Subdomains
Common Subdomain Collection Methods:
Crawl or Brute Force Fuzzing scripts
CLI tools (dnsrecon, subbrute, fierce, nmap, dnsenum, knock, theHarvester, recon-ng)
Common Subdomain Tools:
WFUZZ
wfuzz -c -f sub-fighter -Z -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000 --sc 200,202,204,301,302,307,403 -u "http://target.site/" -H "Host:FUZZ.target.site"
Subbrute
python subbrute.py microsoft.com
//default wordlist
python subbrute.py microsoft.com -h -s <my wordlist>
Dnsrecon
dnsrecon -d microsoft.com --threads 4 -g
//google enumeration flag
TheHarvester
Pulls from sites like Linkedin, People123, Twitter, Google+, etc
theharvester -d cisco.com -b linkedin -l 200 -f /root/Desktop/ciscoresults.html
Netcraft
Will list the subdomains for a domain
Last updated