Subdomains often reveal which internal systems, websites, or platforms a company operates. Finding subdomains is an important part of security assessments, penetration tests, or general research, as it can uncover potential attack surfaces that might otherwise remain hidden.
The SubDomainFinder from binsec.tools identifies subdomains of a domain by combining several methods:
- It accesses the CertWatch database from binsec.tools – a collection of public SSL/TLS certificates where subdomains often appear.
- Additionally, it performs DNS queries using a predefined subdomain wordlist to systematically test commonly used subdomains.
- Moreover, targeted search queries are sent to google.com to discover additional subdomains that appear in public search results and might otherwise be overlooked.
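
The certificate-based method can also be turned on your own domain as an inventory check. The following is an added example, not code from SubDomainFinder or binsec.tools: it takes hostnames as they would appear in certificate subject fields, keeps those belonging to one domain, and reports hosts missing from an asset inventory. The sample names, the inventory and all function names are constructed for illustration.

```python
# Constructed sample: names as they might appear in certificate CN/SAN fields.
SAMPLE_CERT_NAMES = [
    "www.example.com",
    "*.example.com",
    "VPN.example.com.",         # mixed case and trailing dot
    "staging-api.example.com",
    "*.dev.example.com",
    "example.com",              # the apex itself is not a subdomain
    "mail.example.org",         # different domain, ignored
    "notexample.com",           # look-alike suffix, ignored
    "www.example.com",          # duplicate
]

# Hypothetical asset inventory maintained by the domain owner.
KNOWN_INVENTORY = {"www.example.com", "vpn.example.com"}


def normalize(name):
    """Lower-case a DNS name and drop whitespace and the trailing root dot."""
    return name.strip().lower().rstrip(".")


def subdomains_from_cert_names(names, domain):
    """Return (hosts, wildcard_zones) under `domain` found in certificate names."""
    domain = normalize(domain)
    hosts, wildcards = set(), set()
    for raw in names:
        name = normalize(raw)
        is_wild = name.startswith("*.")
        if is_wild:
            name = name[2:]
        # Match on a label boundary so "notexample.com" is not accepted.
        if name != domain and not name.endswith("." + domain):
            continue
        if is_wild:
            wildcards.add(name)   # the wildcard covers any host below this zone
        elif name != domain:
            hosts.add(name)
    return hosts, wildcards


def untracked_hosts(names, domain, inventory):
    """Hosts visible in certificates but absent from the inventory."""
    hosts, wildcards = subdomains_from_cert_names(names, domain)
    known = {normalize(h) for h in inventory}
    return sorted(hosts - known), sorted(wildcards)


if __name__ == "__main__":
    missing, wild = untracked_hosts(SAMPLE_CERT_NAMES, "example.com", KNOWN_INVENTORY)
    print("Not in inventory:", missing)
    print("Wildcard zones (individual hosts not visible):", wild)
```

Wildcard entries are reported separately because a wildcard certificate hides the individual hostnames it covers, so those zones need a different source, such as DNS records, to be inventoried.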
