Pentest Book
Search…
/home/six2dez/.pentest-book
Contribute/Donate
Recon
Public info gathering
Root domains
Subdomain Enum
Subdomain Takeover
Webs recon
Network Scanning
Host Scanning
Packet Scanning
Enumeration
Files
SSL/TLS
Ports
Web Attacks
Web Technologies
Cloud
Exploitation
Payloads
Reverse Shells
File transfer
Post Exploitation
Linux
Pivoting
Windows
Mobile
General
Android
iOS
Others
Burp Suite
Password cracking
VirtualBox
Code review
Pentesting Web checklist
Internal Pentest
Web fuzzers review
Recon suites review
Subdomain tools review
Random
Master assessment mindmaps
BugBounty
Exploiting
tools everywhere
Powered By GitBook
Subdomain Enum

Passive sources

1
# https://github.com/OWASP/Amass
2
# https://github.com/OWASP/Amass/blob/master/examples/config.ini
3
amass enum -passive -d domain.com
4
​
5
# https://github.com/projectdiscovery/subfinder
6
# https://github.com/projectdiscovery/subfinder#post-installation-instructions
7
subfinder -d domain.com -all -silent
8
​
9
# https://github.com/tomnomnom/assetfinder
10
assetfinder example.com
11
​
12
# https://github.com/tomnomnom/waybackurls
13
# https://github.com/tomnomnom/unfurl
14
echo domain.com | waybackurls | unfurl -u domains
15
​
16
# https://github.com/lc/gau
17
# https://github.com/tomnomnom/unfurl
18
gau --subs example.com | unfurl -u domains
19
​
20
## Cert Transparency
21
# https://certificate.transparency.dev/
22
# https://crt.sh/
23
# https://github.com/UnaPibaGeek/ctfr
24
python3 ctfr.py -d domain.com
Copied!

Active DNS resolution

1
# Generate custom resolvers list, always
2
# https://github.com/vortexau/dnsvalidator
3
dnsvalidator -tL https://public-dns.info/nameservers.txt -threads 200
4
​
5
# https://github.com/d3mondev/puredns
6
puredns resolve subdomains.txt -r ~/Tools/resolvers.txt
7
​
8
## BF
9
# https://github.com/d3mondev/puredns
10
puredns bruteforce ~/Tools/subdomains.txt united.com -r ~/Tools/resolvers.txt
Copied!

Alterations and permutations

1
#https://github.com/Josue87/gotator
2
gotator -sub subdomains/subdomains.txt -perm permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md
Copied!

Crawling

1
# 1st resolve subdomains on valid websites
2
# https://github.com/projectdiscovery/httpx
3
cat subdomains.txt | httpx -follow-host-redirects -random-agent -status-code -silent -retries 2 -title -web-server -tech-detect -location -o webs_info.txt
4
# Clean output
5
cat webs_info.txt | cut -d ' ' -f1 | grep ".domain.com" | sort -u > websites.txt
6
# Crawl them
7
# https://github.com/jaeles-project/gospider
8
gospider -S websites.txt --js -t 20 -d 2 --sitemap --robots -w -r > urls.txt
9
# Clean output
10
# https://github.com/tomnomnom/unfurl
11
cat urls.txt | sed '/^.\{2048\}./d' | grep -Eo 'https?://[^ ]+' | sed 's/]$//' | unfurl -u domains | grep ".domain.com"
Copied!

DNS records

1
# https://github.com/projectdiscovery/dnsx
2
dnsx -retry 3 -a -aaaa -cname -ns -ptr -mx -soa -resp -silent -l subdomains.txt
Copied!

Other techniques

Google Analytics ID

1
# https://github.com/Josue87/AnalyticsRelationships
2
cat subdomains.txt | analyticsrelationships
Copied!

Subdomain discovery with Burp

Navigate through target main website with Burp:
  • Without passive scanner
  • Set forms auto submit
  • Scope in advanced, any protocol and one keyword ("tesla")
  • Last step, select all sitemap, Engagement Tools -> Analyze target
Recon - Previous
Root domains
Next
Subdomain Takeover
Last modified 1mo ago
Export as PDF
Copy link
Edit on GitHub
Contents
Passive sources
Active DNS resolution
Alterations and permutations
Crawling
DNS records
Other techniques
Google Analytics ID
Subdomain discovery with Burp