Cipherops, commit 392011a7
    SUMMARY.md
    skipped 22 lines
    23 23  ***
    24 24   
    25 25  * [ℹ Recon Tips](overview/recon-tips/README.md)
    26  - * [Subdomain Enumeration](overview/recon-tips/subdomain-enumeration.md)
    27 26   * [One Liner from Awesome bug bounty](overview/recon-tips/one-liner-from-awesome-bug-bounty.md)
    28 27   * [Best Recon Technique For Active Subdomain Enumeration](recon-tips/best-recon-technique-for-active-subdomain-enumeration.md)
    29 28   * [Mastering the Art of Information Gathering](recon-tips/mastering-the-art-of-information-gathering.md)
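Review bot: removing `overview/recon-tips/subdomain-enumeration.md` from the Recon Tips list is consistent with the page moving to its own section, but the two sibling entries left at lines 27-28 of this hunk link to `recon-tips/best-recon-technique-for-active-subdomain-enumeration.md` and `recon-tips/mastering-the-art-of-information-gathering.md` without the `overview/` prefix that the section README on line 25 uses; unless those files really sit at the repository root, the links are broken and this move is a good moment to fix them.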
    skipped 19 lines
    49 48   
    50 49  ***
    51 50   
     51 +* [🌆 Subdomain Enumeration](subdomain-enumeration/README.md)
     52 + * [Subdomains Enumeration tools](subdomain-enumeration/subdomains-enumeration-tools.md)
    52 53  * [☁ Cloud Pen-Testing Checklist](cloud-pen-testing-checklist/README.md)
    53 54   * [Cloud Pen-testing Part-1](cloud-pen-testing-checklist/cloud-pen-testing-part-1.md)
    54 55   * [Cloud Pen-testing Part-2](cloud-pen-testing-checklist/cloud-pen-testing-part-2.md)
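Review bot: the new section introduces two pages whose titles overlap, `🌆 Subdomain Enumeration` (the moved README) and `Subdomains Enumeration tools`, while the moved README itself already opens with a `## Subdomain Enumeration Tools` heading, so a reader will find two tool lists under near-identical names; either fold the new tool page into the README or give it a distinct title, and use the singular `Subdomain` to match the parent entry and the rest of SUMMARY.md.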
    skipped 18 lines
    overview/recon-tips/subdomain-enumeration.md subdomain-enumeration/README.md
    1  -# Subdomain Enumeration
     1 +# Subdomain Enumeration
    2 2   
    3 3  ## <mark style="color:green;">Subdomain Enumeration Tools</mark>
    4 4   
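Review bot: the only changed line in the moved file is the H1, and its `-` and `+` versions read identically (`# Subdomain Enumeration`), which points to a trailing-whitespace or line-ending change rather than a content edit; confirm that is intended, and since the old path `overview/recon-tips/subdomain-enumeration.md` is being dropped from SUMMARY.md, check that no other page still links to it.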
    skipped 162 lines
    subdomain-enumeration/subdomains-enumeration-tools.md
     1 +---
     2 +description: Credit goes to respected owner's
     3 +---
     4 + 
     5 +# Subdomains Enumeration tools
     6 + 
     7 +## Summary
     8 + 
     9 +* [Enumerate all subdomains](broken-reference)
     10 + * Subbrute
     11 + * KnockPy
     12 + * GoogleDorks
     13 + * EyeWitness
     14 + * Sublist3r
     15 + * Subfinder
     16 + * Findomain
     17 + * Aquatone (Ruby and Go versions)
     18 + * AltDNS
     19 + * MassDNS
     20 + * Nmap
     21 + * Dnsdumpster
     22 +* Subdomain take over
     23 + * tko-subs
     24 + * HostileSubBruteForcer
     25 + * SubOver
     26 + 
     27 +## Enumerate all subdomains (only if the scope is \*.domain.ext)
     28 + 
     29 +### Using Subbrute
     30 + 
     31 +```bash
     32 +git clone https://github.com/TheRook/subbrute
     33 +python subbrute.py domain.example.com
     34 +```
     35 + 
     36 +### Using KnockPy with Daniel Miessler’s SecLists for subdomain "/Discover/DNS"
     37 + 
     38 +```bash
     39 +git clone https://github.com/guelfoweb/knock
     40 +git clone https://github.com/danielmiessler/SecLists.git
     41 +knockpy domain.com -w subdomains-top1mil-110000.txt
     42 +```
     43 + 
     44 +Using EyeWitness and Nmap scans from the KnockPy and enumall scans
     45 + 
     46 +```bash
     47 +git clone https://github.com/ChrisTruncer/EyeWitness.git
     48 +./setup/setup.sh
     49 +./EyeWitness.py -f filename -t optionaltimeout --open (Optional)
     50 +./EyeWitness -f urls.txt --web
     51 +./EyeWitness -x urls.xml -t 8 --headless
     52 +./EyeWitness -f rdp.txt --rdp
     53 +```
     54 + 
     55 +### Using Google Dorks and Google Transparency Report
     56 + 
     57 +You need to include subdomains ;) https://www.google.com/transparencyreport/https/ct/?hl=en-US#domain=\[DOMAIN]g\&incl\_exp=true\&incl\_sub=true
     58 + 
     59 +```bash
     60 +site:*.domain.com -www
     61 +site:domain.com filetype:pdf
     62 +site:domain.com inurl:'&'
     63 +site:domain.com inurl:login,register,upload,logout,redirect,redir,goto,admin
     64 +site:domain.com ext:php,asp,aspx,jsp,jspa,txt,swf
     65 +site:*.*.domain.com
     66 +```
     67 + 
     68 +### Using Sublist3r
     69 + 
     70 +```bash
     71 +To enumerate subdomains of specific domain and show the results in realtime:
     72 +python sublist3r.py -v -d example.com
     73 + 
     74 +To enumerate subdomains and enable the bruteforce module:
     75 +python sublist3r.py -b -d example.com
     76 + 
     77 +To enumerate subdomains and use specific engines such Google, Yahoo and Virustotal engines
     78 +python sublist3r.py -e google,yahoo,virustotal -d example.com
     79 + 
     80 +python sublist3r.py -b -d example.com
     81 +```
     82 + 
     83 +### Using Subfinder
     84 + 
     85 +```powershell
     86 +go get github.com/subfinder/subfinder
     87 +./Subfinder/subfinder --set-config PassivetotalUsername='USERNAME',PassivetotalKey='KEY'
     88 +./Subfinder/subfinder --set-config RiddlerEmail="EMAIL",RiddlerPassword="PASSWORD"
     89 +./Subfinder/subfinder --set-config CensysUsername="USERNAME",CensysSecret="SECRET"
     90 +./Subfinder/subfinder --set-config SecurityTrailsKey='KEY'
     91 +./Subfinder/subfinder -d example.com -o /tmp/results_subfinder.txt
     92 +```
     93 + 
     94 +### Using Findomain
     95 + 
     96 +```powershell
     97 +$ wget https://github.com/Edu4rdSHL/findomain/releases/latest/download/findomain-linux
     98 +$ chmod +x findomain-linux
     99 +$ findomain_spyse_token="YourAccessToken"
     100 +$ findomain_virustotal_token="YourAccessToken"
     101 +$ findomain_fb_token="YourAccessToken"
     102 +$ ./findomain-linux -t example.com -o
     103 +```
     104 + 
     105 +### Using Aquatone - old version (Ruby)
     106 + 
     107 +```powershell
     108 +gem install aquatone
     109 + 
     110 +Discover subdomains : results in ~/aquatone/example.com/hosts.txt
     111 +aquatone-discover --domain example.com
     112 +aquatone-discover --domain example.com --threads 25
     113 +aquatone-discover --domain example.com --sleep 5 --jitter 30
     114 +aquatone-discover --set-key shodan o1hyw8pv59vSVjrZU3Qaz6ZQqgM91ihQ
     115 + 
     116 +Active scans : results in ~/aquatone/example.com/urls.txt
     117 +aquatone-scan --domain example.com
     118 +aquatone-scan --domain example.com --ports 80,443,3000,8080
     119 +aquatone-scan --domain example.com --ports large
     120 +aquatone-scan --domain example.com --threads 25
     121 + 
     122 +Final results
     123 +aquatone-gather --domain example.com
     124 +```
     125 + 
     126 +Alternatively, you can use the [Docker image](https://hub.docker.com/r/txt3rob/aquatone-docker/) provided by txt3rob.
     127 + 
     128 +```powershell
     129 +https://hub.docker.com/r/txt3rob/aquatone-docker/
     130 +docker pull txt3rob/aquatone-docker
     131 +docker run -it txt3rob/aquatone-docker aq example.com
     132 +```
     133 + 
     134 +### Using Aquatone - new version (Go)
     135 + 
     136 +```powershell
     137 +# Subfinder version
     138 +./Subfinder/subfinder -d $1 -r 8.8.8.8,1.1.1.1 -nW -o /tmp/subresult$1
     139 +cat /tmp/subresult$1 | ./Aquatone/aquatone -ports large -out /tmp/aquatone$1
     140 + 
     141 +# Amass version
     142 +./Amass/amass -active -brute -o /tmp/hosts.txt -d $1
     143 +cat /tmp/hosts.txt | ./Aquatone/aquatone -ports large -out /tmp/aquatone$1
     144 +```
     145 + 
     146 +### Using AltDNS
     147 + 
     148 +It's recommended to use massdns in order to resolve the result of `AltDNS`
     149 + 
     150 +```powershell
     151 +WORDLIST_PERMUTATION="./Altdns/words.txt"
     152 +python2.7 ./Altdns/altdns.py -i /tmp/inputdomains.txt -o /tmp/out.txt -w $WORDLIST_PERMUTATION
     153 +```
     154 + 
     155 +Alternatively you can use [goaltdns](https://github.com/subfinder/goaltdns)
     156 + 
     157 +### Using MassDNS
     158 + 
     159 +```powershell
     160 +DNS_RESOLVERS="./resolvers.txt"
     161 +cat /tmp/results_subfinder.txt | massdns -r $DNS_RESOLVERS -t A -o S -w /tmp/results_subfinder_resolved.txt
     162 +```
     163 + 
     164 +### Using Nmap
     165 + 
     166 +```powershell
     167 +nmap -sn --script hostmap-crtsh host_to_scan.tld
     168 +```
     169 + 
     170 +### Using dnsdumpster
     171 + 
     172 +```ps1
     173 +git clone https://github.com/nmmapper/dnsdumpster
     174 +python dnsdumpster.py -d domainname.com
     175 +```
     176 + 
     177 +## Subdomain take over
     178 + 
     179 +Check [Can I take over xyz](https://github.com/EdOverflow/can-i-take-over-xyz) by EdOverflow for a list of services and how to claim (sub)domains with dangling DNS records.
     180 + 
     181 +### Using tko-subs
     182 + 
     183 +```powershell
     184 +go get github.com/anshumanbh/tko-subs
     185 +./bin/tko-subs -domains=./lists/domains_tkos.txt -data=./lists/providers-data.csv
     186 +```
     187 + 
     188 +### Using HostileSubBruteForcer
     189 + 
     190 +```bash
     191 +git clone https://github.com/nahamsec/HostileSubBruteforcer
     192 +chmod +x sub_brute.rb
     193 +./sub_brute.rb
     194 +```
     195 + 
     196 +### Using SubOver
     197 + 
     198 +```powershell
     199 +go get github.com/Ice3man543/SubOver
     200 +./SubOver -l subdomains.txt
     201 +```
     202 + 
     203 +## References
     204 + 
     205 +* [Subdomain Takeover: Proof Creation for Bug Bounties - Patrik Hudak](https://0xpatrik.com/takeover-proofs/)
     206 +* [Subdomain Takeover: Basics - Patrik Hudak](https://0xpatrik.com/subdomain-takeover-basics/)
     207 + 
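Review bot: line 114 of the new file commits what looks like a live Shodan API key (`aquatone-discover --set-key shodan o1hyw8pv59vSVjrZU3Qaz6ZQqgM91ihQ`); even if the value is dead or a dummy, replace it with a placeholder such as `<SHODAN_API_KEY>` and, if it was ever valid, rotate it, because it will stay in history after this commit. Two more fixes in the same file: the summary link on line 9 points at `broken-reference` and should be an in-page anchor to the "Enumerate all subdomains" heading; and the fences on lines 85, 96, 107, 128, 136, 150, 159, 166, 172, 183 and 198 are tagged `powershell`/`ps1` although every command inside is a Linux shell invocation, so tag them `bash` like the rest of the page. Smaller points worth a follow-up: `go get github.com/...` on lines 86, 184 and 199 no longer installs binaries on current Go toolchains (use `go install ...@latest`, and subfinder now lives under projectdiscovery, where API keys go in a provider config file rather than the `--set-config` flags on lines 87-90); the findomain token lines 99-101 assign shell variables without `export`, so the tool never sees them; the Transparency Report URL on line 57 carries a stray `g` after `[DOMAIN]`; the `./EyeWitness -f urls.txt --web` lines 50-52 drop the `.py` extension used on line 49; and the attribution on line 2 ("Credit goes to respected owner's") names no author or link, so the origin of the copied tool list should be stated alongside the References section.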