# Subdomain Enumeration

**Blog Posts / References / Presentations / Videos:**

1. Subdomain Enumeration Cheatsheet - <https://pentester.land/cheatsheets/2018/11/14/subdomains-enumeration-cheatsheet.html>.
2. Practical recon techniques for bug hunters & pen testers - <https://blog.appsecco.com/practical-recon-techniques-for-bug-hunters-pen-testers-at-levelup-0x02-b72c15641972>
3. The Art of Subdomain Enumeration - <https://github.com/appsecco/the-art-of-subdomain-enumeration>.
4. Esoteric sub-domain enumeration techniques - <https://github.com/appsecco/bugcrowd-levelup-subdomain-enumeration>
5. Subdomain Enumeration: 2019 Workflow - <https://0xpatrik.com/subdomain-enumeration-2019/>
6. Awesome Asset Discovery - <https://github.com/redhuntlabs/Awesome-Asset-Discovery#domain--subdomain-discovery>
7. A More Advanced Recon Automation #1 (Subdomains) - <https://poc-server.com/blog/2019/01/18/advanced-recon-subdomains/>
8. Automating the Recon Process - <https://null.co.in/event_sessions/2618-automating-the-recon-process> - Video
9. OSINT for Proactive Defense - RootConf 2019 - <https://www.slideshare.net/redhuntlabs/osint-for-proactive-defense-rootconf-2019?next_slideshow=1>
10. Empowering red and blue teams with osint c0c0n 2017 - <https://www.slideshare.net/reconvillage/empowering-red-and-blue-teams-with-osint-c0c0n-2017>
11. Video -  OSINT for Proactive Defense - Shubam Mittal - <https://www.youtube.com/watch?time_continue=1301&v=0s2nmOZKQY8>
12. Gathering domains/subdomains with IPRanges of organization - <https://medium.com/@arbazhussain/gathering-domains-subdomains-with-ipranges-of-organization-49362d8a1271>
13. Comprehensive Guide - <https://echocipher.github.io/2019/07/24/Subdomain-Recon/>
14. Converter.sh, a bash script to convert domain lists to resolved IP lists without duplicates - <https://gist.github.com/xdavidhu/07457247b9087dea4ddaf52858500cce>

**Tools:**

1. Top 7 Subdomain Scanner Tools - <https://securitytrails.com/blog/subdomain-scanner-find-subdomains>
2. Subdomain list for bruteforcing - <https://twitter.com/Alra3ees/status/1068079409117188096>
3. <https://phonexicum.github.io/infosec/osint.html#subdomain--ip--e-mail-harvesting--enumirate--etc-concrete-tools>
4. <https://twitter.com/plenumlab/status/1068442310147547136>
5. <https://github.com/JannisKirschner/Horn3t>
6. Domain status checker - <https://github.com/unstabl3/recce>
7. Lazyrecon - <https://github.com/plenumlab/lazyrecon>
8. Second-order - <https://github.com/mhmdiaa/second-order>
9. Findomain - <https://github.com/Edu4rdSHL/findomain>
10. CCrawlDNS - <https://github.com/lgandx/CCrawlDNS>
11. [Subdomainizer - https://github.com/nsonaniya2010/SubDomainizer](https://github.com/nsonaniya2010/SubDomainizer)
12. <https://github.com/Screetsec/Sudomy>
13. Asset Discovery - <https://github.com/chrismaddalena/ODIN>
14. Subdomain list for bruteforcing - <https://twitter.com/Alra3ees/status/1068079409117188096>
15. <https://twitter.com/_sawzeeyy/status/976171883212296192>
16. SubSanner - <https://github.com/cihanmehmet/sub.sh>
17. I got URLS - <https://github.com/xyele/igoturls>
18. CC.py - Extracting URLs of a specific target based on the results of "commoncrawl.org" - <https://github.com/si9int/cc.py>
19. <https://github.com/hecvs17/ccrawlen> - Commoncrawl
20. A new generation of tool for discovering subdomains( ip , cdn and so on) - <https://github.com/yanxiu0614/subdomain3>
21. <https://github.com/c0rvax/project-black> - PROJECT BLACK
22. <https://github.com/BitTheByte/Monitorizer/> - Monitoring
23. <https://github.com/ProjectAnte/dnsgen> - dnsgen
24. <https://github.com/sethsec/celerystalk> - all tools combined
25. getallURLS - <https://twitter.com/hacker_/status/1192127358787997701>
26. <https://github.com/hakluke/hakrawler> - hakrawler
27. Resolver - <https://github.com/haxormad/domainresolver>
28. BASSS - <https://github.com/Abss0x7tbh/bass>
29. Censys Subdomain Finder - <https://github.com/christophetd/censys-subdomain-finder>
30. Trademark to discover domains - <https://github.com/esecuritylab/kostebek>
31. Port Scanner - <https://gist.github.com/s0md3v/9234fc144f61acf5f2c447f605485eb5>
32. <https://github.com/zeropwn/spyse.py>
33. Tools Evaluation - <https://twitter.com/testermoving/status/1226947775033556992>
34. Subdomains Enumeration Cheat Sheet. - <https://twitter.com/Alra3ees/status/1225908724671401984>
35. Fetch known urls from AlienVault's Open Threat Exchange for given hosts - <https://github.com/lc/otxurls>
36. Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl. - <https://github.com/lc/gau>
37. Port Scanner - <https://github.com/projectdiscovery/naabu>
38. CTFR - Abusing Certificate Transparency logs for getting HTTPS websites subdomains. - <https://github.com/UnaPibaGeek/ctfr>
39. <https://github.com/rbsec/dnscan>
40. <https://github.com/s0md3v/Silver> - Masscan + nmap
41. <https://rapiddns.io> -- latest
42. suip.biz - no need to install tools
43. <https://github.com/internetwache/CT_subdomains> - hourly update of sub domains.
44. <https://github.com/shmilylty/OneForAll>
45. subscraper
46. Venkon.us - <https://www.venkon.us/subdomain-lister/>
47. Domainbigdata
48. <https://github.com/junnlikestea/vita>
49. <https://subdomainfinder.c99.nl/>
50. <https://github.com/hash3liZer/Subrake>
51. <https://github.com/allyomalley/LiveTargetsFinder>
52. Resolver - <https://github.com/Edu4rdSHL/rusolver>
53. <https://github.com/Fadavvi/Sub-Drill>
54. <https://github.com/jonluca/anubis>
55. <https://github.com/z3dc0ps/0x0p1n3r>
56. <https://rapiddns.io/subdomain/example.com?full=1>
57. <https://github.com/bing0o/SubEnum>
58. <https://github.com/storenth/lazyrecon>
59. Bruteforce - <https://github.com/bp0lr/dmut>
60. <https://github.com/Josue87/gotator>
61. <https://github.com/Cyber-Guy1/Subdomainer>

{% embed url="<https://twitter.com/Alra3ees/status/1175453684567826433>" %}

{% embed url="<https://twitter.com/sprp77/status/1229319801736220674>" %}

{% embed url="<https://twitter.com/soaj1664ashar/status/1066437407954870277>" %}

{% embed url="<https://twitter.com/Random_Robbie/status/1424768789447593985?s=20>" %}

