Bug Hunter Handbook
Subdomain Enumeration

Last updated 3 years ago

Blog Posts / References / Presentations / Videos:

  1. Subdomain Enumeration Cheatsheet - https://pentester.land/cheatsheets/2018/11/14/subdomains-enumeration-cheatsheet.html

  2. Practical recon techniques for bug hunters & pen testers - https://blog.appsecco.com/practical-recon-techniques-for-bug-hunters-pen-testers-at-levelup-0x02-b72c15641972

  3. The Art of Subdomain Enumeration - https://github.com/appsecco/the-art-of-subdomain-enumeration

  4. Esoteric sub-domain enumeration techniques - https://github.com/appsecco/bugcrowd-levelup-subdomain-enumeration

  5. Subdomain Enumeration: 2019 Workflow - https://0xpatrik.com/subdomain-enumeration-2019/

  6. Awesome Asset Discovery - https://github.com/redhuntlabs/Awesome-Asset-Discovery#domain--subdomain-discovery

  7. A More Advanced Recon Automation #1 (Subdomains) - https://poc-server.com/blog/2019/01/18/advancedrecon-subdomains/

  8. Automating the Recon Process - Video - https://null.co.in/event_sessions/2618-automating-the-recon-process

  9. OSINT for Proactive Defense - RootConf 2019 - https://www.slideshare.net/redhuntlabs/osint-for-proactive-defense-rootconf-2019?next_slideshow=1

  10. Empowering red and blue teams with OSINT - c0c0n 2017 - https://www.slideshare.net/reconvillage/empowering-red-and-blue-teams-with-osint-c0c0n-2017

  11. Video - OSINT for Proactive Defense - Shubham Mittal - https://www.youtube.com/watch?time_continue=1301&v=0s2nmOZKQY8

  12. Gathering domains/subdomains with IP ranges of an organization - https://medium.com/@arbazhussain/gathering-domains-subdomains-with-ipranges-of-organization-49362d8a1271

  13. Comprehensive Guide - https://echocipher.github.io/2019/07/24/Subdomain-Recon/

  14. Converter.sh, a bash script to convert domain lists to resolved IP lists without duplicates - https://gist.github.com/xdavidhu/07457247b9087dea4ddaf52858500cce

Tools:

  1. suip.biz - no need to install tools

  2. subscraper

  3. Domainbigdata

Twitter Thread / Bugbounty Tips:

  • Sub-Domain Enumeration One-liners:

    • One-liner to get Common Crawl assets - https://twitter.com/fasthm00/status/1145485593687625728

Top 7 Subdomain Scanner Tools - https://securitytrails.com/blog/subdomain-scanner-find-subdomains

Subdomain list for bruteforcing - https://twitter.com/Alra3ees/status/1068079409117188096

Domain status checker -

Lazyrecon - https://github.com/plenumlab/lazyrecon

Second-order - https://github.com/mhmdiaa/second-order

FindDomain - https://github.com/Edu4rdSHL/findomain

CCrawlDNS - https://github.com/lgandx/CCrawlDNS

Subdomainizer - https://github.com/nsonaniya2010/SubDomainizer

Asset Discovery -

SubSanner -

I got URLs - https://github.com/xyele/igoturls

CC.py - Extracting URLs of a specific target based on the results of "commoncrawl.org" - https://github.com/si9int/cc.py

Commoncrawl - https://github.com/hecvs17/ccrawlen

A new generation of tool for discovering subdomains (IP, CDN and so on) - https://github.com/yanxiu0614/subdomain3

PROJECT BLACK - https://github.com/c0rvax/project-black

Monitoring - https://github.com/BitTheByte/Monitorizer/

dnsgen - https://github.com/ProjectAnte/dnsgen

All tools combined - https://github.com/sethsec/celerystalk

getallURLS -

hakrawler - https://github.com/hakluke/hakrawler

Resolver - https://github.com/haxormad/domainresolver

BASSS - https://github.com/Abss0x7tbh/bass

Censys Subdomain Finder - https://github.com/christophetd/censys-subdomain-finder

Trademark to discover domains - https://github.com/esecuritylab/kostebek

Port Scanner -

Tools Evaluation -

Subdomains Enumeration Cheat Sheet -

Fetch known URLs from AlienVault's Open Threat Exchange for given hosts - https://github.com/lc/otxurls

Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl - https://github.com/lc/gau

Port Scanner - https://github.com/projectdiscovery/naabu

CTFR - Abusing Certificate Transparency logs for getting HTTPS websites' subdomains - https://github.com/UnaPibaGeek/ctfr

Masscan + nmap - https://github.com/s0md3v/Silver

Latest -

Hourly update of subdomains - https://github.com/internetwache/CT_subdomains

Venkon.us - https://www.venkon.us/subdomain-lister/

Resolver -

Bruteforce -

vHost -

CertSpotter - https://certspotter.com/api/v0/certs?domain=hackerone.com

CertSpotter Bash One Liner (quotes the URL so the shell does not expand ? and =, prints raw strings with jq -r, strips a leading wildcard label and de-duplicates with sort -u):
curl -s 'https://certspotter.com/api/v0/certs?domain=example.com' | jq -r '.[].dns_names[]' | sed 's/^\*\.//' | sort -u

