Subdomain enumeration

Methods to discover the subdomains (and virtual hosts) of a root domain. Passive sources (CT logs, search engines, third-party datasets) reveal names without touching the target; active methods (DNS brute force, Host header fuzzing) send traffic to it.

Certificate Transparency (CT) logs

Publicly trusted certificates are recorded in CT logs, and every hostname in a certificate's Subject Alternative Name (SAN) list is visible there. Searching a CT aggregator such as crt.sh for a root domain (e.g. https://crt.sh/?q=%25.<domain>) therefore lists hostnames the organisation has requested certificates for, including internal or retired names. CT results are historical: a name appearing in a log is not proof that it still resolves, so resolve the output before using it.
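The normalisation step that CT data needs, as an added example (not code from the original page): crt.sh's JSON output packs several names per certificate into the newline-separated name_value field, mixes case, and contains wildcard entries and look-alike names, so the list has to be cleaned before it is fed to a resolver. The root domain example.com and the JSON records are constructed for the example and are not real data.

```python
import json

ROOT = "example.com"  # assumed root domain for the example

# Constructed sample shaped like the JSON crt.sh returns for
# https://crt.sh/?q=%25.example.com&output=json (not real data).
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "example.com\nwww.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "Staging.Example.com",
     "name_value": "Staging.Example.com\nstaging-api.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "vpn.example.com",
     "name_value": "vpn.example.com\nexample.com.evil.net"},
])


def subdomains_from_crtsh(raw_json: str, root: str) -> list[str]:
    """Return sorted, de-duplicated hostnames under `root` from crt.sh JSON.

    - every record can carry several names in `name_value`, one per line
    - a wildcard entry (*.root) only proves a wildcard cert exists, so the
      '*.' is stripped and the bare parent kept
    - names are lower-cased and anything outside `root` (such as the
      look-alike 'example.com.evil.net') is discarded
    """
    root = root.lower().rstrip(".")
    found = set()
    for rec in json.loads(raw_json):
        for name in rec.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == root or name.endswith("." + root):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for host in subdomains_from_crtsh(SAMPLE_CRTSH_JSON, ROOT):
        print(host)
```

Pipe the output into a resolver (or into amass/dnsrecon as a wordlist) to separate live hosts from names that only survive in the logs.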

Google dorks

Search engine indexes expose subdomains that were ever linked or crawled. The basic query is site:<domain>; exclude the hosts already known to surface the rest, e.g. site:<domain> -site:www.<domain>. Results are limited to what the engine indexed and are rate-limited, which is why tools such as sublist3r automate this across several engines.

dnsrecon

Basic command:

$ dnsrecon -t brt -d <domain>

Flags

-t brt: Brute force domains and hosts using a given dictionary

-d: Domain to brute-force

-D: Dictionary file of names to try (dnsrecon falls back to its bundled namelist.txt when omitted)

Caveat: if the zone has a wildcard record (*.<domain>), every guessed name resolves and the results are meaningless. dnsrecon detects this and stops unless told to continue with --iw, so check for wildcard resolution before trusting a brute-force run.

sublist3r

sublist3r enumerates subdomains passively by querying search engines such as Google, Yahoo and Bing, and services such as Netcraft, VirusTotal and DNSdumpster. It sends no DNS traffic to the target unless brute forcing is enabled.

Basic command:

$ sublist3r -d <domain>

Flags

-d: Domain to enumerate subdomains of

-b: Also brute-force names with the bundled subbrute module (active; the wildcard caveat from dnsrecon applies)

ffuf

ffuf can fuzz the virtual hosts served by a single IP address. Each request carries a different value in the HTTP Host header, and a response that differs from the server's default page reveals a name the server actually serves, even when that name has no public DNS record.

$ ffuf -w ~/wordlists/namelist.txt -H "Host: FUZZ.domain.com" -u <target_url>

Flags

-w: Path to wordlist

-H: HTTP header to append to request

-u: Target URL

-fs flag

Some web servers answer every unknown Host value with the same default status code and page (the catch-all or first virtual host). Every word in the wordlist then produces a "valid" response and ffuf reports it as a hit, polluting the results with names that serve nothing.

The -fs flag filters responses by size, so the fixed and predictable size of that default page can be excluded. Measure it first by requesting a name that cannot exist and noting the size ffuf prints:

$ ffuf -w ~/wordlists/namelist.txt -H "Host: FUZZ.domain.com" -u <target_url> -fs <response_size>

If the default page varies slightly in size (timestamps, nonces), filter on word count (-fw) or line count (-fl) instead, or let ffuf measure the baseline itself with -ac (auto-calibrate). Filtering on status code alone (-fc) is rarely enough, since the catch-all page is usually a 200.
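The two steps above, fuzzing the Host header and filtering out the catch-all response by size, as an added example in plain Python rather than ffuf (this is not code from the page or from the ffuf project). The target is a constructed local stand-in: a server that returns one default page for any unknown Host and real content for two names; the root domain example.com, the five-word wordlist and the page bodies are all assumptions made for the example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

TARGET_DOMAIN = "example.com"                      # assumed root domain
WORDLIST = ["www", "admin", "dev", "mail", "test"]  # constructed mini wordlist

# Constructed stand-in for the target: only two names have real content,
# every other Host value gets the same catch-all page (status 200, fixed size).
VHOSTS = {
    "admin.example.com": (200, b"<html>admin panel login</html>"),
    "dev.example.com":   (200, b"<html>dev build 1234</html>"),
}
DEFAULT_PAGE = b"<html><body>It works!</body></html>"


class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        status, body = VHOSTS.get(host, (200, DEFAULT_PAGE))
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(ip, port, host):
    """One request to the IP with a spoofed Host header; returns (status, size)."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    size = len(resp.read())
    conn.close()
    return resp.status, size


def fuzz_vhosts(ip, port, domain, words):
    """Equivalent of `ffuf -H "Host: FUZZ.<domain>" -fs <baseline>`.

    The baseline is the size of the response to a name that cannot exist.
    Any candidate whose response has exactly that size is treated as the
    server's catch-all page and dropped, which is what -fs does.
    """
    _, baseline = probe(ip, port, f"zzz-baseline-probe-qx7.{domain}")
    hits = []
    for word in words:
        host = f"{word}.{domain}"
        status, size = probe(ip, port, host)
        if size != baseline:
            hits.append((host, status, size))
    return baseline, hits


def run_demo():
    srv = start_server()
    try:
        ip, port = srv.server_address
        return fuzz_vhosts(ip, port, TARGET_DOMAIN, WORDLIST)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    baseline, hits = run_demo()
    print(f"baseline (catch-all page) size: {baseline}")
    for host, status, size in hits:
        print(f"{host:25} {status} {size}")
```

Without the size filter all five words would be reported as hits, since the stand-in answers every name with a 200; with it only admin and dev survive. Against a real target, measure the baseline the same way (an impossible name) before reading any results.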

amass

Basic command for subdomain enumeration (passive data sources plus DNS resolution of what they return):

$ amass enum -d <domain>

Flags

-d: Root domain to enumerate

-passive: Collect names from data sources only, without resolving them (no DNS traffic to the target)

-brute: Also brute-force names against the domain's name servers