**Twitter Thread / Bugbounty Tips:**

* <https://twitter.com/HusseiN98D/status/1158503813399142401> - vHost
* <https://twitter.com/reybango/status/1146862356879826944>
* Sub-Domain Enumeration One-liners:
  * [*https://twitter.com/CreedHackers/status/1067449832946745344*](https://twitter.com/CreedHackers/status/1067449832946745344)
  * [*https://twitter.com/janescott\_/status/1065995260554170369*](https://twitter.com/janescott_/status/1065995260554170369)
  * [*https://gist.github.com/yassineaboukir/f70a45dfc4fcac4a0aa0840b9eba4386*](https://gist.github.com/yassineaboukir/f70a45dfc4fcac4a0aa0840b9eba4386)
  * [*https://twitter.com/plenumlab/status/1068442310147547136*](https://twitter.com/plenumlab/status/1068442310147547136)
  * *Certspotter -*  [*https://certspotter.com/api/v0/certs?domain=hackerone.com*](https://certspotter.com/api/v0/certs?domain=hackerone.com)
  * CertSpotter Bash One Liner - `curl https://certspotter.com/api/v0/certs\?domain\=example.com | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*.//g' | uniq` - <https://intercept9.gitlab.io/osint,recon/2017/09/08/ttp-for-subdomain-enuemration.html>
  * *Oneliner Certspotter x Massdns subdomain enum -* [*https://twitter.com/plenumlab/status/1068442310147547136*](https://twitter.com/plenumlab/status/1068442310147547136)
  * *Threatcrowd -* [*https://threatcrowd.org/searchApi/v2/domain/report/?domain=hackerone.com*](https://threatcrowd.org/searchApi/v2/domain/report/?domain=hackerone.com)
  * Get List of Active Domains - <https://twitter.com/0xpatrik/status/1160669104304467978>
  * Need to pull subdomains from Rapid 7's Project Sonar - <https://twitter.com/nullenc0de/status/1095030391629598721>
  * OneLiner to get commoncrawl assets - <https://twitter.com/fasthm00/status/1145485593687625728>
  * Tips from Ben - <https://twitter.com/C1h2e11/status/1163806579474329600>
  * Quick Tip from Shubam Mittal - <https://twitter.com/upgoingstar/status/1163818517956710400>
  * <https://twitter.com/intigriti/status/1194595250049835010>
  * [TimeForA #BugBountyTip I use http://Zone-H.org to find defaced (sub) domains of the website I am testing. This reveals subdomains, potentially defaced /dir/ (if not index). I pursue testing using the data I got. #bugbounty #bugbountytips #pentest #infosec Get CREATIVE RT 👁️](https://twitter.com/HusseiN98D/status/1194645713851957248)
  * Thread from Somdev - <https://twitter.com/s0md3v/status/1202461998283251712>
  * [From your experience: what is the fastest and most accurate subdomain brute forcer? #bugbounty #bugbountytips #infosec #bugbounty #pentest - ](https://twitter.com/HusseiN98D/status/1193623919623884803)
  * <https://publicwww.com/websites/%22.yahoo.com%22/>
  * <https://securitytrails.com/list/apex_domain/tilkee.info>
  * <https://sonar.omnisint.io/>

{% embed url="<https://twitter.com/bhavukjain1/status/1288834983755276289>" %}

{% embed url="<https://twitter.com/Jhaddix/status/975089650552356864>" %}

{% embed url="<https://twitter.com/zer0pwn/status/1297897435751211009?s=20>" %}

Subdomain Bruteforce - [#ffuf](https://twitter.com/hashtag/ffuf?src=hashtag_click) [@ngkogkos](https://twitter.com/ngkogkos) [@joohoi](https://twitter.com/joohoi) [@Jhaddix](https://twitter.com/Jhaddix) Subdomain bruteforce with ffuf on 443 port. It works fine: `ffuf -u https://FUZZ.rootdomain.com -w jhaddixall.txt -v | grep "| URL | " | awk '{print $4}'`

* Get your target's IP ranges using your target's domain (asn+cidr extract): `a=$(curl -H 'Accept: application/json' http://api.iptoasn.com/v1/as/ip/$(dig +short $domain | head -1) | jq .as_number); echo '!gas'$a'' | nc whois.radb.net 43 | tr " " "\n" | sed -e '1d' -e '$d'` - <https://twitter.com/absshax/status/1176193027154382848?s=20>

Horizontal domain correlation:

* [https://viewdns.info/reversewhois/](https://t.co/lZaXVJ43ul?amp=1) - Free
* [https://domaineye.com/reverse-whois](https://t.co/JwWvl2RKHB?amp=1) - Free
* [https://reversewhois.io](https://t.co/jS4EIQ9fol?amp=1) - Free
* [https://whoxy.com](https://t.co/MYlMokDfMg?amp=1) - Free web, not free API.
* [http://reversewhois.domaintools.com](https://t.co/wSM7XaWIrb?amp=1) - Not free
* [https://drs.whoisxmlapi.com/reverse-whois-search…](https://t.co/ZtsHI270rf?amp=1) - Not Free
* [https://domainiq.com](https://t.co/j3aulYZsAe?amp=1) - Not Free

<https://twitter.com/GochaOqradze/status/1224345381519024128>

Vhost writeup - <https://medium.com/@meraid.kr/how-i-solved-hackerone-h1-212-ctf-e6d7171a55e6>

