Subdomain Enumeration

SSL / TLS Certificates

curl -s <https://crt.sh/\\?cn=%.oneplus.com\\&output=json> | jq -r '.[].name_value' | sed 's/\\*\\.//g' | sort -u

curl -s <https://crt.sh/\\?o=OnePlus\\&output=json> | jq -r '.[].common_name' | sed 's/\\*\\.//g' | sort -u

site:*.domain.com -site:www.domain.com

site:*.domain.com: Searches all webpages related to domain.com including its subdomains.
-site:www.domain.com: Exclude www.domain.com from the results.
site:azena.com: Searches for pages from azena.com domain.
site:azena.com -www -store: Searches for pages from azena.com excluding www and store subdomains.
site:azena.com filetype:xlsx: Searches for excel files under the specified domain.
site:azena.com filetype:xlsx password: Looks for excel spreadsheet with the word password.

dnsrecon -t brt -d [DOMAIN]

./sublist3r.py -d [DOMAIN]

~/go/bin/subfinder -d [DOMAIN]

~/go/bin/subfinder -d [DOMAIN] -all

~/go/bin/subfinder -dL oneplus.com -all

assetfinder [DOMAIN]

assetfinder [DOMAIN] | grep [DOMAIN] | sort -u

amass enum -d [DOMAIN]

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u <http://10.10.43.201> -fs [SIZE]

/go/bin/shuffledns -d [DOMAIN] -w [SUBDOMAINS_WORDLIST] -r [RESOLVERS_LIST] -mode bruteforce -m massdns --silent

# Initialize shodan
shodan init [API_KEY]

# Subdomain enum
shodan domain [DOMAIN]

Last updated 6 months ago