Pentest Book
Pentest Book
/home/six2dez/.pentest-book
Contribute/Donate
Recon
Public info gathering
AIO Recon Tools
Domain Enum
Subdomain Enum
Subdomain Takeover
Network Scanning
Host Scanning
Packet Scanning
Enumeration
Files
SSL/TLS
Ports
Web Attacks
Web Technologies
Cloud
Exploitation
Payloads
Reverse Shells
File transfer
Post Exploitation
Linux
Pivoting
Windows
Mobile
General
Android
iOS
Others
Burp Suite
VirtualBox
Code review
Pentesting Web checklist
Web fuzzers review
Recon suites review
Subdomain tools review
Random
Master assessment mindmaps
BugBounty
Exploiting
tools everywhere
Powered by GitBook

Subdomain Enum

Best Tools

# https://github.com/OWASP/Amass
amass enum -passive -d example.com -o example.com.subs.txt
# Active needs DNS resolution - takes a long time
amass enum -active -brute -w /hpath/DNS/clean-jhaddix-dns.txt -d example.com -o example.com.subs.brute.txt
# Amass get company ASN and scan
amass intel -org EVILCORP -max-dns-queries 2500 | awk -F, '{print $1}' ORS=',' | sed 's/,$//' | xargs -P3 [email protected] -d ',' amass intel -asn @ -max-dns-queries 2500''
# Bruteforce subdmain lists here
# https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS
# https://github.com/Screetsec/Sudomy
./sudomy -d example.com
# https://github.com/cihanmehmet/sub.sh
bash ./sub.sh -a example.com

Subdomain enumeration tools

assetfinder example.com
subfinder -d example.com  -recursive -silent -t 200 -v -o  example.com.subs
subfinder -d target.com -silent | httpx -follow-redirects -status-code -vhost -threads 300 -silent | sort -u | grep[200]| cut -d [ -f1 > resolved.txt
knockpy domain.com
# https://github.com/nsonaniya2010/SubDomainizer
python3 SubDomainizer.py -u https://url.com
python3 domained.py -d example.com --quick
fierce -dns example.com
# Subdomains from Wayback Machine
gau -subs example.com | cut -d / -f 3 | sort -u
# AltDNS - Subdomains of subdomains XD
altdns -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt
# Onliner to find (sub)domains related to a kword on pastebin through google
# https://github.com/gwen001/pentest-tools/blob/master/google-search.py
google-search.py -t "site:http://pastebin.com kword" -b -d -s 0 -e 5 | sed "s/\.com\//\.com\/raw\//" | xargs curl -s | egrep -ho "[a-zA-Z0-9_\.\-]+kword[a-zA-Z0-9_\.\-]+" | sort -fu
dnsrecon -d example.com -D subdomains-top1mil-5000.txt -t brt
# Aquatone - Validate subdomains (take screenshots and generate report)
cat hosts.txt | aquatone
# Wildcard subdomain
dig a *.domain.com = dig a asdasdasd132123123213.domain.com # this is a wildcard subdomain
# Subdomain enumeration from GitHub
# https://github.com/gwen001/github-search
python3 github-subdomains.py -t "GITHUB-TOKEN" -d example.com
# Subdomain bruteforce
dnsrecon -d target.com -D wordlist.txt -t brt
# Get url from JS files
# https://github.com/Threezh1/JSFinder
python JSFinder.py -u http://www.target.com
# Best subdomain bruteforce list 
https://gist.githubusercontent.com/jhaddix/f64c97d0863a78454e44c2f7119c2a6a/raw/96f4e51d96b2203f19f6381c8c545b278eaa0837/all.txt

Subdomain discovery with Burp

Navigate throug target main website with Burp:

  • Without passive scanner

  • Set forms auto submit

  • Scope in advanced, any protocol and one keyword ("tesla")

  • Last step, select all sitemap, Engagement Tools -> Analyze target

Recon - Previous
Domain Enum
Next
Subdomain Takeover
Last updated 3 months ago
Edit on GitHub
Contents
Best Tools
Subdomain enumeration tools
Subdomain discovery with Burp