Oneliner Certspotter x Massdns subdomain enum - https://twitter.com/plenumlab/status/1068442310147547136

Threatcrowd - https://threatcrowd.org/searchApi/v2/domain/report/?domain=hackerone.com

Get List of Active Domains -

Need to pull subdomains from Rapid 7's Project Sonar -

Tips from Ben -

Quick Tip from Shubham Mittal - https://twitter.com/upgoingstar/status/1163818517956710400

Thread from Somdev - https://twitter.com/s0md3v/status/1202461998283251712

Subdomain Bruteforce - Subdomain bruteforce with ffuf on port 443. It works fine (the -v output contains a "| URL |" column, which awk picks out):
ffuf -u https://FUZZ.rootdomain.com -w jhaddixall.txt -v | grep "| URL | " | awk '{print $4}'

Get your target's IP ranges using your target's domain (ASN + CIDR extract). The original one-liner passed a URL to nc, which needs a bare hostname; it also assumed the first dig answer is an IP, which fails when the domain is a CNAME:
domain=example.com   # set this to the target apex domain
ip=$(dig +short "$domain" A | grep -E '^[0-9.]+$' | head -1)   # first A record, skipping CNAME lines
a=$(curl -s -H 'Accept: application/json' "http://api.iptoasn.com/v1/as/ip/$ip" | jq .as_number)
echo "!gas$a" | nc whois.radb.net 43 | tr ' ' '\n' | sed -e '1d' -e '$d'   # RADb: routes originated by the AS, minus the A/C framing lines

Horizontal domain correlation (reverse WHOIS):

  • https://viewdns.info/reversewhois/ - Free
  • https://domaineye.com/reverse-whois - Free
  • https://reversewhois.io - Free
  • https://whoxy.com - Free web, not free API
  • http://reversewhois.domaintools.com - Not free
  • https://drs.whoisxmlapi.com/reverse-whois-search… - Not free
  • https://domainiq.com - Not free

Vhost writeup - https://medium.com/@meraid.kr/how-i-solved-hackerone-h1-212-ctf-e6d7171a55e6

Other links (listed on the page without a description):

https://phonexicum.github.io/infosec/osint.html#subdomain--ip--e-mail-harvesting--enumirate--etc-concrete-tools
https://github.com/JannisKirschner/Horn3t
https://github.com/unstabl3/recce
https://github.com/Screetsec/Sudomy
https://github.com/chrismaddalena/ODIN
https://twitter.com/_sawzeeyy/status/976171883212296192
https://github.com/cihanmehmet/sub.sh
https://twitter.com/hacker_/status/1192127358787997701
https://gist.github.com/s0md3v/9234fc144f61acf5f2c447f605485eb5
https://github.com/zeropwn/spyse.py
https://twitter.com/testermoving/status/1226947775033556992
https://twitter.com/Alra3ees/status/1225908724671401984
https://github.com/rbsec/dnscan
https://rapiddns.io
https://github.com/shmilylty/OneForAll
https://github.com/junnlikestea/vita
https://subdomainfinder.c99.nl/
https://github.com/hash3liZer/Subrake
https://github.com/allyomalley/LiveTargetsFinder
https://github.com/Edu4rdSHL/rusolver
https://github.com/Fadavvi/Sub-Drill
https://github.com/jonluca/anubis
https://github.com/z3dc0ps/0x0p1n3r
https://rapiddns.io/subdomain/example.com?full=1
https://github.com/bing0o/SubEnum
https://github.com/storenth/lazyrecon
https://github.com/bp0lr/dmut
https://github.com/Josue87/gotator
https://github.com/Cyber-Guy1/Subdomainer
https://twitter.com/HusseiN98D/status/1158503813399142401
https://twitter.com/reybango/status/1146862356879826944
https://twitter.com/CreedHackers/status/1067449832946745344
https://twitter.com/janescott_/status/1065995260554170369
https://gist.github.com/yassineaboukir/f70a45dfc4fcac4a0aa0840b9eba4386
https://twitter.com/0xpatrik/status/1160669104304467978
https://twitter.com/nullenc0de/status/1095030391629598721
https://twitter.com/C1h2e11/status/1163806579474329600
https://twitter.com/intigriti/status/1194595250049835010
From your experience: what is the fastest and most accurate subdomain brute forcer? #bugbounty #bugbountytips #infosec #bugbounty #pentest -
https://publicwww.com/websites/%22.yahoo.com%22/
https://securitytrails.com/list/apex_domain/tilkee.info
https://sonar.omnisint.io/
TimeForA #BugBountyTip I use http://Zone-H.org to find defaced (sub) domains of the website I am testing. This reveals subdomains, potentially defaced /dir/ (if not index). I pursue testing using the data I got. #bugbounty #bugbountytips #pentest #infosec Get CREATIVE RT