■ ■ ■ ■ ■ ■
subdomain-enumeration/subdomains-enumeration-tools.md
| 1 | + | --- |
| 2 | + | description: Credit goes to respected owner's |
| 3 | + | --- |
| 4 | + | |
| 5 | + | # Subdomains Enumeration tools |
| 6 | + | |
| 7 | + | ## Summary |
| 8 | + | |
| 9 | + | * [Enumerate all subdomains](broken-reference) |
| 10 | + | * Subbrute |
| 11 | + | * KnockPy |
| 12 | + | * GoogleDorks |
| 13 | + | * EyeWitness |
| 14 | + | * Sublist3r |
| 15 | + | * Subfinder |
| 16 | + | * Findomain |
| 17 | + | * Aquatone (Ruby and Go versions) |
| 18 | + | * AltDNS |
| 19 | + | * MassDNS |
| 20 | + | * Nmap |
| 21 | + | * Dnsdumpster |
| 22 | + | * Subdomain take over |
| 23 | + | * tko-subs |
| 24 | + | * HostileSubBruteForcer |
| 25 | + | * SubOver |
| 26 | + | |
| 27 | + | ## Enumerate all subdomains (only if the scope is \*.domain.ext) |
| 28 | + | |
| 29 | + | ### Using Subbrute |
| 30 | + | |
| 31 | + | ```bash |
| 32 | + | git clone https://github.com/TheRook/subbrute |
| 33 | + | python subbrute.py domain.example.com |
| 34 | + | ``` |
| 35 | + | |
| 36 | + | ### Using KnockPy with Daniel Miessler’s SecLists for subdomain "/Discover/DNS" |
| 37 | + | |
| 38 | + | ```bash |
| 39 | + | git clone https://github.com/guelfoweb/knock |
| 40 | + | git clone https://github.com/danielmiessler/SecLists.git |
| 41 | + | knockpy domain.com -w subdomains-top1mil-110000.txt |
| 42 | + | ``` |
| 43 | + | |
| 44 | + | Using EyeWitness and Nmap scans from the KnockPy and enumall scans |
| 45 | + | |
| 46 | + | ```bash |
| 47 | + | git clone https://github.com/ChrisTruncer/EyeWitness.git |
| 48 | + | ./setup/setup.sh |
| 49 | + | ./EyeWitness.py -f filename -t optionaltimeout --open (Optional) |
| 50 | + | ./EyeWitness -f urls.txt --web |
| 51 | + | ./EyeWitness -x urls.xml -t 8 --headless |
| 52 | + | ./EyeWitness -f rdp.txt --rdp |
| 53 | + | ``` |
| 54 | + | |
| 55 | + | ### Using Google Dorks and Google Transparency Report |
| 56 | + | |
| 57 | + | You need to include subdomains ;) https://www.google.com/transparencyreport/https/ct/?hl=en-US#domain=\[DOMAIN]g\&incl\_exp=true\&incl\_sub=true |
| 58 | + | |
| 59 | + | ```bash |
| 60 | + | site:*.domain.com -www |
| 61 | + | site:domain.com filetype:pdf |
| 62 | + | site:domain.com inurl:'&' |
| 63 | + | site:domain.com inurl:login,register,upload,logout,redirect,redir,goto,admin |
| 64 | + | site:domain.com ext:php,asp,aspx,jsp,jspa,txt,swf |
| 65 | + | site:*.*.domain.com |
| 66 | + | ``` |
| 67 | + | |
| 68 | + | ### Using Sublist3r |
| 69 | + | |
| 70 | + | ```bash |
| 71 | + | To enumerate subdomains of specific domain and show the results in realtime: |
| 72 | + | python sublist3r.py -v -d example.com |
| 73 | + | |
| 74 | + | To enumerate subdomains and enable the bruteforce module: |
| 75 | + | python sublist3r.py -b -d example.com |
| 76 | + | |
| 77 | + | To enumerate subdomains and use specific engines such Google, Yahoo and Virustotal engines |
| 78 | + | python sublist3r.py -e google,yahoo,virustotal -d example.com |
| 79 | + | |
| 80 | + | python sublist3r.py -b -d example.com |
| 81 | + | ``` |
| 82 | + | |
| 83 | + | ### Using Subfinder |
| 84 | + | |
| 85 | + | ```powershell |
| 86 | + | go get github.com/subfinder/subfinder |
| 87 | + | ./Subfinder/subfinder --set-config PassivetotalUsername='USERNAME',PassivetotalKey='KEY' |
| 88 | + | ./Subfinder/subfinder --set-config RiddlerEmail="EMAIL",RiddlerPassword="PASSWORD" |
| 89 | + | ./Subfinder/subfinder --set-config CensysUsername="USERNAME",CensysSecret="SECRET" |
| 90 | + | ./Subfinder/subfinder --set-config SecurityTrailsKey='KEY' |
| 91 | + | ./Subfinder/subfinder -d example.com -o /tmp/results_subfinder.txt |
| 92 | + | ``` |
| 93 | + | |
| 94 | + | ### Using Findomain |
| 95 | + | |
| 96 | + | ```powershell |
| 97 | + | $ wget https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-linux |
| 98 | + | $ chmod +x findomain-linux |
| 99 | + | $ findomain_spyse_token="YourAccessToken" |
| 100 | + | $ findomain_virustotal_token="YourAccessToken" |
| 101 | + | $ findomain_fb_token="YourAccessToken" |
| 102 | + | $ ./findomain-linux -t example.com -o |
| 103 | + | ``` |
| 104 | + | |
| 105 | + | ### Using Aquatone - old version (Ruby) |
