d4Rk's 1337 h4x0r guide
About me
Search…
Introduction
Reconnaissance
Recon
OSINT
Enumeration
Network discovery
Port scanning
Webserver scanning
Exploit detection
Fuzzing
Process monitoring
Exploitation
Shells
Passwords
Web
Buffer overflow
Misc
Privilege escalation
Linux
Windows
Post exploitation
Loot
Pivoting
Standalone Tools
Services
TCP
UDP
Misc
File transfer
Overview
Wget
Pure-FTPd
TFTP
VBScript: Wget clone
Misc
Bash
Burp Suite
Crypto
Ebowla
Firefox extensions
Impacket
Memory forensics
Metasploit Framework (MSF)
MITM
Msfvenom
Pass the Hash (PTH)
PowerShell
PowerShell on Linux
Wireshark
Wordlists and dictionaries
Bug Bounty
Platforms
Tools
Powered By GitBook
Recon

Related

​Bug bounty/Tools​

Subdomain discovery

SSL/TLS Certificates

Find subdomains via ssl-certificates. E.g. using crt.sh​

Google

Exclude default www subdomain and look for any other subdomains.
1
-site:www.domain.com site:*.domain.com
Copied!

dnsrecon

1
dnsrecon -t brt -d <domain>
Copied!

Sublist3r

Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. Sublist3r​
1
/sublist3r.py -d <domain>
Copied!

Non-public DNS

E.g. private DNS server or specified locally in /etc/hosts

fuff

See also Webserver scanning​
1
ffuf -w <wordlist-file> -H "Host: FUZZ.domain.com" -u http://<ip>
Copied!
Previous
Introduction
Next - Reconnaissance
OSINT
Last modified 6mo ago
Copy link
Edit on GitHub
Contents
Related
Subdomain discovery
SSL/TLS Certificates
Google
dnsrecon
Sublist3r
Non-public DNS
fuff