Basic Subdomain Enumeration guide

Gobuster

gobuster -m dns -w /path/to/wordlist.txt -u domain.com -i -q >> Subdomains.tmp
cat Subdomains.tmp | grep Found | cut -d " " -f 2 > Subdomains.txt
rm Subdomains.tmp

SSL Scan

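# Collect the Altnames (SAN) line from each host's certificate
for i in $(cat wildcards.txt); do sslscan --no-colour --show-certificate "$i" | grep -E "Altnames:" | tee -a ssldomains.txt; done
# Split the entries onto separate lines and drop the leftover "Altnames: DNS:" label lines
cat ssldomains.txt | sed 's/DNS:/&\n/g' | cut -d "," -f 1 | grep -v "Altnames:" | sort -u > ssldomains.tmp
# Merge with the original host list and de-duplicate
cat wildcards.txt >> ssldomains.tmp
cat ssldomains.tmp | sort -u > ssldomains.txt
rm ssldomains.tmp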
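An added example (not from the original page): the Altnames post-processing from the SSL Scan steps as one shell function, run on a constructed sslscan line. It goes slightly beyond the steps above by stripping the `*.` wildcard prefix and keeping only names under one in-scope domain, since a certificate can list unrelated hosts; the function name `san_hosts` and the sample hostnames are assumptions.

```shell
#!/bin/sh
# san_hosts (hypothetical helper, not part of sslscan): read sslscan
# "Altnames:" lines on stdin and print the unique hostnames that are the
# in-scope domain ($1) itself or a subdomain of it.
san_hosts() {
    scope=$1
    tr ',' '\n' |                          # one SAN entry per line
    sed -e 's/^.*DNS://' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/^\*\.//' |                   # drop label, padding, "*." prefix
    tr 'A-Z' 'a-z' |                       # hostnames are case-insensitive
    awk -v scope="$scope" '
        # exact match on the scope domain
        $0 == scope { print; next }
        # otherwise require a ".scope" suffix, so "notexample.com" is rejected
        length($0) > length(scope) &&
        substr($0, length($0) - length(scope)) == "." scope { print }
    ' |
    sort -u
}

# Constructed sample input in the shape of an sslscan "Altnames:" line
sample='Altnames: DNS:example.com, DNS:*.example.com, DNS:API.example.com, DNS:cdn.example.net, DNS:notexample.com'

printf '%s\n' "$sample" | san_hosts example.com
```

In the steps above, the function would replace the `sed | cut | sort` stage, reading `ssldomains.txt` on stdin.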

Amass

amass --passive -d DOMAIN.com

MassDNS

./bin/massdns -r resolvers.txt -t AAAA -w results.txt domains.txt

DNSdumpster

Last modified 2yr ago