Websites
Firefox extension: Wappalyzer
whatweb - command line.
whatweb https://domain.com
whois - command line.
whois domain.com
httprobe: github.com/tomnomnom/httprobe
amass: github.com/owasp-amass/amass
Subdomains
- subfinder: github.com/projectdiscovery/subfinder
- Sublist3r: github.com/aboul3la/Sublist3r
- OneForAll: github.com/shmilylty/OneForAll
- bbot: github.com/blacklanternsecurity/bbot
- Finalrecon: github.com/thewhiteh4t/FinalRecon
- Sudomy: github.com/screetsec/Sudomy
- msdnsscan: github.com/dievus/msdnsscan
- assetfinder: github.com/tomnomnom/assetfinder
- gowitness: github.com/sensepost/gowitness
More subdomain tools:
github.com/topics/subdomain-enumeration
Command Examples:
subfinder -d domain.com
sublist3r -d domain.com
bbot -t z3r0r3z.com -f subdomain-enum -rf passive
bbot -s -t z3r0r3z.com -f subdomain-enum -rf passive
assetfinder --subs-only domain.com >> domain-com-subdom.txt
assetfinder domain.com | grep domain.com | sort -u
assetfinder domain.com | grep domain.com > domain.txt
cat domain.txt | grep dev
cat domain.txt | grep sta
cat domain.txt | grep admin
amass enum -d domain.com
cat domain.txt | sort -u | httprobe -s -p https:443
gowitness single https://domain.com
gowitness file -f ./alive_gowitness.txt -P captures_gowitness/ --no-http
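The pipelines above narrow the enumeration output with "grep domain.com" before handing it to httprobe and gowitness. That pattern also matches notdomain.com, domain.com.evil.net and domain.comx, so out-of-scope hosts can end up being probed and screenshotted. The script below is an added example, not part of this cheat sheet or of any of the listed tools: it is a stricter in-scope filter (function names in_scope and flag_env, and the SAMPLE list, are made up for the example) that lowercases, trims trailing dots, keeps only the root and hosts ending in ".<root>", deduplicates, and then flags the dev/sta/admin names the cheat sheet greps for so their owner can check they are meant to be reachable.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet.
# A strict in-scope filter for enumerated subdomains. The loose
# "grep domain.com" also matches notdomain.com, domain.com.evil.net and
# domain.comx, which would push out-of-scope hosts into the list fed to
# httprobe/gowitness. in_scope keeps only the root itself and hosts that
# end in ".<root>", lowercased, trimmed and deduplicated.

# usage: in_scope ROOT   (candidate hostnames on stdin, one per line)
in_scope() {
    root=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    # escape the dots in the root so they match literally in the regex
    root_re=$(printf '%s' "$root" | sed 's/[.]/\\./g')
    tr 'A-Z' 'a-z' \
      | sed -e 's/[[:space:]]*$//' -e 's/\.$//' \
      | grep -E "^([a-z0-9-]+\.)*${root_re}\$" \
      | LC_ALL=C sort -u
}

# usage: flag_env   (in-scope hostnames on stdin)
# Hosts whose names carry the environment keywords the cheat sheet greps
# for (dev, sta as in staging/static, admin). Exposed pre-production or
# admin endpoints are the ones an asset owner should verify on purpose.
flag_env() {
    grep -E 'dev|sta|admin' || true
}

# Constructed sample of raw enumeration output (mixed case, trailing dot,
# lookalike and out-of-scope names), standing in for assetfinder/subfinder
# results. This list is invented for the example.
SAMPLE='www.domain.com
dev.domain.com
DEV.domain.com.
notdomain.com
domain.com.evil.net
admin.domain.com
domain.comx
staging.api.domain.com
domain.com
api.domain.com'

# In a real workflow this is "cat domain.txt | in_scope domain.com | httprobe ..."
printf '%s\n' "$SAMPLE" | in_scope domain.com
echo "--- hosts to review ---"
printf '%s\n' "$SAMPLE" | in_scope domain.com | flag_env
```

The anchored regex is what does the work: "notdomain.com" fails because "not" is not followed by a dot, and "domain.com.evil.net" fails because the match must end at the root. LC_ALL=C keeps the sort order independent of the user's locale, so the deduplicated list is reproducible between machines.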
bbot example - partial output:
bbot -t z3r0r3z.com -f subdomain-enum -rf passive
[INFO] Loaded defaults from /home/kali/.local/pipx/venvs/bbot/lib/python3.11/site-packages/bbot/defaults.yml
[INFO] Creating BBOT config at /home/kali/.config/bbot/bbot.yml
[INFO] Creating BBOT secrets at /home/kali/.config/bbot/secrets.yml
[INFO]
[INFO] ### MODULES ###
[....] (Too much to paste here)
[INFO] Finishing scan
[INFO] asn: +---------+------------------+--------------+----------------+-------------------------+-----------+
[INFO] asn: | ASN | Subnet | Host Count | Name | Description | Country |
[INFO] asn: +=========+==================+==============+================+=========================+===========+
[INFO] asn: | AS63410 | 109.150.165.0/22 | 6 | PRIVATECOSYSTEMS | PrivateEcoSystems Petworks | US |
[INFO] asn: +---------+------------------+--------------+----------------+-------------------------+-----------+
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | Module | Produced | Consumed |
[INFO] aggregate: +=================+====================+==============================+
[INFO] aggregate: | certspotter | 4 (4 DNS_NAME) | 1 (1 DNS_NAME) |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | leakix | 4 (4 DNS_NAME) | 1 (1 DNS_NAME) |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | columbus | 3 (3 DNS_NAME) | 1 (1 DNS_NAME) |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | crt | 3 (3 DNS_NAME) | 1 (1 DNS_NAME) |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | massdns | 3 (3 DNS_NAME) | 1 (1 DNS_NAME) |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | dnsdumpster | 2 (2 DNS_NAME) | 1 (1 DNS_NAME) |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | hackertarget | 2 (2 DNS_NAME) | 1 (1 DNS_NAME) |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | otx | 2 (2 DNS_NAME) | 1 (1 DNS_NAME) |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | wayback | 2 (2 DNS_NAME) | 1 (1 DNS_NAME) |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | CNAME | 2 (2 DNS_NAME) | 0 |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | azure_tenant | 1 (1 AZURE_TENANT) | 1 (1 DNS_NAME) |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | speculate | 1 (1 DNS_NAME) | 4 (3 DNS_NAME, 1 IP_ADDRESS) |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | A | 1 (1 IP_ADDRESS) | 0 |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | anubisdb | 0 | 1 (1 DNS_NAME) |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | azure_realm | 0 | 5 (5 DNS_NAME) |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | digitorus | 0 | 1 (1 DNS_NAME) |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | dnscommonsrv | 0 | 5 (5 DNS_NAME) |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | myssl | 0 | 1 (1 DNS_NAME) |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | nsec | 0 | 3 (3 DNS_NAME) |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | rapiddns | 0 | 1 (1 DNS_NAME) |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | riddler | 0 | 1 (1 DNS_NAME) |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | sitedossier | 0 | 1 (1 DNS_NAME) |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | subdomaincenter | 0 | 1 (1 DNS_NAME) |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | threatminer | 0 | 1 (1 DNS_NAME) |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | urlscan | 0 | 1 (1 DNS_NAME) |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | ipneighbor | 0 | 1 (1 IP_ADDRESS) |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | PTR | 0 | 0 |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | SOA | 0 | 0 |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | NS | 0 | 0 |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | AAAA | 0 | 0 |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] aggregate: | host | 0 | 0 |
[INFO] aggregate: +-----------------+--------------------+------------------------------+
[INFO] output.csv: Saved CSV output to /home/kali/.bbot/scans/scheming_kyle/output.csv
[INFO] output.human: Saved TXT output to /home/kali/.bbot/scans/scheming_kyle/output.txt
[INFO] output.json: Saved JSON output to /home/kali/.bbot/scans/scheming_kyle/output.ndjson
[INFO] output.subdomains: Saved subdomains to /home/kali/.bbot/scans/scheming_kyle/subdomains.txt
[SUCC] Scan scheming_kyle completed in 40 seconds with status FINISHED
[INFO] Saved word cloud (9 words) to /home/kali/.bbot/scans/scheming_kyle/wordcloud.tsv
Set up go to run in bash/zsh (add the export lines to ~/.bashrc or ~/.zshrc, then source the file you edited):
nano ~/.bashrc
nano ~/.zshrc
export GOPATH=$HOME/go
export GOROOT=/usr/lib/go
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin
source ~/.bashrc
source ~/.zshrc
Set up go to run in fish:
vim ~/.config/fish/config.fish
set -x GOPATH $HOME/go
set -x PATH $PATH $GOPATH/bin
source ~/.config/fish/config.fish