Head to https://chaos.projectdiscovery.io/

DNS

dnsenum --dnsserver 8.8.8.8 --enum -p 0 -s 0 --threads 12 -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt domain.name
gobuster dns -d domain.name -w /usr/share/SecLists/Discovery/DNS/namelist.txt

Vhost Bruteforce (No DNS)

Brute-force virtual hosts by sending candidate names in the Host header, without any DNS lookups. Mostly useful for CTFs.

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt:FUZZ -u http://$target/ -H "Host: FUZZ.$target_domain"
gobuster vhost -k -t 12 --append-domain -u http://domain.name -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

ProjectDiscovery Tools

Install the tool manager

sudo apt update && sudo apt install golang-go -y
go install -v github.com/projectdiscovery/pdtm/cmd/pdtm@latest

Put the Go binaries on PATH. Append this at the end of ~/.bashrc or ~/.zshrc

export GOPATH="$HOME/go"
export PATH="$PATH:$GOPATH/bin"

Install all tools. Documentation is here

sudo apt update && sudo apt install massdns libpcap-dev -y
pdtm -ia

Subfinder

OSINT: it finds subdomains from multiple passive sources.

Subfinder should be configured a little further: add provider API keys, otherwise many sources are skipped.

vim ~/.config/subfinder/config.yaml
vim ~/.config/subfinder/provider-config.yaml
subfinder -d domain.name -all | tee -a domains.txt

Assetfinder

Not a ProjectDiscovery tool. It finds subdomains and other related domains through OSINT.

Install

# go get can no longer install binaries (Go 1.18+); use go install instead
go install github.com/tomnomnom/assetfinder@latest
assetfinder domain.name -subs-only | tee -a domains.txt

Alterx

This tool takes a list of domain names and creates permutations, e.g. from api.domain.name to dev-api.domain.name. It does not resolve them, so the output should be piped into #DnsX or #ShuffleDNS to resolve. Personally, I don't even bother using alterx. Most of the permutations are going to be out of scope anyway.

The tool can be configured in these files.

vim ~/.config/alterx/config.yaml
vim ~/.config/alterx/permutation*.yaml
cat domains.txt | alterx | tee -a altered_DN.txt

ShuffleDNS

This tool brute-forces subdomains by resolving candidates against multiple resolvers. If a name resolves, it exists. You can think of its functionality as gobuster dns.

Download a list of resolver IPs. Not strictly needed (8.8.8.8 alone works), but querying several resolvers gives better results.

wget https://github.com/trickest/resolvers/raw/refs/heads/main/resolvers.txt

Brute-force subdomains of a domain name. Needs a subdomain wordlist and a resolver list.

shuffledns -d domain.com -w /usr/share/wordlists/seclists/Discovery/DNS/shubs-subdomains.txt -r resolvers.txt -mode bruteforce | tee -a ./domains.txt

Validate that the domains in domains.txt exist by simply resolving each one.

# write to a separate file: appending to the list being read duplicates entries
shuffledns -list ./domains.txt -r resolvers.txt -mode resolve | tee -a resolved.txt

DnsX

This tool tries to resolve each domain name. If the name resolves, it exists.

cat altered_DN.txt | dnsx | tee -a all_domains.txt

Shodan

Get the list of IPs for the subdomains, then look each one up on Shodan.

# grep for the target domain so only its A records are kept (domain.name is the placeholder used throughout)
for i in $(cat subdomainlist);do host $i | grep "has address" | grep domain.name | cut -d" " -f4 >> ip-addresses.txt;done

for i in $(cat ip-addresses.txt);do shodan host $i;done

Registered SSL Certs

curl -s 'https://crt.sh/?q=domain.name&output=json' | jq . > domains.json

Select and sort (unique) any certs whose name_value field contains the word dev

curl -s 'https://crt.sh/?q=domain.name&output=json' | jq -r '.[] | select(.name_value | contains("dev")) | .name_value' | sort -u
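As an added example (my own code, not part of crt.sh or the ProjectDiscovery tooling), a small Python parser for the crt.sh JSON above: it splits multi-SAN name_value fields on newlines (the jq one-liner treats each field as one string), strips wildcard prefixes, keeps only names under the target domain, and can apply the same "dev" keyword filter. The sample JSON is constructed.

```python
import json

# Constructed sample in the shape crt.sh returns for output=json; not real data.
SAMPLE_CRTSH_JSON = json.dumps([
    {"name_value": "dev.domain.name\napi-dev.domain.name"},  # multi-SAN cert
    {"name_value": "*.domain.name\ndomain.name"},            # wildcard cert
    {"name_value": "WWW.Domain.Name"},                       # mixed case
    {"name_value": "dev.domain.name"},                       # reissued, same name
    {"name_value": "otherdomain.name"},                      # unrelated domain on a cert
])


def crtsh_names(raw_json, domain, keyword=None):
    """Return sorted unique hostnames under `domain` found in crt.sh JSON.

    - splits each name_value on newlines: one cert can list many SANs, and
      the jq one-liner treats the whole field as a single string
    - lowercases and strips the "*." wildcard prefix so the output can be
      fed straight to dnsx / shuffledns
    - drops names outside the target domain (a SAN list can mix domains)
    - keyword, if given, keeps only names containing it (the "dev" filter)
    """
    domain = domain.lower()
    suffix = "." + domain
    found = set()
    for cert in json.loads(raw_json):
        for name in cert.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if not name or (name != domain and not name.endswith(suffix)):
                continue
            if keyword and keyword not in name:
                continue
            found.add(name)
    return sorted(found)


if __name__ == "__main__":
    # Same result as the jq one-liner: names containing "dev", sorted, unique.
    for host in crtsh_names(SAMPLE_CRTSH_JSON, "domain.name", keyword="dev"):
        print(host)
```

Replace SAMPLE_CRTSH_JSON with the contents of domains.json saved above to process a real query.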