Subdomain Discovery

Crt.sh identities to txt

curl -fsSL "https://crt.sh/?CN=%25.<domain>&exclude=expired" | pup 'td :contains(".<domain>") text{}' | sort -u > domain.txt

#ADD HTTPS TO SITES
sed 's/^/https:\/\//' domain.txt > httpsSites.txt

#ADD HTTP TO SITES
sed 's/^/htts:\/\//' domain.txt > httpSites.txt

Amass

# Find subdomains 
amass enum -d <domain> -src -ip
amass enum -df <domain list> -src -ip
# Can pass in hashcat masks with -wm (bruteforce) or -awm (alterations) 
amass enum -d <domain> -src -ip -brute
amass enum -d <domain> -src -ip -brute -wm ?a?a,?d?d?d -awm ?a?a?a


# Gather Related Domains
amass intel -asn <ASN Number> -active

# Reverse Whois
amass intel -whois -d <domain>


# Pull out domain names 
awk -F' ' '{print $2}' amass.txt > domains.txt

#make a graph
amass viz -d3 -df domains.txt

Google Dork

-site:www.<domain>.com  site:*<domain>.com

WFuzz

wfuzz -c -Z -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt --sc 200,202,204,301,302,307,403,404 -u FUZZ.domain.com

GoBuster

gobuster vhost -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://domain.com