## DNS

```bash
dnsenum --dnsserver 8.8.8.8 --enum -p 0 -s 0 --threads 12 -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt domain.name
gobuster dns -d domain.name -w /usr/share/SecLists/Discovery/DNS/namelist.txt
```

(On Kali the SecLists package installs to `/usr/share/seclists`; adjust the wordlist path to match your install.)

## ProjectDiscovery Tools

Install the tool manager:

```bash
sudo apt update && sudo apt install golang-go -y
go install -v github.com/projectdiscovery/pdtm/cmd/pdtm@latest
```

Export the Go tools in `PATH`. Append this at the end of `~/.bashrc` or `~/.zshrc`:

```bash
export GOPATH="$HOME/go"
export PATH="$PATH:$GOPATH/bin"
```

Install all tools (the pdtm documentation covers the remaining options):

```bash
sudo apt update && sudo apt install massdns libcap-dev -y
pdtm -ia
```

### Subfinder
OSINT: it collects subdomains from multiple passive sources. Configure subfinder a little more by adding some provider API keys:

```bash
vim ~/.config/subfinder/config.yaml
vim ~/.config/subfinder/provider-config.yaml
```

```bash
subfinder -d domain.name -all | tee -a domains.txt
```

### Assetfinder
Not a ProjectDiscovery tool. It finds subdomains and other related domains through OSINT.

Install (`go install ...@latest` replaces the older `go get -u` form, which no longer builds binaries in current Go releases):

```bash
go install github.com/tomnomnom/assetfinder@latest
```

```bash
assetfinder domain.name -subs-only | tee -a domains.txt
```

### ShuffleDNS
This tool brute-forces subdomains by resolving candidate names through multiple resolvers. If a name resolves, it exists. Think of it as `gobuster dns` backed by a resolver pool.

Download a resolver IP list. Not strictly needed (8.8.8.8 alone works), but spreading queries over several resolvers gives better results:

```bash
wget https://github.com/trickest/resolvers/raw/refs/heads/main/resolvers.txt
```

Brute-force subdomains of a domain name. Needs a subdomain wordlist and the resolver list:

```bash
shuffledns -d domain.name -w /usr/share/wordlists/seclists/Discovery/DNS/shubs-subdomains.txt -r resolvers.txt -mode bruteforce | tee -a ./domains.txt
```

Validate that the domains collected in `domains.txt` exist by resolving the whole list. Write the result to a separate file; appending back into `domains.txt` would duplicate the input names:

```bash
shuffledns -list ./domains.txt -r resolvers.txt -mode resolve | tee -a resolved.txt
```

### Alterx
This tool takes a list of domain names and creates permutations, for example turning `api.domain.name` into `dev-api.domain.name`. It does not resolve anything; pipe its output into dnsx to confirm which permutations actually exist.

Configure it a little more:

```bash
vim ~/.config/alterx/config.yaml
vim ~/.config/alterx/permutation*.yaml
```

```bash
cat domains.txt | alterx | tee -a altered_DN.txt
```

### DnsX
This tool resolves domain names. If a name resolves, it exists; permutations from alterx that do not resolve are dropped here.

```bash
cat altered_DN.txt | dnsx | tee -a all_domains.txt
```

### Subzy
Not a ProjectDiscovery tool. It finds subdomains that can be taken over (dangling records that point at unclaimed third-party services).

```bash
subzy run --targets domains.txt
```

### Httpx
This tool sends a simple `GET` to the target domain(s) and returns a status code such as `200`, `302`, `404`, etc. It can also report more information such as the title and content length. Domains that answer `200` are live. Sometimes a `404` doesn't mean the host isn't live: do a directory brute force on it as well.

```bash
cat all_domains.txt | httpx -sc > status.txt
cat status.txt | grep '\[200\]'
cat all_domains.txt | httpx -sc -cl -location > httpx.txt
```

Grep for the bracketed `[200]` rather than a bare `200`, otherwise a content length or a URL that happens to contain `200` also matches. If the saved files contain ANSI colour codes, add `-nc` to the httpx command.

### Eyewitness
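As an added example (not part of these notes and not httpx's own code), a small Python parser that reads saved httpx output such as `status.txt` or `httpx.txt`, strips ANSI colour codes, and sorts hosts by status code. The sample lines, and the names `SAMPLE_HTTPX_OUTPUT`, `parse_httpx_line`, `bucket_by_status` and `triage`, are constructed for this example. One constructed line is a `404` with content length `200`, which is exactly the case a bare `grep '200'` gets wrong.

```python
import re
from collections import defaultdict

# ANSI colour sequences that httpx may leave in a redirected file (use -nc to avoid them)
ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")

# One httpx line: "<url> [<status>]" followed by optional bracketed fields
# (-cl adds the content length, -location adds the redirect target)
LINE_RE = re.compile(r"^(\S+)\s+\[(\d{3})\](.*)$")

# Constructed sample (not real scan data) in the shape of `httpx -sc -cl -location` output.
# The third line carries colour codes and a 404 whose content length is 200.
SAMPLE_HTTPX_OUTPUT = """\
https://www.domain.name [200] [5120]
https://app.domain.name [302] [0] [https://login.domain.name/]
\x1b[34mhttps://old.domain.name\x1b[0m [\x1b[33m404\x1b[0m] [200]
https://mail.domain.name [403] [287]
http://legacy.domain.name [200] [932]
"""


def parse_httpx_line(line):
    """Return (url, status, extra_fields) for one httpx line, or None if it does not parse."""
    clean = ANSI_RE.sub("", line).strip()
    m = LINE_RE.match(clean)
    if not m:
        return None
    url, status, rest = m.group(1), int(m.group(2)), m.group(3)
    extras = re.findall(r"\[([^\]]*)\]", rest)
    return url, status, extras


def bucket_by_status(text):
    """Map each status code to the list of URLs that returned it, in input order."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_httpx_line(line)
        if parsed:
            url, status, _ = parsed
            buckets[status].append(url)
    return dict(buckets)


def triage(text):
    """Split hosts into live (200), redirects (3xx, with target) and hosts that
    answered something else. A 403/404 host still answered, so it is not dead;
    the notes above suggest directory brute force before writing it off."""
    result = {"live": [], "redirect": [], "unconfirmed": []}
    for line in text.splitlines():
        parsed = parse_httpx_line(line)
        if parsed is None:
            continue
        url, status, extras = parsed
        if status == 200:
            result["live"].append(url)
        elif 300 <= status < 400:
            # with -location the redirect target is the last bracketed field
            last = extras[-1] if extras else ""
            location = last if last.startswith(("http://", "https://")) else None
            result["redirect"].append((url, location))
        else:
            result["unconfirmed"].append((url, status))
    return result


if __name__ == "__main__":
    # Replace SAMPLE_HTTPX_OUTPUT with open("httpx.txt").read() on real output
    for status, urls in sorted(bucket_by_status(SAMPLE_HTTPX_OUTPUT).items()):
        print(status, urls)
    print(triage(SAMPLE_HTTPX_OUTPUT))
```

The regex anchors on the bracketed status that directly follows the URL, so the content-length field can never be mistaken for a status code, and stripping colour codes first means the parser works whether or not `-nc` was used.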
Not a ProjectDiscovery tool. It does a `GET` on each website, takes a screenshot, then spits out a report. This helps us find interesting targets to begin with.

```bash
eyewitness -f interesting_domains.txt -d eyewitness
```

## Shodan
Get the list of IPs from the discovered hostnames, then look each IP up on Shodan. The second `grep` keeps only A records under the target domain (change `inlanefreight.com` and the input file name to match your own target); deduplicate the IPs before querying Shodan so each host is looked up once:

```bash
for i in $(cat subdomainlist); do host $i | grep "has address" | grep inlanefreight.com | cut -d" " -f4 >> ip-addresses.txt; done
for i in $(sort -u ip-addresses.txt); do shodan host $i; done
```

## Registered SSL Certs
Pull every certificate crt.sh has logged for the domain:

```bash
curl -s 'https://crt.sh/?q=domain.name&output=json' | jq . > domains.json
```

Select and sort any certs whose `name_value` field contains the word `dev`:

```bash
curl -s 'https://crt.sh/?q=domain.name&output=json' | jq -r '.[] | select(.name_value | contains("dev")) | .name_value' | sort -u
```

Two caveats: `name_value` holds all names on a certificate as one newline-separated string, so a matching cert prints every name on it, including ones without `dev`, and `contains` is case-sensitive, so `DEV.domain.name` is missed. `q=%25.domain.name` (URL-encoded `%.domain.name`) is the wildcard form for asking crt.sh about subdomains.
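As an added example (not part of these notes and not crt.sh's code), a Python parser for the JSON that crt.sh returns. It splits each `name_value` into individual hostnames, normalises case and wildcards, keeps only names under the target domain, and then filters per name, so it avoids both caveats of the jq one-liner above. The records in `SAMPLE_CRTSH_JSON` are constructed with crt.sh's field names but made-up values; `hostnames`, `in_scope`, `with_keyword` and `jq_style_match` are names chosen for this example.

```python
import json

# Constructed sample in the shape crt.sh returns for output=json (same field
# names, made-up values). A real query would be:
#   curl -s 'https://crt.sh/?q=domain.name&output=json'
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.domain.name",
     "name_value": "domain.name\nwww.domain.name",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"common_name": "dev-api.domain.name",
     "name_value": "dev-api.domain.name\napi.domain.name\n*.staging.domain.name",
     "not_before": "2023-06-01T00:00:00", "not_after": "2023-08-30T23:59:59"},
    {"common_name": "DEV.domain.name",
     "name_value": "DEV.domain.name",
     "not_before": "2022-02-01T00:00:00", "not_after": "2022-05-02T23:59:59"},
    {"common_name": "dev.otherdomain.example",
     "name_value": "dev.otherdomain.example\ndomain.name",
     "not_before": "2024-03-01T00:00:00", "not_after": "2024-05-30T23:59:59"},
])


def hostnames(raw_json):
    """All hostnames named by any certificate, one per list entry.

    crt.sh packs every SAN of a certificate into one newline-separated
    name_value string, so the field has to be split before per-name filtering.
    """
    names = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]  # a wildcard cert still reveals its parent label
            if name:
                names.add(name)
    return sorted(names)


def in_scope(names, domain):
    """Keep the apex and its subdomains only; a cert can carry unrelated SANs."""
    domain = domain.lower()
    return [n for n in names if n == domain or n.endswith("." + domain)]


def with_keyword(names, keyword):
    """Case-insensitive keyword match applied to each hostname separately."""
    keyword = keyword.lower()
    return [n for n in names if keyword in n]


def jq_style_match(raw_json, keyword):
    """Reproduce what `select(.name_value | contains(KW)) | .name_value | sort -u`
    prints: every line of a matching entry, case-sensitively, including names
    that do not contain the keyword themselves."""
    lines = set()
    for entry in json.loads(raw_json):
        value = entry.get("name_value", "")
        if keyword in value:
            lines.update(value.splitlines())
    return sorted(lines)


if __name__ == "__main__":
    # On real data: hostnames(open("domains.json").read())
    scoped = in_scope(hostnames(SAMPLE_CRTSH_JSON), "domain.name")
    print("in scope :", scoped)
    print("dev names:", with_keyword(scoped, "dev"))
    print("jq style :", jq_style_match(SAMPLE_CRTSH_JSON, "dev"))
```

On the constructed data the jq-style filter returns `api.domain.name` and `domain.name` (they share a certificate with a `dev` name) and misses `DEV.domain.name` (case), while the per-name filter returns exactly `dev-api.domain.name` and `dev.domain.name`.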