Friday, September 25, 2009

subdomainLookup - Find subdomains using Google

subdomainLookup is a python script that uses Google search results to find subdomains of the target domain name.

I have been using it in security assessments and it works pretty well. Essential for network mapping. Test your own domain and see the results.

Sample usage:

Download subdomainLookup v0.4 from here
* Uses main Python libraries. Tested with Python 2.5.x on Linux and Windows.

Update: Bedirhan sent me some patches that improve the results of the subdomainLookup v0.2 script. With some tests and additional improvements, here is the new version, 0.4 which can be downloaded from the same location.


bedirhan said...

Great tool! And it's wise to use mobile search instead of the heavy regular one.

I've humbly changed a few parts, which I'll send to you, to increase the coverage. My changes include;

. usage of "-site" instead of more generic "-" negation
. usage of cookielib (yes, it affects the results)
. character refining with subdomain regex (adding -)
. usage of "Accept-Language" header (that affects the results, too)
. putting the real "site:" at the end of the search query (astonishing!)


N. said...

If nameservers are misconfigured, you can also find subdomains using this page Find all subdomains

Mike said...

Great idea, but did not work for me for some reason. It timeouts after some time, not sure what I'm doing wrong. For those who are interested in a simple solution I found this tool:

Anonymous said...

I tried using your script, but the only thing it spits back is "no result found for...". I have tried multiple sites where I know sub domains exist, but the script always tells me it cannot find anything.

Anonymous said...

I've tried using your script, but I keep getting "no result found for ____" regardless of what sites I try to check.

I am using cygwin if that matters.

Sertan Kolat said...

Hi Will,

Thanks for pointing it out. I updated the script.

Please download again and retry.

Anonymous said...

Sorry for the double post yesterday... but thanks for posting an update. I've tried out the script and it does seem to work now when there are a small number of subdomains. However, when I look at pages with many subdomains like "" I get a http 414 error.

I don't know python, but I was wondering if it would be possible to modify this script to read from a csv then append the corresponding output to the right of the domains?

example output: