# Subdomain Enumeration

**Blog Posts / References / Presentations / Videos:**

1. Subdomain Enumeration Cheatsheet - <https://pentester.land/cheatsheets/2018/11/14/subdomains-enumeration-cheatsheet.html>.
2. Practical recon techniques for bug hunters & pen testers - <https://blog.appsecco.com/practical-recon-techniques-for-bug-hunters-pen-testers-at-levelup-0x02-b72c15641972>
3. The Art of Subdomain Enumeration - <https://github.com/appsecco/the-art-of-subdomain-enumeration>.
4. Esoteric sub-domain enumeration techniques - <https://github.com/appsecco/bugcrowd-levelup-subdomain-enumeration>
5. Subdomain Enumeration: 2019 Workflow - <https://0xpatrik.com/subdomain-enumeration-2019/>
6. Awesome Asset Discovery - <https://github.com/redhuntlabs/Awesome-Asset-Discovery#domain--subdomain-discovery>
7. A More Advanced Recon Automation #1 (Subdomains) - <https://poc-server.com/blog/2019/01/18/advanced-recon-subdomains/>
8. Automating the Recon Process - <https://null.co.in/event_sessions/2618-automating-the-recon-process> - Video
9. OSINT for Proactive Defense - RootConf 2019 - <https://www.slideshare.net/redhuntlabs/osint-for-proactive-defense-rootconf-2019?next_slideshow=1>
10. Empowering red and blue teams with osint c0c0n 2017 - <https://www.slideshare.net/reconvillage/empowering-red-and-blue-teams-with-osint-c0c0n-2017>
11. Video - OSINT for Proactive Defense - Shubam Mittal - <https://www.youtube.com/watch?time_continue=1301&v=0s2nmOZKQY8>
12. Gathering domains/subdomains with IPRanges of organization - <https://medium.com/@arbazhussain/gathering-domains-subdomains-with-ipranges-of-organization-49362d8a1271>
13. Comprehensive Guide - <https://echocipher.github.io/2019/07/24/Subdomain-Recon/>
14. Converter.sh, a bash script to convert domain lists to resolved IP lists without duplicates - <https://gist.github.com/xdavidhu/07457247b9087dea4ddaf52858500cce>

**Tools:**

1. Top 7 Subdomain Scanner Tools - <https://securitytrails.com/blog/subdomain-scanner-find-subdomains>
2. Subdomain list for bruteforcing - <https://twitter.com/Alra3ees/status/1068079409117188096>
3. <https://phonexicum.github.io/infosec/osint.html#subdomain--ip--e-mail-harvesting--enumirate--etc-concrete-tools>
4. <https://twitter.com/plenumlab/status/1068442310147547136>
5. <https://github.com/JannisKirschner/Horn3t>
6. Domain status checker - <https://github.com/unstabl3/recce>
7. Lazyrecon - <https://github.com/plenumlab/lazyrecon>
8. Second-order - <https://github.com/mhmdiaa/second-order>
9. FindDomain - <https://github.com/Edu4rdSHL/findomain>
10. CCrawlDNS - <https://github.com/lgandx/CCrawlDNS>
11. SubDomainizer - <https://github.com/nsonaniya2010/SubDomainizer>
12. <https://github.com/Screetsec/Sudomy>
13. Asset Discovery - <https://github.com/chrismaddalena/ODIN>
14. Subdomain list for bruteforcing - <https://twitter.com/Alra3ees/status/1068079409117188096>
15. <https://twitter.com/_sawzeeyy/status/976171883212296192>
16. SubScanner - <https://github.com/cihanmehmet/sub.sh>
17. I got URLS - <https://github.com/xyele/igoturls>
18. CC.py - Extracting URLs of a specific target based on the results of "commoncrawl.org" - <https://github.com/si9int/cc.py>
19. <https://github.com/hecvs17/ccrawlen> - Commoncrawl
20. A new generation of tool for discovering subdomains (IP, CDN and so on) - <https://github.com/yanxiu0614/subdomain3>
21. <https://github.com/c0rvax/project-black> - PROJECT BLACK
22. <https://github.com/BitTheByte/Monitorizer/> - Monitoring
23. <https://github.com/ProjectAnte/dnsgen> - dnsgen
24. <https://github.com/sethsec/celerystalk> - all tools combined
25. getallURLS - <https://twitter.com/hacker_/status/1192127358787997701>
26. <https://github.com/hakluke/hakrawler> - hakrawler
27. Resolver - <https://github.com/haxormad/domainresolver>
28. BASSS - <https://github.com/Abss0x7tbh/bass>
29. Censys Subdomain Finder - <https://github.com/christophetd/censys-subdomain-finder>
30. Trademark to discover domains - <https://github.com/esecuritylab/kostebek>
31. Port Scanner - <https://gist.github.com/s0md3v/9234fc144f61acf5f2c447f605485eb5>
32. <https://github.com/zeropwn/spyse.py>
33. Tools Evaluation - <https://twitter.com/testermoving/status/1226947775033556992>
34. Subdomains Enumeration Cheat Sheet. - <https://twitter.com/Alra3ees/status/1225908724671401984>
35. Fetch known urls from AlienVault's Open Threat Exchange for given hosts - <https://github.com/lc/otxurls>
36. Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl. - <https://github.com/lc/gau>
37. Port Scanner - <https://github.com/projectdiscovery/naabu>
38. CTFR - Abusing Certificate Transparency logs for getting HTTPS websites subdomains. - <https://github.com/UnaPibaGeek/ctfr>
39. <https://github.com/rbsec/dnscan>
40. <https://github.com/s0md3v/Silver> - Masscan + nmap
41. <https://rapiddns.io> -- latest
42. suip.biz - no need to install tools
43. <https://github.com/internetwache/CT_subdomains> - hourly update of sub domains.
44. <https://github.com/shmilylty/OneForAll>
45. subscraper
46. Venkon.us - <https://www.venkon.us/subdomain-lister/>
47. Domainbigdata
48. <https://github.com/junnlikestea/vita>
49. <https://subdomainfinder.c99.nl/>
50. <https://github.com/hash3liZer/Subrake>
51. <https://github.com/allyomalley/LiveTargetsFinder>
52. Resolver - <https://github.com/Edu4rdSHL/rusolver>
53. <https://github.com/Fadavvi/Sub-Drill>
54. <https://github.com/jonluca/anubis>
55. <https://github.com/z3dc0ps/0x0p1n3r>
56. <https://rapiddns.io/subdomain/example.com?full=1>
57. <https://github.com/bing0o/SubEnum>
58. <https://github.com/storenth/lazyrecon>
59. Bruteforce - <https://github.com/bp0lr/dmut>
60. <https://github.com/Josue87/gotator>
61. <https://github.com/Cyber-Guy1/Subdomainer>

{% embed url="https://twitter.com/Alra3ees/status/1175453684567826433" %}

{% embed url="https://twitter.com/sprp77/status/1229319801736220674" %}

{% embed url="https://twitter.com/soaj1664ashar/status/1066437407954870277" %}

{% embed url="https://twitter.com/Random_Robbie/status/1424768789447593985?s=20" %}

