Subdomain enumeration methods
Subdomain enumeration methods include searching via search engines, WHOIS lookups and DNS queries.

Subdomain enumeration tools

In network security the subdomain is an important concept. A subdomain is a name one or more levels below a parent domain: under example.com (for instance www.example.com), names such as blog.example.com and mail.example.com are subdomains. Subdomain enumeration tools help us find the subdomains under a parent domain, which gives a better picture of the target site's structure and reveals potential security exposure. This article introduces some commonly used subdomain enumeration tools.

Subdomain enumeration methods

1. Sublist3r

Sublist3r is a subdomain enumeration tool written in Python that automates subdomain enumeration against a target domain. It supports multiple search engines as well as wordlist-based brute forcing, so the query strategy can be tailored as needed. It is used as follows:

Install a Python environment, then clone Sublist3r and install its dependencies with pip:

git clone https://github.com/aboul3la/Sublist3r.git && cd Sublist3r && pip install -r requirements.txt

Next, create a configuration file named config.yaml with the following contents:

subdomain:
  domain: example.com
  sources:
    - assetfinder
    - amass
    - fernmelder
    - sublist3r
    - brute
  brute:
    ignore_tld: true
    extensions: ''

Run the following command to enumerate subdomains (-e selects the search engines, -t the thread count, -o the output file):

python sublist3r.py -d example.com -o output/sublist3r.txt -t 40 -e google,bing,yahoo,ask

2. Amass


Amass is a high-performance subdomain and asset discovery tool that enumerates a target's subdomains quickly. It draws on many data sources and supports wordlist-based brute forcing, so the query strategy can be tailored as needed. It is used as follows:

Install the Go toolchain, then install Amass with go get:

go get -u github.com/OWASP/Amass/v3/...

Next, create a configuration file named amass.conf with the following contents:

[General]
output = "output"
logfile = "amass.log"
timeout = "10s"
concurrent = true
no_progress = false
max_procs = 256
disable_tls = false
verify_ssl = false
aggressive = false
accept_invalid = false
fail_if_not_root = false
clear_output = false
colors = true

Run the following command to enumerate subdomains:

amass enum -d example.com -config amass.conf > output/amass.txt

3. Nmap NSE scripts (Nmap Scripting Engine)

Nmap is a network scanner that ships with a rich script library, including a script that brute-forces DNS names under a domain. Using that NSE script for subdomain enumeration works as follows:


Install Nmap:

Windows users can download the installer from the Nmap website; Linux users can install it with their package manager. On Debian/Ubuntu, install Nmap with:

sudo apt-get install nmap

Next, run the following command to enumerate subdomains. The dns-brute script takes the target domain and thread count as script arguments, and -oX writes an XML report for later processing:

mkdir -p output && nmap --script dns-brute --script-args dns-brute.domain=example.com,dns-brute.threads=10 -oX output/nmap_dns_brute.xml example.com
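Once the three tools have run, their results need to be merged into one inventory. The following Python script is an added example for this article, not code from the original page or from the Sublist3r, Amass or Nmap projects. It parses the one-hostname-per-line text that Sublist3r and Amass write, pulls hostnames out of an Nmap XML report produced by the dns-brute script, then normalises, syntax-checks and keeps only names that really sit under the target domain. That last step is the subdomain definition from the introduction made precise: a name is in scope only on a label boundary, so notexample.com and example.com.evil.test are not subdomains of example.com. The file contents, the XML fragment and all addresses are constructed samples; the XML layout assumed for dns-brute (hostname/address elem pairs inside a script table) is an assumption, and the parser deliberately ignores nesting so it tolerates variations.

```python
"""Merge Sublist3r, Amass and Nmap dns-brute results into one in-scope subdomain
inventory. Added example for this article; every sample input below is constructed."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# One DNS label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def normalize(host: str) -> str:
    """Trim whitespace, lower-case, drop a trailing dot (FQDN form)."""
    return host.strip().lower().rstrip(".")


def is_valid_hostname(host: str) -> bool:
    """Syntactic check only: each label must match LABEL_RE, total length <= 253."""
    return 0 < len(host) <= 253 and all(LABEL_RE.match(label) for label in host.split("."))


def is_subdomain_of(host: str, apex: str) -> bool:
    """True only when host sits strictly below apex on a label boundary:
    'notexample.com' and 'example.com.evil.test' are rejected, as is apex itself."""
    host, apex = normalize(host), normalize(apex)
    return host.endswith("." + apex)


def parse_text_list(text: str) -> list[str]:
    """Sublist3r and Amass text output: one hostname per line; skip blanks and '#' comments."""
    return [normalize(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def parse_nmap_dns_brute(xml_text: str) -> list[str]:
    """Collect every <elem key="hostname"> beneath a <script id="dns-brute"> element,
    whatever table nesting the report uses (assumed layout, see lead-in)."""
    root = ET.fromstring(xml_text)
    hosts = []
    for script in root.iter("script"):
        if script.get("id") != "dns-brute":
            continue
        for elem in script.iter("elem"):
            if elem.get("key") == "hostname" and elem.text:
                hosts.append(normalize(elem.text))
    return hosts


def merge_in_scope(apex: str, *lists: list[str]) -> list[str]:
    """Union of all lists, keeping only syntactically valid names under apex, sorted."""
    keep = {h for lst in lists for h in lst if is_valid_hostname(h) and is_subdomain_of(h, apex)}
    return sorted(keep)


# --- constructed sample outputs (not real scan data) ---
SUBLIST3R_OUT = """www.example.com
Mail.Example.com
blog.example.com
"""
AMASS_OUT = """# constructed amass text output
blog.example.com
api.example.com.
notexample.com
example.com.evil.test
bad_label.example.com
"""
NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
  <prescript>
    <script id="dns-brute" output="constructed">
      <table key="DNS Brute-force hostnames">
        <table><elem key="hostname">dev.example.com</elem><elem key="address">203.0.113.10</elem></table>
        <table><elem key="hostname">www.example.com</elem><elem key="address">203.0.113.11</elem></table>
      </table>
    </script>
  </prescript>
</nmaprun>
"""


def inventory(apex: str = "example.com") -> list[str]:
    """Run the whole pipeline over the constructed samples."""
    return merge_in_scope(apex,
                          parse_text_list(SUBLIST3R_OUT),
                          parse_text_list(AMASS_OUT),
                          parse_nmap_dns_brute(NMAP_XML))


if __name__ == "__main__":
    for name in inventory():
        print(name)
```

In real use, replace the three sample constants with the contents of output/sublist3r.txt, output/amass.txt and output/nmap_dns_brute.xml. The scope filter matters for the defender: names that merely contain the target string (look-alike or attacker-controlled domains) must not end up in the asset list, and an invalid label such as bad_label.example.com is usually a parsing artefact rather than a host.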