How to Find More Subdomains using Securitytrails And Haktrails

In this blog post I will discuss how to find more subdomains, using SecurityTrails and Haktrails.

As we all know, recon is a very important step in bug bounty hunting and even in penetration testing, and finding more domains gives you more attack vectors and a wider area for your testing.

Why is recon so important?

Extracting relevant information can play a crucial role in many situations, and gathering it is usually simple. Sometimes recon goes beyond collecting basic information to understand the system and turns up information that leads straight to exploitation, sometimes without touching the entity being tested at all.

For example, if you want to find a bug on Google.com, you can try, but plenty of bug hunters have already looked there, so finding a serious bug takes a lot of effort. If instead you find a subdomain that is not used much, the chances of finding a bug increase considerably.

LET’S GET STARTED

Securitytrails

First, create a free account at securitytrails.com. Your dashboard will look something like this.

Click on the search icon and enter the domain you want to find more subdomains for, as I did for example.com.

Now you can see all the DNS records and subdomains.

If you click on Subdomains, you can see all the subdomains SecurityTrails has on record.

Now that you know more domains, you can start searching for bugs.

Haktrails

Now that you have seen the GUI version, check out this excellent tool by hakluke. Before downloading it and finding subdomains, copy your SecurityTrails API key from https://securitytrails.com/

Installing Haktrails.

go get github.com/hakluke/haktrails

This will install the binary to ~/go/bin/haktrails.

Now add ~/go/bin/ to your $PATH if you haven't already, then you can just run haktrails.

Now create a text file containing the list of root domains you wish to gather data on.

Config file

You will need to set up a configuration file with your SecurityTrails key to use this tool. By default, the tool will look for the file in ~/.config/haktools/haktrails-config.yml. If you wish to put the config file somewhere else, the location must be specified with the -c flag.

The format of the file is very simple, just copy-paste this, and replace <yourkey> with your SecurityTrails API key:

securitytrails:
  key: <yourkey>

Gather subdomains

This will gather all subdomains of all the domains listed in domain.txt.

cat domain.txt | haktrails subdomains

You can use various other flags to find out more about a domain, such as WHOIS records, associated IPs, and much more.
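The steps above (config file, root-domain list, gather) put together as one script. This is an added example, not code from the original post or from the haktrails project; it assumes haktrails is on your PATH, that your SecurityTrails key is passed in a SECURITYTRAILS_KEY environment variable, and that the root-domain list is a plain text file with one entry per line. The list-cleaning step and the default config path are the only things it relies on beyond what the post describes.

```shell
#!/bin/sh
# Added example, not code from the original post or from the haktrails project.
# Assumptions: haktrails is on PATH, the SecurityTrails key is supplied in the
# SECURITYTRAILS_KEY variable, and the root-domain list is one entry per line.
set -u

# Write the config file haktrails reads by default. The `key:` line must be
# indented under `securitytrails:`; unindented it parses as a second top-level
# key and haktrails will not find the API key. The file holds a secret, so it
# is created with owner-only permissions.
write_config() {
    conf="${1:-$HOME/.config/haktools/haktrails-config.yml}"
    key="$2"
    mkdir -p "$(dirname "$conf")"
    ( umask 077; printf 'securitytrails:\n  key: %s\n' "$key" > "$conf" )
    chmod 600 "$conf"
    printf '%s\n' "$conf"
}

# Normalise a root-domain list before feeding it to haktrails: drop comments
# and blank lines, trim whitespace, strip any scheme or path, lowercase,
# remove a trailing dot, keep only plausible hostnames, and deduplicate.
# Clean apex domains avoid wasting API credits on entries like
# "https://Example.com/" that the API will not match.
clean_domains() {
    sed -e 's/#.*//' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's#^[a-zA-Z][a-zA-Z0-9+.-]*://##' \
        -e 's#/.*$##' \
        -e 's/\.$//' \
    | tr 'A-Z' 'a-z' \
    | grep -E '^[a-z0-9.-]+\.[a-z]{2,}$' \
    | sort -u
}

# Run the gather step over a domain list file and write one sorted, unique
# subdomain per line to the output file. Returns 1 (with a message on stderr)
# when haktrails is not installed, so the script still runs offline.
gather_subdomains() {
    list="$1"
    out="$2"
    if ! command -v haktrails >/dev/null 2>&1; then
        echo "haktrails not found on PATH; see the install step above" >&2
        return 1
    fi
    clean_domains < "$list" | haktrails subdomains | sort -u > "$out"
    # Print the number of subdomains found (no surrounding whitespace).
    wc -l < "$out" | tr -d ' '
}

# Usage (constructed): SECURITYTRAILS_KEY=... sh recon.sh roots.txt subs.txt
# Only runs when a key and both file arguments are supplied.
if [ -n "${SECURITYTRAILS_KEY:-}" ] && [ $# -ge 2 ]; then
    write_config "" "$SECURITYTRAILS_KEY" >/dev/null
    gather_subdomains "$1" "$2"
fi
```

Two points worth noting: the API key is a credential for a paid, rate-limited service, so keeping the config file at mode 600 and out of any repository matters; and on Go 1.18 and later `go get` no longer installs binaries, so if the install step in the post fails, `go install github.com/hakluke/haktrails@latest` is the equivalent command.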

Check out the GitHub repo of haktrails https://github.com/hakluke/haktrails

THE HOW TO BLOG |Siddhanth Dwivedi

Siddhanth Dwivedi | Senior Security Engineer & AWS Community Builder 👨🏾‍💻