Competitive intelligence from a website's subdomains

Finding out the subdomains of a website can be a gold mine of competitive intelligence. This is the same type of search that discovers whether one website is hosted on the same server as another website, which in competitive intelligence terms may provide clues about linked websites/companies (and in other contexts can show security weaknesses).

There are four tools worth using for subdomain discovery: Magic-Net, Robtex, gWebTools and DomainCrawler. Magic-Net is usually the most informative.

Most of the time, the searches will be unproductive. The target server must have been set to allow zone transfers, which applies to a minority of web servers. When the server does allow these searches, the list of subdomains can be data with little information. For example, for Intuit:

That is mostly useless (although on some occasions of great value, odd subdomains can hint at coming products).

In rare instances, which are the ones worth investigating, the subdomains will show a list of the target's clients: for example if the target is a software company that hosts client content or client email accounts. We will avoid listing specific examples, because random examples would be of limited value anyway, but subdomain searches should be part of any thorough competitive intelligence project focusing on a target's clients.