
Subdomain enumeration

dnsdumpster


  • https://dnsdumpster.com

crt.sh


  • https://crt.sh

urlscan


  • https://urlscan.io/search/#page.domain%3Amichalszalkowski.com

virustotal


  • https://www.virustotal.com/gui/domain/michalszalkowski.com/relations

wfuzz


# Virtual-host discovery: the URL stays fixed and only the Host header is fuzzed.
#   -c    coloured output
#   -f    write the results to the file "sub-finger"
#   --hc  hide responses with status 302 (presumably what this lab host returns
#         for unknown names; confirm the baseline response per target)
wfuzz -c \
  -f sub-finger \
  -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt \
  -u "http://cmess.thm" \
  -H "Host: FUZZ.cmess.thm" \
  --hc 302

subdomain_fl.sh - bash - Forward Lookup Brute Force


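# Write the helper into a private directory rather than a fixed name in the
# world-writable /tmp, where another local user could pre-create or symlink
# the file before it is made executable and run.
script_dir=$(mktemp -d)
cat << 'EOF' > "${script_dir:?}/subdomain_fl.sh"
#!/bin/bash
# Forward-lookup brute force: resolves <entry>.<domain> for every wordlist
# entry and prints only the lines `host` did not report as "not found".
# Usage: subdomain_fl.sh <domain>
domain=${1:?usage: subdomain_fl.sh <domain>}
wordlist=/usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
echo "TARGET: $domain"
# Read line by line so entries are never word-split or glob-expanded.
while IFS= read -r sub || [[ -n "$sub" ]]; do
  [[ -n "$sub" ]] || continue
  host "$sub.$domain" | grep -v 'not found'
done < "$wordlist"
EOF
chmod +x "${script_dir:?}/subdomain_fl.sh"
# Call the script by path: it is not on $PATH, so the bare name is not found.
"${script_dir:?}/subdomain_fl.sh" "$URL"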

subdomain_rl.sh - bash - Reverse Lookup Brute Force


# Reverse-lookup sweep: request the PTR record of each address
# 51.222.169.0 through 51.222.169.254 and drop the "not found" answers.
for ip_part in {0..254}; do
  host "51.222.169.${ip_part}" | grep -v 'not found'
done

Gobuster


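# DNS mode as used here: -d is the target domain, -r the resolver to query
# ($IP), -w the wordlist. Variables are quoted so each is passed as exactly
# one argument.
gobuster dns -r "$IP" -d "$URL" -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt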

dig


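# ANY queries are often refused or answered minimally (RFC 8482), so a sparse
# reply does not mean the zone is empty; query A, AAAA, MX, NS and TXT
# individually to confirm what is actually published.
dig "$URL" any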

knockpy {URL}


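# Fetch the pinned 4.1.0 archive with TLS verification left on: the code is
# installed as root in the image, and the original -k skipped certificate
# checks, so a tampered download would have been installed silently.
# -f makes an HTTP error fail the build instead of saving an error page;
# -o names the file directly, so the extra -O and the follow-up mv are gone.
# /home is absolute so the step does not depend on the current WORKDIR.
# NOTE(review): the archive is still not integrity-checked; compare it against
# a known SHA-256 before running setup.py.
RUN apt-get install -y python-dnspython && \
    cd /home && \
    curl -fsSL -o knock.tar.gz https://github.com/guelfoweb/knock/archive/4.1.0.tar.gz && \
    tar -xzf knock.tar.gz && \
    rm knock.tar.gz && \
    cd knock-4.1.0 && \
    python setup.py install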

sublist3r -d {URL}


# Installs Sublist3r from source and exposes it as `sublist3r` on the PATH.
# NOTE(review): the clone takes whatever the default branch holds at build
# time and requirements.txt is installed as-is; pin a reviewed tag or commit
# so the image is reproducible and an upstream change cannot alter it unseen.
RUN cd /home && \
    git clone https://github.com/aboul3la/Sublist3r && \
    cd /home/Sublist3r && \
    pip install -r requirements.txt && \
    ln -sf /home/Sublist3r/sublist3r.py /usr/local/bin/sublist3r

dnsenum


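# Quoted so the domain is always passed as exactly one argument.
dnsenum "$URL"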

theHarvester


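# -b all queries every supported source; sources that need an API key
# contribute nothing until a key is configured, so a short result list may
# reflect missing keys rather than a small footprint.
theHarvester -d "$URL" -b all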

dnsrecon


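# Brute force domains and hosts using a given dictionary (-t brt with -D).
# NOTE(review): this wordlist path lacks the seclists/Discovery/DNS/ prefix
# used by the other commands on this page; confirm the file exists there.
dnsrecon -d "$URL" -D /usr/share/wordlists/subdomains-top1million-110000.txt -t brt
# Passive sources: search-engine results (bing, yand) and certificate
# records from crt.sh (crt). Variables are quoted so the domain stays one argument.
dnsrecon -d "$URL" -t bing
dnsrecon -d "$URL" -t yand
dnsrecon -d "$URL" -t crt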

online


  • https://transparencyreport.google.com/https/certificates
  • https://search.censys.io/certificates?q={URL}
  • https://github.com/OWASP/Amass

online other


  • https://www.crunchbase.com
  • https://bgp.he.net
  • https://github.com/j3ssie/metabigor
  • https://www.whoxy.com
  • https://github.com/vysecurity/DomLink
  • https://builtwith.com
  • https://www.shodan.io
  • https://github.com/hakluke/hakrawler
  • https://github.com/tomnomnom/unfurl
  • https://github.com/jaeles-project/gospider
  • https://github.com/nsonaniya2010/SubDomainizer
  • https://www.youtube.com/watch?v=qLTe6Z10vj8&t=0s