Subdomain Hunting
Google fu
site:tesla.com -www #Exclude www from result
site:tesla.com filetype:pdf
dnsrecon
dnsrecon -a -d tesla.com
sublist3r
sublist3r -d tesla.com -t 100
crt.sh
Certificate Transparency log search: lists hostnames seen in issued certificates (passive — no traffic to the target)
amass
(gather intel)
amass intel -d example.com
(get subdomains)
amass -d example.com -include subdomains
(specify ip ranges)
amass -d example.com -addr <IP>/<CIDR>
(scan ASNs)
amass intel -asn <ASN>
(keep only names that respond to DNS queries — note that -active sends traffic to the target)
amass intel -asn <ASN> -include subdomains -active -o output.txt
(limit the number of DNS queries)
amass intel -asn <ASN> -max-dns-queries 1000 -o output.txt
(save result)
-o output.txt
(To just list subdomains)
amass enum -d tesla.com | grep tesla.com
httprobe
check from the terminal which hosts answer on HTTP/HTTPS (this sends requests to the target)
cat /tmp/domains.txt | httprobe #Test all domains inside the file for port 80 and 443
cat /tmp/domains.txt | httprobe -p http:8080 -p https:8443 #Check port 80, 443 and 8080 and 8443
bbot
# subdomains
bbot -t tesla.com -f subdomain-enum
# subdomains (passive-only modules, i.e. third-party sources without touching the target directly)
bbot -t tesla.com -f subdomain-enum -rf passive
# subdomains + port scan + web screenshots
bbot -t tesla.com -f subdomain-enum -m naabu gowitness -n my_scan -o .
subfinder
./subfinder-linux-amd64 -d tesla.com [-silent]
findomain
./findomain-linux -t tesla.com [--quiet]
OneForAll
python3 oneforall.py --target tesla.com [--dns False] [--req False] [--brute False] run
assetfinder
assetfinder --subs-only <domain>
vita
vita -d tesla.com
theHarvester
theHarvester -d tesla.com -b "anubis, baidu, bing, binaryedge, bingapi, bufferoverun, censys, certspotter, crtsh, dnsdumpster, duckduckgo, fullhunt, github-code, google, hackertarget, hunter, intelx, linkedin, linkedin_links, n45ht, omnisint, otx, pentesttools, projectdiscovery, qwant, rapiddns, rocketreach, securityTrails, spyse, sublist3r, threatcrowd, threatminer, trello, twitter, urlscan, virustotal, yahoo, zoomeye"
gau :
fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl for any given domain.
gau --subs tesla.com | cut -d "/" -f 3 | sort -u   # field 3 of scheme://host[:port]/path is the host; a port, if present, stays attached
rapiddns + crt.sh
nano d00main.sh
chmod +x d00main.sh
#!/bin/bash
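rapiddns() {
  # Look up hostnames under "$1" on rapiddns.io and print them one per line.
  # Arguments: $1 - apex domain (e.g. example.com)
  # Outputs:   sorted, de-duplicated FQDNs ending in ".$1" on stdout
  # Returns:   status of the last pipeline stage (sort)
  local domain=$1
  local escaped pattern
  # Escape the dots so the domain is matched literally: with a bare "$1" in
  # the ERE, "." matched any character (tesla.com also matched teslaXcom).
  escaped=${domain//./\\.}
  pattern="[A-Za-z0-9.-]+\\.${escaped}"
  # -f keeps HTTP error pages out of the grep stage; -sS still reports
  # transport failures on stderr.
  curl -fsS "https://rapiddns.io/subdomain/${domain}?full=1" \
    | grep -oE -- "$pattern" \
    | sort -u
}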
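crt() {
  # Search the crt.sh Certificate Transparency index for names under "$1".
  # Arguments: $1 - apex domain (e.g. example.com)
  # Outputs:   sorted, de-duplicated FQDNs ending in ".$1" on stdout
  #            (wildcard entries such as *.example.com are not matched)
  # Returns:   status of the last pipeline stage (sort)
  local domain=$1
  local escaped pattern
  # "%25." is a URL-encoded "%." — crt.sh's wildcard prefix for "any label
  # under this domain". Dots in the domain are escaped for the ERE so the
  # match is literal rather than "any character".
  escaped=${domain//./\\.}
  pattern="[A-Za-z0-9.-]+\\.${escaped}"
  curl -fsS "https://crt.sh/?q=%25.${domain}" \
    | grep -oE -- "$pattern" \
    | sort -u
}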
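# Entry point: require exactly one argument, sanity-check it, then query both
# sources. The argument is spliced into URLs and grep patterns by the helper
# functions, so reject anything that is not a plain hostname before using it.
if [ $# -ne 1 ]; then
  printf 'Usage: %s <domain>\n' "$0" >&2
  exit 2
fi
case "$1" in
  ""|*[!A-Za-z0-9.-]*)
    printf 'Error: "%s" is not a plain domain name\n' "$1" >&2
    exit 2
    ;;
esac
echo "Subdomains from RapidDNS:"
rapiddns "$1"
echo "Subdomains from CRT.sh:"
crt "$1"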