Subdomain Enumeration Tool Face-off - 2023 Edition
Benchmarking the industry's top subdomain enumeration tools
In 2022, we benchmarked the industry's top subdomain enumeration tools.
Since then, the tools have received some neat upgrades and there are even some new ones on the block. We decided it would be fun to do an updated face-off for 2023, and we're glad we did because we encountered some surprises along the way - like this suspiciously good subdomain API (more on that later)!
The goal of this face-off is to rank the top subdomain enumeration tools based on: 1) number of subdomains found, and 2) runtime.
Tools being tested:
Findomain <-- new this time around
We selected these tools mainly based on their quality and popularity. If you don't see yours in this list, please let us know so we can test it next time!
Rules
The theme this year is airlines. We will be running each of the above tools against both a large target (Delta Airlines: delta.com) and a small target (Spirit Airlines: spirit.com). By testing against both a large and a small target, we can see how well each of the tools scales with the size of the attack surface.
Similarly to last time, we will be running each tool out-of-the-box with no API keys and only the minimal config changes required to enable brute force and boost thread count.
Wildcards and unresolved subdomains will be removed using this script.
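The kind of filtering this rule describes, as an added example (it is not the script the post links to). The function names are hypothetical, the resolver is injected so the logic can run offline, and the records below are constructed using a documentation domain and TEST-NET-1 addresses.

```python
import secrets

def make_fake_resolver(records, wildcards):
    """Constructed stand-in for DNS: exact records first, then wildcard zones."""
    def resolve(name):
        if name in records:
            return set(records[name])
        labels = name.split(".")
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            if parent in wildcards:
                return set(wildcards[parent])
        return set()  # no answer
    return resolve

def in_scope(name, target):
    return name == target or name.endswith("." + target)

def filter_subdomains(candidates, target, resolve):
    """Return in-scope names that resolve and are not explained by a wildcard."""
    cache = {}
    def wildcard_ips(parent):
        # A random label should not exist; any answer means `parent` is a wildcard zone.
        if parent not in cache:
            cache[parent] = resolve(f"{secrets.token_hex(8)}.{parent}")
        return cache[parent]

    kept = []
    for name in sorted({c.lower().rstrip(".") for c in candidates}):
        ips = resolve(name) if in_scope(name, target) else set()
        if not ips:
            continue  # out of scope or unresolved
        labels = name.split(".")
        parents = [".".join(labels[i:]) for i in range(1, len(labels))]
        # Drop the name only when a wildcard at an in-scope parent gives the same answer.
        if not any(in_scope(p, target) and ips <= wildcard_ips(p) for p in parents):
            kept.append(name)
    return kept

# Constructed sample data.
RECORDS = {
    "www.example.com": ["192.0.2.10"],
    "api.dev.example.com": ["192.0.2.20"],  # real host inside a wildcard zone
}
WILDCARDS = {"dev.example.com": ["192.0.2.99"]}
CANDIDATES = ["WWW.example.com.", "www.example.com", "gone.example.com",
              "foo.dev.example.com", "api.dev.example.com", "www.notexample.com"]

if __name__ == "__main__":
    print(filter_subdomains(CANDIDATES, "example.com", make_fake_resolver(RECORDS, WILDCARDS)))
```

Against live DNS, `resolve` would wrap a real lookup; comparing answers rather than just testing for a wildcard keeps genuine hosts such as `api.dev.example.com` that sit inside a wildcard zone.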
Results
Subdomains Found:
Runtimes (Lower is Better):
Analysis
The first thing you might notice is that while the outcomes for the small target (spirit.com) were pretty close, delta.com produced a lot more variety. Specifically, there is a big gap between BBOT, theHarvester, Amass, and everything else. There is an interesting explanation for this, which leads us on a fun side-journey out of the land of tools and into the land of APIs.
As it turns out, a single data source is responsible for this difference. First added to Amass only two months ago, subdomain.center is a new and mysterious API created by the Automated Reconnaissance & Pwning Syndicate. It is free to use, with a limit of 3 requests per minute, and needless to say it is now also a BBOT module.
I call it ‘mysterious’ because it's mysteriously good. Subdomain.center returns more subdomains than any other free API by a huge margin. It returned 1,594 valid delta.com subdomains, while RapidDNS (its runner-up) returned only 774.
The most mysterious thing about this API is the data itself. Its database is full of strange and complex (but totally valid) subdomains that don't seem to show up anywhere else. No other free APIs contain this data, and none of the tools we're aware of are capable of discovering them via brute force. Even BBOT's massdns module with its NLP-powered subdomain mutations couldn't replicate a fair number of them.
I reached out to ARPSyndicate hoping to find some answers as to the source of their data, but they declined comment except to say that they are “continuously aggregating and analyzing DNS datasets”. Truly then, it's a mystery where they got them. But who cares? They're giving them away for free!
(UPDATE 8/6/2023: Subdomain.center’s website now says, “Subdomain Center utilizes Apache's Nutch, Calidog's Certstream, OpenAI's Embedding Models & a few of our proprietary tools to discover more subdomains than anyone else.”)
Runtimes
Runtimes are all over the place. Subfinder and Findomain roughly tie for the fastest tool, both finishing in less than 15 seconds. These tools are not performing any brute forcing, only querying APIs. But damn, are they fast! A fun side note: Subfinder is written in Golang, and Findomain in Rust. Always nice to see some friendly competition between Gophers and Rustaceans. :)
Amass and Spiderfoot are the big offenders here. I actually chose to shrink their footprints in the graph because they were dwarfing the other tools' results. In the case of delta.com, both Amass and Spiderfoot had to be cancelled after 6 hours.
Subdomains
But enough about runtimes. Give me subdomains, you say! Give me as many subdomains as humanly possible!
In that regard, BBOT has you covered. As the creator of BBOT, I may be a little biased, but regardless of how you slice it, it's the clear winner in this category. BBOT found the most subdomains for both spirit.com and delta.com, gathering 44% more subdomains on average for Spirit, and 118% more for Delta than the other tools.
Conclusion
Most Subdomains: BBOT
Fastest: Tie between Subfinder and Findomain
Honorable Mention: theHarvester
Details
BBOT
Version: 1.1.0.2001
Command:
bbot -t <domain> -f subdomain-enum -c modules.massdns.max_resolvers=5000
spirit.com:
Subdomains: 235
Runtime: 5 minutes, 15 seconds
delta.com:
Subdomains: 1964
Runtime: 30 minutes, 18 seconds
theHarvester
Version: 4.4.0
Command:
theHarvester.py -d <domain> --dns-brute --dns-lookup -b anubis,baidu,bevigil,binaryedge,bing,bingapi,bufferoverun,brave,certspotter,criminalip,crtsh,dnsdumpster,duckduckgo,fullhunt,github-code,hackertarget,hunter,hunterhow,intelx,netlas,onyphe,otx,pentesttools,projectdiscovery,rapiddns,rocketreach,securityTrails,sitedossier,subdomaincenter,subdomainfinderc99,threatminer,tomba,urlscan,virustotal,yahoo,zoomeye
spirit.com:
Subdomains: 191
Runtime: 3 minutes, 15 seconds
delta.com:
Subdomains: 1607
Runtime: 5 minutes, 1 second
Subfinder
Version: v2.6.1
Command:
subfinder -d <domain> -silent
spirit.com:
Subdomains: 183
Runtime: 4.9 seconds
delta.com:
Subdomains: 696
Runtime: 10.2 seconds
Amass
Version: v4.0.3
Command:
amass enum -d <domain> -active -brute
spirit.com:
Subdomains: 185
Runtime: 69 minutes, 58 seconds
delta.com:
Subdomains: 1598
Runtime: Cancelled after 6 hours
OneForAll
Version: git clone 2023-07-25
Command:
oneforall.py --target <domain> run
spirit.com:
Subdomains: 169
Runtime: 2 minutes, 28 seconds
delta.com:
Subdomains: 811
Runtime: 7 minutes, 26 seconds
Spiderfoot
Version: git clone 2023-07-25
Command:
sf.py -s <domain> -t INTERNET_NAME -n
spirit.com:
Subdomains: 175
Runtime: Cancelled after 6 hours
delta.com:
Subdomains: 712
Runtime: Cancelled after 6 hours
Findomain
Version: v9.0.0
Command:
findomain -t <domain>
spirit.com:
Subdomains: 174
Runtime: 4.0 seconds
delta.com:
Subdomains: 721
Runtime: 13.6 seconds
Sublist3r
Version: git clone 2023-07-25
Command:
sublist3r.py -d <domain> --bruteforce
spirit.com:
Subdomains: 68
Runtime: 12 minutes, 49 seconds
delta.com:
Subdomains: 172
Runtime: 17 minutes, 11 seconds