What? This is a December 2020 review of subdomain enumeration tools that I wrote myself. I have compared and reviewed every tool one by one to get a general view of the "state of the art" of the most used subdomain tools.
Why? Sometimes I doubt whether I am actually finding all the subdomains when I start hunting, and whether the tool I use will find them all. This is the review I would have liked to read before deciding on one tool or another.
How? Since the main objective is to find subdomains, I launched the tools against a small scope (zego.com), a medium scope (tiktok.com) and a large one (twitter.com) to see how the different tools respond.
Because the tools take different approaches, I have compared them by type, like this:
Passive: relies on third-party services to collect the largest possible number of subdomains, dead or alive. The problem with this approach is that you can find numerous subdomains but many of them may be prehistoric; in return, it is very fast.
Active: starting from any source (for example the third-party sources of the passive approach), it verifies through DNS requests (or some other way) whether each subdomain is alive. This takes a little longer than the passive approach, but the results are almost entirely useful.
Bruteforce: from a wordlist and a domain, it makes a DNS request for each word joined to the domain. The advantage of this approach is that the results are always real (the one caveat being wildcard DNS, where every name under the domain resolves and a wildcard check is needed before trusting them), but it depends entirely on the quality of the wordlist.
Alterations/permutations: from a list of subdomains and a list of alterations or permutations, a new list of candidate subdomains is generated and verified through DNS requests. With this approach you can find subdomains that would be impossible to find with the others.
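To make the four approaches concrete, here is an added example (my own code, not taken from any of the tools reviewed on this page): bruteforce candidates from a wordlist, dnsgen-style alterations of known names, a wildcard check, and one active resolution pass over everything. Resolution sits behind a callback so the script runs offline against a constructed, made-up zone for example.com; the function names and the sample names are assumptions of the example, and swapping in `system_resolver` does real DNS lookups.

```python
"""Added example (not code from any reviewed tool): the four approaches
from the list above as small functions, plus the active step that turns
candidates into confirmed names.  Resolution is behind a callback so the
workflow runs offline against a constructed zone; swap in system_resolver
for real DNS lookups."""
import random
import re
import socket
import string
from typing import Callable, Iterable, Iterator, List, Set

Resolver = Callable[[str], bool]  # name -> does it resolve?


def system_resolver(name: str) -> bool:
    """Real DNS check through the OS resolver (one lookup per name)."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def make_zone_resolver(alive: Set[str]) -> Resolver:
    """Offline stand-in: a constructed zone where only 'alive' names resolve."""
    return lambda name: name.lower() in alive


def bruteforce_candidates(domain: str, wordlist: Iterable[str]) -> Iterator[str]:
    """Bruteforce: <word>.<domain> for every distinct non-empty word."""
    seen = set()
    for word in wordlist:
        word = word.strip().lower()
        if word and word not in seen:
            seen.add(word)
            yield f"{word}.{domain}"


def alteration_candidates(domain: str, known: Iterable[str],
                          alterations: Iterable[str]) -> Iterator[str]:
    """Alterations/permutations (dnsgen-style, simplified): for each label of
    a known subdomain, glue each alteration on as prefix/suffix, insert it as
    its own label, and bump a trailing number.  Known names are not re-emitted."""
    alts = [a.strip().lower() for a in alterations if a.strip()]
    suffix = "." + domain.lower()
    known_set = {k.strip().lower() for k in known}
    out = set()
    for sub in known_set:
        if not sub.endswith(suffix):
            continue
        labels = sub[:-len(suffix)].split(".")
        for i, label in enumerate(labels):
            for alt in alts:
                for new in (f"{alt}-{label}", f"{alt}{label}", f"{label}-{alt}", f"{label}{alt}"):
                    out.add(".".join(labels[:i] + [new] + labels[i + 1:]) + suffix)
                out.add(".".join(labels[:i] + [alt] + labels[i:]) + suffix)          # dev.api
                out.add(".".join(labels[:i + 1] + [alt] + labels[i + 1:]) + suffix)  # api.dev
            m = re.match(r"^(.*?)(\d+)$", label)
            if m:  # web1 -> web2, web3, web4
                base, num = m.group(1), m.group(2)
                for delta in (1, 2, 3):
                    bumped = base + str(int(num) + delta).zfill(len(num))
                    out.add(".".join(labels[:i] + [bumped] + labels[i + 1:]) + suffix)
    for cand in sorted(out - known_set):
        yield cand


def has_wildcard(domain: str, resolver: Resolver = system_resolver) -> bool:
    """Caveat for bruteforce and active checks: if a random label resolves, the
    zone has wildcard DNS and 'it resolved' no longer proves the name exists."""
    label = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
    return resolver(f"{label}.{domain}")


def resolve_alive(candidates: Iterable[str], resolver: Resolver = system_resolver) -> List[str]:
    """Active approach: keep only the candidates the resolver confirms."""
    return sorted({c for c in candidates if resolver(c)})


def enumerate_subdomains(domain: str, passive: Iterable[str], wordlist: Iterable[str],
                         alterations: Iterable[str],
                         resolver: Resolver = system_resolver) -> List[str]:
    """Whole workflow: passive names + bruteforce + alterations of the passive
    names, all pushed through one resolution pass."""
    if has_wildcard(domain, resolver):
        raise RuntimeError(f"{domain} has wildcard DNS: resolution alone cannot confirm names")
    passive = [p.strip().lower() for p in passive]
    candidates = set(passive)
    candidates.update(bruteforce_candidates(domain, wordlist))
    candidates.update(alteration_candidates(domain, passive, alterations))
    return resolve_alive(candidates, resolver)


if __name__ == "__main__":
    # Constructed sample: a pretend zone and a stale passive result (old.example.com).
    zone = make_zone_resolver({"api.example.com", "dev-api.example.com",
                               "web2.example.com", "mail.example.com"})
    print(enumerate_subdomains("example.com",
                               passive=["api.example.com", "web1.example.com", "old.example.com"],
                               wordlist=["mail", "vpn"], alterations=["dev", "staging"],
                               resolver=zone))
    # -> ['api.example.com', 'dev-api.example.com', 'mail.example.com', 'web2.example.com']
```

The sample run shows each approach contributing something the others miss: the stale passive name drops out in the active pass, the wordlist finds mail, the numeric bump finds web2 from web1, and the prefix alteration finds dev-api. With real DNS, replace `zone` by `system_resolver` and expect the wildcard check to abort on zones that answer for any name.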
For third-party integrations, I have tried to use as many as each tool allows for free. All scans have been run against the same targets and with the same bruteforce and alteration wordlists.
This is not intended to be a serious investigation, a technical paper or anything like that, just a series of tests that I did for fun. The results shown are my opinion; if at any point you don't like them or don't agree, you can stop reading or explain to me how I could have done it better 😉
All the results of my runs and tests are posted here; it has four sheets (Summary, Small scope, Medium scope and Large scope).
In addition, the results of all the scans I have done have been uploaded to a folder that you can see here.
A short summary of each tool with the features and results I got. This section does not follow any special order.
Well-known tool for subdomain enumeration. It's basically an all-in-one because it does everything, plus many other things apart from subdomains. For this tool I have only analyzed the passive and active approaches, because there is no way to test brute force or alterations in isolation without first consulting third-party services (or at least I have not found how to do it).
Lots of third-party integrations.
Swiss army knife for subdomain enumeration: all the functionality you can think of and more.
It added active subdomains that none of the other tools managed to find.
Not fast at all.
Usability is sometimes confusing due to the large number of options.
Widely used in a lot of tools since it's been around since 2015, plus you don't need to add API keys. One problem I found is that it does not allow resolving the subdomains found passively. It does incorporate subbrute for bruteforce, which does do DNS resolution, but it does not allow specifying a different wordlist; for this reason I did not test the bruteforce feature.
Includes subbrute for bruteforcing.
Includes a port scan.
Few results compared to the others.
Limited features, such as bruteforce without the ability to specify a custom wordlist.
API keys added: 4 (Facebook, Spyse, VirusTotal and SecurityTrails).
Findomain is one of the standard subdomain finder tools in the industry; it has a limited free version and a paid, full-featured version.
The free version is still completely useful.
The paid version has all the features.
No customizable output file in the free version.
With amass and subfinder this part is more than covered, but there are other tools that, depending on the target, may provide valuable information.
In this field subfinder is the best; I find it gets results incredibly fast.
Again, projectdiscovery does a great job with shuffledns, which is far ahead of the rest of the tools in speed and options.
I don't find alterations and permutations with resolution useful, but if you like them, dmut should be your choice by far.
When I started the review I believed amass would be the winner in most cases, but it seems I have found new tools with which to improve the workflow, just as happened with gobuster in the bruteforce section. In the permutations/alterations part I don't see the utility: they don't solve anything quickly, and I think it is much more useful to use a tool like dnsgen to generate a good wordlist of alterations and then resolve it with shuffledns or any of the bruteforce tools.
Finally, thanks to all the tool developers who make our work easier and implement the recon methodology better and better.