postgres

If you don’t set some of the options, Findomain will use default values. See the documentation for more info. Additionally if you are going to run the tool in your current computer you only need to set the --postgres-password and the —-postgres-user option — only if the user is different to postgres — example:

$ findomain -t example.org -m --postgres-password 1234

Or if you don’t have any password and the user is postgres:

$ findomain -t example.org -m

To use a list of domains instead of only a domain, change the -t option for the -f option.

When you execute the command, internally the following events occur:

  1. The checks mentioned before are done.
  2. Connection to the PostgreSQL database.
  3. Search in the APIs and save the results as a current subdomains variable.
  4. Database query to search if there are existing subdomains associated with the current target domain and save the results as a existing subdomains variable.
  5. Comparison of existing subdomains with the current subdomains and check what is in current subdomains that aren’t in the existing subdomains and save the results into a new subdomains variable.
  6. Format the data and publish the new subdomains to webhooks.
  7. If the publish is successful then prepare the SQL transaction and commit new subdomains to the database, otherwise show the error message without doing the database commit.

The mentioned steps are repeated every-time the tool runs for every domain target.

If new subdomains were found, Findomain will publish the following message to the webhooks:

Findomain data posted to Discord webhook.
Findomain data posted to Slack webhook.

If not data is found, Findomain will send the following alert:

No new subdomains found posted to Discord webhook
No new subdomains found posted to Slack webhook

The next step to complete the automation is set up a job scheduler. In internet are available a lot of tutorials about configuring jobs schedulers, found one for you or read the Findomain documentation. I’m going to give you a simple example of how to set up a systemd timer in Linux that do the work.

  • Create the file/usr/lib/systemd/user/findomain.service and put the following content there:
[Unit]
Description=Monitor subdomains.
After=network-online.target
[Service]
Type=simple
ExecStart=bash -c "findomain_virustotal_token='Your Virustotal token here' findomain_fb_token='Your Facebook token here' findomain_discord_webhook='Your Discord webhook URL here' findomain_slack_webhook='Your Slack webhook URL here' findomain_telegrambot_token='Your_Bot_Token_Here' findomain_telegrambot_chat_id='Your_Chat_ID_Here' findomain -f /path/to/domains.txt -m --postgres-host Host-IP-or-name-here --postgres-port Host-postgresql-port-here --postgres-user postgresql-username --postgres-password postgresql-password --postgres-database postgresql-database-name"
KillMode=process
KillSignal=SIGINT
[Install]
WantedBy=default.target
  • Create the file /usr/lib/systemd/user/findomain.timer and put the following content there:
[Unit]
Description=Check for new subdomains.
[Timer]
OnBootSec=10min
OnUnitActiveSec=1d
Unit=findomain.service
[Install]
WantedBy=timers.target
  • Run the command: systemctl --user start findomain.timer && systemctl --user enable findomain.timer

That will run Findomain every 24 hours (1d) and 10 minutes (10min) before the system is booted (first time).

That’s all, you have completed the subdomains monitoring automation using Findomain.

Centralizing your subdomain findings

We have learned how to enumerate subdomains, use files as a list of domains, monitor subdomains, publish data to webhooks, save the data to a database and more using our local computer as client/server… but what if I say to you that we can use a central server with PostgreSQL installed and use Phones, PC’s, Tablets, Virtual Machines or whatever as clients to monitor subdomains but having all the data only in a database? Yes, that’s possible to do with Findomain too.

You need to have a machine running PostgreSQL and configured to be accessible from anywhere (if you want to access from public IPs) or from specific IPs. In our case we are going to use a machine into our local network as central server with the IP 192.168.1.73 and the following machines as clients: Android 9 Phone, Windows 10 and BlackArch Linux virtual machines.

If you want to learn how to make your database accessible from external machines, follow it link.

Machine running the PostgreSQL server

Now, I will run the clients mentioned before and see what happens.

Android 9 Phone.

Android 9 Phone running Findomain using a remote server as central database. Target: example.com

According to the webhooks, it has found 180 subdomains for example.com in the first run.

Discord webhook alert for example.com

Lets see what is in our remote database…

Database query for example.com

Well, the 180 subdomains are now in our database. Lets see how it works on Windows and BlackArch but using different targets.

Windows 10

Windows 10 machine running Findomain using a remote server as central database. Target: example.org
Discord webhook alert for example.org

BlackArch Linux

BlackArch Linux machine running Findomain using a remote server as central database. Target: example.net
Discord webhook alert for example.org

According to the reported data, we should have 272 subdomains in our central database.

General database query.

That’s how you can centralize all your findings across all devices that you want. In our case we used a local server but you can buy your VPS and connect to it from any device as client.

Final words

I hope that you, dear lector, have enjoyed reading this article but above all, it has been useful in your learning/working process. Follow me in:

Give a clap to the article, share it and give a star to the Github project repository.

If you found a issue in the Findomain tool or want a new feature, feel free to open an issue in the repository. Coming features are:

  • Option to query the central database and get the domains from there.
  • Show the IP address of the resolved subdomains (it was implemented a time and then was removed and replaced by the -r option, now the -i will be a complement for it).

Until a next opportunity.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade