Checking for existence of subdomains with nmap

Whether you’re searching for story ideas, doing competitive research, or just exercising some web curiosity, having a list of all the subdomains of a given host can be helpful.
I stumbled on this tutorial and thought it was a helpful intro, in large part due to the inclusion of lists containing the top 1,000,000 subdomains. If you’re on a Mac, you can get going with nmap by installing it with Homebrew:
brew install nmap
Then grab one of the subdomain lists – say, the top 1,000 subdomains – and put it on your desktop.
So with the subdomain list and nmap installed, we can open our terminal app, change directory to the desktop, and then set up a one-liner like this:
nmap --script dns-brute --script-args dns-brute.domain=onwardstate.com,dns-brute.threads=6,dns-brute.hostlist=./sub1000.lst
And voila, a couple minutes later you’ll have a list of the configured subdomains, as well as their IP addresses.
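Seen from the DNS side, a run like the one above is a burst of lookups for many different names under one domain, most of which do not exist. The following is an added example (not part of the original post) that flags that pattern in a query log; the log format, the example.com zone, the thresholds and the function names are assumptions made for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

ZONE = "example.com"  # placeholder zone, not taken from the post

def parse(line):
    """Split one line of the assumed format: time client qname qtype rcode."""
    ts, client, qname, _qtype, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.rstrip(".").lower(), rcode

def find_wordlist_sweeps(lines, zone=ZONE, window_s=60, min_names=20, min_nx=0.8):
    """Return {client: distinct_name_count} for clients that, within any
    window_s-second window, asked for >= min_names distinct names under
    zone with at least min_nx of those queries answered NXDOMAIN."""
    recent = defaultdict(deque)  # client -> (time, qname, rcode) inside the window
    flagged = {}
    for ts, client, qname, rcode in sorted(map(parse, lines)):
        if not qname.endswith("." + zone):
            continue
        q = recent[client]
        q.append((ts, qname, rcode))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()  # drop queries that fell out of the window
        names = {n for _, n, _ in q}
        nx_ratio = sum(r == "NXDOMAIN" for _, _, r in q) / len(q)
        if len(names) >= min_names and nx_ratio >= min_nx:
            flagged[client] = max(flagged.get(client, 0), len(names))
    return flagged

def sample_log():
    """Constructed log: one client sweeping 30 labels, one ordinary visitor."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    labels = ["www", "mail"] + [f"guess{i}" for i in range(28)]
    out = []
    for i, label in enumerate(labels):
        rcode = "NOERROR" if label in ("www", "mail") else "NXDOMAIN"
        ts = (t0 + timedelta(seconds=i * 0.5)).isoformat()
        out.append(f"{ts} 203.0.113.7 {label}.{ZONE} A {rcode}")
    for i in range(10):
        ts = (t0 + timedelta(seconds=i * 5)).isoformat()
        out.append(f"{ts} 198.51.100.9 www.{ZONE} A NOERROR")
    return out

if __name__ == "__main__":
    for client, n in find_wordlist_sweeps(sample_log()).items():
        print(f"{client}: {n} distinct names under {ZONE} in one window")
```

Because nmap sends these lookups through the system's configured resolver by default, the client address in an authoritative server's log is often a recursive resolver rather than the scanning machine.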