Subdomain Enum

Best Tools

amass enum -passive -d -o
# Active needs DNS resolution - takes a long time
amass enum -active -brute -w /hpath/DNS/clean-jhaddix-dns.txt -d -o
# Use amass to find the company's ASNs, then scan each ASN
amass intel -org EVILCORP -max-dns-queries 2500 | awk -F, '{print $1}' ORS=',' | sed 's/,$//' | xargs -P3 -I@ -d ',' amass intel -asn @ -max-dns-queries 2500
# Bruteforce subdomain lists here
./sudomy -d
bash ./ -a

Subdomain enumeration tools

subfinder -d -recursive -silent -t 200 -v -o
subfinder -d -silent | httpx -follow-redirects -status-code -vhost -threads 300 -silent | sort -u | grep "\[200\]" | cut -d '[' -f1 > resolved.txt
python3 -u
python3 -d --quick
fierce -dns
# Subdomains from Wayback Machine
gau -subs | cut -d / -f 3 | sort -u
# AltDNS - Subdomains of subdomains XD
altdns -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt
# One-liner to find (sub)domains related to a kword on pastebin through google
# -t "site: kword" -b -d -s 0 -e 5 | sed "s/\.com\//\.com\/raw\//" | xargs curl -s | egrep -ho "[a-zA-Z0-9_\.\-]+kword[a-zA-Z0-9_\.\-]+" | sort -fu
dnsrecon -d -D subdomains-top1mil-5000.txt -t brt
# Aquatone - Validate subdomains (take screenshots and generate report)
cat hosts.txt | aquatone
# Wildcard subdomain: if a random label resolves to the same answer as a known host, the zone has a wildcard record
dig a * = dig a # this is a wildcard subdomain
# Subdomain enumeration from GitHub
python3 -t "GITHUB-TOKEN" -d
# Subdomain bruteforce
dnsrecon -d -D wordlist.txt -t brt
# Get url from JS files
python -u
# Best subdomain bruteforce list
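A wildcard record (see the dig check above) makes every bruteforced label "resolve", which floods the results with false positives. The following added example, not from any of the tools listed here, probes random labels to learn the wildcard answer and then drops candidates that only return those addresses; the resolver is injected so the constructed `example.com` zone runs offline (swap in a real DNS lookup for live use).

```python
import random
import string
from typing import Callable, Dict, Iterable, Optional, Set

# A resolver maps a hostname to its set of A records (empty set on NXDOMAIN).
Resolver = Callable[[str], Set[str]]

def random_label(length: int = 12) -> str:
    """Random label that is vanishingly unlikely to exist as a real subdomain."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))

def wildcard_ips(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Return the addresses a wildcard answers with, or an empty set if none.
    Only addresses common to every probe count, so one random label that
    happens to be a real host cannot fake a wildcard."""
    answers = [resolve(f"{random_label()}.{domain}") for _ in range(probes)]
    return set.intersection(*answers) if answers else set()

def filter_wildcard(domain: str, labels: Iterable[str], resolve: Resolver) -> Dict[str, Set[str]]:
    """Resolve each candidate label and keep hosts with at least one address
    that is not explained by the wildcard. A real record that points at the
    wildcard address is indistinguishable by DNS alone and is dropped too."""
    wildcard = wildcard_ips(domain, resolve)
    kept: Dict[str, Set[str]] = {}
    for label in labels:
        host = f"{label}.{domain}"
        ips = resolve(host)
        if ips and not (wildcard and ips <= wildcard):
            kept[host] = ips
    return kept

def make_fake_resolver(zone: Dict[str, Set[str]], wildcard: Optional[Set[str]] = None) -> Resolver:
    """Offline stand-in for DNS: known names answer from `zone`, any other
    name answers with `wildcard` (or NXDOMAIN when no wildcard is configured)."""
    def resolve(host: str) -> Set[str]:
        return set(zone.get(host, wildcard or set()))
    return resolve

# Constructed sample zone (documentation addresses only), with a wildcard at 203.0.113.7.
SAMPLE_ZONE = {
    "www.example.com": {"198.51.100.10"},
    "mail.example.com": {"198.51.100.20"},
    "old.example.com": {"203.0.113.7"},   # real record, but hidden behind the wildcard IP
}
SAMPLE_WILDCARD = {"203.0.113.7"}
CANDIDATES = ["www", "mail", "old", "dev", "staging"]

if __name__ == "__main__":
    resolve = make_fake_resolver(SAMPLE_ZONE, SAMPLE_WILDCARD)
    print("wildcard:", wildcard_ips("example.com", resolve))
    print("kept:", filter_wildcard("example.com", CANDIDATES, resolve))
```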

Subdomain discovery with Burp

Navigate through the target's main website with Burp:

  • Without passive scanner

  • Set forms auto submit

  • Scope in advanced, any protocol and one keyword ("tesla")

  • Last step, select all sitemap, Engagement Tools -> Analyze target