Preface
The idea is as follows:
Public intelligence: certificates, DNS records, on-site URLs. Non-public intelligence: subdomain enumeration, DNS zone transfer, client-side APIs, hosted platforms like GitHub, and companies that can collect user browsing data.
Search Engines
Search engines are a low-yield source, but a basic Google dork still turns up indexed hosts (the site: operator works the same way in Bing and other engines):
site:target.com
Use the minus sign to exclude subdomains you already know, so the remaining results surface new ones:
site:target.com -site:www.target.com -site:blog.target.com
Certificates
Certificate Transparency logs
Chrome requires publicly trusted TLS certificates issued after 30 April 2018 to be logged in Certificate Transparency (the policy was announced in 2017), so CT logs are a near-complete record of hostnames that have had an HTTPS certificate, and querying them reveals subdomains of HTTPS-enabled sites without touching the target.
Search interfaces over CT logs: crt.sh, censys.io, the Google Transparency Report certificate search, and Facebook's Certificate Transparency Monitoring tool.
Subject Alternative Name
The Subject Alternative Name (SAN) extension of a multi-domain certificate lists every hostname the certificate is valid for, so a single certificate fetched from a known host can reveal other domains and subdomains owned by the same organization. Wildcard entries such as *.target.com show that a zone exists but name no individual host in it.
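The following is an added example (not code from the original notes) that turns a crt.sh JSON result into a clean subdomain list; it serves both the CT-log and the SAN passages above, because crt.sh's name_value field contains the CN plus every SAN entry of each certificate. The sample JSON is constructed to mimic crt.sh's output format and is not real certificate data; the hostnames target.com, nottarget.com and partner.example are placeholders. It drops expired certificates by default, separates wildcard names, lower-cases everything, and uses a suffix test that does not mistake sub.nottarget.com for a subdomain of target.com.

```python
import json
import sys
import urllib.request
from datetime import datetime

# Constructed sample in the shape crt.sh returns for
# https://crt.sh/?q=%25.target.com&output=json  (not real certificate data)
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.target.com",
     "name_value": "www.target.com\ntarget.com",
     "not_before": "2023-01-01T00:00:00", "not_after": "2023-04-01T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.target.com",
     "name_value": "*.target.com\nmail.target.com\nVPN.Target.com",
     "not_before": "2024-01-01T00:00:00", "not_after": "2099-01-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "api.target.com",
     "name_value": "api.target.com\nstaging-api.target.com\napi.partner.example",
     "not_before": "2024-01-01T00:00:00", "not_after": "2099-01-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "sub.nottarget.com",
     "name_value": "sub.nottarget.com",
     "not_before": "2024-01-01T00:00:00", "not_after": "2099-01-01T00:00:00"},
])


def crtsh_url(domain):
    """Query URL for every certificate whose names match %.domain, JSON output."""
    return f"https://crt.sh/?q=%25.{domain}&output=json"


def fetch_crtsh(domain, timeout=30):
    """Live lookup (needs network); returns the raw JSON text."""
    req = urllib.request.Request(crtsh_url(domain),
                                 headers={"User-Agent": "subdomain-recon"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def in_scope(name, domain):
    """True for the domain itself and its subdomains. A plain endswith(domain)
    test would wrongly accept sub.nottarget.com for target.com."""
    return name == domain or name.endswith("." + domain)


def extract_subdomains(raw_json, domain, include_expired=False, now=None):
    """Collapse a crt.sh result set into unique, lower-cased hostnames.

    name_value holds the CN plus every SAN entry, newline separated, so the SANs
    of multi-domain certificates are covered too. Wildcards are reported
    separately: they prove a zone exists but name no host."""
    now = now or datetime.now()
    domain = domain.lower().rstrip(".")
    hosts, wildcards = set(), set()
    for entry in json.loads(raw_json):
        if not include_expired and datetime.fromisoformat(entry["not_after"]) < now:
            continue
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower().rstrip(".")
            if not name or not in_scope(name, domain):
                continue
            (wildcards if name.startswith("*.") else hosts).add(name)
    return {"hosts": sorted(hosts), "wildcards": sorted(wildcards)}


if __name__ == "__main__":
    # usage: python crtsh_subs.py target.com [--expired]; no argument runs the sample
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    target = args[0] if args else "target.com"
    data = fetch_crtsh(target) if args else SAMPLE_CRTSH_JSON
    result = extract_subdomains(data, target, include_expired="--expired" in sys.argv)
    print("\n".join(result["hosts"]))
    for w in result["wildcards"]:
        print(f"# wildcard seen: {w}")
```

Expired certificates are worth a second pass with --expired: a host whose certificate lapsed may still be live, or may point at decommissioned infrastructure that is interesting for other reasons.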

DNS Zone Transfer
Ask each authoritative nameserver (from the NS records) for a full zone transfer; a misconfigured secondary sometimes allows AXFR even when the primary refuses it:
dig axfr domain @nameserver
dnsenum tries zone transfers against every nameserver of the domain automatically, and falls back to brute forcing:
dnsenum domain
Frontend
Crawl the site's URLs for references to other hosts, and fetch crossdomain.xml (and its Silverlight counterpart clientaccesspolicy.xml): their allow-access-from entries list the domains permitted to make cross-domain requests and often name internal or otherwise unlisted subdomains.
Public Info (China)
MIIT ICP filing lookup (ICP备案), link below. If the captcha does not load, right-click the captcha image and open it in a new window. http://www.miitbeian.gov.cn/publish/query/indexFirst.action
Industrial and commercial web supervision (涉网信息) http://szcert.ebs.org.cn
NSEC
A DNSSEC-signed zone that uses NSEC can be walked: each NSEC record names the next owner in the zone, so following the chain from the apex enumerates every name. ldns-walk (from the ldns utilities, package ldnsutils on Debian) does this:
ldns-walk @nameserver domain
NSEC3 replaces the owner names with salted, iterated SHA-1 hashes, so the chain only yields hashes. nsec3walker collects the hash chain and then tries to recover the names with a dictionary:
collect insecuredns.com > insecuredns.com.collect
unhash < insecuredns.com.collect > insecuredns.com.collect.unhash
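As an added example (not code from the original notes or from ldns/nsec3walker), the block below shows both mechanisms in plain Python: walking an NSEC chain by following the "next owner" pointers, and the NSEC3 hash of RFC 5155 (SHA-1 over the wire-format name plus salt, iterated, base32hex-encoded) used for the dictionary attack that nsec3walker's unhash step performs. The NSEC chain and the collected NSEC3 hashes are constructed for the example; insecuredns.com is a placeholder zone. The salt aabbccdd with 12 iterations is the parameter set from RFC 5155 Appendix A, which lets the hash function be checked against the RFC's published value for the name "example".

```python
import base64
import hashlib

# --- NSEC: follow the "next owner" chain --------------------------------

# Constructed NSEC chain for a placeholder zone (not real DNS data). Each NSEC
# record's "next domain name" field points at the next owner in canonical
# order; the last one wraps back to the apex.
SAMPLE_NSEC_CHAIN = {
    "insecuredns.com":      "api.insecuredns.com",
    "api.insecuredns.com":  "mail.insecuredns.com",
    "mail.insecuredns.com": "www.insecuredns.com",
    "www.insecuredns.com":  "insecuredns.com",
}


def nsec_walk(apex, next_owner, limit=100000):
    """Enumerate a zone by following NSEC 'next' pointers from the apex.

    next_owner(name) stands in for the query a walker such as ldns-walk makes:
    ask for a name just past `name`, receive NXDOMAIN with the covering NSEC,
    read its next field. Here it is a lookup over the constructed chain."""
    names, current = [], apex
    while len(names) < limit:
        names.append(current)
        current = next_owner(current)
        if current == apex:  # chain wrapped around: every owner has been seen
            return names
    raise RuntimeError("chain did not return to the apex; possible loop")


# --- NSEC3: hash candidates and match them against the collected chain ---

_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = str.maketrans(_B32_STD, _B32_HEX)


def _wire_name(name):
    """Canonical wire form: length-prefixed lower-case labels, root terminator."""
    name = name.lower().rstrip(".")
    if not name:
        return b"\x00"
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: H = SHA1(wire_name || salt), then `iterations` more
    rounds of SHA1(H || salt). 20 bytes encode to exactly 32 base32hex chars."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(_wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode().translate(_TO_B32HEX).lower()


def nsec3_unhash(hashed_owners, zone, salt_hex, iterations, wordlist):
    """Dictionary attack: hash each candidate label under the zone and look it
    up in the collected chain. An empty word stands for the zone apex."""
    targets = {h.lower() for h in hashed_owners}
    recovered = {}
    for word in wordlist:
        candidate = f"{word}.{zone}" if word else zone
        h = nsec3_hash(candidate, salt_hex, iterations)
        if h in targets:
            recovered[h] = candidate
    return recovered


def demo_unhash():
    """Constructed collected chain: three hashed owners, one of which is not in
    the wordlist and therefore stays unrecovered (as happens in practice)."""
    zone, salt, iters = "insecuredns.com", "aabbccdd", 12
    collected = [nsec3_hash(n, salt, iters)
                 for n in (zone, "api." + zone, "secret." + zone, "zz9q." + zone)]
    wordlist = ["", "api", "www", "mail", "secret"]
    return nsec3_unhash(collected, zone, salt, iters, wordlist)


if __name__ == "__main__":
    print("NSEC walk:", nsec_walk("insecuredns.com", SAMPLE_NSEC_CHAIN.get))
    print("RFC 5155 check:", nsec3_hash("example", "aabbccdd", 12))
    print("NSEC3 unhash:", demo_unhash())
```

The iteration count and salt come from the zone's NSEC3PARAM record, so a real unhash run reads them from there; high iteration counts only slow the attacker down linearly, which is why zone walking of NSEC3 zones remains practical with a good wordlist.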
CertDB
https://certdb.com/search?q=dvb.corpinter.net
Private DNS Records in Domain Registrars
Add the domain to a DNS hosting provider and look at the records it pre-populates: when a zone is added, Cloudflare and DNSPod scan common record names for that domain and import whatever resolves, which exposes subdomains without any brute forcing on your side.
https://www.cloudflare.com/
https://www.dnspod.cn/
http://www.dnspod.cn/proxy_diagnose/recordscan/doc88.com?callback=a
Public Threat Intelligence / OSINT
VirusTotal is an online service for scanning suspicious samples and URLs; its passive DNS dataset, built from the URLs it has scanned, lists the subdomains it has observed for a domain.
HackerTarget can do reverse IP lookups to find related domains, but the results are not complete: https://hackertarget.com/reverse-ip-lookup/
You can use HackerTarget’s paid services to see more complete data: https://hackertarget.com/domain-profiler/
DNSdumpster is a free domain analysis site (a HackerTarget project) that can query related subdomains or neighbor domains.
ViewDNS is a collection of DNS tools for looking up various DNS information.
FindSubDomains can retrieve additional subdomains and IP information.
Scanning Tools
NMap
nmap --script dns-brute --script-args dns-brute.domain=target.com,dns-brute.threads=6,dns-brute.hostlist=dict.lst
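What a dictionary brute force such as the nmap script above has to get right is wildcard DNS: if the zone resolves every name, each candidate "hits". The added example below (not from the original notes or from nmap) is a minimal threaded brute forcer that first resolves random labels to learn the wildcard answers and then discards candidates that resolve only to those addresses. The resolver is a parameter so it can be swapped for an offline lookup table in a test; the table entries and addresses are constructed placeholders.

```python
import random
import socket
import string
import sys
from concurrent.futures import ThreadPoolExecutor


def resolve_live(host):
    """Return the sorted A records for host, or [] if it does not resolve."""
    try:
        return sorted(socket.gethostbyname_ex(host)[2])
    except socket.gaierror:
        return []


def wildcard_ips(domain, resolve=resolve_live, probes=3):
    """Resolve a few random labels; any addresses returned are wildcard answers."""
    ips = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
        ips.update(resolve(f"{label}.{domain}"))
    return ips


def brute_force(domain, words, resolve=resolve_live, threads=6):
    """Resolve word.domain for every word; keep hosts that exist and whose
    addresses are not just the wildcard set. Returns {host: [ip, ...]}."""
    wild = wildcard_ips(domain, resolve)
    candidates = sorted({f"{w.strip().lower()}.{domain}" for w in words if w.strip()})
    found = {}
    with ThreadPoolExecutor(max_workers=threads) as pool:
        for host, ips in zip(candidates, pool.map(resolve, candidates)):
            if ips and not (wild and set(ips) <= wild):
                found[host] = ips
    return found


# Constructed offline lookup tables standing in for the resolver (not real data)
PLAIN_ZONE = {"www.target.com": ["203.0.113.10"], "mail.target.com": ["203.0.113.20"]}


def fake_resolve(host):
    return PLAIN_ZONE.get(host, [])


def fake_resolve_wildcard(host):
    """Every name resolves to the wildcard address except mail, which is distinct."""
    return ["203.0.113.20"] if host == "mail.target.com" else ["203.0.113.99"]


if __name__ == "__main__":
    # usage: python brute.py target.com dict.lst
    if len(sys.argv) == 3:
        with open(sys.argv[2]) as fh:
            hits = brute_force(sys.argv[1], fh)
    else:
        hits = brute_force("target.com", ["www", "mail", "nothere"], resolve=fake_resolve)
    for host, ips in hits.items():
        print(host, ", ".join(ips))
```

Wildcard zones that answer with a rotating pool of addresses need more probes than three, and a host that shares the wildcard address but serves different content (virtual hosting) is still lost by this filter; an HTTP fingerprint comparison, which tools like AQUATONE do, is the next step for those.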
Other Tools
SubBrute - An open-source DNS crawler that can brute-force subdomains with a dictionary; also available as a Python library.
Sublist3r - An open-source project that integrates SubBrute and can collect public domain data online.
subDomainsBrute - A pure subdomain brute-force script. Dictionary-based, fast scanning speed, multi-threaded.
bugcrowd-levelup-subdomain-enumeration - Tools used by Bharath in a Bugcrowd Levelup talk, including subdomain enumeration scripts and CT log query scripts.
DNSrecon - DNS enumeration script.
Fierce.pl Domain Scanner - A Perl subdomain brute-force script.
AQUATONE - A powerful domain tool that can find sites with the same fingerprint across subdomains.
theHarvester - A social engineering tool with subdomain discovery features.
MassDNS - A DNS resolution tool that can be used for subdomain brute forcing.
Alt-DNS - Generates permutations/wordlist candidates from known domains or keywords to brute-force subdomains.
Unnamed domain brute-force script based on recon-ng and Alt-DNS
Domain Analyzer - A domain analysis tool that can be used to find subdomains.
Smart DNS Brute Forcer - An academic tool from the University of Luxembourg that generates domains using Markov chain models.
XRay - An intelligence-gathering tool with subdomain collection features.
DiscoverSubdomain - An automated subdomain collection tool integrating multiple methods.
GetAltName - Extracts other domains from SAN.
Teemo - A comprehensive domain and email recon tool, though it lacks an SSL collection path.
Sanitiz3r - A straightforward domain brute-force script that can detect HTTP services.
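The permutation idea behind Alt-DNS deserves a concrete illustration. The following added example is a reimplementation of that approach written for these notes (it is not altdns' own code): from already-known hosts and a short word list it derives same-level variants (dev-api, api-dev, devapi, apidev), one-level-deeper variants (dev.api) and neighbours of numbered hosts (web01 to web00, web02, web03), then removes the known hosts so only new candidates remain. The known hosts and words are constructed placeholders; the output is meant to be fed into a resolver or brute forcer.

```python
import re


def _labels_below(host, domain):
    """Labels of host beneath domain, e.g. api.target.com -> ["api"]."""
    suffix = "." + domain
    if not host.endswith(suffix):
        raise ValueError(f"{host} is not under {domain}")
    return host[:-len(suffix)].split(".")


def generate_permutations(known_hosts, words, domain, number_range=2):
    """Alt-DNS style candidate generation.

    For each known host take its leftmost label and produce:
      word-label, label-word, wordlabel, labelword   (same level)
      word.label                                     (one level deeper)
      label with a trailing number shifted by +/- number_range (zero-padded
      to the original width, so web01 -> web02, not web2)
    Known hosts are excluded so the result contains only new candidates."""
    domain = domain.lower()
    known = {h.lower() for h in known_hosts}
    clean_words = [w.strip().lower() for w in words if w.strip()]
    out = set()
    for host in known:
        labels = _labels_below(host, domain)
        first, tail = labels[0], ".".join(labels[1:] + [domain])
        for w in clean_words:
            for new_first in (f"{w}-{first}", f"{first}-{w}", f"{w}{first}", f"{first}{w}"):
                out.add(f"{new_first}.{tail}")
            out.add(f"{w}.{first}.{tail}")
        m = re.match(r"^(.*?)(\d+)$", first)
        if m:
            base, digits = m.group(1), m.group(2)
            n, width = int(digits), len(digits)
            for k in range(max(0, n - number_range), n + number_range + 1):
                if k != n:
                    out.add(f"{base}{k:0{width}d}.{tail}")
    return sorted(out - known)


if __name__ == "__main__":
    # Constructed input: two hosts found earlier and two environment words
    for candidate in generate_permutations(["api.target.com", "web01.target.com"],
                                           ["dev", "staging"], "target.com"):
        print(candidate)
```

Keep the word list short and specific (environment names, regions, numbers seen in existing hosts): the candidate count grows as hosts times words times five, and every candidate costs a DNS query.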