# Subdomain Hunting

#### Google fu

```
site:tesla.com -www #Exclude www from result
site:tesla.com filetype:pdf
```

#### dnsrecon

```
dnsrecon -a -d tesla.com
```

#### sublist3r

```bash
sublist3r -d tesla.com -t 100
```

#### crt.sh

```
https://crt.sh/?q=%25.tesla.com   # search Certificate Transparency logs for every cert issued to *.tesla.com and collect the hostnames
```
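Added example (not code from the playbook): a small Python script that reads crt.sh's JSON output (the same `%25.<domain>` query with `&output=json`) instead of grepping HTML, splits multi-name `name_value` entries, strips `*.` wildcards and keeps only names that end in the target domain at a label boundary. The sample records are constructed; the script uses them when run without an argument.

```python
"""Turn crt.sh JSON output into a clean subdomain list (added example)."""
import json
import sys
import urllib.request

# Same %25.<domain> query as the playbook, plus output=json for machine-readable results.
CRTSH_URL = "https://crt.sh/?q=%25.{domain}&output=json"

# Constructed sample of crt.sh records; only the name_value field matters here.
SAMPLE_RECORDS = [
    {"name_value": "www.tesla.com\n*.tesla.com"},    # several SAN names per cert
    {"name_value": "MAIL.tesla.com"},                # mixed case
    {"name_value": "*.dev.tesla.com"},               # wildcard still names a parent host
    {"name_value": "api.tesla.com\nwww.tesla.com"},  # duplicates across certs
    {"name_value": "tesla.com"},                     # apex, not a subdomain
    {"name_value": "nottesla.com"},                  # substring look-alike, must be dropped
    {"name_value": "tesla.com.evil.example"},        # wrong suffix, must be dropped
]


def extract_subdomains(records, domain):
    """Return sorted unique subdomains of `domain` found in crt.sh records."""
    suffix = "." + domain.lower().rstrip(".")
    found = set()
    for rec in records:
        # name_value can carry several SAN names separated by newlines.
        for name in rec.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]          # keep the parent of a wildcard entry
            # endswith(".domain") enforces a label boundary, unlike a plain substring match.
            if name.endswith(suffix):
                found.add(name)
    return sorted(found)


def fetch_crtsh(domain, timeout=30):
    """Query crt.sh live for %.domain and parse the JSON body (network required)."""
    req = urllib.request.Request(CRTSH_URL.format(domain=domain),
                                 headers={"User-Agent": "crtsh-subdomains/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return extract_subdomains(json.load(resp), domain)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    names = fetch_crtsh(target) if target else extract_subdomains(SAMPLE_RECORDS, "tesla.com")
    print("\n".join(names))
```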

#### amass

```bash
# gather intel
amass intel -d example.com

# get subdomains
amass -d example.com -include subdomains

# specify IP ranges
amass -d example.com -addr <IP>/<CIDR>

# scan ASNs
amass intel -asn <ASN>

# only keep domains that respond to DNS queries
amass intel -asn <ASN> -include subdomains -active -o output.txt

# limit the number of DNS queries
amass intel -asn <ASN> -max-dns-queries 1000 -o output.txt

# save the results to a file (append to any of the commands above)
-o output.txt

# just list the subdomains
amass enum -d tesla.com | grep tesla.com
```

#### httprobe

```bash
# check from the terminal whether the discovered hosts are alive

cat /tmp/domains.txt | httprobe                              # probe every domain in the file on ports 80 and 443
cat /tmp/domains.txt | httprobe -p http:8080 -p https:8443   # also probe http on 8080 and https on 8443, in addition to 80 and 443
```

#### bbot

```bash
# subdomains
bbot -t tesla.com -f subdomain-enum

# subdomains (passive only)
bbot -t tesla.com -f subdomain-enum -rf passive

# subdomains + port scan + web screenshots
bbot -t tesla.com -f subdomain-enum -m naabu gowitness -n my_scan -o .
```

#### subfinder

```
./subfinder-linux-amd64 -d tesla.com [-silent]
```

#### findomain

```
./findomain-linux -t tesla.com [--quiet]
```

#### OneForAll

```
python3 oneforall.py --target tesla.com [--dns False] [--req False] [--brute False] run
```

#### assetfinder

```
assetfinder --subs-only <domain>
```

#### vita

```
vita -d tesla.com
```

#### theHarvester

```
theHarvester -d tesla.com -b "anubis, baidu, bing, binaryedge, bingapi, bufferoverun, censys, certspotter, crtsh, dnsdumpster, duckduckgo, fullhunt, github-code, google, hackertarget, hunter, intelx, linkedin, linkedin_links, n45ht, omnisint, otx, pentesttools, projectdiscovery, qwant, rapiddns, rocketreach, securityTrails, spyse, sublist3r, threatcrowd, threatminer, trello, twitter, urlscan, virustotal, yahoo, zoomeye"
```

#### gau

gau fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl for any given domain.

```
gau --subs tesla.com | cut -d "/" -f 3 | sort -u
```

#### rapiddns + crt.sh

```bash
nano d00main.sh
chmod +x d00main.sh
```

```bash
#!/bin/bash
# d00main.sh: collect subdomains of <domain> from RapidDNS and crt.sh

rapiddns() {
  # Escape the dots in the domain so they match literally in the grep pattern
  local re="${1//./\\.}"
  curl -s "https://rapiddns.io/subdomain/$1?full=1" \
    | grep -oE "[a-zA-Z0-9.-]+\.$re" \
    | sort -u
}

crt() {
  # %25 is a URL-encoded "%", i.e. the SQL wildcard: every cert issued to *.<domain>
  local re="${1//./\\.}"
  curl -s "https://crt.sh/?q=%25.$1" \
    | grep -oE "[a-zA-Z0-9.-]+\.$re" \
    | sort -u
}

# Check for the argument and call both functions
if [ $# -eq 1 ]; then
  echo "Subdomains from RapidDNS:"
  rapiddns "$1"
  echo "Subdomains from CRT.sh:"
  crt "$1"
else
  echo "Usage: $0 <domain>"
  exit 1
fi
```
