Accuracy, reliability, productivity, speed and easy integration are some of the keys for an automated process but it also need to offer a easy way to let the user know what is happening in real time instead of sending this to learn SQL database sentences and check manually what changed or use external utilities that were not made specifically for the process purpose.
Reconnaissance is the process of Information Gathering and getting to know the target systems is the first process in hacking. It is made up for a set of processes and techniques (Footprinting, Scanning and Enumeration) used to covertly discover and collect information about a target system.
About
Findomain is one of the favorite subdomain enumeration tools for bug bounters and cybersecurity specialists around the world. Findomain+ (plus version of the tool) is a complete recon framework that uses cutting edge technology and is able to send alerts about new subdomains, their HTTP status, open ports, IP and more to webhooks, emails, Telegram chats and push notifications to Android, iOS, Desktop and Smart Watches through Pushover. The tool is written in Rust who offers performance, security and reliability for big tasks.
Among his achievements you can find:
- Second place in the top 20 most popular hacking tools of 2019.
- Hackerone “100 hacking tools and resources” #42.
- Fastest tool by independent research.
- A-Tier Framework in The Bugbounty Methodology V4.
- Available in the following repositories ArchLinux, Pentoo, FreeBSD ports, Ninjutsu OS (Windows based), Homebrew and more.
You can setup your own server and database manually with the basic version that does not have special features compared with the Plus version or just buy one of our plans, configure your targets list, notifications method and start receiving notifications about new subdomains.
Check our plans.
Findomain+ Workflow
Findomain+ is able to do all the work itself but is well known that only one tool is not sufficient for recon, so we integrated the passive results of the top four tools (OWASP Amass, Sublist3r, Assetfinder and Subfinder) in our process.
Once collected, the data is passed to Findomain+ who is the head of the workflow doing the following: analyzing the data offered by the other tools, query exiting data in the database, compare against the data collected by itself and the other offered by the sources, if new data is found then the respective steps are done for every subdomain. The steps can be: IP discover, HTTP status check, screenshots of the subdomains, write to output file, scan open ports discovering services and versions with Nmap, commit to database and finally the alert is sent to the user using Discord or Slack webhooks, Telegram chats, email using our own mail server and/or push notifications to any device through Pushover.
The final schema is represented in the following image:
Data storage
Findomain+ uses the PostgreSQL relational database management system for storing the data and working with this. It is a highly stable database management system, backed by more than 20 years of community development which has contributed to its high levels of resilience, integrity, and correctness. PostgreSQL is used as the primary data store or data warehouse for many web, mobile, geospatial, and analytics applications.
The Findomain+ database schema for each user is the following:
id | name | ip | http_status | open_ports | root_domain | jobname | timestamp | cname
----+------+----+-------------+------------+-------------+---------+-----------+-------
id = Sequential number of the database records.
name = subdomain name.
ip = IP Address of the subdomain if exists, NULL if not.
http_status = ACTIVE if an HTTP server is running, INACTIVE if not.
open_ports = Open ports numbers found in the scan. Findomain+ uses his own ports scanner implementation being faster that any other scanner.
root_domain = The name of the target for which we search subdomains.
jobname = Name of the job identifying the process, it is “findomain” for all the users in the server.
timestamp = Date of when the information was saved in the database.
The user can request a dump of their database at any time, maximum 2 times per month.
Data management
When other tools run and finish, Findomain+ import all the results, does its own data collection and keep only the unique subdomains and then make a query to the database to know which ones where already discovered and processed. Finally Findomain+ find the difference between collected data and existing one, these are the new subdomains. At this point the tool have identified which subdomains need to be processed and apply the respective process.
Important Notes:
- All process listed below are asynchronous, that makes Findomain+ faster and able to manage big amounts of subdomains.
- The described steps are applicable per plan, see the Findomain+ Pricing to know what is the best plan for your needs.
