
Making a Subdomain Scanner in Python


Finding the subdomains of a particular website lets you explore its full domain infrastructure. Building such a tool is really handy in the information-gathering phase of a penetration test.

Searching for subdomains manually would take forever. Luckily, we don't have to: in this tutorial, we will build a subdomain scanner in Python using the requests library. Let's get started!

Let’s install it:

The method we are going to use here is brute-forcing: in other words, we test all common subdomain names of that particular domain, and whenever we receive a response from the server, that's an indicator for us that the subdomain is alive.

Open up a new Python file and follow along. Let's use google.com for demonstration purposes; I chose it because Google has a lot of subdomains:

Now we need a big list of subdomains to scan. I've used a list of 100 subdomains just for demonstration, but in the real world, if you really want to discover all subdomains, you should use a bigger list; check this GitHub repository, which contains up to 10K subdomains.

I have a file "subdomains.txt" in the current directory; make sure you do too (grab the list of your choice from this repository):

Now the subdomains list contains the subdomains we want to test; let's brute-force:

First, we build the URL so that it is suitable for sending a request, then we use the requests.get() function to get the HTTP response from the server. This raises a ConnectionError exception whenever a server does not respond, which is why we wrapped it in a try/except block.

If the exception wasn't raised, then the subdomain exists. Let's write all the discovered subdomains to a file:

Here is a part of the result when I ran the script:

Once it's finished, you'll see a new file, discovered_subdomains.txt, appear, which includes all the discovered subdomains!

You'll notice when you run the script that it's quite slow, especially with longer lists, as it uses a single thread to scan. If you want to accelerate the scanning process, you can use multiple threads.
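As an added example (not the article's own code, nor the code in the linked repository), here is a complete version of the scanner described above for inventorying the subdomains of a domain you administer: the wordlist loader, the brute-force loop with the same "any response means alive" rule, the file output, and the multi-threaded variant this paragraph suggests. It assumes the requests library is installed for the real HTTP probe; the probe is passed in as a function so the scan logic can be exercised against a fake probe without touching the network. It also adds a check the article does not mention: a wildcard DNS record makes every candidate look alive, so a random label is probed first. The sample wordlist and example.com domain are constructed placeholders.

```python
"""Subdomain brute-forcer with an injectable probe (added example)."""
import os
import random
import string
import sys
from concurrent.futures import ThreadPoolExecutor

# Constructed sample wordlist standing in for subdomains.txt.
SAMPLE_WORDLIST = """# common labels (constructed sample)
www
mail
ftp
dev
api
"""


def load_wordlist(text):
    """Turn wordlist file contents into clean, lower-case candidate labels."""
    labels = []
    for line in text.splitlines():
        label = line.strip().lower()
        if label and not label.startswith("#"):
            labels.append(label)
    return labels


def http_probe(url, timeout=3.0):
    """Default probe: True if the host answers an HTTP request at all.

    Mirrors the article's rule: any status code counts as alive, and only a
    failed connection (RequestException) means dead. The import is deferred
    so the module loads even where requests is not installed (assumption:
    it is installed when you actually scan).
    """
    import requests
    try:
        requests.get(url, timeout=timeout)
    except requests.exceptions.RequestException:
        return False
    return True


def random_label(length=12):
    """A label that should not exist unless the zone has a wildcard record."""
    return "".join(random.choices(string.ascii_lowercase, k=length))


def wildcard_detected(domain, probe):
    """True if a random label responds, i.e. results would be all noise."""
    return bool(probe(f"http://{random_label()}.{domain}"))


def scan_subdomains(domain, labels, probe=http_probe, workers=8):
    """Return the sorted hostnames for which probe() reported alive.

    A thread pool replaces the article's single-threaded loop; the probe is
    network-bound, so threads give a real speed-up despite the GIL.
    """
    hosts = [f"{label}.{domain}" for label in labels]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        alive = list(pool.map(lambda host: probe(f"http://{host}"), hosts))
    return sorted(host for host, ok in zip(hosts, alive) if ok)


def write_results(path, hosts):
    """Write one discovered hostname per line, as the article does."""
    with open(path, "w") as out:
        for host in hosts:
            out.write(host + "\n")


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    if os.path.exists("subdomains.txt"):
        with open("subdomains.txt") as f:
            labels = load_wordlist(f.read())
    else:
        labels = load_wordlist(SAMPLE_WORDLIST)
    if wildcard_detected(domain, http_probe):
        print(f"[!] {domain} answers for a random label; results will be noisy")
    found = scan_subdomains(domain, labels)
    for host in found:
        print("[+] discovered:", host)
    write_results("discovered_subdomains.txt", found)
```

Because any response counts as alive, a host returning 404 or a redirect is still recorded; if you use this to keep an inventory, extending the probe to return the status code and the final URL makes the list far more useful for follow-up review.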

Alright, we are done; now you know how to discover the subdomains of any website you want!

Here is the source code from the article: https://github.com/KoderKumar/Subdomain-Scanner

Thank you for reading my article

And if you like it give me a follow.

Arth Kumar

Author

@arth_kumar11