Recon Subdomains like a PRO

Consider this one of the better cheat sheets for subdomain reconnaissance that you will be able to use to get everything you can get on your juicy targets.

A good part of my cybersecurity journey like probably, all other folks in the field, is to realize especially in the bug bounty hunting that there are hundreds and thousands of tools and frameworks and ways to do ANY THING you would like to do. At first you might be wow-ed of how many they are and jump from flower to flower because X seems to be better than Y and Y better than Z and so on and so forth. Then you get on the side of hey I need to use all of them or hey I need to use some of them, or hey those seem to be the best. Truth is that after going through all this phases particularly about recon I think a combination of multiple if not all the types of recon you do in subdomain enumeration is to go with literally doing everything you can to get all the endpoints.

Why?

It's actually quite simple, I personally do not believe there is actually one tool to find them all or one ring to rule them all as Tolkien would tell us. Maybe there are some good recon frameworks that combine the best, maybe there are some recon AIO solutions already made, who knows?

This being said I decided to list in here every type of recon that I find useful, I use in my personal projects and if you want to take some of it all of it or none of it it's up to you.

Project Discovery Tools - AIO

subfinder -d redacted.com -all | anew subs.txt; shuffledns -d redacted.com -r resolvers.txt -w n0kovo_subdomains_huge.txt | anew subs.txt; dnsx -l subs.txt -r resolvers.txt | anew resolved.txt; naabu -l resolved.txt -nmap -rate 5000 | anew ports.txt; httpx -l ports .txt | anew alive.txt; katana -list alive.txt -kf all -jc | anew urls.txt; nuclei -l urls.txt -es info, unknown -ept ssl -ss template-spray | anew nuclei.txt

Subdomain Enumeration

subfinder -d target.com -silent | dnsx -silent | cut -d ' ' -f1 | grep --color 'api|dev|stg|test|admin|demo|stage|pre|vpn'

1. bufferover.run - enumeration

curl -s https://dns.bufferover.run/dns?q=.target.com | jq -r .FDNS_A[] | cut -d',' -f2 | sort -u 

2. Riddler.io - enumeration

curl -s "https://riddler.io/search/exportcsv?q=pld:target.com" | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u 

3. RedHunt Labs Recon API

curl --request GET --url 'https://reconapi.redhuntlabs.com/community/v1/domains/subdomains?domain=<target.com>&page_size=1000' --header 'X-BLOBR-KEY: API_KEY' | jq '.subdomains[]' -r

4. Archive.org - enumeration

curl -s "http://web.archive.org/cdx/search/cdx?url=.target.com/&output=text&fl=original&collapse=urlkey" | sed -e 's_https*://__' -e "s//.*//" | sort -u

5. Certspotter - enumeration

curl -s "https://api.certspotter.com/v1/issuances?domain=target.com&include_subdomains=true&expand=dns_names" | jq .[].dns_names | grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" | sort -u

6. Nmap - enumeration

nmap --script hostmap-crtsh.nse target.com

7. JLDC

curl -s "https://jldc.me/anubis/subdomains/target.com" | grep -Po "((http|https)://)?(([\w.-]).([\w]).([A-z]))\w+" | sort -u

8. CRT.sh - enumeration

curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/*.//g' | sort -u

9. Threatminer Enumeration

curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/*.//g' | sort -u

10. Anubis Enumeration

curl -s "https://jldc.me/anubis/subdomains/target.com" | jq -r '.' | grep -o "\w.*target.com"

11. ThreatCrowd Enumeration

curl -s "https://www.threatcrowd.org/searchApi/v2/domain/report/?domain=target.com" | jq -r '.subdomains' | grep -o "\w.*target.com"

12. HackerTarget

curl -s "https://api.hackertarget.com/hostsearch/?q=target.com"

13. AlienVault

curl -s "https://otx.alienvault.com/api/v1/indicators/domain/tesla.com/url_list?limit=100&page=1" | grep -o '"hostname": *"[^"]*' | sed 's/"hostname": "//' | sort -u

14. Censys

censys subdomains target.com