Bug Hunter Handbook
  • Introduction
  • Getting Started in InfoSec and Bug Bounties.
  • Presentations
  • Checklists / Guides
  • Useful Twitter Threads
  • List of Vulnerabilities
    • Recon and OSINT
      • Recon
      • Sensitive information using Github
      • Subdomain Enumeration
        • Resolvers
      • Javascript Enumeration
      • After Recon
      • Finding Information Using Public Resources
      • OSINT
      • Cloud
      • Wayback
      • Parameter / Content Discovery
      • Broken Link Highjacking
    • Host Header
    • Injection
      • Other Injection
    • DNS Rebinding
    • Cross Site Scripting (XSS)
      • Weaponizing XSS
      • WAF Bypass
    • Cross Origin Resource Sharing (CORS)
    • Local / Remote File Inclusion (LFI / RFI)
    • Server Side Request Forgery (SSRF)
    • Remote Code Execution (RCE)
    • XML Entity Injecton (XXE)
    • Price Manipulation
    • Directory / Path Traversal
    • Cross Site Request Forgery (CSRF)
      • JSON CSRF
    • Password Reset
    • Login Page Issues
    • Deserialization Attacks
    • File Upload
    • Account Takeover
    • Insecure Direct Object References (IDOR)
    • Open Redirect
    • Business Logic Flaws
    • Rate Limit Bypass / 2FA / OTP Bypass
    • Ruby on Rails
      • Mass Assginment
    • S3 Bucket
    • Race Condition
    • CRLF
    • SSTI
    • Prototype Pollution
  • Approach
  • API Security
  • Mobile Security
  • Fuzzing / Wordlists
  • BugBounty Short Write-ups
  • Burp Suite Tips and Tricks
  • HackerOne Reports
  • Response Manipulation
  • Client Vs Server Side Vulnerabilities
  • DevSecOps
  • Containers
    • Docker
    • Kubernetes
    • Containers
  • AWS
  • Azure
  • Others
    • Code Review
    • Web Sockets
    • Web Cache
    • HTTP Desync Attacks
    • Zone Transfer
    • CSP Bypass
    • Payment Bypasses
    • Http Parameter Pollution
    • Postmessage
    • Others
    • GraphQL
    • Unix / Linux
    • Email Related
    • Dependency confusion
    • Nginx Misconfigs
    • JIRA
    • OAUTH
  • Chaining of Bugs
  • Bug Bounty Automation
  • Mindmaps
  • Oneliner Collections
  • Red Teaming
  • Blue Teamining
  • Recon One Liners
  • Misc
  • Wordpress
  • Fuzzing / FuFF
  • OWASP ZAP
  • Bug List
  • Setting up burp collaborator
  • Admin Panel PwN
  • Credential Stuffing / Dump / HaveibeenPwned?
  • Tools Required
  • Nuclei Template
  • Other BugBounty Repos / Tips
  • Interview
  • Threat Modelling
  • AppSec
Powered by GitBook
On this page

Was this helpful?

  1. List of Vulnerabilities
  2. Recon and OSINT

Subdomain Enumeration

Blog Posts / References / Presentations / Videos:

  1. Subdomain Enumeration Cheatsheet - https://pentester.land/cheatsheets/2018/11/14/subdomains-enumeration-cheatsheet.html.

  2. Practical recon techniques for bug hunters & pen testers - https://blog.appsecco.com/practical-recon-techniques-for-bug-hunters-pen-testers-at-levelup-0x02-b72c15641972

  3. The Art of Subdomain Enumeration - https://github.com/appsecco/the-art-of-subdomain-enumeration.

  4. Esoteric sub-domain enumeration techniques - https://github.com/appsecco/bugcrowd-levelup-subdomain-enumeration

  5. Subdomain Enumeration: 2019 Workflow - https://0xpatrik.com/subdomain-enume ration-2019/

  6. Awesome Asset Discovery - https://github.com/redhuntlabs/Awesome-Asset-Discovery#domain--subdomain-discovery

  7. A More Advanced Recon Automation #1 (Subdomains) - https://poc-server.com/blog/2019/01/18/advancedrecon-subdomains/

  8. Automating the Recon Process-https://null.co.in/event_sessions/2618-automating-the-recon-process - Video

  9. OSINT for Proactive Defense - RootConf 2019 - https://www.slideshare.net/redhuntlabs/osint-for-proactive-defense-rootconf-2019?next_slideshow=1

