Exploring subdomains with findomain
Overview
Revision history
- 2024/03/19 Initial version
Introduction
This document explores subdomains using a free tool called findomain. It appears to be used mainly during penetration tests, to enumerate the subdomains of the target. A similar tool is Sublist3r on macOS Mojave.
Installation
Checking the official site
- The official site is the following GitHub repository.
- GitHub - Findomain/Findomain: The fastest and complete solution for domain recognition. Supports screenshoting, port scan, HTTP check, data import from other tools, subdomain monitoring, alerts via Discord, Slack and Telegram, multiple API Keys for sources and much more.
- https://github.com/Findomain/Findomain
Finding the package
- Search for the package with Homebrew.
$ brew search findomain
==> Formulae
findomain
findent
==> Casks
insomnia
$
Check the formula details.
$ brew info findomain
==> findomain: stable 9.0.4 (bottled)
Cross-platform subdomain enumerator
https://github.com/Findomain/Findomain
Not installed
From: https://github.com/Homebrew/homebrew-core/blob/HEAD/Formula/f/findomain.rb
License: GPL-3.0-or-later
==> Dependencies
Build: pkg-config ✔, rust ✘
Required: openssl@3 ✔
==> Analytics
install: 33 (30 days), 191 (90 days), 1,126 (365 days)
install-on-request: 33 (30 days), 191 (90 days), 1,126 (365 days)
build-error: 0 (30 days)
$
- Install it.
$ brew install findomain
==> Downloading https://ghcr.io/v2/homebrew/core/findomain/manifests/9.0.4
############################################# 100.0%
==> Fetching findomain
==> Downloading https://ghcr.io/v2/homebrew/core/findomain/blobs/sha256:18b73d207b2c5
############################################# 100.0%
==> Pouring findomain--9.0.4.monterey.bottle.tar.gz
🍺 /usr/local/Cellar/findomain/9.0.4: 7 files, 14.2MB
==> Running `brew cleanup findomain`...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
$
- Check the installed files.
$ brew ls findomain
/usr/local/Cellar/findomain/9.0.4/.crates.toml
/usr/local/Cellar/findomain/9.0.4/.crates2.json
/usr/local/Cellar/findomain/9.0.4/bin/findomain
$ which findomain
/usr/local/bin/findomain
$
- Check the command help.
$ findomain -h
Findomain 9.0.4
Eduard Tolosa <edu4rdshl@protonmail.com>
The fastest and cross-platform subdomain enumerator, do not waste your time.

USAGE:
    findomain [FLAGS] [OPTIONS]

FLAGS:
    -x, --as-resolver
            Use Findomain as resolver for a list of domains in a file.
        --mtimeout
            Allow Findomain to insert data in the database when the webhook returns a timeout error.
        --enable-dot
            Enable DNS over TLS for resolving subdomains IPs.
        --aempty
            Send alert to webhooks still when no new subdomains have been found.
        --external-subdomains
            Get external subdomains with amass and subfinder.
    -h, --help
            Prints help information
        --http-status
            Check the HTTP status of subdomains.
    -i, --ip
            Show/write the ip address of resolved subdomains.
        --ipv6-only
            Perform a IPv6 lookup only.
    -m, --monitoring-flag
            Activate Findomain monitoring mode.
    -n, --no-discover
            Prevent findomain from searching subdomains itself. Useful when you are importing
            subdomains from other tools.
        --no-double-dns-check
            Disable double DNS check. Currently the subdomains that report an IP address are
            checked again using a list of trustable resolvers to avoid false-positives. Only
            applies when using custom resolvers.
        --no-monitor
            Disable monitoring mode while saving data to database.
        --no-resolve
            Disable pre-screenshotting jobs (http check and ip discover) when used as resolver to
            take screenshots.
        --no-wildcards
            Disable wilcard detection when resolving subdomains.
    -o, --output
            Write to an automatically generated output file. The name of the output file is
            generated using the format: target.txt. If you want a custom output file name, use the
            -u/--unique-output option.
        --pscan
            Enable port scanner.
        --query-database
            Query the findomain database to search subdomains that have already been discovered.
        --query-jobname
            Extract all the subdomains from the database where the job name is the specified using
            the jobname option.
    -q, --quiet
            Remove informative messages but show fatal errors or subdomains not found message.
        --randomize
            Enable randomization when reading targets from files.
        --reset-database
            Reset the database. It will delete all the data from the database.
    -r, --resolved
            Show/write only resolved subdomains.
        --sandbox
            Enable Chrome/Chromium sandbox. It is disabled by default because a big number of users
            run the tool using the root user by default. Make sure you are not running the program
            as root user before using this option.
        --stdin
            Read from stdin instead of files or aguments.
        --validate
            Validate all the subdomains from the specified file.
    -V, --version
            Prints version information
    -v, --verbose
            Enable verbose mode (useful to debug problems).

OPTIONS:
    -c, --config <config-file>
            Use a configuration file. The default configuration file is findomain and the format
            can be toml, json, hjson, ini or yml.
        --resolvers <custom-resolvers>...
            Path to a file (or files) containing a list of DNS IP address. If no specified then
            Google, Cloudflare and Quad9 DNS servers are used.
        --exclude-sources <exclude-sources>...
            Exclude sources from searching subdomains in. [possible values: certspotter, crtsh,
            sublist3r, facebook, spyse, threatcrowd, virustotalapikey, anubis, urlscan,
            securitytrails, threatminer, archiveorg, c99, bufferover_free, bufferover_paid]
    -f, --file <files>...
            Use a list of subdomains writen in a file as input.
        --http-retries <http-retries>
            Number of retries for the HTTP Status check of subdomains. Default 1.
        --http-timeout <http-timeout>
            Value in seconds for the HTTP Status check of subdomains. Default 5.
        --import-subdomains <import-subdomains>...
            Import subdomains from one or multiple files. Subdomains need to be one per line in the
            file to import.
        --iport <initial-port>
            Initial port to scan. Default 0.
    -j, --jobname <jobname>
            Use an database identifier for jobs. It is useful when you want to relate different
            targets into a same job name. To extract the data by job name identifier, use the
            query-jobname option.
        --lport <last-port>
            Last port to scan. Default 1000.
        --lightweight-threads <lightweight-threads>
            Number of threads to use for lightweight tasks such as IP discovery and HTTP checks.
            Default is 50.
        --max-http-redirects <max-http-redirects>
            Maximum number of HTTP redirects to follow. Default 0.
        --parallel-ip-ports-scan <parallel-ip-ports-scan>
            Number of IPs that will be port-scanned at the same time. Default is 10.
        --postgres-database <postgres-database>
            Postgresql database.
        --postgres-host <postgres-host>
            Postgresql host.
        --postgres-password <postgres-password>
            Postgresql password.
        --postgres-port <postgres-port>
            Postgresql port.
        --postgres-user <postgres-user>
            Postgresql username.
        --rate-limit <rate-limit>
            Set the rate limit in seconds for each target during enumeration.
        --resolver-timeout <resolver-timeout>
            Timeout in seconds for the resolver. Default 1.
    -s, --screenshots <screenshots-path>
            Path to save the screenshots of the HTTP(S) website for subdomains with active ones.
        --screenshots-threads <screenshots-threads>
            Number of threads to use to use for taking screenshots. Default is 10.
        --exclude <string-exclude>...
            Exclude subdomains containing specifics strings.
        --filter <string-filter>...
            Filter subdomains containing specifics strings.
    -t, --target <target>
            Target host.
        --tcp-connect-threads <tcp-connect-threads>
            Number of threads to use for TCP connections - It's the equivalent of Nmap's
            --min-rate. Default is 500.
        --tcp-connect-timeout <tcp-connect-timeout>
            Value in milliseconds to wait for the TCP connection (ip:port) in the ports scanning
            function. Default 2000.
        --threads <threads>
            Number of threads to use for lightweight tasks such as IP discovery and HTTP checks.
            Deprecated option, use --lighweight-threads instead. This would be removed in the
            future.
    -u, --unique-output <unique-output>
            Write all the results for a target or a list of targets to a specified filename.
        --ua <user-agents-file>
            Path to file containing user agents strings.
    -w, --wordlist <wordlists>
            Wordlist file to use in the bruteforce process. Using it option automatically enables
            bruteforce mode.
$
Exploring subdomains
Run a simple subdomain search.
- The simplest scan.
$ findomain -t apple.co.jp
Target ==> apple.co.jp
Searching in the CertSpotter API... 🔍
Searching in the Crtsh database API... 🔍
Searching in the AnubisDB API... 🔍
Searching in the Threatminer API... 🔍
Searching in the Urlscan.io API... 🔍
Searching in the Archive.org API... 🔍
Searching in the Sublist3r API... 🔍
Searching in the Threatcrowd API... 🔍
blast.apple.co.jp
atpx.asep.apple.co.jp
ajworks.apple.co.jp
survey.apple.co.jp
about.apple.co.jp
www.asep.apple.co.jp
enquete.apple.co.jp
community.apple.co.jp
cyberdog.apple.co.jp
images.apple.co.jp
www.cse.apple.co.jp
appleshareip.apple.co.jp
ns.apple.co.jp
event.apple.co.jp
www2.apple.co.jp
biz-part.apple.co.jp
livepage.apple.co.jp
hokuto.apple.co.jp
20thmac.apple.co.jp
ftp-info.apple.co.jp
devworld.apple.co.jp
cidb.apple.co.jp
apple.apple.co.jp
db2.apple.co.jp
httpwww.apple.co.jp
sec.apple.co.jp
asep.apple.co.jp
pref.enews.apple.co.jp
developer.apple.co.jp
discussions.info.apple.co.jp
asep2.apple.co.jp
ftp.apple.co.jp
enterprise.apple.co.jp
www.livepage.apple.co.jp
cgi.apple.co.jp
akane.apple.co.jp
til.info.apple.co.jp
exchange.info.apple.co.jp
www.apple.co.jp
enews.apple.co.jp
www.field.apple.co.jp
imac.apple.co.jp
www4.apple.co.jp
atp2.asep.apple.co.jp
apple.co.jp
atp.asep.apple.co.jp
search.apple.co.jp
newsdb.apple.co.jp
cse.apple.co.jp
imaging.apple.co.jp
biz-part.doa.apple.co.jp
db.apple.co.jp
images2.apple.co.jp
Job finished in 4 seconds.
Good luck Hax0r 💀!
$
- I thought these would all just redirect to .com, but surprisingly there are still quite a few domains.
Exploring subdomains and their IP addresses
- Run with the -i option.
$ findomain -t apple.co.jp -i
Target ==> apple.co.jp
Searching in the CertSpotter API... 🔍
Searching in the Sublist3r API... 🔍
Searching in the Crtsh database API... 🔍
Searching in the Threatcrowd API... 🔍
Searching in the AnubisDB API... 🔍
Searching in the Urlscan.io API... 🔍
Searching in the Threatminer API... 🔍
Searching in the Archive.org API... 🔍
Running wildcards detection for apple.co.jp...
No wilcards detected for apple.co.jp, nice!
Performing asynchronous resolution for 53 subdomains for the target apple.co.jp, it will take a while...
cgi.apple.co.jp,210.171.136.65
apple.co.jp,17.142.160.9
pref.enews.apple.co.jp,203.82.135.57
enterprise.apple.co.jp,210.174.164.103
enquete.apple.co.jp,202.228.234.199
livepage.apple.co.jp,17.253.142.4
www.apple.co.jp,17.172.224.38
blast.apple.co.jp,210.142.61.14
search.apple.co.jp,210.174.164.103
ns.apple.co.jp,210.174.164.106
newsdb.apple.co.jp,210.171.136.66
survey.apple.co.jp,210.171.136.64
ajworks.apple.co.jp,17.83.150.101
www.livepage.apple.co.jp,17.253.142.4
sec.apple.co.jp,61.215.220.252
Job finished in 13 seconds.
Good luck Hax0r 💀!
$
- So I suppose not every record has an IP address attached.
Thoughts
- When I searched my own domain, only a bare minimum came up, so this is not all-powerful either.
- Conversely, it might be worth knowing under what conditions names do or do not show up.
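The gap between the two runs above (53 names discovered, 15 of them resolved) is worth measuring rather than eyeballing: names that come back from certificate transparency or archive sources but never resolve are stale DNS or forgotten assets, and resolved names sharing a network often point at the same host. The following Python is an added example, not code from the findomain project; it assumes only that `-i` prints one `subdomain,ip` line per resolved name, as shown above, and its sample input is a subset copied from those two runs.

```python
"""Post-process findomain output: which discovered names never resolved, and
which resolved hosts share a network.  Added example, not findomain's own code."""
import ipaddress
import re

# Constructed sample: a few names from the plain `findomain -t` run above
DISCOVERED = """\
blast.apple.co.jp
atpx.asep.apple.co.jp
cgi.apple.co.jp
apple.co.jp
"""
# Constructed sample: lines from the `-i` run above, a banner line included
RESOLVED_RUN = """\
No wilcards detected for apple.co.jp, nice!
cgi.apple.co.jp,210.171.136.65
apple.co.jp,17.142.160.9
blast.apple.co.jp,210.142.61.14
search.apple.co.jp,210.174.164.103
ns.apple.co.jp,210.174.164.106
"""
# A hostname: dot-separated labels of letters/digits/hyphens, so banner lines never match
HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)

def parse_names(text):
    """Set of hostnames from a plain run; anything with spaces or emoji drops out."""
    return {ln.strip() for ln in text.splitlines() if HOST_RE.match(ln.strip())}

def parse_resolved(text):
    """{subdomain: ip} from a `-i` run; keeps only `host,ip` lines with a valid IP."""
    out = {}
    for ln in text.splitlines():
        name, sep, ip = ln.strip().partition(",")
        if sep and HOST_RE.match(name):  # "No wilcards ... apple.co.jp, nice!" fails here
            try:
                out[name] = str(ipaddress.ip_address(ip))
            except ValueError:  # a host,<not-an-ip> line: skip rather than crash
                pass
    return out

def unresolved(discovered, resolved):
    """Names the passive sources returned that never resolved: stale DNS or CT-log-only."""
    return sorted(discovered - resolved.keys())

def by_network(resolved, prefix=24):
    """Group resolved hosts by /prefix network; neighbours usually share one owner or box."""
    groups = {}
    for name, ip in resolved.items():
        net = str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
        groups.setdefault(net, []).append(name)
    return {net: sorted(names) for net, names in groups.items()}
```

Feed it the real files (`-u names.txt` from a plain run and `-i -u resolved.txt` from the second) and the unresolved list is the set to review for dangling records.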