Recon
Subdomain discovery
SSL/TLS Certificates
Find subdomains via SSL/TLS certificates (certificate transparency logs), e.g. using crt.sh. Any name listed as a subject alternative name on an issued certificate shows up there, including internal or staging hosts that were never meant to be public.
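As an added example (not part of the original page), the following script parses a crt.sh JSON export (the format returned by https://crt.sh/?q=%25.<domain>&output=json) into a de-duplicated set of hostnames under a domain, and diffs them against a known asset inventory so that unexpected names issued for your own domain stand out. The sample response is constructed inline; the inventory set and the function names are assumptions.

```python
import json
from typing import Iterable, Set

# crt.sh's JSON export returns a list of certificate records; `name_value`
# holds the subject alternative names, newline-separated, possibly with
# wildcards and mixed case. Constructed sample for example.com (not real
# crt.sh output):
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com\nwww.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc",
     "name_value": "*.example.com\nmail.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "WWW.Example.com\nstaging.internal.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com.evil.test"},  # unrelated domain, shared prefix
])


def hostnames_from_crtsh(raw_json: str, domain: str) -> Set[str]:
    """Extract distinct hostnames under `domain` from a crt.sh JSON export.

    - splits newline-separated `name_value` entries
    - lower-cases, strips a trailing dot and a leading '*.' wildcard label
    - keeps only the apex itself or names ending in '.' + domain, so that
      look-alike names such as example.com.evil.test are not counted
    """
    domain = domain.lower().strip(".")
    found: Set[str] = set()
    for record in json.loads(raw_json):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return found


def new_hostnames(current: Iterable[str], known: Iterable[str]) -> Set[str]:
    """Names in the latest CT pull that are missing from the asset inventory."""
    return set(current) - set(known)


if __name__ == "__main__":
    hosts = hostnames_from_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    known_inventory = {"example.com", "www.example.com", "mail.example.com"}
    for host in sorted(hosts):
        print(host)
    print("not in inventory:", sorted(new_hostnames(hosts, known_inventory)))
```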
Google
Exclude the default www subdomain and look for any other subdomains.
-site:www.domain.com site:*.domain.com
dnsrecon
dnsrecon -t brt -d <domain>
Sublist3r
Sublist3r is a Python tool designed to enumerate subdomains of websites using OSINT sources.
python sublist3r.py -d <domain>
Non-public DNS
E.g. a private DNS server, or names defined only locally in /etc/hosts. Such names never appear in public sources, so they are found by fuzzing the Host header against the web server's IP instead.
ffuf
See also Webserver scanning
ffuf -w <wordlist-file> -H "Host: FUZZ.domain.com" -u http://<ip>