  10. Empowering red and blue teams with osint c0c0n 2017 - https://www.slideshare.net/reconvillage/empowering-red-and-blue-teams-with-osint-c0c0n-2017

  11. Video - OSINT for Proactive Defense - Shubam Mittal - https://www.youtube.com/watch?time_continue=1301&v=0s2nmOZKQY8

  12. Gathering domains/subdomains with IPRanges of organization - https://medium.com/@arbazhussain/gathering-domains-subdomains-with-ipranges-of-organization-49362d8a1271

  13. Compherensive Guide - https://echocipher.github.io/2019/07/24/Subdomain-Recon/

  14. Converter.sh, a bash script to convert domain lists to resolved IP lists without duplicates - https://gist.github.com/xdavidhu/07457247b9087dea4ddaf52858500cce

Tools:

  1. Top 7 Subdomain Scanner Tools - https://securitytrails.com/blog/subdomain-scanner-find-subdomains

  2. Subdomain list for bruteforcing - https://twitter.com/Alra3ees/status/1068079409117188096

  3. https://phonexicum.github.io/infosec/osint.html#subdomain--ip--e-mail-harvesting--enumirate--etc-concrete-tools

  4. https://twitter.com/plenumlab/status/1068442310147547136

  5. https://github.com/JannisKirschner/Horn3t

  6. Domain status checker - https://github.com/unstabl3/recce

  7. Lazyrecon - https://github.com/plenumlab/lazyrecon

  8. Second-order - https://github.com/mhmdiaa/second-order

  9. FindDomain - https://github.com/Edu4rdSHL/findomain

  10. CCrawlDNS - https://github.com/lgandx/CCrawlDNS

  11. Subdomainizer - https://github.com/nsonaniya2010/SubDomainizer

  12. https://github.com/Screetsec/Sudomy

  13. Assest Discovery - https://github.com/chrismaddalena/ODIN

  14. Subdomain list for bruteforcing - https://twitter.com/Alra3ees/status/1068079409117188096

  15. https://twitter.com/_sawzeeyy/status/976171883212296192

  16. SubSanner - https://github.com/cihanmehmet/sub.sh

  17. I got URLS - https://github.com/xyele/igoturls

  18. CC.py - Extracting URLs of a specific target based on the results of "commoncrawl.org" - https://github.com/si9int/cc.py

  19. https://github.com/hecvs17/ccrawlen - Commoncrawl

  20. A new generation of tool for discovering subdomains( ip , cdn and so on) - https://github.com/yanxiu0614/subdomain3

  21. https://github.com/c0rvax/project-black - PROJECT BLACK

  22. https://github.com/BitTheByte/Monitorizer/ - Monitoring

  23. https://github.com/ProjectAnte/dnsgen - dnsgen

  24. https://github.com/sethsec/celerystalk - all tools combined

  25. getallURLS - https://twitter.com/hacker_/status/1192127358787997701

  26. https://github.com/hakluke/hakrawler - hakrawler

  27. Resolver - https://github.com/haxormad/domainresolver

  28. BASSS - https://github.com/Abss0x7tbh/bass

  29. Censys Subdomain Finder - https://github.com/christophetd/censys-subdomain-finder

  30. Trademark to discover doamins - https://github.com/esecuritylab/kostebek

  31. Port Scanner - https://gist.github.com/s0md3v/9234fc144f61acf5f2c447f605485eb5

  32. https://github.com/zeropwn/spyse.py

  33. Tools Evaluation - https://twitter.com/testermoving/status/1226947775033556992

  34. Subdomains Enumeration Cheat Sheet. - https://twitter.com/Alra3ees/status/1225908724671401984

  35. Fetch known urls from AlienVault's Open Threat Exchange for given hosts - https://github.com/lc/otxurls

  36. Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl. - https://github.com/lc/gau

  37. Port Scanner - https://github.com/projectdiscovery/naabu

  38. CTFR - Abusing Certificate Transparency logs for getting HTTPS websites subdomains. -https://github.com/UnaPibaGeek/ctfr

  39. https://github.com/rbsec/dnscan

  40. https://github.com/s0md3v/Silver - Masscan + nmap

  41. https://rapiddns.io -- latest

  42. suip.biz - no need to install tools

  43. https://github.com/internetwache/CT_subdomains - hourly update of sub domains.

