
Enumeration - Subdomain

dnsdumpster

crt.sh

wfuzz

# Virtual-host discovery on cmess.thm: each wordlist entry is substituted for FUZZ
# in the Host header. --hw 290 hides replies with exactly 290 words (presumably the
# baseline "unknown vhost" page on this target; re-measure it for another host).
# -c colourises the terminal output; -f also writes the results to ./sub-finger.
wfuzz -c \
  -f sub-finger \
  -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt \
  -u "http://cmess.thm" \
  -H "Host: FUZZ.cmess.thm" \
  --hw 290

subdomain_fl.sh - bash - Forward Lookup Brute Force

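# Writes a small forward-lookup script to /tmp and runs it against the current
# target. The quoted 'EOF' delimiter keeps the script body literal, so the
# expansions below belong to the script, not to the shell writing it.
cat << 'EOF' > /tmp/subdomain_fl.sh
#!/bin/bash
# Usage: subdomain_fl.sh <domain>
# Resolves <entry>.<domain> for every wordlist entry and prints the names that
# have a DNS answer. No `set -e`: `grep -v` exits 1 when it filters everything,
# which would otherwise abort the loop on the first empty result.
set -u
wordlist=/usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
domain=${1:?usage: subdomain_fl.sh <domain>}
echo "TARGET: $domain"
# read -r keeps backslashes literal; the `|| [[ -n ... ]]` clause still yields a
# final line that has no trailing newline. Reading line by line (rather than
# `for x in $(cat ...)`) avoids word-splitting and glob expansion of entries.
while IFS= read -r sub || [[ -n "$sub" ]]; do
  [[ -n "$sub" ]] || continue   # skip blank lines so we never query ".<domain>"
  # `host` reports NXDOMAIN as "... not found"; keep only names that resolve.
  host "$sub.$domain" | grep -v 'not found'
done < "$wordlist"
EOF
chmod +x /tmp/subdomain_fl.sh
# Absolute path: /tmp is not on PATH, so a bare `subdomain_fl.sh` would not run.
# `target` is presumably a shell function/alias that prints the current target.
/tmp/subdomain_fl.sh "$(target)"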

subdomain_rl.sh - bash - Reverse Lookup Brute Force

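# Reverse-lookup sweep of one /24: ask for the PTR record of every address and
# keep only those that have one (`host` prints "... not found" otherwise).
# The network prefix may be given as $1; the default is the original hard-coded one.
prefix=${1:-51.222.169}
# Brace expansion replaces `$(seq 0 254)`: same 0..254 sequence, no extra process.
for last_octet in {0..254}; do
  host "${prefix}.${last_octet}" | grep -v 'not found'
done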

Gobuster

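# DNS subdomain brute force. `target` is presumably a function/alias printing the
# current target; its output is quoted so an empty or odd value cannot be
# word-split into extra arguments. NOTE(review): this wordlist path uses
# "SecLists" while the other commands on this page use "seclists" — on a
# case-sensitive filesystem only one of them exists; confirm which is installed.
gobuster dns -d "$(target)" -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt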

dig

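# Query all record types for the target. Many servers answer ANY with a minimal
# or synthesised response (RFC 8482), so an empty result is not conclusive —
# query the record types individually (e.g. `dig "$(target)" NS`) in that case.
# The target is quoted so the command substitution is passed as a single argument.
dig "$(target)" any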

# {URL} is a placeholder: substitute the target domain name (not a full http:// URL).
knockpy {URL}

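# Install knockpy 4.1.0 from the release tarball.
# - `-o knock.tar.gz` names the download directly; the original `-O` conflicted
#   with it and the follow-up `mv 4.1.0.tar.gz` is no longer needed.
# - `-fsSL`: fail the build on an HTTP error instead of feeding an error page to
#   tar, stay quiet except for errors, follow GitHub's redirect to codeload.
# - No `-k`: TLS verification stays on — the archive is installed system-wide,
#   so a tampered download would run with root privileges in the image.
# - `cd /home` is absolute so the step does not depend on the current WORKDIR.
# TODO: compare the tarball against a known-good sha256 (<SHA256_PLACEHOLDER>)
#       before extracting. Assumes an earlier layer ran `apt-get update`;
#       python-dnspython is the Python 2 package — confirm the base image matches.
RUN apt-get install -y python-dnspython && \
    cd /home && \
    curl -fsSL -o knock.tar.gz https://github.com/guelfoweb/knock/archive/4.1.0.tar.gz && \
    tar -xzf knock.tar.gz && \
    rm knock.tar.gz && \
    cd knock-4.1.0 && \
    python setup.py install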

# {URL} is a placeholder: substitute the target domain name (not a full http:// URL).
sublist3r -d {URL}

# Install Sublist3r into /home/Sublist3r and expose it as `sublist3r`.
# Paths are given absolutely, so no `cd` is needed inside the layer.
# NOTE(review): the clone is unpinned (default branch) and requirements.txt is
# not version-locked, so the image content can change between builds; consider
# checking out a known tag/commit (<COMMIT_PLACEHOLDER>) for reproducibility.
# The symlink only runs if sublist3r.py keeps its shebang and execute bit — confirm.
RUN git clone https://github.com/aboul3la/Sublist3r /home/Sublist3r && \
    pip install -r /home/Sublist3r/requirements.txt && \
    ln -sf /home/Sublist3r/sublist3r.py /usr/local/bin/sublist3r

dnsenum

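# DNS enumeration with dnsenum. `target` is presumably a function/alias printing
# the current target; quoting keeps its output a single argument.
dnsenum "$(target)"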

theHarvester

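# OSINT collection for the target domain from every supported source (-b all).
# `target` is presumably a function/alias printing the current target; quoting
# keeps its output a single argument. Some sources need API keys configured.
theHarvester -d "$(target)" -b all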

dnsrecon

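# Brute force domains and hosts using a given dictionary (-t brt with -D <wordlist>);
# the remaining runs query Bing, Yandex and crt.sh (-t bing / yand / crt) without a wordlist.
# `target` is presumably a function/alias printing the current target; quoting keeps
# its output a single argument.
# NOTE(review): this wordlist path (/usr/share/wordlists/subdomains-top1million-110000.txt)
# differs from the seclists path used elsewhere on this page — confirm it exists.
dnsrecon -d "$(target)" -D /usr/share/wordlists/subdomains-top1million-110000.txt -t brt
dnsrecon -d "$(target)" -t bing
dnsrecon -d "$(target)" -t yand
dnsrecon -d "$(target)" -t crt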

online

  • https://transparencyreport.google.com/https/certificates
  • https://search.censys.io/certificates?q={URL}
  • https://github.com/OWASP/Amass

online other

  • https://www.crunchbase.com
  • https://bgp.he.net
  • https://github.com/j3ssie/metabigor
  • https://www.whoxy.com
  • https://github.com/vysecurity/DomLink
  • https://builtwith.com
  • https://www.shodan.io
  • https://github.com/hakluke/hakrawler
  • https://github.com/tomnomnom/unfurl
  • https://github.com/jaeles-project/gospider
  • https://github.com/nsonaniya2010/SubDomainizer
  • https://www.youtube.com/watch?v=qLTe6Z10vj8&t=0s