Subdomain Enumeration

Gobuster

gobuster -m dns -w /path/to/wordlist.txt -u domain.com -i -q >> Subdomains.tmp
cat Subdomains.tmp | grep Found |x cut -d " " -f 2 > Subdomains.txt
rm Subdomains.tmp

SSL Scan

for i in $(cat wildcards.txt); do sslscan --no-colour --show-certificate $i | grep -E "Altnames:" | tee -a ssldomains.txt; done
cat ssldomains.txt | sed 's/DNS:/&\n/g' | cut -d "," -f 1 | sort -u > ssldomains.tmp
cat wildcards.txt >> ssldomains.tmp
cat ssldomains.tmp | sort -u > ssldomains.txt
rm ssldomains.tmp

Amass

amass --passive -d DOMAIN.com

MassDNS

./bin/massdns -r resolvers.txt -t AAAA -w results.txt domains.txt

DNSdumpster

https://github.com/PaulSec/API-dnsdumpster.com