search

3. Subdomain enumeration

Google dorks (ideas for more of OSINT type investigations):

  • site:testsite.com

  • site:testsite.com -www

  • site:testsite.com -www -store

  • site:testsite.com filetype:pdf password

hashtag
crt.sh

  • find subdomains by certificate ID

  • wildcard search "%.testsite.com"

hashtag
KALI TOOLS COMBO SUBDOMAIN FINDERS

hashtag
subfinder

  • terminal tool in kali

  • usage "subfinder -d testsite.com -o testsite-subfinder"

hashtag
assetfinder

  • assetfinder azena.com | grep azena.com | sort -u > testsite-af

hashtag
amass

  • amass enum -d testsite.com > testsite-amass

COMBINE IN 6D

  • cat testsite-subfinder.txt | sort -u > testsite-subfinder-sorted

  • cat testsite-subfinder-sorted.txt >> testsite-af

  • cat testsite-af.txt | sort -u > sub-asset-finders

  • cat sub-asset-finders.txt >> testsite-amass

  • cat testsite-amass.txt | sort -u > master-testsite-subdomains

hashtag
VALIDATION OF THE ALIVE SUBDOMAINS

  1. cat master-testsite-subdomains | grep testsite.com | sort -u | httprobe //longer time

  2. cat master-testsite-subdomains| grep testsite.com | sort -u | httprobe -prefer-https | grep https > testsite-alive.txt (for testing purposes)

hashtag
gowitness - Screenshots subdomains

  • gowitness file -f azena-alive-https -P azenapics --no-http

Previous2. Directory Enumeration and Brute ForcingNextBug Hunter's Methodology v4 Notes