Finding unmaintained subdomains is the cruise control for cool, and some easy money while doing bug bounties.
The tool I use is SubBrute by The Rook. Download it from GitHub; you may also need to download Python if you do not have it.
Run it in Command Prompt:
subbrute.py yelp.com -o stuffFound.txt
subbrute.py: script name
yelp.com: url to test
-o stuffFound.txt: output found urls
The SubBrute package includes 'names.txt', the list of subdomains that the Python script will attempt to access. Note there is also a 'names_small.txt' for quick runs.
The command can also run multiple domains at the same time like this:
subbrute.py yelp.com hotmail.com -o stuffFound.txt
You can also import a list of domains to test like so:
subbrute.py -t ManyDomains.txt
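Subdomains can also have subdomains! Example: command.calendar.gmail.com. To find them, save the results of a first run to a file, then feed that file back in as the list of domains to test: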
subbrute.py gmail.com > stuffFound.txt
subbrute.py -t stuffFound.txt
Findings will print to both the screen and the file.
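Before feeding stuffFound.txt back in with -t, it helps to clean the list and compare it with the hosts you already know about. The script below is an added example, not part of SubBrute or the original post: it assumes the output file holds one hostname per line, and the function names, the example.com scope and the inventory list are constructed for illustration.

```python
"""Triage a SubBrute output file before a second pass (added example)."""

def normalize(line):
    """Lowercase a hostname and strip whitespace and any trailing dot."""
    return line.strip().lower().rstrip(".")

def in_scope(host, scope_domains):
    """True if host equals a scope domain or is a real subdomain of one."""
    # The leading dot stops 'notexample.com' from matching 'example.com'.
    return any(host == d or host.endswith("." + d) for d in scope_domains)

def triage(found_lines, scope_domains, inventory):
    """Return (second_pass_targets, unknown_hosts), sorted and deduplicated.

    second_pass_targets: in-scope names suitable for `subbrute.py -t`.
    unknown_hosts: in-scope names that are missing from the asset inventory,
    i.e. the candidates for "unmaintained" that need an owner.
    """
    scope = {normalize(d) for d in scope_domains}
    known = {normalize(h) for h in inventory}
    hosts = set()
    for line in found_lines:
        host = normalize(line)
        # Skip blanks, wildcard entries and anything outside the agreed scope.
        if not host or "*" in host or not in_scope(host, scope):
            continue
        hosts.add(host)
    return sorted(hosts), sorted(hosts - known)

# Constructed sample data standing in for the lines of stuffFound.txt.
SAMPLE_FOUND = [
    "www.example.com\n",
    "Calendar.Example.com.\n",   # mixed case and trailing dot
    "calendar.example.com\n",    # duplicate after normalization
    "old-staging.example.com\n",
    "cdn.example.net\n",         # out of scope
    "notexample.com\n",          # look-alike suffix, out of scope
    "\n",
]
SAMPLE_INVENTORY = ["www.example.com", "calendar.example.com"]

if __name__ == "__main__":
    targets, unknown = triage(SAMPLE_FOUND, ["example.com"], SAMPLE_INVENTORY)
    print("second-pass targets:", *targets, sep="\n  ")
    print("not in inventory:", *unknown, sep="\n  ")
```

To use it on a real run, pass the lines of stuffFound.txt as `found_lines` and write the returned targets to the file you give to -t.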