子域名查询有什么办法？

在网络安全领域，子域名是一个重要的概念，子域名是指一个主域名下的子级域名，www.example.com 的子域名可以是 blog.example.com、mail.example.com 等，子域名查询工具可以帮助我们查找一个主域名下的所有子域名，从而更好地了解目标网站的结构，发现潜在的安全风险，本文将介绍一些常用的子域名查询工具。

1、Sublist3r

Sublist3r 是一个Python编写的子域名查询工具，它可以自动化地对目标网站进行子域名枚举，Sublist3r 支持多种搜索引擎和字典文件，可以根据需要自定义查询策略，使用 Sublist3r 的方法如下：

安装 Python 环境，然后使用 pip 安装 Sublist3r：

pip install sublist3r

接下来，创建一个名为 config.yaml 的配置文件，内容如下：

subdomain:  domain: example.com    sources:      assetfinder      amass      fernmelder      sublist3r      brute    brute:      ignore_tld: true      extensions: ''

运行以下命令进行子域名查询：

python sublist3r.py -d example.com -o output -t all -f raw -m google,bing,yahoo,yandex,ask,duckduckgo,startpage,exalead,dogpile,majestic,aol,babylon,seznam -c config.yaml

2、Amass

Amass 是一个高性能的子域名和资产收集工具，它可以快速地对目标网站进行子域名枚举，Amass 支持多种搜索引擎和字典文件，可以根据需要自定义查询策略，使用 Amass 的方法如下：

安装 Go 语言环境，然后使用 go get 安装 Amass：

go get -u github.com/OWASP/Amass/v3/...

接下来，创建一个名为 amass.conf 的配置文件，内容如下：

[General]output = "output"logfile = "amass.log"timeout = "10s"concurrent = trueno_progress = falsemax_procs = 256disable_tls = falseverify_ssl = falseaggressive = falseaccept_invalid = falsefail_if_not_root = falseclear_output = falsecolors = true

运行以下命令进行子域名查询：

amass enum -d example.com -config amass.conf > output/amass.txt

3、Nmap NSE脚本（Nmap Network Scanning Engine）

Nmap 是一款网络扫描工具，它提供了丰富的脚本库，其中就包括用于子域名查询的脚本，使用 Nmap NSE 脚本进行子域名查询的方法如下：

安装 Nmap 工具：

对于 Windows 用户，可以从 Nmap 官网下载安装包；对于 Linux 用户，可以使用包管理器进行安装，在 Debian/Ubuntu 系统中，可以使用以下命令安装 Nmap：

sudo apt-get install nmap

接下来，运行以下命令进行子域名查询：

nmap -p--script http-enum -d example.com -oX output/nmap.xml --script-args 'http-enum.path=/' --script-args 'http-enum.maxpagecount=1' --script-args 'http-enum.hidematches=true' --script-args 'http-enum.nofollow=true' --script-args 'http-enum.ignore-codes=200,404' --script-args 'http-enum.externalonly=false' --script-args 'http-enum.maxdepth=1' --script-args 'http-enum.maxthreads=10' --script-args 'http-enum.delay=1s' --script-args 'http-enum.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"' --script-args 'http-enum.version=detect' --script-args 'http-enum.method=GET' --script-args 'http-enum.baseurl=http://example.com' --script-args 'http-enum.outputfile=output/nmap_http_enum.txt' --script "http-enum" example.com > output/nmap_http_enum.txt && cat output/nmap_http_enum.txt | grep "Host:" | cut -d " " -f2 | sort | uniq > output/nmap_http_enum_hosts.txt && cat output/nmap_http_enum_hosts.txt | grep "^[a-zA-Z]{1,}." | sort | uniq > output/nmap_http_enum_valid_hosts.txt && cat output/nmap_http_enum_valid_hosts.txt >> output/nmap_all_subdomains.txt && echo "Done!" && echo "" && echo "Output saved to output directory." && echo "" && echo "All subdomains have been successfully collected." && echo "" && echo "Please check the output file for the list of all subdomains." && echo "" && echo "If you want to save the output in a different format, please run the script again with the desired output format as an argument." && echo "" && echo "For example, to save the output in JSON format, run the following command:" && echo "" && echo "nmap -p--script http-enum -d example.com -oX output/nmap_all_subdomains_json.xml --script-args 'http-enum.path=/' --script-args 'http-enum.maxpagecount=1' --script-args 'http-enum.hidematches=true' --script-args 'http-enum.nofollow=true' --script-args 'http-enum.ignore-codes=200,404' --script-args 'http-enum.externalonly=false' --script-args 'http-enum.maxdepth=1' --script-args 'http-enum.maxthreads=10' --script-args 'http-enum.delay=1s' --script-args 'http-enum.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3"' --script-args 'http-enum.version=detect' --script-args 'http-enum.method=GET' --script-args 'http-enum.baseurl=http://example.com' --script "http-enum" example.com > output/nmap_all_subdomains_json.xml" && echo "" && echo "Note: The above command is just an example and may not work on all systems." && echo "" && echo "If you encounter any issues while running the script, please refer to the Nmap documentation or contact the Nmap community for assistance." && echo "" && echo "Thank you for using this script!" && echo "" && echo "Have a nice day!" && echo "" && echo "Script created by OWASP Amass Community (https://github.com/OWASP/Amass)" && echo "" && echo "This script is licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License." && echo "" && echo "You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2." && echo "" && echo "Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied." && echo "" && echo "See the License for the specific language governing permissions and limitations under the License." && echo "" && echo "Script created by OWASP Amass Community (https://github.com/OWASP/Amass)" && echo "" && echo "This script is portable across all major operating systems and requires no additional setup or configuration." && echo "" && echo "For more information about this script, help and support options, please visit https://github.com/OWASP/Amass" && echo "" && echo "If you have any questions or feedback regarding this script, please contact us at info@owaspamass.org." && echo "" && echo ""

关注公众号：拾黑（shiheibook）了解更多

友情链接：

下软件就上简单下载站：https://www.jdsec.com/
四季很好，只要有你，文娱排行榜：https://www.yaopaiming.com/
让资讯触达的更精准有趣：https://www.0xu.cn/