  44. https://github.com/shmilylty/OneForAll

  45. subscraper

  46. Venkon.us - https://www.venkon.us/subdomain-lister/

  47. Domainbigdata

  48. https://github.com/junnlikestea/vita

  49. https://subdomainfinder.c99.nl/

  50. https://github.com/hash3liZer/Subrake

  51. https://github.com/allyomalley/LiveTargetsFinder

  52. Resolver - https://github.com/Edu4rdSHL/rusolver

  53. https://github.com/Fadavvi/Sub-Drill

  54. https://github.com/jonluca/anubis

  55. https://github.com/z3dc0ps/0x0p1n3r

  56. https://rapiddns.io/subdomain/example.com?full=1

  57. https://github.com/bing0o/SubEnum

  58. https://github.com/storenth/lazyrecon

  59. Bruteforce - https://github.com/bp0lr/dmut

  60. https://github.com/Josue87/gotator

  61. https://github.com/Cyber-Guy1/Subdomainer

Twitter Thread / Bugbounty Tips:

  • https://twitter.com/HusseiN98D/status/1158503813399142401 - vHost

  • https://twitter.com/reybango/status/1146862356879826944

  • Sub-Domain Enumeration Oneliner's:

    • https://twitter.com/CreedHackers/status/1067449832946745344

    • https://twitter.com/janescott_/status/1065995260554170369

    • https://gist.github.com/yassineaboukir/f70a45dfc4fcac4a0aa0840b9eba4386

    • https://twitter.com/plenumlab/status/1068442310147547136

    • Certsspotter - https://certspotter.com/api/v0/certs?domain=hackerone.com

    • CertSpotter Bash One Liner - curl https://certspotter.com/api/v0/certs\?domain\=example.com | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/*.//g' | uniq

    • Oneliner Certspotter x Massdns subdomain enum - https://twitter.com/plenumlab/status/1068442310147547136

    • Threatcrowd - https://threatcrowd.org/searchApi/v2/domain/report/?domain=hackerone.com

    • Get List of Active Domains - https://twitter.com/0xpatrik/status/1160669104304467978

    • Need to pull subdomains from Rapid 7's Project Sonar - https://twitter.com/nullenc0de/status/1095030391629598721

    • OneLiner to get commoncrawl assets -https://twitter.com/fasthm00/status/1145485593687625728

    • Tips from Ben - https://twitter.com/C1h2e11/status/1163806579474329600

    • Quick Tip from Shubam Mittal - https://twitter.com/upgoingstar/status/1163818517956710400

    • https://twitter.com/intigriti/status/1194595250049835010

    • Thread from Somdev - https://twitter.com/s0md3v/status/1202461998283251712

    • From your experience: what is the fastest and most accurate subdomain brute forcer? #bugbounty #bugbountytips #infosec #bugbounty #pentest -

    • https://publicwww.com/websites/%22.yahoo.com%22/

    • https://securitytrails.com/list/apex_domain/tilkee.info

    • https://sonar.omnisint.io/

Subdomain Bruteforce - #ffuf@ngkogkos@joohoi@Jhaddix Subdomain bruteforce with ffuf on 443 port. It works fine ffuf -u https://FUZZ.rootdomain.com -w jhaddixall.txt -v | grep "| URL | " | awk '{print $4}'34578

  • Get your targets IP ranges using your targets domain (asn+cidr extract): a=$(curl -H'Accept: application/json' http://api.iptoasn.com/v1/as/ip/$(dig +short $domain | head -1)| jq .as_number);echo '!gas'$a''| nc http://whois.radb.net 43 | tr " " "\n" | sed -e '1d' -e '$d'

Horizontal domain correlation https://viewdns.info/reversewhois/ - Free https://domaineye.com/reverse-whois - Free https://reversewhois.io - Free https://whoxy.com - Free web, not free API. http://reversewhois.domaintools.com - Not free https://drs.whoisxmlapi.com/reverse-whois-search… - Not Free https://domainiq.com - Not Free

Vhost writeup - https://medium.com/@meraid.kr/how-i-solved-hackerone-h1-212-ctf-e6d7171a55e6

PreviousSensitive information using GithubNextResolvers

Last updated 3 years ago

Was this helpful?

TimeForA #BugBountyTip I use http://Zone-H.org to find defaced (sub) domains of the website I am testing. This reveals subdomains, potentially defaced /dir/ (if not index). I pursue testing using the data I got. #bugbounty #bugbountytips #pentest #infosec Get CREATIVE RT

👁️