Find the Company’s Domains and Sub-domains using Netcraft

Launch any browser, in this lab we are using Mozilla Firefox. In the address bar of the browser place your mouse cursor and type https:// www.netcraft.com and press Enter.

Netcraft page appears, as shown in the screenshot.
If cookie pop-up appears at the lower section of the browser, click Accept.

Click on menu icon from the top-right corner of the page and navigate to the Resources -> Tools -> Site Report.

The What’s that site running? page appears. To extract information associated with the organizational website such as infrastructure, technology used, sub domains, background, network, etc., type the target website’s URL (here, https://www.airbnb.com) in the text field, and then click the Look up button, as shown in the screenshot.

The Site report for https://www.airbnb.com page appears, containing information related to Background, Network, Hosting History, etc., as shown in the screenshot.

In the Network section, click on the website link (here, airbnb.com) in the Domain field to view the subdomains.

The result will display subdomains of the target website along with netblock and operating system information, as shown in the screenshot.

This concludes the demonstration of finding the company’s domains and sub- domains using the Netcraft tool. The attackers can use this collected list of subdomains to perform web application attacks on the target organization such as injection attacks, brute-force attack and Denial-of-Service (DoS) attacks.

You can also use tools such as Sublist3r (https://github.com), Pentest-Tools Find Subdomains (https://pentest-tools.com), etc. to identify the domains and sub-domains of any target website.