Search Engine Subdomains Collector

Gathering subdomains is a great way to find new targets, and we can use the Search Engine Subdomains Collector auxiliary module,        auxiliary/gather/searchengine_subdomains_collector, to gather subdomains about a domain from Yahoo and Bing.

To gather subdomains from a target domain, we just need to set the target domain. Let's quickly perform a test on packtpub.com and analyze the output:

msf > use auxiliary/gather/searchengine_subdomains_collector
msf auxiliary(searchengine_subdomains_collector) > set TARGET packtpub.com
TARGET => packtpub.com
msf auxiliary(searchengine_subdomains_collector) > run

[*] Searching Bing for subdomains from domain:packtpub.com
[*] Searching Yahoo for subdomains from domain:packtpub.com
[+] domain:packtpub.com subdomain: www.packtpub.com
[*] Searching Bing for subdomains from ip:83.166.169.231
[*] Searching Yahoo for subdomains from ip:83.166.169.231
...

[+] domain:packtpub.com subdomain: www1.packtpub.com
[*] Searching Bing for subdomains from ip:83.166.169.231
[*] Searching Yahoo for subdomains from ip:83.166.169.231
[+] ip:83.166.169.231 subdomain: www.packtpub.com
[+] ip:83.166.169.231 subdomain: www1.packtpub.com
[+] ip:83.166.169.231 subdomain: www2.packtpub.com
[*] Auxiliary module execution completed

The Search Engine Subdomains Collector auxiliary module helped us find new targets, such as www.packtpub.com, cdp.packtpub.com, authorportal.packtpub.com, among others.

Now that we have a good idea about the capabilities of some of the basic modules, let's try the big guns.