Is it possible to find all subdomains for a certain domain?
Solution 1
No, there's no way other than bruteforcing.
And if you try that, you'll likely find yourself blacklisted.
Solution 2
Try this brute force script in Linux. It uses reverse DNS lookup (one name per IP), so it can't find virtual hosts (when one IP has more than one name).
vi /tmp/dnsscan.sh
Type i and paste this:
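#!/bin/bash
# Reverse-DNS (PTR) sweep of one /24: pass the first three octets as $1.
IPPFX=$1
for i in `seq 1 255` ; do LIST="$LIST ${IPPFX}.$i" ; done
for i in $LIST ; do
ENTRY="`host $i`"
# Skip addresses for which the lookup failed (no PTR record).
[ $? -ne 0 ] && continue
# Keep only the last field (the hostname) and drop its trailing dot.
ENTRY=`echo "$ENTRY" | sed -e 's/.* //' -e 's/\.$//'`
echo -e "$i\t$ENTRY"
done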
Then type [Esc]:wq and run
chmod 777 /tmp/dnsscan.sh
Then:
/tmp/dnsscan.sh your.ipv4.address
Replace your.ipv4.address with the IPv4 address without its last octet!
For example, http://www.wikipedia.org has the following IP address: 208.80.152.201, so you need to execute this:
/tmp/dnsscan.sh 208.80.152
The result will be:
208.80.152.1 vrrp-gw-100.wikimedia.org
208.80.152.2 rr.pmtpa.wikimedia.org
208.80.152.3 upload.pmtpa.wikimedia.org
208.80.152.5 m.pmtpa.wikimedia.org
208.80.152.6 owa.wikimedia.org
208.80.152.7 payments.wikimedia.org
208.80.152.10 lvs-svc-test.wikimedia.org
... so on
If you need to find virtual hosts, try Bing.com with the real IP:
Example: http://www.bing.com/search?q=IP:208.80.152.201
Solution 3
Your client should have access to, and in some way control over, the nameservers that are authoritative for his domains.
Why not ask the DNS admin for a zone download/export?
Solution 4
Don't forget that if you use another website after using the test website, the test website's URL will likely show up in the other site's referrer log, which can lead to the admin of the other site knowing that yours exists.
Solution 5
Yes, if you google site:*.sitename.com, Google will wildcard the * and display a list of subdomains.
Simon Hayter
Updated on September 17, 2022
Comments
-
Simon Hayter over 1 year
A client of mine is currently hosting a web project on one of his servers with some subdomains for previews, testing etc.
Those are really hard to guess sub domains like:
donottestme123789.example.com
preview_for_you15685485468.example.com
and so on ...
In the past days we noticed, that there are some users using those project instances which shouldn't even know of those :-)
Is there any way besides Google or brute forcing to get a full listing of sub domains from a domain?
-
dunxd over 13 years
Do you really mean for an entire top level domain? That means .com, .org, .net, .uk etc. Do you really mean for a domain such as example.com?
-
Admin over 13 years
I meant a domain - sorry - edited the question ...
-
Admin over 10 years
@Christofian - no, site:*.sitename.com will not work. Google does not allow wildcards in site search anymore.
-
Admin over 10 years
I liked one answer from this forum - link. Searching for site:sitename.com -inurl:www gives all the sub-domains that are indexed by Search Engines.
-
Lèse majesté over 12 years
That shouldn't happen unless you click a link to that other website (in which case the page containing the backlink would be the referrer). Otherwise that would be a huge invasion of privacy.
-
arjarj over 12 years
You don't necessarily need to click on a link for that, loading any external content (an image for example) on the test website will show up as a referrer on the external server.
-
Lèse majesté over 12 years
@arjaj: That's technically correct, and it's used for a lot of analytics applications. But I was referring to the act of the user visiting a webpage as the answer discusses. gbroiles' answer seems to suggest that simply using the same browser window/tab to visit another site will cause the current site's URL to be logged as a referrer. But that is simply not the case unless you arrive at the new site via a link (or redirect).
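The referrer leak discussed in Solution 4 and the comments above (external content or links on the test site receiving its URL), as an added example that is not part of the original thread: a Python check of a preview page's HTML for third-party loads and links that would still send a Referer header. The class and function names are hypothetical, the HTML and third-party hostnames are constructed, and third-party URLs are assumed to be HTTPS like the page itself.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Policies under which a browser sends no Referer header to another origin.
SAFE_POLICIES = {"no-referrer", "same-origin"}
# Tag -> attribute whose URL is fetched on load (or followed on click for <a>).
URL_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href", "a": "href"}

class RefererLeakAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.policy = None    # page-wide <meta name="referrer"> value, if any
        self.found = []       # (tag, third-party host, per-element policy or None)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "referrer":
            self.policy = (a.get("content") or "").strip().lower()
            return
        url = a.get(URL_ATTRS.get(tag, ""))
        if not url:
            return
        parts = urlsplit(urljoin(self.page_url, url))
        if parts.scheme not in ("http", "https") or parts.hostname == self.page_host:
            return            # same host, mailto:, data: etc. learn nothing new
        elem_policy = (a.get("referrerpolicy") or "").lower() or None
        if tag == "a" and "noreferrer" in (a.get("rel") or "").lower().split():
            elem_policy = "no-referrer"
        self.found.append((tag, parts.hostname, elem_policy))

def audit(page_url, html):
    """Return [(tag, host)] for each load or link that still sends a Referer."""
    p = RefererLeakAudit(page_url)
    p.feed(html)
    # Element policy overrides the page policy; the browser default still sends the origin.
    return [(t, h) for t, h, ep in p.found if (ep or p.policy) not in SAFE_POLICIES]

# Constructed sample: a preview page on the question's example hostname.
PAGE_URL = "https://donottestme123789.example.com/index.html"
SAMPLE_HTML = """<html><head><link rel="stylesheet" href="/css/site.css">
<script src="https://cdn.example.net/lib.js"></script></head><body>
<img src="https://stats.example.org/pixel.gif">
<img src="https://img.example.org/logo.png" referrerpolicy="no-referrer">
<a href="https://partner.example.net/" rel="noopener noreferrer">partner</a></body></html>"""

if __name__ == "__main__":
    for tag, host in audit(PAGE_URL, SAMPLE_HTML):
        print(f"<{tag}> sends this page's hostname to {host}")
```

Adding `<meta name="referrer" content="same-origin">` to the page's head (or sending the equivalent `Referrer-Policy` response header) empties the list for this sample.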