# Course #182: Findomain$ Unleashed
## Section 1: Introduction to Findomain$
Findomain$ is a powerful tool used for subdomain enumeration, which is a critical step in the reconnaissance phase of penetration testing. Effective subdomain enumeration can reveal valuable information about a target's infrastructure and potential attack vectors. In this section, we will cover the installation and configuration of Findomain$ on Kali Linux, followed by its usage through practical examples and detailed explanations.
### Installation and Configuration on Kali Linux
#### Step 1: Update Kali Linux
Before installing Findomain$, ensure that your Kali Linux distribution is up to date. Open your terminal and run the following commands:
```bash
sudo apt update && sudo apt upgrade -y
```
#### Step 2: Install Findomain$
Findomain$ is available on GitHub, and we will install it using the Go programming language. Ensure you have Go installed; if not, you can install it with the following commands:
```bash
sudo apt install golang -y
```
Next, we will get Findomain$ from the repository:
```bash
go get -u github.com/Findomain/Findomain
```
After installation, you can verify that Findomain$ has been installed correctly by checking its version:
```bash
~/go/bin/findomain -v
```
You should see the version number printed in the terminal.
#### Step 3: Configuring Findomain$
Findomain$ does not require extensive configuration. However, you may want to set your API keys for services like VirusTotal, Shodan, or any other integrated services to enhance its capabilities. Create a configuration file to store your API keys.
```bash
nano ~/.findomain/config.json
```
In this file, you can set API keys for services by adding entries in JSON format:
```json
{
  "virustotal": "YOUR_VIRUSTOTAL_API_KEY",
  "shodan": "YOUR_SHODAN_API_KEY"
}
```
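Because that file holds API tokens, it deserves the same handling as any other secret. The script below is an added example for this course, not part of Findomain or its documentation; it assumes the `~/.findomain/config.json` layout shown above and checks that the file is readable only by its owner, that the `YOUR_..._API_KEY` placeholders have actually been replaced, and that each named service has a non-empty entry.

```shell
#!/bin/sh
# Added example, not part of Findomain or this course's own material.
# Sanity-checks an API-key file laid out like the ~/.findomain/config.json
# described above (the path and JSON keys are the course's; the checks are
# this example's own):
#   1. the file exists and is readable only by its owner (API keys are secrets),
#   2. no YOUR_..._API_KEY placeholder is left unreplaced,
#   3. every service named on the command line has a non-empty entry.
set -u

# file_mode <path>: octal permission bits; GNU stat first, BSD stat as fallback
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# has_key <file> <service>: succeeds if "<service>": "<non-empty string>" is present
has_key() {
  grep -Eq "\"$2\"[[:space:]]*:[[:space:]]*\"[^\"]+\"" "$1"
}

# check_api_config <file> <service>...: returns 0 when every check passes,
# 1 otherwise, printing the first problem found.
check_api_config() {
  cfg="$1"; shift
  [ -f "$cfg" ] || { echo "missing: $cfg"; return 1; }
  mode=$(file_mode "$cfg")
  case "$mode" in
    600|400) ;;
    *) echo "mode $mode is too open; run: chmod 600 $cfg"; return 1 ;;
  esac
  if grep -q 'YOUR_' "$cfg"; then
    echo "placeholder API key still present in $cfg"; return 1
  fi
  for svc in "$@"; do
    has_key "$cfg" "$svc" || { echo "no key configured for $svc"; return 1; }
  done
  echo "ok: $cfg"
  return 0
}

# Demo on a constructed file; the token values are made up for the example.
demo=$(mktemp)
printf '{\n  "virustotal": "constructed-example-token",\n  "shodan": "constructed-example-token"\n}\n' > "$demo"
chmod 600 "$demo"
check_api_config "$demo" virustotal shodan
rm -f "$demo"
```

Run it as `check_api_config ~/.findomain/config.json virustotal shodan` before starting an engagement; a non-zero exit means the keys are either still placeholders or exposed to other local users.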
### Step-by-Step Usage of Findomain$
Now that we have Findomain$ installed and configured, let’s explore its functionality through step-by-step usage and practical examples.
#### Basic Command Structure
The basic command structure of Findomain$ is as follows:
```bash
findomain -d domain.com
```
This command initiates a search for subdomains associated with `domain.com`.
#### Real-World Use Case 1: Enumerating Subdomains
**Example: Finding Subdomains for example.com**
```bash
findomain -d example.com
```
**Output Explanation:**
Upon execution, Findomain$ will return a list of discovered subdomains for `example.com`. The output will contain subdomains, such as:
```
www.example.com
api.example.com
blog.example.com
```
These results can give insights into the target’s digital footprint, which can be further investigated for vulnerabilities.
#### Real-World Use Case 2: Using the Output to Conduct Vulnerability Assessments
Once you have a list of subdomains, you can further analyze them for common vulnerabilities using tools like `nmap`, `nikto`, or `wpscan` for WordPress sites.
**Example: Scanning Subdomains with Nmap**
First, save the output of Findomain$ to a text file:
```bash
findomain -d example.com -o example_subdomains.txt
```
Then, use `nmap` to scan the listed subdomains for open ports:
```bash
nmap -iL example_subdomains.txt
```
**Detailed Explanation:**
- `-o` flag: Specifies the output file for subdomain enumeration.
- `-iL` flag: Indicates that `nmap` should read its target list from a file.
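A raw enumeration list is not yet a safe input for `nmap -iL`: it may contain duplicates, mixed case, trailing dots, and hosts that merely contain the target name but sit outside the agreed scope. The script below is an added example for this course, not Findomain's own code; it assumes a file in the shape of `example_subdomains.txt` and uses a constructed sample with that noise added deliberately, keeping only the scope domain and its true subdomains (a suffix match on `.example.com`, not a substring match).

```shell
#!/bin/sh
# Added example, not part of Findomain or this course's own material.
# Cleans a Findomain output file before it is handed to `nmap -iL`, so that
# only hosts inside the agreed scope are ever scanned.
set -u

# make_sample <file>: constructed stand-in for Findomain output, with noise
# added on purpose (case, trailing dot, blank line, duplicates, out-of-scope).
make_sample() {
  cat > "$1" <<'EOF'
www.example.com
API.Example.com
blog.example.com.

api.example.com
www.example.com
example.com.attacker.test
notexample.com
EOF
}

# filter_scope <scope-domain> <file>: prints hosts lowercased, stripped of
# whitespace and trailing dots, deduplicated, and limited to the scope domain
# itself or its subdomains. The check is a suffix match on ".<scope>", so
# notexample.com and example.com.attacker.test are both rejected.
filter_scope() {
  awk -v scope="$1" '
    {
      h = tolower($0)
      gsub(/[ \t\r]/, "", h)
      sub(/\.$/, "", h)
      if (h == scope || substr(h, length(h) - length(scope)) == "." scope)
        print h
    }' "$2" | sort -u
}

# count_scope <scope-domain> <file>: number of in-scope hosts
count_scope() {
  filter_scope "$1" "$2" | wc -l | tr -d ' '
}

# Demo: build the sample, filter it, and show what would be passed to nmap.
raw=$(mktemp)
clean=$(mktemp)
make_sample "$raw"
filter_scope example.com "$raw" > "$clean"
echo "in-scope hosts: $(count_scope example.com "$raw")"
cat "$clean"
# nmap -iL "$clean"        # scan the cleaned, in-scope list only
rm -f "$raw" "$clean"
```

For a real engagement, replace `make_sample` with the file written by `findomain -o`, and review the printed list against the scope document before any scan starts.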
#### Advanced Features of Findomain$
Findomain$ also offers advanced features, such as recursive searching and API integrations.
1. **Recursive Search**: To search for subdomains recursively, you can use the `-r` flag:
   ```bash
   findomain -d example.com -r
   ```
2. **Using APIs**: If you have stored your API keys in the configuration file, Findomain$ will automatically use them to enhance its subdomain enumeration process.
#### Practical Scenarios
In practice, Findomain$ can be utilized in various scenarios, including:
- **Bug Bounty Hunting**: Many bug bounty programs require the discovery of subdomains to report vulnerabilities.
- **Red Team Assessments**: During red team operations, subdomain enumeration plays a crucial role in identifying attack vectors.
- **Network Mapping**: Understanding the landscape of a target’s infrastructure can aid in building a comprehensive network map.
For further reading on subdomain enumeration techniques and tools, refer to the following resources:
- [OWASP Subdomain Takeover](https://owasp.org/www-community/attacks/Subdomain_Takeover)
- [Subdomain Enumeration Techniques](https://www.cybrary.it/course/subdomain-enumeration/)
- [Almanac of Subdomain Enumeration](https://medium.com/@saagie/almanac-of-subdomain-enumeration-a5abbcbd7b56)
### Conclusion
In this section, we have gone through the installation and configuration of Findomain$ on Kali Linux, learned its basic command structure, and explored practical use cases. Mastering Findomain$ is essential for any penetration tester looking to enhance their reconnaissance capabilities.
As we continue through this course, we will delve deeper into advanced techniques and how to integrate Findomain$ into broader penetration testing methodologies, ensuring comprehensive coverage of web security assessments.
Made by pablo rotem / פבלו רותם