Pentest Book
Subdomain Enum

Passive sources

```bash
# Passive sources only query third-party data; no DNS traffic reaches the target.
# https://github.com/OWASP/Amass
# https://github.com/OWASP/Amass/blob/master/examples/config.ini
amass enum -passive -d domain.com

# https://github.com/projectdiscovery/subfinder
# https://github.com/projectdiscovery/subfinder#post-installation-instructions
subfinder -d domain.com -all -silent

# https://github.com/tomnomnom/assetfinder
assetfinder example.com

# Historical URLs from the Wayback Machine, reduced to unique hostnames
# https://github.com/tomnomnom/waybackurls
# https://github.com/tomnomnom/unfurl
echo domain.com | waybackurls | unfurl -u domains

# https://github.com/lc/gau
# https://github.com/tomnomnom/unfurl
gau --subs example.com | unfurl -u domains

## Cert Transparency
# https://certificate.transparency.dev/
# https://crt.sh/
# https://github.com/UnaPibaGeek/ctfr
python3 ctfr.py -d domain.com
```

Active DNS resolution

```bash
# Generate a custom resolvers list, always (save the validated list as ~/Tools/resolvers.txt for the steps below)
# https://github.com/vortexau/dnsvalidator
dnsvalidator -tL https://public-dns.info/nameservers.txt -threads 200

# Resolve the candidate list against the validated resolvers
# https://github.com/d3mondev/puredns
puredns resolve subdomains.txt -r ~/Tools/resolvers.txt

## BF (brute force with a wordlist)
# https://github.com/d3mondev/puredns
puredns bruteforce ~/Tools/subdomains.txt united.com -r ~/Tools/resolvers.txt
```

Alterations and permutations

```bash
# https://github.com/Josue87/gotator
gotator -sub subdomains/subdomains.txt -perm permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md
```

Crawling

```bash
# 1st resolve subdomains on valid websites
# https://github.com/projectdiscovery/httpx
cat subdomains.txt | httpx -follow-host-redirects -random-agent -status-code -silent -retries 2 -title -web-server -tech-detect -location -o webs_info.txt

# Clean output (keep the URL column only; -F matches the literal string,
# an unescaped "." would also match hosts such as notdomain.com)
cat webs_info.txt | cut -d ' ' -f1 | grep -F '.domain.com' | sort -u > websites.txt

# Crawl them
# https://github.com/jaeles-project/gospider
gospider -S websites.txt --js -t 20 -d 2 --sitemap --robots -w -r > urls.txt

# Clean output: drop lines longer than 2048 chars, extract URLs, strip a trailing "]",
# reduce to hostnames and keep only in-scope ones
# https://github.com/tomnomnom/unfurl
cat urls.txt | sed '/^.\{2048\}./d' | grep -Eo 'https?://[^ ]+' | sed 's/]$//' | unfurl -u domains | grep -F '.domain.com'
```
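The two "Clean output" steps above rely on a substring grep, which still lets hosts like domain.com.evil.tld through and mishandles wildcards, trailing dots and ports. The following scope filter is an added example, not code from the Pentest Book; the sample lines, the function names and the apex domain.com are constructed for it.

```python
# Scope filter for raw enumeration output (added example, not from the Pentest Book).
# Accepts plain hostnames, httpx/gau-style URLs, crt.sh wildcard names and FQDNs
# with a trailing dot, and keeps only unique hosts under the in-scope apex domains.
from urllib.parse import urlsplit


def normalize(line):
    """Reduce one raw output line to a bare lowercase hostname ('' if none)."""
    parts = line.split()
    token = parts[0] if parts else ""
    if "://" in token:                      # httpx / gau style URL
        token = urlsplit(token).hostname or ""
    token = token.lower().rstrip(".")       # FQDN trailing dot
    if token.startswith("*."):              # crt.sh wildcard entries
        token = token[2:]
    if ":" in token:                        # host:port without a scheme
        token = token.split(":", 1)[0]
    return token


def in_scope(host, apexes):
    """True if host is an apex itself or a proper subdomain of one (label boundary respected)."""
    return any(host == a or host.endswith("." + a) for a in apexes)


def scope_filter(lines, apexes):
    """Unique, sorted in-scope hostnames from raw enumeration output lines."""
    apexes = [a.lower().strip(".") for a in apexes]
    seen = set()
    for line in lines:
        host = normalize(line)
        if host and in_scope(host, apexes):
            seen.add(host)
    return sorted(seen)


# Constructed sample output mimicking the tools used on this page.
SAMPLE = """\
https://www.domain.com [200] [Home] [nginx]
https://api.domain.com:8443 [401] [] [Apache]
*.staging.domain.com
mail.domain.com.
notdomain.com
domain.com.evil.tld
WWW.DOMAIN.COM
"""

if __name__ == "__main__":
    for host in scope_filter(SAMPLE.splitlines(), ["domain.com"]):
        print(host)
```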

DNS records

```bash
# https://github.com/projectdiscovery/dnsx
dnsx -retry 3 -a -aaaa -cname -ns -ptr -mx -soa -resp -silent -l subdomains.txt
```

Other techniques

Google Analytics ID

```bash
# https://github.com/Josue87/AnalyticsRelationships
cat subdomains.txt | analyticsrelationships
```

Subdomain discovery with Burp

Navigate through the target's main website with Burp:
  • Without the passive scanner
  • Set forms to auto-submit
  • Scope in advanced mode: any protocol and one keyword (e.g. "tesla")
  • Last step: select the whole site map, then Engagement Tools -> Analyze target