Subdomain Enumeration Tools Evaluation

Ricardo Iramar dos Santos
Feb 9 · 3 min read

TL;DR: A simple and straightforward evaluation of subdomain enumeration tools available on the internet based on number of subdomains found and in how much time.

Introduction

Subdomain enumeration become more and more important for an attacker in the last few years and different tools with different approaches are been developed so far.

In a world with so many tools a simple evaluation can help to decided which tool should use in each case.

In this post I’ll provide the results of a simple and straightforward evaluation of the following subdomain enumeration tools:

Methodology

To perform this evaluation I’ve selected the domain spotify.com since I’ve been doing bug bounty for a long time on Spotify and had a good knowledge about this domain.

All tools were installed following the standard installation procedure provided by official developer documentation and executed with the default options for a kind of fair comparison. In the end of this post I’ll provide a link for a spreadsheet with the commands that I used to install and execute the tools and the output of each tool.

The host machine was a Ubuntu 18.04 LTS (64-bit) minimal installation and running under a Virtualbox VM with the following configuration:

After enumerate with each tool I also filtered the subdomains found with the following command:

while read i; do digout=$(dig +short ${i//[$'\t\r\n ']}); if [[ ! -z $digout ]]; then echo ${i//[$'\t\r\n ']}; fi; done < spotify.com.txt > spotify.com_valid.txt

Not sure exactly why but some tools provide subdomains without and DNS record so the results will have both (all and filtered subdomains).

Results

Amass was able to find 489 valid subdomains, almost the double of the second place Sublist3r (280 valid subdomains) on the other hand Amass was the slowest tool taking around 20 minutes to finish (0.4 subdomains per second).

The fastest tool was Findomain which I didn’t know until this post. Findomain was able to find 270 subdomains and took about only 6 seconds (almost 46 subdomains per second).

The disaster was Sudomy which returned a lot errors and I decided not investigate what happened since all the others tools worked without any issues.

If you know any tool outside of this list please let me know through my twitter @ricardo_iramar or email ricardo.iramar@gmail.com.

In this link https://drive.google.com/open?id=1vc-5INapxD909GGUROcb86I_vdufS1Ha you can find a spreadsheet with the full results and the output of each tool used during this evaluation.

Ricardo Iramar dos Santos

Written by

Alguém a procura de autoconhecimento constantemente.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade