Recon Tool: Findomain

Apr 28, 2022 | Tools


As a bug bounty hunter or pentester, the first thing you usually get is a domain of a company. There is much information to be gathered from that domain, but it requires a specific methodology that chains several recon results with other tools for better examination of the target.

Findomain is a complete solution for domain recognition. It supports screenshotting, port scanning, HTTP checks, data import from other tools, subdomain monitoring, alerts via Discord, Slack and Telegram, multiple API keys per source, and much more.


Findomain Monitoring Service

If you don't want to deal with servers and complex configurations for doing recon, but still want more features in an integrated solution, Findomain offers a subdomain monitoring service that provides directory fuzzing, port scanning, vulnerability discovery (with Nuclei) and more. It lets you monitor your target domains with multiple top tools (OWASP Amass, Sublist3r, Assetfinder and Subfinder) and sends alerts to Discord, Slack, Telegram, email or push notifications (Android/iOS/smart watch/desktop) when new subdomains are found. The only thing you need to do is configure a file with your email address (if applicable) and/or webhook/Telegram chat information, and put your domains in another file. Once you have done that, you have a fully automated subdomain monitoring service that keeps you up to date with newly discovered subdomains, host IP, HTTP status, screenshots of the HTTP websites, open ports, subdomain CNAMEs and more. All your data is securely saved in a relational database and you can request a dump of your data whenever you want.


What can Findomain do?

The table below gives you an idea of why you should use Findomain and what it can do for you. The domain used for the test was aol.com, on the following BlackArch virtual machine:


Host: KVM/QEMU (Standard PC (i440FX + PIIX, 1996) pc-i440fx-3.1)
Kernel: 5.2.6-arch1-1-ARCH
CPU: Intel (Skylake, IBRS) (4) @ 2.904GHz
Memory: 139MiB / 3943MiB

The tool used to measure the time is the time command in Linux.

Enumeration Tool | Search Time   | Total Subdomains Found | CPU Usage | RAM Usage
Findomain        | real 0m5.515s | 84110                  | Very Low  | Very Low

Summary: 84110 subdomains in 5.5 seconds.


Features

  • Subdomain monitoring: push data to Discord, Slack or Telegram webhooks. See Subdomains Monitoring for more information.
  • Multi-thread support for API querying, so the maximum time Findomain will take to search subdomains for any target is 15 seconds (in case of API timeouts).
  • Parallel support for subdomain resolution; in good network conditions it can resolve about 3.5k subdomains per minute.
  • DNS over TLS support.
  • Specific IPv4 or IPv6 query support.
  • Discover subdomains without brute force: the tool uses Certificate Transparency logs and APIs.
  • Discover only resolved subdomains.
  • Discover subdomain IPs for data analysis.
  • Read the target from a user argument (-t) or a file (-f).
  • Write all or only resolved subdomains to a single output file specified by the user.
  • Write results to automatically named TXT output file(s).
  • Ability to query the Findomain database created with Subdomains Monitoring directly for previously discovered subdomains.
  • Ability to import and work with data discovered by other tools.
  • Quiet mode to run it silently.
  • Cross-platform support: any platform, since it is written in Rust and Rust is multiplatform. See the documentation for instructions.
  • Multiple API support.
  • Possibility to use it as a subdomain resolver.
  • Subdomain wildcard detection for accurate results.
  • Support for subdomain discovery using the brute-force method.
  • Support for configuration files in TOML, JSON, HJSON, INI or YAML format.
  • Custom DNS IP addresses for fast subdomain resolving (more than 60 per second by default, adjustable using the --threads option).


How does it work?

The tool doesn't use the common methods for (sub)domain discovery; instead it uses Certificate Transparency logs and specific, well-tested APIs to find subdomains. This method makes it faster and more reliable. The tool makes use of multiple publicly available APIs to perform the search. If you want to know more about Certificate Transparency logs, read https://www.certificate-transparency.org/
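The CT-log approach described above, as an added illustration that is not Findomain's own code: parse the records a public CT search service returns (the sample is constructed, crt.sh-style JSON, not real data), normalize and de-duplicate the names, and check for a wildcard DNS zone, which is why the wildcard-detection feature listed earlier matters for accurate results. The `resolve` callback is an assumed injection point for whatever DNS client you use, not a real library call.

```python
import json
import re
import secrets

# Constructed sample of what a Certificate Transparency search service
# (crt.sh-style) returns: one record per certificate, several names per
# record separated by newlines. Not real data.
SAMPLE_CT_JSON = json.dumps([
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "*.dev.example.com\nDev.Example.COM"},
    {"name_value": "mail.example.com"},
    {"name_value": "example.com.evil-lookalike.net"},  # must not match
    {"name_value": "www.example.com"},                  # duplicate
])

# A valid DNS label: alphanumerics and hyphens, no leading/trailing hyphen.
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def subdomains_from_ct(raw_json: str, domain: str) -> list:
    """Return the unique, well-formed hostnames under `domain` found in CT records.

    Wildcard names (*.x) are reduced to their base name, since the log only
    proves that a certificate was issued for that wildcard."""
    domain = domain.lower().rstrip(".")
    found = set()
    for record in json.loads(raw_json):
        for name in record.get("name_value", "").split("\n"):
            host = name.strip().lower().rstrip(".")
            if host.startswith("*."):
                host = host[2:]
            # Keep the apex and names ending in ".domain"; this rejects
            # look-alike names that merely contain the domain as a prefix.
            if host != domain and not host.endswith("." + domain):
                continue
            if all(LABEL.match(label) for label in host.split(".")):
                found.add(host)
    return sorted(found)


def is_wildcard_domain(domain: str, resolve, probes: int = 2) -> bool:
    """Detect a wildcard DNS zone: if random, non-existent labels resolve,
    every candidate subdomain would 'resolve' too and the results would be
    inflated. `resolve(host)` is an injected callback (assumed, not a real
    library) that returns a list of IPs, empty on NXDOMAIN."""
    for _ in range(probes):
        probe = f"{secrets.token_hex(8)}.{domain}"
        if not resolve(probe):
            return False
    return True
```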

APIs they are using at the moment:


Notes

APIs marked with ** require an access token to work. See the Findomain documentation for how to configure and use it.

APIs marked with * can optionally be used with an access token; create one if you start experiencing problems with those APIs. See the Findomain documentation for how to configure and use it.


Installation

They offer ready-to-use binaries for the following platforms (all 64-bit only):

If you need to run Findomain in another platform, continue reading the documentation.