**Twitter Thread / Bugbounty Tips:**

* <https://twitter.com/HusseiN98D/status/1158503813399142401> - vHost
* <https://twitter.com/reybango/status/1146862356879826944>
* Subdomain enumeration one-liners:
  * <https://twitter.com/CreedHackers/status/1067449832946745344>
  * <https://twitter.com/janescott_/status/1065995260554170369>
  * <https://gist.github.com/yassineaboukir/f70a45dfc4fcac4a0aa0840b9eba4386>
  * <https://twitter.com/plenumlab/status/1068442310147547136>
  * CertSpotter - <https://certspotter.com/api/v0/certs?domain=hackerone.com>
  * CertSpotter Bash one-liner - `curl https://certspotter.com/api/v0/certs\?domain\=example.com | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | uniq` - <https://intercept9.gitlab.io/osint,recon/2017/09/08/ttp-for-subdomain-enuemration.html>
  * One-liner CertSpotter x Massdns subdomain enum - <https://twitter.com/plenumlab/status/1068442310147547136>
  * Threatcrowd - <https://threatcrowd.org/searchApi/v2/domain/report/?domain=hackerone.com>
  * Get List of Active Domains - <https://twitter.com/0xpatrik/status/1160669104304467978>
  * Need to pull subdomains from Rapid 7's Project Sonar - <https://twitter.com/nullenc0de/status/1095030391629598721>
  * One-liner to get commoncrawl assets - <https://twitter.com/fasthm00/status/1145485593687625728>
  * Tips from Ben - <https://twitter.com/C1h2e11/status/1163806579474329600>
  * Quick Tip from Shubam Mittal - <https://twitter.com/upgoingstar/status/1163818517956710400>
  * <https://twitter.com/intigriti/status/1194595250049835010>
  * "TimeForA #BugBountyTip I use http://Zone-H.org to find defaced (sub) domains of the website I am testing. This reveals subdomains, potentially defaced /dir/ (if not index). I pursue testing using the data I got. #bugbounty #bugbountytips #pentest #infosec Get CREATIVE RT" - <https://twitter.com/HusseiN98D/status/1194645713851957248>
  * Thread from Somdev - <https://twitter.com/s0md3v/status/1202461998283251712>
  * "From your experience: what is the fastest and most accurate subdomain brute forcer? #bugbounty #bugbountytips #infosec #bugbounty #pentest" - <https://twitter.com/HusseiN98D/status/1193623919623884803>
  * <https://publicwww.com/websites/%22.yahoo.com%22/>
  * <https://securitytrails.com/list/apex_domain/tilkee.info>
  * <https://sonar.omnisint.io/>

{% embed url="https://twitter.com/bhavukjain1/status/1288834983755276289" %}

{% embed url="https://twitter.com/Jhaddix/status/975089650552356864" %}

{% embed url="https://twitter.com/zer0pwn/status/1297897435751211009?s=20" %}

Subdomain Bruteforce - [#ffuf](https://twitter.com/hashtag/ffuf?src=hashtag_click) [@ngkogkos](https://twitter.com/ngkogkos) [@joohoi](https://twitter.com/joohoi) [@Jhaddix](https://twitter.com/Jhaddix) Subdomain bruteforce with ffuf on 443 port. It works fine: `ffuf -u https://FUZZ.rootdomain.com -w jhaddixall.txt -v | grep "| URL | " | awk '{print $4}'`

* Get your targets IP ranges using your targets domain (asn+cidr extract): `a=$(curl -H'Accept: application/json' http://api.iptoasn.com/v1/as/ip/$(dig +short $domain | head -1)| jq .as_number);echo '!gas'$a''| nc whois.radb.net 43 | tr " " "\n" | sed -e '1d' -e '$d'` - <https://twitter.com/absshax/status/1176193027154382848?s=20>

Horizontal domain correlation:

* <https://viewdns.info/reversewhois/> - Free
* <https://domaineye.com/reverse-whois> - Free
* <https://reversewhois.io> - Free
* <https://whoxy.com> - Free web, not free API.
* <http://reversewhois.domaintools.com> - Not free
* [https://drs.whoisxmlapi.com/reverse-whois-search…](https://t.co/ZtsHI270rf?amp=1) - Not Free
* <https://domainiq.com> - Not Free

<https://twitter.com/GochaOqradze/status/1224345381519024128>

Vhost writeup - <https://medium.com/@meraid.kr/how-i-solved-hackerone-h1-212-ctf-e6d7171a55e6>
