Finding SubDomains

crt.sh

When you have a domain name, you can use crt.sh to find subdomains

%.domain.com

crt.sh | Certificate Searchcrt.sh

Phonebook.cz

Phonebook.cz - Intelligence Xphonebook.cz

dnsrecon

dnsrecon -d domain.com

dnsrecon -d example.com -D /usr/share/wordlists/dnsmap.txt -t std --xml dnsrecon.xml

dnsscan

GitHub - rbsec/dnscanGitHub

Nmap

nmap --script dns-brute --script-args dns-brute.domain=foo.com,dns-brute.threads=6,dns-brute.hostlist=./hostfile.txt,newtargets -sS -p 80
nmap --script dns-brute www.foo.com

GoBuster

gobuster dns -d google.com -w ~/wordlists/subdomains.txt

Resources

Discovering Subdomains | @BugcrowdBugcrowd

• Pentest-Tools Subdomain Finder – https://pentest-tools.com/information-gathering/find-subdomains-of-domain#

• Spyse – https://spyse.com/

• Shodan – https://shodan.io

• Wayback Machine – https://web.archive.org/