Subdomain Enum

Best Tools:

amass enum -passive -d -o

Active enumeration resolves every candidate name through DNS, so it takes much longer than passive mode

amass enum -active -brute -w /hpath/DNS/clean-jhaddix-dns.txt -d -o

Amass: look up the company's ASNs, then scan each ASN

amass intel -org EVILCORP -max-dns-queries 2500 | awk -F, '{print $1}' ORS=',' | sed 's/,$//' | xargs -P3 -I@ -d ',' amass intel -asn @ -max-dns-queries 2500

Bruteforce subdomain lists:

./sudomy -d

bash ./ -a

Subdomain enumeration tools

subfinder -d -recursive -silent -t 200 -v -o
subfinder -d -silent | httpx -follow-redirects -status-code -vhost -threads 300 -silent | sort -u | grep -F "[200]" | cut -d [ -f1 > resolved.txt

python3 -u

python3 -d –quick

fierce -dns

Subdomains from Wayback Machine

gau -subs | cut -d / -f 3 | sort -u

AltDNS – Subdomains of subdomains XD

altdns -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt

One-liner to find (sub)domains related to a keyword on pastebin through google: -t "site: kword" -b -d -s 0 -e 5 | sed "s/.com\//.com\/raw\//" | xargs curl -s | egrep -ho "[a-zA-Z0-9_.-]+kword[a-zA-Z0-9_.-]+" | sort -fu
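The `cut -d / -f 3` step above and the keyword grep both pull hostnames out of raw text, but `cut` leaves ports, userinfo and mixed case in place and keeps anything that merely contains the target name (lookalike domains included). The following is an added Python helper, not part of the original cheat sheet or any of the tools it lists: it extracts hostnames properly with `urlsplit`, normalizes them, and keeps only names that really sit under the apex domain. `SAMPLE_URLS` is constructed test data in the shape of gau output, and `hosts_in_scope` is a hypothetical function name.

```python
"""Extract in-scope hostnames from a list of URLs (e.g. Wayback/gau output).

Added example: replaces `cut -d / -f 3`, which keeps ports, userinfo and
case and accepts out-of-scope hosts. SAMPLE_URLS is constructed, not real.
"""
import re
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Valid DNS hostname: 1-253 chars, labels of 1-63 [a-z0-9-], no leading/trailing '-'
HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$"
)


def extract_host(url: str) -> Optional[str]:
    """Return the lowercase hostname of a URL, or None if it cannot be parsed."""
    url = url.strip()
    if not url:
        return None
    # gau lines normally carry a scheme; tolerate bare hostnames as well.
    if "://" not in url:
        url = "http://" + url
    try:
        host = urlsplit(url).hostname  # drops scheme, userinfo, port, path
    except ValueError:
        return None
    if not host:
        return None
    host = host.rstrip(".")  # strip a trailing root dot
    return host if HOST_RE.match(host) else None


def in_scope(host: str, apex: str) -> bool:
    """True if host is the apex itself or a subdomain of it (not a lookalike)."""
    apex = apex.lower().rstrip(".")
    return host == apex or host.endswith("." + apex)


def hosts_in_scope(urls: Iterable[str], apex: str) -> List[str]:
    """Unique, sorted in-scope hostnames from an iterable of URL strings."""
    found = set()
    for url in urls:
        host = extract_host(url)
        if host and in_scope(host, apex):
            found.add(host)
    return sorted(found)


# Constructed sample of the kind of lines gau prints; not real data.
SAMPLE_URLS = [
    "https://www.example.com/index.html",
    "http://API.example.com:8080/v1/users",          # port and case
    "https://user:pw@cdn.example.com/asset.js",      # userinfo
    "https://example.com.evil-lookalike.net/phish",  # contains the name, out of scope
    "https://notexample.com/",                        # out of scope
    "https://example.com/",                           # the apex itself
    "garbage line",                                   # not a URL
    "https://Staging.Example.com./login",             # trailing root dot
]

if __name__ == "__main__":
    for h in hosts_in_scope(SAMPLE_URLS, "example.com"):
        print(h)
```

Feed it the real `gau -subs` output (one URL per line) on stdin or from a file and the result is a clean, deduplicated host list that a later `httpx` or `dnsrecon` step will not waste time on.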

dnsrecon -d -D subdomains-top1mil-5000.txt -t brt

Aquatone – Validate subdomains (take screenshots and generate report)

cat hosts.txt | aquatone

Wildcard subdomain

dig a * = dig a   # if a random label returns the same record as the wildcard query, the domain has a wildcard subdomain
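A wildcard record makes every brute-forced label "resolve", so the hit list from `dnsrecon` or `amass -brute` fills up with names that do not exist. The check above is the manual version; the following added Python helper (not from any tool on this page) automates it: it resolves a few random labels under the apex, treats a consistent non-empty answer as the wildcard answer, and drops candidates whose records are indistinguishable from it. The resolver is injected as a callable so the logic runs offline; `FAKE_ZONE`, `fake_resolve` and `strict_resolve` are constructed stand-ins, and plugging in a real resolver (for example dnspython) is left to the reader.

```python
"""Detect wildcard DNS and filter brute-force hits that only match the wildcard.

Added example. FAKE_ZONE / fake_resolve / strict_resolve are constructed
test doubles, not real DNS data; swap in a real resolver for live use.
"""
import secrets
from typing import Callable, FrozenSet, Iterable, List, Tuple

# name -> set of A records; an empty set stands for NXDOMAIN / no answer
Resolver = Callable[[str], FrozenSet[str]]


def wildcard_answers(apex: str, resolve: Resolver, probes: int = 3) -> FrozenSet[str]:
    """Resolve random labels under apex. If every probe answers, the union of
    those answers is the wildcard answer set; any NXDOMAIN means no wildcard."""
    seen: FrozenSet[str] = frozenset()
    for _ in range(probes):
        label = secrets.token_hex(8)  # 16 random hex chars; will not exist by accident
        answers = resolve(f"{label}.{apex}")
        if not answers:
            return frozenset()  # at least one random name is NXDOMAIN: no wildcard
        seen = seen | answers  # union copes with round-robin answers
    return seen


def filter_wildcard_hits(
    apex: str, candidates: Iterable[str], resolve: Resolver
) -> Tuple[List[str], FrozenSet[str]]:
    """Return (names that resolve to something other than the wildcard, wildcard set)."""
    wc = wildcard_answers(apex, resolve)
    real: List[str] = []
    for name in candidates:
        answers = resolve(name)
        if not answers:
            continue  # does not resolve at all
        if wc and answers <= wc:
            continue  # identical to the wildcard answer: almost certainly not a real host
        real.append(name)
    return real, wc


# Constructed zone: explicit records plus a *.example.com catch-all.
FAKE_ZONE = {
    "example.com": frozenset({"203.0.113.10"}),
    "www.example.com": frozenset({"203.0.113.10"}),
    "mail.example.com": frozenset({"203.0.113.25"}),
    "dev.example.com": frozenset({"203.0.113.50"}),  # same IP as the wildcard: indistinguishable
}
WILDCARD_IP = frozenset({"203.0.113.50"})


def fake_resolve(name: str) -> FrozenSet[str]:
    """Constructed resolver with a wildcard: explicit records first, then catch-all."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    if name.endswith(".example.com"):
        return WILDCARD_IP
    return frozenset()


def strict_resolve(name: str) -> FrozenSet[str]:
    """Constructed resolver for the same zone without any wildcard record."""
    return FAKE_ZONE.get(name, frozenset())


CANDIDATES = [
    "www.example.com",
    "mail.example.com",
    "dev.example.com",
    "nothere.example.com",  # only 'exists' because of the wildcard
    "gone.example.org",     # different zone, no record
]

if __name__ == "__main__":
    real, wc = filter_wildcard_hits("example.com", CANDIDATES, fake_resolve)
    print("wildcard answer:", sorted(wc))
    print("kept:", real)
```

The trade-off is visible in `dev.example.com`: a genuine host that shares the wildcard's IP is dropped along with the noise, so when the wildcard set is non-empty, confirm such names by another route (CNAME/TXT records, certificate transparency, or a vhost probe) rather than by A-record comparison alone.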

Subdomain enumeration from GitHub

python3 -t “GITHUB-TOKEN” -d

Subdomain bruteforce

dnsrecon -d -D wordlist.txt -t brt

Get URLs from JS files

python -u

Best subdomain bruteforce list

Subdomain discovery with Burp

Navigate through the target's main website with Burp:

Without the passive scanner
Set forms to auto-submit
Scope in Advanced mode: any protocol and one keyword ("tesla")
Finally, select the whole sitemap, then Engagement Tools -> Analyze target