Subdomain Hunting

Google fu

site:tesla.com -www #Exclude www from result
site:tesla.com filetype:pdf

dnsrecon

dnsrecon -a -d tesla.com

sublist3r

sublist3r -d tesla.com -t 100

crt.sh

certificate finger printing

amass

(gather intel)
amass intel -d example.com 

(get subdomains)
amass -d example.com -include subdomains 

(specify ip ranges)
amass -d example.com -addr <IP>/<CIDR> 

(scan ASNs)
amass intel -asn <ASN>

(scan domain that response to DNS querires)
amass intel -asn <ASN> -include subdomains -active -o output.txt 

(limit the number of DNS queries)
amass intel -asn <ASN> -max-dns-queries 1000 -o output.txt 

(save result)
-o output.txt 

(To just list subdomains)
amass enum -d tesla.com | grep tesla.com

httprobe

terminal check if website is alive

cat /tmp/domains.txt | httprobe #Test all domains inside the file for port 80 and 443
cat /tmp/domains.txt | httprobe -p http:8080 -p https:8443 #Check port 80, 443 and 8080 and 8443

bbot

# subdomains

bbot -t tesla.com -f subdomain-enum

# subdomains (passive only)

bbot -t tesla.com -f subdomain-enum -rf passive

# subdomains + port scan + web screenshots

bbot -t tesla.com -f subdomain-enum -m naabu gowitness -n my_scan -o .

subfinder

./subfinder-linux-amd64 -d tesla.com [-silent]

findomain

./findomain-linux -t tesla.com [--quiet]

OneForAll

python3 oneforall.py --target tesla.com [--dns False] [--req False] [--brute False] run

assetfinder

assetfinder --subs-only <domain>

vita

vita -d tesla.com

theHarvester

theHarvester -d tesla.com -b "anubis, baidu, bing, binaryedge, bingapi, bufferoverun, censys, certspotter, crtsh, dnsdumpster, duckduckgo, fullhunt, github-code, google, hackertarget, hunter, intelx, linkedin, linkedin_links, n45ht, omnisint, otx, pentesttools, projectdiscovery, qwant, rapiddns, rocketreach, securityTrails, spyse, sublist3r, threatcrowd, threatminer, trello, twitter, urlscan, virustotal, yahoo, zoomeye"

gau :

fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl for any given domain.

gau --subs tesla.com | cut -d "/" -f 3 | sort -u

rapiddns + crt.sh

nano d00main.sh
chmod +x d00main.sh

#!/bin/bash
rapiddns() {
  curl -s "https://rapiddns.io/subdomain/$1?full=1" \
    | grep -oE "[\.a-zA-Z0-9-]+\.$1" \
    | sort -u
}

crt() {
  curl -s "https://crt.sh/?q=%25.$1" \
    | grep -oE "[\.a-zA-Z0-9-]+\.$1" \
    | sort -u
}

# Check for the argument and call both functions
if [ $# -eq 1 ]; then
  echo "Subdomains from RapidDNS:"
  rapiddns "$1"
  echo "Subdomains from CRT.sh:"
  crt "$1"
else
  echo "Usage: $0 <domain>"
fi

PreviousCredentials Harvesting NextJavascript Hunting

Last updated 1 year ago

Was this helpful?

(gather intel) amass intel -d example.com (get subdomains) amass -d example.com -include subdomains (specify ip ranges) amass -d example.com -addr <IP>/<CIDR> (scan ASNs) amass intel -asn <ASN> (scan domain that response to DNS querires) amass intel -asn <ASN> -include subdomains -active -o output.txt (limit the number of DNS queries) amass intel -asn <ASN> -max-dns-queries 1000 -o output.txt (save result) -o output.txt (To just list subdomains) amass enum -d tesla.com | grep tesla.com

terminal check if website is alive cat /tmp/domains.txt | httprobe #Test all domains inside the file for port 80 and 443 cat /tmp/domains.txt | httprobe -p http:8080 -p https:8443 #Check port 80, 443 and 8080 and 8443

# subdomains bbot -t tesla.com -f subdomain-enum # subdomains (passive only) bbot -t tesla.com -f subdomain-enum -rf passive # subdomains + port scan + web screenshots bbot -t tesla.com -f subdomain-enum -m naabu gowitness -n my_scan -o .

theHarvester -d tesla.com -b "anubis, baidu, bing, binaryedge, bingapi, bufferoverun, censys, certspotter, crtsh, dnsdumpster, duckduckgo, fullhunt, github-code, google, hackertarget, hunter, intelx, linkedin, linkedin_links, n45ht, omnisint, otx, pentesttools, projectdiscovery, qwant, rapiddns, rocketreach, securityTrails, spyse, sublist3r, threatcrowd, threatminer, trello, twitter, urlscan, virustotal, yahoo, zoomeye"

#!/bin/bash rapiddns() { curl -s "https://rapiddns.io/subdomain/$1?full=1" \ | grep -oE "[\.a-zA-Z0-9-]+\.$1" \ | sort -u } crt() { curl -s "https://crt.sh/?q=%25.$1" \ | grep -oE "[\.a-zA-Z0-9-]+\.$1" \ | sort -u } # Check for the argument and call both functions if [ $# -eq 1 ]; then echo "Subdomains from RapidDNS:" rapiddns "$1" echo "Subdomains from CRT.sh:" crt "$1" else echo "Usage: $0 <domain>" fi