Quick Commands
```bash
# Subfinder
subfinder -d target.com -o subs.txt
# Amass (passive)
amass enum -passive -d target.com -o subs.txt
# Assetfinder
assetfinder --subs-only target.com | tee subs.txt
```
Combined Approach
```bash
# Maximum coverage: anew appends only lines not already in subs.txt
subfinder -d target.com -silent | anew subs.txt
amass enum -passive -d target.com | anew subs.txt
assetfinder --subs-only target.com | anew subs.txt
findomain -t target.com | anew subs.txt
```
DNS Brute Force
```bash
# Shuffledns
shuffledns -d target.com -w wordlist.txt -r resolvers.txt
# PureDNS
puredns bruteforce wordlist.txt target.com -r resolvers.txt
# Gobuster
gobuster dns -d target.com -w wordlist.txt
```
Certificate Transparency
```bash
# crt.sh (name_value may hold several newline-separated SANs; jq -r expands them)
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq -r '.[].name_value' | sort -u
# Certspotter (include_subdomains + expand=dns_names are needed, otherwise the
# response lists issuances for the apex only and carries no dns_names field)
curl -s "https://api.certspotter.com/v1/issuances?domain=target.com&include_subdomains=true&expand=dns_names" | jq -r '.[].dns_names[]' | sort -u
```
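The crt.sh one-liner above leaves wildcard entries and out-of-scope look-alike names in the output. This added example (not part of the original cheat sheet) normalises crt.sh JSON into a clean subdomain list and diffs it against a known asset inventory, which is the same check a defender runs to spot certificates issued for hosts nobody registered. The JSON input is a constructed stand-in for the real `curl` response.

```python
"""Normalise crt.sh JSON into a de-duplicated list of in-scope subdomains."""
import json

# Constructed sample of what `curl "https://crt.sh/?q=%.target.com&output=json"`
# returns: several SANs packed into one name_value, wildcard entries, mixed
# case, and suffix look-alikes that the %.target.com query also matches.
SAMPLE_CRTSH_JSON = json.dumps([
    {"name_value": "www.target.com\n*.target.com"},
    {"name_value": "API.Target.com"},
    {"name_value": "mail.target.com"},
    {"name_value": "nottarget.com"},            # out of scope: no dot boundary
    {"name_value": "target.com.example.net"},   # out of scope: different apex
    {"name_value": "*.staging.target.com"},
])


def extract_subdomains(crtsh_json: str, domain: str) -> list[str]:
    """Return sorted, unique hostnames under `domain` from crt.sh JSON.

    Wildcards are reduced to their base label ("*.x.target.com" -> "x.target.com")
    and any name outside the apex domain is dropped.
    """
    apex = domain.lower().strip(".")
    found = set()
    for entry in json.loads(crtsh_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            # Require an exact apex match or a ".apex" suffix (dot boundary)
            if name == apex or name.endswith("." + apex):
                found.add(name)
    return sorted(found)


def unexpected_hosts(observed: list[str], inventory: set[str]) -> list[str]:
    """Hosts seen in CT logs that the asset inventory does not know about."""
    return sorted(h for h in observed if h not in inventory)


if __name__ == "__main__":
    subs = extract_subdomains(SAMPLE_CRTSH_JSON, "target.com")
    print("\n".join(subs))
    # Constructed inventory: anything outside it deserves a closer look
    known = {"target.com", "www.target.com", "mail.target.com"}
    print("unexpected:", unexpected_hosts(subs, known))
```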
Wordlists
```bash
# Common wordlists
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
# Combined wordlists from assetnote
https://wordlists.assetnote.io/
```
Resolve & Probe
```bash
# Check which are alive
cat subs.txt | httpx -silent -o alive.txt
# With more info
cat subs.txt | httpx -title -status-code -tech-detect -o results.txt
```
Tools Summary
| Tool | Purpose |
|---|---|
| subfinder | Passive subdomain discovery |
| amass | Comprehensive enumeration |
| assetfinder | Quick passive discovery |
| shuffledns | DNS resolver/bruteforce |
| httpx | HTTP probing |
| dnsx | DNS toolkit |
Workflow
```bash
# 1. Passive enumeration
subfinder -d target.com | anew subs.txt
# 2. Resolve
cat subs.txt | dnsx -silent | anew resolved.txt
# 3. HTTP probe
cat resolved.txt | httpx -silent | anew alive.txt
# 4. Screenshot
cat alive.txt | gowitness file -f - -P screenshots/
```