Recon
Exclude the default www subdomain and look for any other subdomains.
-site:www.domain.com site:*.domain.com
dnsrecon -t brt -d <domain>
./sublist3r.py -d <domain>
E.g. private DNS server or specified locally in /etc/hosts
ffuf -w <wordlist-file> -H "Host: FUZZ.domain.com" -u http://<ip>