Subdomains

Common Subdomain Collection Methods:

Netcraft
Google Dorks
Crawl or Brute Force Fuzzing scripts
Zone Transfers
CLI tools (dnsrecon, subbrute, fierce, nmap, dnsenum, knock, theHarvester, recon-ng)

Common Subdomain Tools:

WFUZZ

wfuzz -c -f sub-fighter -Z -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000 --sc 200,202,204,301,302,307,403 -u "http://target.site/" -H "Host:FUZZ.target.site"

Subbrute

python subbrute.py microsoft.com//default wordlistpython subbrute.py microsoft.com -h -s <my wordlist>

Dnsrecon

dnsrecon -d microsoft.com --threads 4 -g //google enumeration flag

TheHarvester

Pulls from sites like Linkedin, People123, Twitter, Google+, etc theharvester -d cisco.com -b linkedin -l 200 -f /root/Desktop/ciscoresults.html

Netcraft

Will list the subdomains for a domain

PreviousWhatWeb NextDirectory & File Enumeration

Last updated 1 year ago