2

Other than testing different URLs separately, is there any way to find out if a website has a wildcard subdomain?

Michael Blake

2 Answers

5

In this answer, you can detect from DNS whether they have a wildcard domain; this will save you time (and you won't have HTTP queries to the domain).

Taken from the serverfault post:

# dig +short '*.not-a-real-domain.com'
1.2.3.4 
ndrix
  • Appreciate the reply. I've never used dig, I'll have to get used to it. What's the 1.2.3.4? The website's IP? – Michael Blake Jun 29 '14 at 06:33
  • I tried this out, but I don't quite understand how [the output](http://www.digwebinterface.com/?hostnames=*.facebook.com&type=A&short=on&useresolver=8.8.4.4&ns=all&nameservers=) will help (unless I'm doing this wrong) – Michael Blake Jun 29 '14 at 07:42
  • This test alone will not be sufficient, because wildcards can be set at different levels of the subdomain. E.g. *.abc.xyz might not be a wildcard but *.efg.abc.xyz could be a wildcard – Aditya Jul 27 '20 at 11:45
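An added example, not part of the original answers or comments: a check that looks for a wildcard at every level of a hostname by resolving random labels that should not exist, which covers the per-level case raised in the last comment. The function names and the `example.test` zone are hypothetical; the zone is constructed so the check runs offline.

```python
import secrets
import socket

# Constructed sample zone (TEST-NET addresses): wildcard only under dev.example.test.
CONSTRUCTED_ZONE = {
    "example.test": ["192.0.2.10"],
    "www.example.test": ["192.0.2.10"],
    "*.dev.example.test": ["192.0.2.99"],
}

def system_resolver(name):
    """Live lookup: set of IPv4 addresses, empty set if the name does not resolve."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()

def make_zone_resolver(records):
    """Offline stand-in for DNS: exact match first, then the closest '*.' wildcard.
    Simplified: empty non-terminal names are not modelled."""
    def resolve(name):
        name = name.lower().rstrip(".")
        if name in records:
            return set(records[name])
        labels = name.split(".")
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            if "*." + parent in records:
                return set(records["*." + parent])
            if parent in records:  # closest existing parent has no wildcard
                return set()
        return set()
    return resolve

def has_wildcard(domain, resolve=system_resolver, probes=3):
    """Resolve several random labels under domain; a wildcard answers all of them."""
    answers = [resolve(f"{secrets.token_hex(8)}.{domain}") for _ in range(probes)]
    return all(answers), set().union(*answers)

def wildcard_levels(hostname, resolve=system_resolver):
    """Run the probe at every parent of hostname, stopping before the bare TLD."""
    labels = hostname.lower().rstrip(".").split(".")
    return {".".join(labels[i:]): has_wildcard(".".join(labels[i:]), resolve)[0]
            for i in range(len(labels) - 1)}

if __name__ == "__main__":
    offline = make_zone_resolver(CONSTRUCTED_ZONE)
    for domain, wild in wildcard_levels("dev.example.test", offline).items():
        print(f"{domain}: {'wildcard' if wild else 'no wildcard'}")
```

With the default `system_resolver`, a recursive resolver that rewrites NXDOMAIN responses will make every level look like a wildcard, so compare the returned addresses against a known-good resolver before trusting a positive.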
3

The first answer doesn't technically answer the question.

Official Method

There's only one official method of doing this using the dig command:

dig @ns.thenameserver.net example.com axfr

AXFR is a method of domain transfer, and if the nameservers are configured to allow the command to be executed, then it would give you the full NS record for that domain, including any subdomains.

However, you are likely to get the following message:

; <<>> DiG 9.8.3-P1 <<>> @ns.thenameserver.net example.com axfr
; (1 server found)
;; global options: +cmd
; Transfer failed.

This is for security reasons.

Unofficial Methods

  1. SubBrute Python Script (https://github.com/TheRook/subbrute) - a Python script that uses a dictionary to brute force lookup subdomains for a given domain.
  2. Fierce2 Perl Script (http://ha.ckers.org/fierce/) - similar to SubBrute but with a smaller dictionary and anecdotally lower. Still worth a look.
  3. Google with the following query: site: example.com. This may or may not retrieve subdomains of the main domain.
  4. This website helps you use a number of methods: https://pentest-tools.com/reconnaissance/find-subdomains-of-domain
RustyFluff
  • Thank you for this. Are there any online interfaces I can run this on? I don't really want to set up a virtual machine just to check a couple things. – Michael Blake Jun 30 '14 at 00:52
  • Not that I know of, unfortunately. (Though you have given me an idea for a website!) If it helps and you don't mind giving me the domain you're interested in, then feel free to contact me confidentially (doug at tintophat.com) and I will run it today and send you back any results I find. – RustyFluff Jun 30 '14 at 07:14