Recon

Related
​Bug bounty/Tools​
Subdomain discovery
SSL/TLS Certificates
Find subdomains via ssl-certificates.
E.g. using crt.sh​
Google
Exclude default www subdomain and look for any other subdomains.
-site:www.domain.com site:*.domain.com
dnsrecon
dnsrecon -t brt -d <domain>
Sublist3r
Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT.
Sublist3r​
/sublist3r.py -d <domain>
Non-public DNS
E.g. private DNS server or specified locally in /etc/hosts
fuff
See also Webserver scanning​
ffuf -w <wordlist-file> -H "Host: FUZZ.domain.com" -u http://<ip>

Last modified 11mo ago