Google Subdomain Discovery For Sites Using Naked Domain

Published: August 30, 2017


In a blog post from Bugcrowd titled “Discovering Subdomains”, Google dorking is the first strategy covered…

The site directive will filter results only to your target:

After we have the initial domain in there we can use the -inurl directive. -inurl:www

Each subdomain we find can then be filtered out with more -inurl directives to make place for others: -inurl:www -inurl:shopping

This strategy for identifying subdomains is very convenient, but what about if the target is using their naked domain instead of www?

This is an issue I struggled with a bit. For example, for which any part of * is in scope on Bugcrowd (unless explicity mentioned as out of scope) uses a naked domain.

Googling for including naked domain

However, after some time, the solution became obvious.

inurl: looks at the entire url, so we can filter out the naked domain by including everything starting from the protocol…

Googling for with naked domain filtered

It worked perfectly!

Happy hacking :smiley:

Hi, I'm Max!

I'm a software developer who mainly works in PHP, but also dabbles in Ruby and Go. Technical topics that interest me are monitoring, security and performance.

During the day I solve challenging technical problems at Something Digital where I mainly work with the Magento platform. I also blog about tech, work on open source and hunt for bugs.

I built a tool called Domain Clamp which monitors and alerts about expiring domains and SSL certificates.

If you'd like to get in touch with me the best way is on Twitter.