Subdomain Enumeration

Blog Posts / References / Presentations / Videos:

1. Subdomain Enumeration Cheatsheet - https://pentester.land/cheatsheets/2018/11/14/subdomains-enumeration-cheatsheet.html.

2. Practical recon techniques for bug hunters & pen testers - https://blog.appsecco.com/practical-recon-techniques-for-bug-hunters-pen-testers-at-levelup-0x02-b72c15641972

3. The Art of Subdomain Enumeration - https://github.com/appsecco/the-art-of-subdomain-enumeration.

4. Esoteric sub-domain enumeration techniques - https://github.com/appsecco/bugcrowd-levelup-subdomain-enumeration

5. Subdomain Enumeration: 2019 Workflow - https://0xpatrik.com/subdomain-enume ration-2019/

6. Awesome Asset Discovery - https://github.com/redhuntlabs/Awesome-Asset-Discovery#domain--subdomain-discovery

7. A More Advanced Recon Automation #1 (Subdomains) - https://poc-server.com/blog/2019/01/18/advancedrecon-subdomains/

8. Automating the Recon Process-https://null.co.in/event_sessions/2618-automating-the-recon-process - Video

9. OSINT for Proactive Defense - RootConf 2019 - https://www.slideshare.net/redhuntlabs/osint-for-proactive-defense-rootconf-2019?next_slideshow=1

10. Empowering red and blue teams with osint c0c0n 2017 - https://www.slideshare.net/reconvillage/empowering-red-and-blue-teams-with-osint-c0c0n-2017

11. Video - OSINT for Proactive Defense - Shubam Mittal - https://www.youtube.com/watch?time_continue=1301&v=0s2nmOZKQY8

12. Gathering domains/subdomains with IPRanges of organization - https://medium.com/@arbazhussain/gathering-domains-subdomains-with-ipranges-of-organization-49362d8a1271

13. Compherensive Guide - https://echocipher.github.io/2019/07/24/Subdomain-Recon/

14. Converter.sh, a bash script to convert domain lists to resolved IP lists without duplicates - https://gist.github.com/xdavidhu/07457247b9087dea4ddaf52858500cce

Tools:

1. Top 7 Subdomain Scanner Tools - https://securitytrails.com/blog/subdomain-scanner-find-subdomains

2. Subdomain list for bruteforcing - https://twitter.com/Alra3ees/status/1068079409117188096

3. https://phonexicum.github.io/infosec/osint.html#subdomain--ip--e-mail-harvesting--enumirate--etc-concrete-tools

4. https://twitter.com/plenumlab/status/1068442310147547136

5. https://github.com/JannisKirschner/Horn3t

6. Domain status checker - https://github.com/unstabl3/recce

7. Lazyrecon - https://github.com/plenumlab/lazyrecon

8. Second-order - https://github.com/mhmdiaa/second-order

9. FindDomain - https://github.com/Edu4rdSHL/findomain

10. CCrawlDNS - https://github.com/lgandx/CCrawlDNS

11. Subdomainizer - https://github.com/nsonaniya2010/SubDomainizer

12. https://github.com/Screetsec/Sudomy

13. Assest Discovery - https://github.com/chrismaddalena/ODIN

14. Subdomain list for bruteforcing - https://twitter.com/Alra3ees/status/1068079409117188096

15. https://twitter.com/_sawzeeyy/status/976171883212296192

16. SubSanner - https://github.com/cihanmehmet/sub.sh

17. I got URLS - https://github.com/xyele/igoturls

18. CC.py - Extracting URLs of a specific target based on the results of "commoncrawl.org" - https://github.com/si9int/cc.py

19. https://github.com/hecvs17/ccrawlen - Commoncrawl

20. A new generation of tool for discovering subdomains( ip , cdn and so on) - https://github.com/yanxiu0614/subdomain3

21. https://github.com/c0rvax/project-black - PROJECT BLACK

22. https://github.com/BitTheByte/Monitorizer/ - Monitoring

23. https://github.com/ProjectAnte/dnsgen - dnsgen

24. https://github.com/sethsec/celerystalk - all tools combined

25. getallURLS - https://twitter.com/hacker_/status/1192127358787997701

26. https://github.com/hakluke/hakrawler - hakrawler

27. Resolver - https://github.com/haxormad/domainresolver

28. BASSS - https://github.com/Abss0x7tbh/bass

29. Censys Subdomain Finder - https://github.com/christophetd/censys-subdomain-finder

30. Trademark to discover doamins - https://github.com/esecuritylab/kostebek

31. Port Scanner - https://gist.github.com/s0md3v/9234fc144f61acf5f2c447f605485eb5

32. https://github.com/zeropwn/spyse.py

33. Tools Evaluation - https://twitter.com/testermoving/status/1226947775033556992

34. Subdomains Enumeration Cheat Sheet. - https://twitter.com/Alra3ees/status/1225908724671401984

35. Fetch known urls from AlienVault's Open Threat Exchange for given hosts - https://github.com/lc/otxurls

36. Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl. - https://github.com/lc/gau

37. Port Scanner - https://github.com/projectdiscovery/naabu

38. CTFR - Abusing Certificate Transparency logs for getting HTTPS websites subdomains. -https://github.com/UnaPibaGeek/ctfr

39. https://github.com/rbsec/dnscan

40. https://github.com/s0md3v/Silver - Masscan + nmap

41. https://rapiddns.io -- latest

42. suip.biz - no need to install tools

43. https://github.com/internetwache/CT_subdomains - hourly update of sub domains.