IP Discover
It is one of the basic steps and let us know if a subdomain is alive or not. This step is made using the Public DNS nameservers list to improve the resolving process when resolving a huge list of subdomains, at same time it is one of the most important steps because if no IP is discovered then no one of the next options is applied.
CNAME Tracking
Wrong configured CNAME records leads to subdomain takeovers. The basic premise of a subdomain takeover is a host that points to a particular service not currently in use, which an adversary can use to serve content on the vulnerable subdomain by setting up an account on the third-party service. Findomain+ is also able to track CNAME records and alert the user when a new one is found.
HTTP(S) Status Discover
In this step, Findomain+ test the subdomains for a HTTP server running in the 443 and 80 ports. Suppose that we have sub.example.com, Findomain+ query https://sub.example.com first, if that subdomain gives an answer then the HTTPS URL is saved, if the mentioned step is not successful then the tool query http://sub.example.com and if it is successful then the HTTP URL of the subdomain is saved. In case that no one of the subdomain query’s succeed, the subdomain is marked as INACTIVE in the http_status column of the database.
Website Title Extraction
Findomain+ is able to extract HTML data from websites. This process is done during the HTTP(S) Status Discover step, once the data is fetched, the tool extract the title tag and include it in the alerts and output files.
HTTP Content Type
The Content-Type entity header is used to indicate the media type of the resource. In responses, a Content-Type header tells the client what the content type of the returned content actually is. Findomain+ is able to extract it and send the information through alerts.
HTTP Content Length
The Content-Length entity header is used to indicate the length of the entity-body returned in the HTTP response from the server. We calculate the bytes of the entity-body after we receive the response from the HTTP server because most servers doesn’t send that header. Findomain+ is able to extract it and send the information through alerts.
Response Status code
HTTP response status codes indicate whether a specific HTTP request has been successfully completed. Responses are grouped in five classes:
- Informational responses (
100
–199
), - Successful responses (
200
–299
), - Redirects (
300
–399
), - Client errors (
400
–499
), - and Server errors (
500
–599
).
That information is sent by Findomain+ as well.
HTML + HTTP data
We sent .html files in a .tar.gz compressed file, the file contains both the headers and body of the website for juicy information search easily. The files are grep-ables easily but you can also see them in a browser. We recommend ZArchiver to manage the files from the Android phone, iZip for managing the files from iPhone, 7-Zip for managing the files from Windows and Tar for managing the files from Linux/Unix systems.
Open Ports scan, Service and Version detection
If the subdomain answer to a IP address, then we use the well known Nmap to get all these information, that makes the information reliable and accurate. The result of the ports scan are also sent to the user via notifications and saved in the database. The range of the ports varies according to the plan.
Subdomains screenshots
As the name said, it take screenshots of the HTTP(s) websites found, compress them in a tar.gz file, save it in the screenshots
folder while also sending the file as attachment to the user email address. Please read https://findomain.app/receiving-screenshots-from-discovered-subdomain-websites-in-your-email/ for more information. We recommend ZArchiver to manage the files from the Android phone, iZip for managing the files from iPhone, 7-Zip for managing the files from Windows and Tar for managing the files from Linux/Unix systems.
Log Files
Findomain+ only send alive hosts to alerts, so the tool create log files where all the information related to subdomains remain, no matter what the subdomain status are. The files are sent in CSV format will all the information collected.
Subdomain alerts management
The logic used for all the notifications methods is the same. Findomain+ only send alive hosts to notifications methods (webhooks, chats, email or push notifications). Findomain+ consider alive hosts those who have a IP address or the HTTP status is active, once processed the information is sent to the notifications method(s) in the following format:
HOST: subdomain,IP: ip_address,HTTP/S: URL or INACTIVE,OPEN PORTS: [open_ports]
Here is a example of the new subdomain alerts via email address:
These are the current features offered in Findomain+ monitoring service along with a fully stable service and option to cancel at any time, new features will be automatically enabled to applicable plans. Get your Findomain+ subscription.
Findomain+ Team