Pentest Book
Search…
/home/six2dez/.pentest-book
Contribute/Donate
Recon
Public info gathering
AIO Recon Tools
Domain Enum
Subdomain Enum
Subdomain Takeover
Network Scanning
Host Scanning
Packet Scanning
Enumeration
Files
SSL/TLS
Ports
Web Attacks
Web Technologies
Cloud
Exploitation
Payloads
Reverse Shells
File transfer
Post Exploitation
Linux
Pivoting
Windows
Mobile
General
Android
iOS
Others
Burp Suite
Password cracking
VirtualBox
Code review
Pentesting Web checklist
Internal Pentest
Web fuzzers review
Recon suites review
Subdomain tools review
Random
Master assessment mindmaps
BugBounty
Exploiting
tools everywhere
Powered By GitBook
Subdomain Enum

Best Tools

1
# https://github.com/OWASP/Amass
2
amass enum -passive -d example.com -o example.com.subs.txt
3
# Active needs DNS resolution - takes a long time
4
amass enum -active -brute -w /hpath/DNS/clean-jhaddix-dns.txt -d example.com -o example.com.subs.brute.txt
5
# Amass get company ASN and scan
6
amass intel -org EVILCORP -max-dns-queries 2500 | awk -F, '{print $1}' ORS=',' | sed 's/,$//' | xargs -P3 [email protected] -d ',' amass intel -asn @ -max-dns-queries 2500''
7
# Bruteforce subdmain lists here
8
# https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS
9
10
# https://github.com/Screetsec/Sudomy
11
./sudomy -d example.com
12
13
# https://github.com/cihanmehmet/sub.sh
14
bash ./sub.sh -a example.com
Copied!

Subdomain enumeration tools

1
assetfinder example.com
2
3
subfinder -d example.com -recursive -silent -t 200 -v -o example.com.subs
4
subfinder -d target.com -silent | httpx -follow-redirects -status-code -vhost -threads 300 -silent | sort -u | grep[200]| cut -d [ -f1 > resolved.txt
5
6
knockpy domain.com
7
8
# https://github.com/nsonaniya2010/SubDomainizer
9
python3 SubDomainizer.py -u https://url.com
10
11
python3 domained.py -d example.com --quick
12
13
fierce -dns example.com
14
15
# Subdomains from Wayback Machine
16
gau -subs example.com | cut -d / -f 3 | sort -u
17
18
# AltDNS - Subdomains of subdomains XD
19
altdns -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt
20
21
# Onliner to find (sub)domains related to a kword on pastebin through google
22
# https://github.com/gwen001/pentest-tools/blob/master/google-search.py
23
google-search.py -t "site:http://pastebin.com kword" -b -d -s 0 -e 5 | sed "s/\.com\//\.com\/raw\//" | xargs curl -s | egrep -ho "[a-zA-Z0-9_\.\-]+kword[a-zA-Z0-9_\.\-]+" | sort -fu
24
25
dnsrecon -d example.com -D subdomains-top1mil-5000.txt -t brt
26
27
# Aquatone - Validate subdomains (take screenshots and generate report)
28
cat hosts.txt | aquatone
29
30
# Wildcard subdomain
31
dig a *.domain.com = dig a asdasdasd132123123213.domain.com # this is a wildcard subdomain
32
33
# Subdomain enumeration from GitHub
34
# https://github.com/gwen001/github-search
35
python3 github-subdomains.py -t "GITHUB-TOKEN" -d example.com
36
37
# Subdomain bruteforce
38
dnsrecon -d target.com -D wordlist.txt -t brt
39
40
# Get url from JS files
41
# https://github.com/Threezh1/JSFinder
42
python JSFinder.py -u http://www.target.com
43
44
# Best subdomain bruteforce list
45
https://gist.githubusercontent.com/jhaddix/f64c97d0863a78454e44c2f7119c2a6a/raw/96f4e51d96b2203f19f6381c8c545b278eaa0837/all.txt
Copied!

Subdomain discovery with Burp

Navigate throug target main website with Burp:
  • Without passive scanner
  • Set forms auto submit
  • Scope in advanced, any protocol and one keyword ("tesla")
  • Last step, select all sitemap, Engagement Tools -> Analyze target
Recon - Previous
Domain Enum
Next
Subdomain Takeover
Last modified 1mo ago
Export as PDF
Copy link
Contents
Best Tools
Subdomain enumeration tools
Subdomain discovery with Burp