Subdomains Enumeration Cheat Sheet
Wordlists
Linux tools
AltDNS
Description
Subdomain discovery through alterations and permutations
Installation
Usage
Generate a list of altered subdomains:
./altdns.py -i known-subdomains.txt -o new_subdomains.txt
Generate a list of altered subdomains & resolve them:
./altdns.py -i known-subdomains.txt -o new_subdomains.txt -r -s resolved_subdomains.txt
Other options
-w wordlist.txt: Use custom wordlist (default altdns/words.txt)
-t 10: Number of threads
-d $IP: Use custom resolver
Amass
Description
Brute force, Google, VirusTotal, alt names, ASN discovery
Installation
go get -u github.com/OWASP/Amass/...
Usage
Get target’s ASN from http://bgp.he.net/
amass -d target.com -o $outfile
Get subdomains from ASN:
amass.netnames -asn $asn
Assets-from-spf
Description
Parse net blocks & domain names from SPF records
Installation
Usage
cd the-art-of-subdomain-enumeration; python assets_from_spf.py target.com
Options
--asn: Enable ASN enumeration
BiLE-suite
Description
HTML parsing, reverse DNS, TLD expansion, horizontal domain correlation
Installation
Usage
List links related to a site:
cd BiLE-suite; perl BiLE.pl target.com target
Extract subdomains from the results of BiLE.pl:
cat target.mine | grep -v "Link from" | cut -d':' -f2 | grep target.com | sort | uniq
Bing
Search engine
Usage
Find subdomains:
site:target.com
Find subdomains & exclude specific ones:
site:target.com -site:www.target.com
Censys_subdomain_enum.py
Description
Extract domains & emails from SSL/TLS certs collected by Censys
Installation
Add your CENSYS API ID & SECRET to the-art-of-subdomain-enumeration/censys_subdomain_enum.py
Usage
cd the-art-of-subdomain-enumeration; python censys_enumeration.py target.com
Cloudflare_enum.py
Description
Extract subdomains from Cloudflare
DNS aggregator
Installation
Usage
cd the-art-of-subdomain-enumeration; python cloudflare_subdomain_enum.py your@cloudflare.email target.com
Crt_enum_psql.py
Description
Query crt.sh postgres interface for subdomains
Installation
Usage
cd the-art-of-subdomain-enumeration; python crtsh_enum_psql.py target.com
Crt_enum_web.py
Description
Parse crt.sh web page for subdomains
Installation
Usage
cd the-art-of-subdomain-enumeration; python3 crtsh_enum_web.py target.com
CTFR
Description
Enumerate subdomains using CT logs (crt.sh)
Installation
Usage
cd ctfr; python3 ctfr.py -d target.com -o $outfile
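Both Crt_enum_web.py and CTFR above come down to the same post-processing of crt.sh results: lowercase every name, drop the wildcard label, discard SANs that belong to other domains on the same certificate, and de-duplicate. The script below is an added example written for this cheat sheet, not code from either tool. Its input is a constructed list in the shape crt.sh returns for a query such as https://crt.sh/?q=%25.example.com&output=json (objects with a newline-separated "name_value" field); nothing is fetched. As a defender's extra it also separates names that are only present on expired certificates, which is a quick way to spot hosts nobody decommissioned.

```python
"""Normalise crt.sh JSON output into a de-duplicated list of in-scope names.

Added example for this cheat sheet; it is not the Crt_enum_web.py or CTFR
code. The input below is constructed, nothing is fetched.
"""
import json
from datetime import datetime

# Constructed sample: four certificate entries for example.com.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2024-06-01T00:00:00", "not_after": "2025-06-01T00:00:00"},
    {"id": 2, "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com",
     "not_before": "2024-09-15T00:00:00", "not_after": "2025-09-15T00:00:00"},
    {"id": 3, "common_name": "Mail.Example.com",
     "name_value": "Mail.Example.com\nwebmail.example.com\nmail.example.net",
     "not_before": "2023-03-01T00:00:00", "not_after": "2024-03-01T00:00:00"},
    {"id": 4, "common_name": "old.example.com",
     "name_value": "old.example.com",
     "not_before": "2022-11-30T00:00:00", "not_after": "2023-11-30T00:00:00"},
])


def in_scope(name: str, domain: str) -> bool:
    """True if name is the apex itself or ends with '.' + domain."""
    return name == domain or name.endswith("." + domain)


def extract_subdomains(raw_json: str, domain: str) -> dict:
    """Map each in-scope name to the latest not_after date seen for it.

    Names are lowercased, a leading '*.' wildcard label is stripped (the
    certificate covers the zone, it does not name a host), and SANs for
    other domains on the same certificate are dropped.
    """
    domain = domain.lower()
    latest = {}
    for entry in json.loads(raw_json):
        expiry = datetime.fromisoformat(entry["not_after"])
        for raw in entry["name_value"].split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if not name or not in_scope(name, domain):
                continue
            if name not in latest or expiry > latest[name]:
                latest[name] = expiry
    return latest


def split_by_validity(latest: dict, now_iso: str):
    """Split names into (still on a valid cert, only on expired certs).

    Names that appear only on expired certificates deserve a second look
    from the defender's side: they are often hosts nobody decommissioned.
    """
    now = datetime.fromisoformat(now_iso)
    active = sorted(n for n, exp in latest.items() if exp > now)
    expired = sorted(n for n, exp in latest.items() if exp <= now)
    return active, expired


if __name__ == "__main__":
    found = extract_subdomains(SAMPLE_CRTSH_JSON, "example.com")
    active, expired = split_by_validity(found, "2025-01-01T00:00:00")
    print("current:", active)
    print("only on expired certs:", expired)
```

With the constructed sample, mail.example.net is dropped as out of scope, the wildcard entry collapses to the apex, and with 2025-01-01 as the reference date mail, old and webmail show up only on expired certificates.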
Dig
Description
Zone transfer, DNS lookups & reverse lookups
Installation
Installed by default in Kali, otherwise:
aptitude install dnsutils
Usage
dig +multi AXFR target.com
dig +multi AXFR target.com @$ns_server
Domains-from-csp
Description
Extract domain names from Content Security Policy(CSP) headers
Installation
Usage
Parse CSP header for domains:
cd domains-from-csp; python csp_parser.py $URL
Parse CSP header & resolve the domains:
cd domains-from-csp; python csp_parser.py $URL -r
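Assets-from-spf and Domains-from-csp above both read a record your own infrastructure publishes and pull the third-party hosts out of it. The script below is an added example written for this cheat sheet, not the assets_from_spf.py or csp_parser.py code; the SPF record and CSP header it parses are constructed and nothing is looked up over the network. It goes slightly beyond the two tools' descriptions by handling the a:host/len form and the redirect= modifier in SPF, and by skipping keyword and scheme-only sources in CSP.

```python
"""Pull domain names and netblocks out of an SPF record and a CSP header.

Added example for this cheat sheet, not the assets_from_spf.py or
csp_parser.py scripts it lists. Both inputs below are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed SPF TXT record for a hypothetical zone.
SPF_RECORD = (
    "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:_spf.mail.example.net "
    "a:mx1.example.com/28 mx redirect=spf.example.org -all"
)

# Constructed Content-Security-Policy header.
CSP_HEADER = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.example.com https://static.example.com:8443/js/; "
    "img-src * data:; "
    "connect-src wss://api.example.com 'unsafe-inline'; "
    "frame-src https://*.widgets.example.org"
)

# SPF mechanisms whose argument is a domain name.
SPF_DOMAIN_MECHANISMS = ("include:", "a:", "mx:", "exists:", "ptr:")


def parse_spf(record: str):
    """Return (netblocks, domains) named by one SPF record, each sorted.

    ip4/ip6 terms carry netblocks; include/a/mx/exists/ptr with an argument
    and the redirect modifier carry other domain names. Qualifiers (+ - ~ ?)
    and bare 'a'/'mx'/'all' terms add nothing new, so they are skipped.
    """
    netblocks, domains = set(), set()
    for term in record.split():
        term = term.lstrip("+-~?")
        if term.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            netblocks.add(str(network))
        elif term.startswith(SPF_DOMAIN_MECHANISMS):
            # a:host/28 style terms carry a CIDR length after the host
            domains.add(term.split(":", 1)[1].split("/")[0].lower())
        elif term.startswith("redirect="):
            domains.add(term.split("=", 1)[1].lower())
    return sorted(netblocks), sorted(domains)


def parse_csp(header: str):
    """Return the sorted host names used as sources anywhere in a CSP.

    Keyword sources ('self', 'unsafe-inline'), the bare '*' wildcard and
    scheme-only sources such as data: are skipped. A leading '*.' label is
    kept so the whole trusted zone stays visible.
    """
    hosts = set()
    for directive in header.split(";"):
        parts = directive.split()
        for source in parts[1:]:
            if source.startswith("'") or source == "*":
                continue
            if source.endswith(":") and "/" not in source:
                continue  # scheme-only source, e.g. data: or blob:
            url = source if "://" in source else "//" + source
            host = urlsplit(url).hostname  # lowercased, port removed
            if host:
                hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    print("SPF:", parse_spf(SPF_RECORD))
    print("CSP:", parse_csp(CSP_HEADER))
```

On the constructed inputs parse_spf yields the two netblocks plus _spf.mail.example.net, mx1.example.com and spf.example.org, and parse_csp yields four hosts including the *.widgets.example.org zone; resolving them afterwards is the equivalent of the -r switch above.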
Dnscan
Description
AXFR, brute force
Install
Usage
Subdomain brute-force of a domain:
dnscan.py -d target.com -o outfile -w $wordlist
Subdomain brute-force of domains listed in a file (one per line):
dnscan.py -l $domains_file -o outfile -w $wordlist
Other options:
-i $file: Output discovered IP addresses to a text file
-r: Recursively scan subdomains
-T: TLD expansion
Dnsrecon
Description
DNS zone transfer, DNS cache snooping, TLD expansion, SRV enumeration, DNS records enumeration, brute-force, check for Wildcard resolution, subdomain scraping, PTR record lookup, check DNS server cached records, mDNS records enumeration…
Installation
aptitude install dnsrecon
on Kali, or:
Usage
Brute-force:
dnsrecon -d target.com -D wordlist.txt -t brt
DNS cache snooping:
dnsrecon -t snoop -D wordlist.txt -n 2.2.2.2
where 2.2.2.2 is the IP of the target’s NS server
Options
--threads 8: Number of threads
-n nsserver.com: Use a custom name server
Output options
--db: SQLite 3 file
--xml: XML file
--json: JSON file
--csv: CSV file
Dnssearch
Description
Subdomain brute-force
Installation
Add ~/go/bin/ to PATH by adding this line to ~/.profile:
export PATH=$PATH:$HOME/go/bin/
Usage
dnssearch -domain target.com -wordlist $wordlist
Other options
-a bool: Lookup A records (default true)
-txt bool: Lookup TXT records (default false)
-cname bool: Show CNAME records (default false)
-consumers 10: Number of threads (default 8)
Domained
Description
Wrapper for Sublist3r, Knock, Subbrute, Massdns, Recon-ng, Amass & SubFinder
Installation
Usage
Run Sublist3r (+subbrute), enumall, Knock, Amass & SubFinder:
python domained.py -d target.com
Run only Amass & Subfinder:
python domained.py -d target.com --quick
Brute-force with massdns & subbrute with Seclist wordlist, plus Sublist3r, Amass, enumall & SubFinder:
python domained.py -d target.com --b
Brute-force with Jason Haddix’s All.txt wordlist, plus Sublist3r, Amass, enumall & SubFinder:
python domained.py -d target.com -b --bruteall
Other options
--notify: Send Pushover or Gmail notifications
--noeyewitness: No Eyewitness
--fresh: Delete old data from output folder
Fierce
Description
AXFR, brute force, reverse DNS
https://github.com/bbhunter/fierce-domain-scanner (original link not available anymore)
Installation
Installed by default on Kali
Usage
fierce -dns target.com
Gobuster
Description
todo
Installation
Usage
gobuster -m dns -u target.com -w $wordlist
Other options:
-i: Show IP addresses
-t 50: Number of threads (default 10)
Google
Search engine
Usage
Find subdomains:
site:*.target.com
Find subdomains & exclude specific ones:
site:*.target.com -site:www.target.com -site:help.target.com
Knock
Description
AXFR, virustotal, brute-force
Install
Usage
Use default wordlist:
knockpy target.com
Use custom wordlist:
knockpy target.com -w $wordlist
Resolve domain name & get response headers:
knockpy -r target.com
or
knockpy -r $ip
Save scan output in CSV:
knockpy -c target.com
Export full report in JSON:
knockpy -j target.com
Ldns-walk
Description
DNSSEC zone walking
Installation
aptitude install ldnsutils
Usage
Detect if DNSSEC NSEC or NSEC3 is used:
ldns-walk target.com
ldns-walk @nsserver.com target.com
If DNSSEC NSEC is enabled, you’ll get all the domains
If DNSSEC NSEC3 is enabled, use Nsec3walker
Massdns
Description
DNS resolver
Installation
Usage
Resolve domains:
cd massdns; ./bin/massdns -r lists/resolvers.txt -t AAAA -o S -w results.txt domains.txt
Subdomain brute-force:
./scripts/subbrute.py wordlist.txt target.com | ./bin/massdns -r lists/resolvers.txt -t A -o S -w output.txt
Get subdomains with CT logs parser & resolve them with Massdns:
./scripts/ct.py target.com | ./bin/massdns -r lists/resolvers.txt -t A -o S -w output.txt
Other options:
-s 5000: Number of concurrent lookups (default 10000)
-t A (default), -t AAAA, -t PTR…: Type of DNS records to retrieve
Output options
-o S -w output.txt: Save output as simple text
-o F: Save output as full text
-o J: Save output as ndjson
Nsec3walker
Description
DNSSEC NSEC3 zone walking
Installation
Usage
Rapid7 Forward DNS dataset (Project Sonar)
Description
Public dataset containing the responses to DNS requests for all forward DNS names known by Rapid7’s Project Sonar
Installation
aptitude install jq pigz
Usage
San_subdomain_enum.py
Description
Extract subdomains listed in Subject Alternate Name(SAN) of SSL/TLS certificates
Installation
git clone https://github.com/appsecco/the-art-of-subdomain-enumeration.git
Usage
cd the-art-of-subdomain-enumeration; ./san_subdomain_enum.py target.com
Second Order
Description
Second-order subdomain takeover scanner
Can also be leveraged as an HTML parser to enumerate subdomains
Installation
go get github.com/mhmdiaa/second-order
Usage
Create a new copy of the default config.json file:
cp ~/go/src/github.com/mhmdiaa/second-order/config.json ~/go/src/github.com/mhmdiaa/second-order/config-subs-enum.json
Edit ~/go/src/github.com/mhmdiaa/second-order/config-subs-enum.json and replace
"LogCrawledURLs": false
with
"LogCrawledURLs": true
Run the crawler with the edited config:
second-order -base https://target.com -config ~/go/src/github.com/mhmdiaa/second-order/config-subs-enum.json -output target.com
Look for new subdomains in the resulting folder (./target.com)
Subbrute
Description
Brute-force
Installation
Usage
Test a single domain:
./subbrute.py target.com
Test multiple domains:
./subbrute.py target1.com target2.com
Test a list of domains:
./subbrute.py -t domains.txt
Enumerate subdomains, then their own subdomains:
Other options
-s wordlist.txt: Use a custom subdomains wordlist
-p: Print data from DNS records
-o outfile.txt: Save output in greppable format
-j JSON: Save output to JSON file
-c 10: Number of threads (default 8)
-r resolvers.txt: Use a custom list of DNS resolvers
Subfinder
Description
VirusTotal, PassiveTotal, SecurityTrails, Censys, Riddler, Shodan, Bruteforce
Installation
go get github.com/subfinder/subfinder
Configure API keys:
./subfinder --set-config VirustotalAPIKey=0x41414141
Usage
Scraping:
./subfinder -d target.com -o $outfile
Scraping & brute-force:
subfinder -b -d target.com -w $wordlist -o $outfile
Brute-force only:
./subfinder --no-passive -d target.com -b -w $wordlist -o $outfile
Other options:
-t 100: Number of threads (default 10)
-r 8.8.8.8,1.1.1.1 or -rL resolvers.txt: Use custom resolvers
-nW: Exclude wildcard subdomains
-recursive: Use recursion
-o $outfile -oJ: JSON output
Sublist3r
Description
Baidu, Yahoo, Google, Bing, Ask, Netcraft, DNSdumpster, VirusTotal, Threat Crowd, SSL Certificates, PassiveDNS
Installation
Usage
Scraping:
./sublist3r.py -d target.com -o $outfile
Bruteforce:
./sublist3r.py -b -d target.com -o $outfile
Other options:
-p 80,443: Show only subdomains which have open ports 80 and 443
Theharvester
Description
Tool for gathering subdomain names, e-mail addresses, virtual hosts, open ports/ banners, and employee names from different public sources
Scraping, Brute-force, Reverse DNS, TLD expansion
Scraping sources: Threatcrowd, Crtsh, Google, googleCSE, google-profiles, Bing, Bingapi, Dogpile, PGP, LinkedIn, vhost, Twitter, GooglePlus, Yahoo, Baidu, Shodan, Hunter
Installation
aptitude install theharvester
Usage
Scraping:
theharvester -d target.com -b all
Other options:
-h output.html: Save output to HTML file
-f output.html: Save output to HTML & XML files
-t: Also do TLD expansion discovery
-c: Also do subdomain bruteforce
-n: Also do a DNS reverse query on all ranges discovered
vhost-brute
Description
vhosts brute-force
Installation
Usage
php vhost-brute.php --ip=$ip --domain=target.com --wordlist=$wordlist
Other options:
--threads=5: Maximum threads (default 1)
--port: Set port
--ssl: Force SSL
Virtual-host-discovery
Description
vhosts brute-force
Installation
git clone https://github.com/jobertabma/virtual-host-discovery.git
Usage
cd virtual-host-discovery; ruby scan.rb --ip=1.1.1.1 --host=target.com --output output.txt
Other options
--ssl=on: Enable SSL
--port 8080: Use a custom port
--wordlist wordlist.txt: Use a custom wordlist
Virustotal_subdomain_enum.py
Description
Query VirusTotal API for subdomains
DNS aggregator
Installation
git clone https://github.com/appsecco/the-art-of-subdomain-enumeration.git
Usage
python virustotal_subdomain_enum.py target.com 40
Online tools
Search engines
Specialized search engines
Certificate transparency
Public datasets
Online DNS tools & DNS aggregators
Git repositories
Wordlists
Resources