| 106 | + | |
| 107 | + | ```powershell |
| 108 | + | gem install aquatone |
| 109 | + | |
| 110 | + | Discover subdomains : results in ~/aquatone/example.com/hosts.txt |
| 111 | + | aquatone-discover --domain example.com |
| 112 | + | aquatone-discover --domain example.com --threads 25 |
| 113 | + | aquatone-discover --domain example.com --sleep 5 --jitter 30 |
| 114 | + | aquatone-discover --set-key shodan o1hyw8pv59vSVjrZU3Qaz6ZQqgM91ihQ |
| 115 | + | |
| 116 | + | Active scans : results in ~/aquatone/example.com/urls.txt |
| 117 | + | aquatone-scan --domain example.com |
| 118 | + | aquatone-scan --domain example.com --ports 80,443,3000,8080 |
| 119 | + | aquatone-scan --domain example.com --ports large |
| 120 | + | aquatone-scan --domain example.com --threads 25 |
| 121 | + | |
| 122 | + | Final results |
| 123 | + | aquatone-gather --domain example.com |
| 124 | + | ``` |
| 125 | + | |
| 126 | + | Alternatively, you can use the [Docker image](https://hub.docker.com/r/txt3rob/aquatone-docker/) provided by txt3rob. |
| 127 | + | |
| 128 | + | ```powershell |
| 129 | + | https://hub.docker.com/r/txt3rob/aquatone-docker/ |
| 130 | + | docker pull txt3rob/aquatone-docker |
| 131 | + | docker run -it txt3rob/aquatone-docker aq example.com |
| 132 | + | ``` |
| 133 | + | |
| 134 | + | ### Using Aquatone - new version (Go) |
| 135 | + | |
| 136 | + | ```powershell |
| 137 | + | # Subfinder version |
| 138 | + | ./Subfinder/subfinder -d $1 -r 8.8.8.8,1.1.1.1 -nW -o /tmp/subresult$1 |
| 139 | + | cat /tmp/subresult$1 | ./Aquatone/aquatone -ports large -out /tmp/aquatone$1 |
| 140 | + | |
| 141 | + | # Amass version |
| 142 | + | ./Amass/amass -active -brute -o /tmp/hosts.txt -d $1 |
| 143 | + | cat /tmp/hosts.txt | ./Aquatone/aquatone -ports large -out /tmp/aquatone$1 |
| 144 | + | ``` |
| 145 | + | |
| 146 | + | ### Using AltDNS |
| 147 | + | |
| 148 | + | It's recommended to use massdns in order to resolve the result of `AltDNS` |
| 149 | + | |
| 150 | + | ```powershell |
| 151 | + | WORDLIST_PERMUTATION="./Altdns/words.txt" |
| 152 | + | python2.7 ./Altdns/altdns.py -i /tmp/inputdomains.txt -o /tmp/out.txt -w $WORDLIST_PERMUTATION |
| 153 | + | ``` |
| 154 | + | |
| 155 | + | Alternatively you can use [goaltdns](https://github.com/subfinder/goaltdns) |
| 156 | + | |
| 157 | + | ### Using MassDNS |
| 158 | + | |
| 159 | + | ```powershell |
| 160 | + | DNS_RESOLVERS="./resolvers.txt" |
| 161 | + | cat /tmp/results_subfinder.txt | massdns -r $DNS_RESOLVERS -t A -o S -w /tmp/results_subfinder_resolved.txt |
| 162 | + | ``` |
| 163 | + | |
| 164 | + | ### Using Nmap |
| 165 | + | |
| 166 | + | ```powershell |
| 167 | + | nmap -sn --script hostmap-crtsh host_to_scan.tld |
| 168 | + | ``` |
| 169 | + | |
| 170 | + | ### Using dnsdumpster |
| 171 | + | |
| 172 | + | ```ps1 |
| 173 | + | git clone https://github.com/nmmapper/dnsdumpster |
| 174 | + | python dnsdumpster.py -d domainname.com |
| 175 | + | ``` |
| 176 | + | |
| 177 | + | ## Subdomain take over |
| 178 | + | |
| 179 | + | Check [Can I take over xyz](https://github.com/EdOverflow/can-i-take-over-xyz) by EdOverflow for a list of services and how to claim (sub)domains with dangling DNS records. |
| 180 | + | |
| 181 | + | ### Using tko-subs |
| 182 | + | |
| 183 | + | ```powershell |
| 184 | + | go get github.com/anshumanbh/tko-subs |
| 185 | + | ./bin/tko-subs -domains=./lists/domains_tkos.txt -data=./lists/providers-data.csv |
| 186 | + | ``` |
| 187 | + | |
| 188 | + | ### Using HostileSubBruteForcer |
| 189 | + | |
| 190 | + | ```bash |
| 191 | + | git clone https://github.com/nahamsec/HostileSubBruteforcer |
| 192 | + | chmod +x sub_brute.rb |
| 193 | + | ./sub_brute.rb |
| 194 | + | ``` |
| 195 | + | |
| 196 | + | ### Using SubOver |
| 197 | + | |
| 198 | + | ```powershell |
| 199 | + | go get github.com/Ice3man543/SubOver |
| 200 | + | ./SubOver -l subdomains.txt |
| 201 | + | ``` |
| 202 | + | |
| 203 | + | ## References |
| 204 | + | |
| 205 | + | * [Subdomain Takeover: Proof Creation for Bug Bounties - Patrik Hudak](https://0xpatrik.com/takeover-proofs/) |
| 206 | + | * [Subdomain Takeover: Basics - Patrik Hudak](https://0xpatrik.com/subdomain-takeover-basics/) |
| 207 | + | |