Subdomain Hunting

Google fu

site:tesla.com -www #Exclude www from result
site:tesla.com filetype:pdf

dnsrecon

dnsrecon -a -d tesla.com

sublist3r

sublist3r -d tesla.com -t 100

crt.sh

search certificate transparency logs for hostnames that appeared in issued certificates (query %.tesla.com to match any subdomain)

amass

(gather intel)
amass intel -d example.com 

(get subdomains)
amass -d example.com -include subdomains 

(specify ip ranges)
amass -d example.com -addr <IP>/<CIDR> 

(scan ASNs)
amass intel -asn <ASN>

(only keep names that respond to DNS queries)
amass intel -asn <ASN> -include subdomains -active -o output.txt 

(limit the number of DNS queries)
amass intel -asn <ASN> -max-dns-queries 1000 -o output.txt 

(save result)
-o output.txt 

(To just list subdomains)
amass enum -d tesla.com | grep tesla.com 

httprobe

check from the terminal which hosts have a live web server

cat /tmp/domains.txt | httprobe #Test all domains inside the file for port 80 and 443
cat /tmp/domains.txt | httprobe -p http:8080 -p https:8443 #Check port 80, 443 and 8080 and 8443

bbot

# subdomains

bbot -t tesla.com -f subdomain-enum

# subdomains (passive only)

bbot -t tesla.com -f subdomain-enum -rf passive

# subdomains + port scan + web screenshots

bbot -t tesla.com -f subdomain-enum -m naabu gowitness -n my_scan -o .

subfinder

./subfinder-linux-amd64 -d tesla.com [-silent]

findomain

./findomain-linux -t tesla.com [--quiet]

OneForAll

python3 oneforall.py --target tesla.com [--dns False] [--req False] [--brute False] run

assetfinder

assetfinder --subs-only <domain>

vita

vita -d tesla.com

theHarvester

theHarvester -d tesla.com -b "anubis, baidu, bing, binaryedge, bingapi, bufferoverun, censys, certspotter, crtsh, dnsdumpster, duckduckgo, fullhunt, github-code, google, hackertarget, hunter, intelx, linkedin, linkedin_links, n45ht, omnisint, otx, pentesttools, projectdiscovery, qwant, rapiddns, rocketreach, securityTrails, spyse, sublist3r, threatcrowd, threatminer, trello, twitter, urlscan, virustotal, yahoo, zoomeye"

gau

fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl for any given domain.

gau --subs tesla.com | cut -d "/" -f 3 | sort -u

rapiddns + crt.sh

Create the script and make it executable:

nano d00main.sh
chmod +x d00main.sh

#!/bin/bash
# Pull subdomains of $1 from two passive sources and print each list deduplicated.
# The grep pattern uses $1 unescaped, so the dots in the domain act as wildcards;
# it is a quick filter, not a strict scope check.

rapiddns() {
  curl -s "https://rapiddns.io/subdomain/$1?full=1" \
    | grep -oE "[\.a-zA-Z0-9-]+\.$1" \
    | sort -u
}

crt() {
  # %25 is a URL-encoded '%', so crt.sh is queried for %.<domain>
  curl -s "https://crt.sh/?q=%25.$1" \
    | grep -oE "[\.a-zA-Z0-9-]+\.$1" \
    | sort -u
}

# Check for the argument and call both functions
if [ $# -eq 1 ]; then
  echo "Subdomains from RapidDNS:"
  rapiddns "$1"
  echo "Subdomains from CRT.sh:"
  crt "$1"
else
  echo "Usage: $0 <domain>"
fi
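The grep pipeline above clips anything that merely contains the target domain, so a name such as www.example.com.evil.net comes back as www.example.com and pollutes the asset list. The following Python script is an added example, not part of the original page: it parses crt.sh's JSON output (crt.sh accepts output=json on the same query URL) and the text of a rapiddns-style page, normalises each name (lowercase, trailing dot, wildcard prefix), and keeps only hostnames that are exactly the domain or end in "." plus the domain. The JSON and HTML inputs are constructed samples embedded inline so the script runs offline; the function names are this example's own.

```python
"""Normalise passive subdomain sources into a deduplicated, in-scope host list."""
import json
import re

# Constructed sample shaped like https://crt.sh/?q=%25.example.com&output=json
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.dev.example.com", "name_value": "*.dev.example.com\napi.dev.example.com"},
    {"common_name": "MAIL.Example.com.", "name_value": "MAIL.Example.com."},
    {"common_name": "www.example.com.evil.net", "name_value": "www.example.com.evil.net"},
    {"common_name": "notexample.com", "name_value": "notexample.com"},
])

# Constructed sample shaped like a rapiddns result table
SAMPLE_RAPIDDNS_HTML = (
    "<tr><td>www.example.com</td><td>93.184.216.34</td></tr>"
    "<tr><td>www.example.com.evil.net</td><td>203.0.113.9</td></tr>"
    "<tr><td>mail.example.com.</td><td>198.51.100.7</td></tr>"
)

# Syntactic hostname check applied after lowercasing (labels 1-63 chars, no leading/trailing '-')
HOSTNAME_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]+$")
# Candidate tokens in free text: whole runs of hostname characters, never clipped mid-name
CANDIDATE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")


def in_scope(host: str, domain: str) -> bool:
    """True only for the apex itself or a name that ends in '.' + domain."""
    return host == domain or host.endswith("." + domain)


def normalise(name: str) -> tuple[str, bool]:
    """Return (hostname, was_wildcard) after lowercasing and stripping a trailing dot."""
    name = name.strip().lower().rstrip(".")
    wildcard = name.startswith("*.")
    if wildcard:
        name = name[2:]
    return name, wildcard


def collect(names, domain: str) -> tuple[list[str], list[str]]:
    """Deduplicate names, keep in-scope valid hostnames, report wildcard entries separately."""
    hosts, wildcards = set(), set()
    for raw in names:
        host, wildcard = normalise(raw)
        if not HOSTNAME_RE.match(host) or not in_scope(host, domain):
            continue
        hosts.add(host)
        if wildcard:
            wildcards.add("*." + host)
    return sorted(hosts), sorted(wildcards)


def parse_crtsh(raw_json: str, domain: str) -> tuple[list[str], list[str]]:
    """crt.sh packs every SAN of a certificate into name_value, one per line."""
    names = []
    for entry in json.loads(raw_json):
        names.extend(entry.get("name_value", "").splitlines())
    return collect(names, domain)


def parse_text(text: str, domain: str) -> tuple[list[str], list[str]]:
    """Extract hostnames from HTML or plain text without clipping look-alike names."""
    return collect(CANDIDATE_RE.findall(text), domain)


if __name__ == "__main__":
    hosts, wildcards = parse_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    print("crt.sh hosts:", hosts)
    print("crt.sh wildcard certs:", wildcards)
    print("rapiddns hosts:", parse_text(SAMPLE_RAPIDDNS_HTML, "example.com")[0])
```

Wildcard certificates are reported on their own because "*.dev.example.com" tells you a parent exists without naming any real host; in the merged list only the stripped parent (dev.example.com) is kept as a lead to brute force or resolve later. Both parsers feed the same collect() function, so swapping in another passive source only means supplying its raw names.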

Last updated 1 year ago
