
Subdomains Enumeration

  • Enumerate all subdomains
    • Subbrute
    • KnockPy
    • GoogleDorks
    • EyeWitness
    • Sublist3r
    • Subfinder
    • Findomain
    • Aquatone (Ruby and Go versions)
    • AltDNS
    • MassDNS
    • Nmap
  • Subdomain take over
    • tko-subs
    • HostileSubBruteForcer
    • SubOver

Enumerate all subdomains (only if the scope is *.domain.ext)

Using Subbrute

git clone

Using KnockPy with the subdomain wordlists from Daniel Miessler's SecLists ("/Discover/DNS")

git clone
git clone
knockpy -w subdomains-top1mil-110000.txt

Using EyeWitness and Nmap scans from the KnockPy and enumall scans

git clone
./ -f filename -t optionaltimeout --open (Optional)
./EyeWitness -f urls.txt --web
./EyeWitness -x urls.xml -t 8 --headless
./EyeWitness -f rdp.txt --rdp

Using Google Dorks and Google Transparency Report

You need to include subdomains ;)[DOMAIN]g&incl_exp=true&incl_sub=true

site:* -www filetype:pdf inurl:'&' inurl:login,register,upload,logout,redirect,redir,goto,admin ext:php,asp,aspx,jsp,jspa,txt,swf

Using Sublist3r

To enumerate subdomains of a specific domain and show the results in real time:
python -v -d

To enumerate subdomains and enable the bruteforce module:
python -b -d

To enumerate subdomains using specific engines, such as Google, Yahoo and VirusTotal:
python -e google,yahoo,virustotal -d


Using Subfinder

go get
./Subfinder/subfinder --set-config PassivetotalUsername='USERNAME',PassivetotalKey='KEY'
./Subfinder/subfinder --set-config RiddlerEmail="EMAIL",RiddlerPassword="PASSWORD"
./Subfinder/subfinder --set-config CensysUsername="USERNAME",CensysSecret="SECRET"
./Subfinder/subfinder --set-config SecurityTrailsKey='KEY'
./Subfinder/subfinder -d -o /tmp/results_subfinder.txt

Using Findomain

$ wget
$ chmod +x findomain-linux
$ findomain_spyse_token="YourAccessToken"
$ findomain_virustotal_token="YourAccessToken" 
$ findomain_fb_token="YourAccessToken" 
$ ./findomain-linux -t -o

Using Aquatone - old version (Ruby)

gem install aquatone

Discover subdomains: results in ~/aquatone/
aquatone-discover --domain
aquatone-discover --domain --threads 25
aquatone-discover --domain --sleep 5 --jitter 30
aquatone-discover --set-key shodan o1hyw8pv59vSVjrZU3Qaz6ZQqgM91ihQ

Active scans: results in ~/aquatone/
aquatone-scan --domain
aquatone-scan --domain --ports 80,443,3000,8080
aquatone-scan --domain --ports large
aquatone-scan --domain --threads 25

Final results
aquatone-gather --domain

Alternatively, you can use the Docker image provided by txt3rob.
docker pull txt3rob/aquatone-docker
docker run -it txt3rob/aquatone-docker aq

Using Aquatone - new version (Go)

# Subfinder version
./Subfinder/subfinder -d $1 -r, -nW -o /tmp/subresult$1
cat /tmp/subresult$1 | ./Aquatone/aquatone -ports large -out /tmp/aquatone$1

# Amass version
./Amass/amass -active -brute -o /tmp/hosts.txt -d $1
cat /tmp/hosts.txt | ./Aquatone/aquatone -ports large -out /tmp/aquatone$1

Using AltDNS

It's recommended to use massdns to resolve the output of AltDNS, since AltDNS only generates candidate names and does not check which of them exist.

python2.7 ./Altdns/ -i /tmp/inputdomains.txt -o /tmp/out.txt -w $WORDLIST_PERMUTATION

Alternatively, you can use goaltdns.

Using MassDNS

cat /tmp/results_subfinder.txt | massdns -r $DNS_RESOLVERS -t A -o S -w /tmp/results_subfinder_resolved.txt
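The two pieces of glue around AltDNS and massdns, as an added example that is not part of the original page and not the code of either tool: `altdns_permutations` builds candidate names from a subdomain list and a permutation wordlist the way AltDNS does (word as a new leftmost label, word as a hyphenated prefix, word as a hyphenated suffix), and `massdns_resolved_hosts` / `massdns_cname_targets` reduce massdns `-o S` output (one `owner. TYPE rdata` record per line) to the unique hosts that answered and to `owner target` CNAME pairs. The function names and the sample files are constructed for this example.

```shell
#!/bin/sh
# Added example: AltDNS-style permutation generation and massdns "-o S" parsing.
# Function names and sample data are constructed here; massdns is assumed to have
# been run with "-o S", which prints one "owner. TYPE rdata" record per line.

# altdns_permutations SUBDOMAIN_FILE WORDLIST
# For each known host a.b.tld and each word w, emit w.a.b.tld, w-a.b.tld and a-w.b.tld.
altdns_permutations() {
    awk 'NR == FNR { words[++n] = $1; next }
         NF {
             host = $1
             split(host, labels, ".")
             first = labels[1]
             rest = substr(host, length(first) + 2)
             for (i = 1; i <= n; i++) {
                 print words[i] "." host
                 print words[i] "-" first "." rest
                 print first "-" words[i] "." rest
             }
         }' "$2" "$1" | sort -u
}

# massdns_resolved_hosts MASSDNS_OUTPUT
# Unique owner names that received any answer, with massdns's trailing dot removed.
massdns_resolved_hosts() {
    awk 'NF >= 3 { sub(/\.$/, "", $1); print $1 }' "$1" | sort -u
}

# massdns_cname_targets MASSDNS_OUTPUT
# "owner target" pairs for CNAME answers: the input a dangling-record review needs.
massdns_cname_targets() {
    awk '$2 == "CNAME" { sub(/\.$/, "", $1); sub(/\.$/, "", $3); print $1, $3 }' "$1" | sort -u
}

# --- constructed sample input (not real enumeration results) ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/subdomains.txt" <<'EOF'
api.example.com
www.example.com
EOF
cat > "$SAMPLE_DIR/words.txt" <<'EOF'
dev
staging
EOF
cat > "$SAMPLE_DIR/massdns.txt" <<'EOF'
api.example.com. A 192.0.2.10
www.example.com. A 192.0.2.20
www.example.com. A 192.0.2.21
dev-api.example.com. CNAME api-dev.example.net.
EOF

altdns_permutations "$SAMPLE_DIR/subdomains.txt" "$SAMPLE_DIR/words.txt" > "$SAMPLE_DIR/candidates.txt"
echo "candidates to resolve: $(wc -l < "$SAMPLE_DIR/candidates.txt" | tr -d ' ')"
echo "hosts that resolved:"
massdns_resolved_hosts "$SAMPLE_DIR/massdns.txt"
```

In a real run, `candidates.txt` is what you feed to `massdns -r resolvers.txt -t A -o S -w massdns.txt`, and the two parsers then turn that output into the lists the rest of the workflow expects. Owner names are deduplicated because massdns prints one line per record, so a host with several A records would otherwise appear several times.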

Using Nmap

nmap -sn --script hostmap-crtsh host_to_scan.tld

Subdomain take over

Check Can I take over xyz by EdOverflow for a list of services and how to claim (sub)domains with dangling DNS records.
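A defender-side check for the condition described above, as an added example that is not part of the original page and not EdOverflow's or tko-subs' code: a POSIX shell/awk report that cross-references the CNAME records of a zone you own with the resolution status of each target and a list of third-party hosting suffixes. A CNAME whose target returns NXDOMAIN while its suffix belongs to a service where anyone can register hostnames is the dangling record to remove or reclaim first. The file formats, provider names and sample records are all constructed for this example; the provider list is a simplified two-column form, not the tko-subs providers-data.csv layout.

```shell
#!/bin/sh
# Added example: flag dangling CNAME records in a zone you own.
# Input formats are constructed for this example:
#   cnames.txt    "owner target"             one CNAME record per line (zone export)
#   status.txt    "target NXDOMAIN|NOERROR"  resolution result per target
#   providers.csv "ProviderName,cname.suffix" services with user-claimable hostnames
#   (two columns chosen here; not the tko-subs providers-data.csv layout)

# cname_report CNAME_FILE STATUS_FILE PROVIDER_FILE
# Prints "owner target provider status" for every CNAME record.
cname_report() {
    awk -F'[ ,]+' '
        FNR == 1 { f++ }
        f == 1 { status[$1] = $2; next }           # status.txt
        f == 2 { provider[$2] = $1; next }         # providers.csv
        NF >= 2 {                                  # cnames.txt
            owner = $1; target = $2
            st = (target in status) ? status[target] : "UNCHECKED"
            prov = "unknown"
            for (suffix in provider) {
                tl = length(target); sl = length(suffix)
                # match only on a label boundary: target must end in ".suffix"
                if (tl > sl && substr(target, tl - sl) == "." suffix) prov = provider[suffix]
            }
            print owner, target, prov, st
        }' "$2" "$3" "$1"
}

# dangling_cnames CNAME_FILE STATUS_FILE PROVIDER_FILE
# The actionable subset: targets that no longer exist. Rows with a known provider
# are the takeover candidates; delete the record or re-register the target name.
dangling_cnames() {
    cname_report "$1" "$2" "$3" | awk '$4 == "NXDOMAIN"'
}

# --- constructed sample data (not real zone or resolver output) ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/cnames.txt" <<'EOF'
docs.example.com docs-team.pages.hosta.example
assets.example.com a1b2.edge.cdnb.example
mail.example.com mx.corp.example.com
EOF
cat > "$SAMPLE_DIR/status.txt" <<'EOF'
docs-team.pages.hosta.example NXDOMAIN
a1b2.edge.cdnb.example NOERROR
EOF
cat > "$SAMPLE_DIR/providers.csv" <<'EOF'
StaticHostA,pages.hosta.example
CdnB,edge.cdnb.example
EOF

echo "full report:"
cname_report "$SAMPLE_DIR/cnames.txt" "$SAMPLE_DIR/status.txt" "$SAMPLE_DIR/providers.csv"
echo "dangling records to fix:"
dangling_cnames "$SAMPLE_DIR/cnames.txt" "$SAMPLE_DIR/status.txt" "$SAMPLE_DIR/providers.csv"
```

Targets that were never resolved show up as UNCHECKED rather than being silently treated as healthy, so a gap in the status file cannot hide a dangling record. The suffix match insists on a label boundary so that a provider suffix like `pages.hosta.example` does not match an unrelated host such as `mypages.hosta.example`.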

Using tko-subs

go get
./bin/tko-subs -domains=./lists/domains_tkos.txt -data=./lists/providers-data.csv  

Using HostileSubBruteForcer

git clone
chmod +x sub_brute.rb

Using SubOver

go get
./SubOver -l subdomains.txt