44. https://github.com/shmilylty/OneForAll

45. subscraper

46. Venkon.us - https://www.venkon.us/subdomain-lister/

47. Domainbigdata

48. https://github.com/junnlikestea/vita

49. https://subdomainfinder.c99.nl/

50. https://github.com/hash3liZer/Subrake

51. https://github.com/allyomalley/LiveTargetsFinder

52. Resolver - https://github.com/Edu4rdSHL/rusolver

53. https://github.com/Fadavvi/Sub-Drill

54. https://github.com/jonluca/anubis

55. https://github.com/z3dc0ps/0x0p1n3r

56. https://rapiddns.io/subdomain/example.com?full=1

57. https://github.com/bing0o/SubEnum

58. https://github.com/storenth/lazyrecon

59. Bruteforce - https://github.com/bp0lr/dmut

60. https://github.com/Josue87/gotator

61. https://github.com/Cyber-Guy1/Subdomainer

Twitter Thread / Bugbounty Tips:

• https://twitter.com/HusseiN98D/status/1158503813399142401 - vHost

• https://twitter.com/reybango/status/1146862356879826944

• Sub-Domain Enumeration Oneliner's:

  • https://twitter.com/CreedHackers/status/1067449832946745344

  • https://twitter.com/janescott_/status/1065995260554170369

  • https://gist.github.com/yassineaboukir/f70a45dfc4fcac4a0aa0840b9eba4386

  • https://twitter.com/plenumlab/status/1068442310147547136

  • Certsspotter - https://certspotter.com/api/v0/certs?domain=hackerone.com

  • CertSpotter Bash One Liner - curl https://certspotter.com/api/v0/certs\?domain\=example.com | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/*.//g' | uniq

  • Oneliner Certspotter x Massdns subdomain enum - https://twitter.com/plenumlab/status/1068442310147547136

  • Threatcrowd - https://threatcrowd.org/searchApi/v2/domain/report/?domain=hackerone.com

  • Get List of Active Domains - https://twitter.com/0xpatrik/status/1160669104304467978

  • Need to pull subdomains from Rapid 7's Project Sonar - https://twitter.com/nullenc0de/status/1095030391629598721

  • OneLiner to get commoncrawl assets -https://twitter.com/fasthm00/status/1145485593687625728

  • Tips from Ben - https://twitter.com/C1h2e11/status/1163806579474329600

  • Quick Tip from Shubam Mittal - https://twitter.com/upgoingstar/status/1163818517956710400

  • https://twitter.com/intigriti/status/1194595250049835010

  • TimeForA #BugBountyTip I use http://Zone-H.org to find defaced (sub) domains of the website I am testing. This reveals subdomains, potentially defaced /dir/ (if not index). I pursue testing using the data I got. #bugbounty #bugbountytips #pentest #infosec Get CREATIVE RT
  • Thread from Somdev - https://twitter.com/s0md3v/status/1202461998283251712

  • From your experience: what is the fastest and most accurate subdomain brute forcer? #bugbounty #bugbountytips #infosec #bugbounty #pentest -

  • https://publicwww.com/websites/%22.yahoo.com%22/

  • https://securitytrails.com/list/apex_domain/tilkee.info

  • https://sonar.omnisint.io/

Subdomain Bruteforce - #ffuf@ngkogkos@joohoi@Jhaddix Subdomain bruteforce with ffuf on 443 port. It works fine ffuf -u https://FUZZ.rootdomain.com -w jhaddixall.txt -v | grep "| URL | " | awk '{print $4}'34578

• Get your targets IP ranges using your targets domain (asn+cidr extract): a=$(curl -H'Accept: application/json' http://api.iptoasn.com/v1/as/ip/$(dig +short $domain | head -1)| jq .as_number);echo '!gas'$a''| nc http://whois.radb.net 43 | tr " " "\n" | sed -e '1d' -e '$d'

Horizontal domain correlation https://viewdns.info/reversewhois/ - Free https://domaineye.com/reverse-whois - Free https://reversewhois.io - Free https://whoxy.com - Free web, not free API. http://reversewhois.domaintools.com - Not free https://drs.whoisxmlapi.com/reverse-whois-search… - Not Free https://domainiq.com - Not Free

Vhost writeup - https://medium.com/@meraid.kr/how-i-solved-hackerone-h1-212-ctf-e6d7171a55e6