0% found this document useful (0 votes)

70 views3 pages

Reconsubdomains

The document outlines various techniques and tools for subdomain enumeration, live host filtering, vulnerability scanning, and web application security assessments. It includes commands for tools like subfinder, amass, httprobe, nmap, and nikto, as well as methods for Google dorking and GitHub reconnaissance. The document serves as a comprehensive guide for conducting security assessments on subdomains and identifying potential vulnerabilities.

Uploaded by

sajibaf839

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as TXT, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

70 views3 pages

Reconsubdomains

Uploaded by

sajibaf839

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as TXT, PDF, TXT or read online on Scribd

You are on page 1/ 3

🔵 All Subdomain 🔵

subfinder -d terget.com -o subfinder.txt

shodanx subdomain -d target.com -ra -o shodax.txt
amass enum -active -norecursive -noalts -d rwa.com -o amass.txt
gobuster dns -d certinia.txt -w /usr/share/wordlists/subdomain_megalist.txt -o
gobuster.txt
curl -s https://crt.sh/\?q\=%.certinia.com\&output\=json | jq -r '.[].name_value' |
sed 's/\*\.//g' | sort -u | tee -a subs_domain.txt

curl -s
https://otx.alienvault.com/api/v1/indicators/hostname/domain.com/passive_dns | jq -
r '.passive_dns[]?.hostname' | grep -E ^[a-zA-Z0-9.-]+.domain.com$ | tee
alienvault_subs.txt

curl -s "https://urlscan.io/api/v1/search/?q=domain:certinia.com&size=10000" | jq -
r '.results[].page.domain' | tee urlscan_subs.txt

curl -s
"http://web.archive.org/cdx/search/cdx?url=*.certinia.com/*&output=json&collapse=ur
lkey" | jq -r '.[1:][].[2]' | grep -Eo "^[a-zA-Z0-9.-]+\.certinia\.com$" | sort -u
| tee webarchive_subs.txt

🔴 Filtering live hosts with httprobe 🔴

cat subs_domain.txt | httprobe -td -title -sc -ip > httprobe_domain.com.txt

cat httprobe_domain.com.txt | awk '{print $1}' > live_subs_domain.com.txt

cat live_subs_domain.com.txt | grep -Ei 'asp|php|jsp|jsx|aspx'

httprobe -l live_subs_domain.com.txt -ports

80,443,8080,8443,8000,8888,8081,8181,3366,5432,6379,27017,15672,10000,9090,5900 --
threads 80
-o alive.txt

🟠 Nmap: 🟠
naabu -l live_subs_domain.com.txt -c 50 -nmaps -o naabuports.txt
sudo nmap -sV -sC -iL live_subs_domain.com.txt --script=vuln

🟢 Nikto: 🟢
nikto -h alive_subdomains.txt -output nikto_results.txt

🍩 Subdomain Takeover: 🍩
subzy run --targets live_subs_domain.com.txt --concurrency 100 --hide_fails --
verify_ssl

🔗 Broken Link Hijacking: 🔗

socialhunter -f alive_subdomains.txt

📸 Screenshotting 📸
eyewitness --web -f alive_subdomains.txt --threads 5 -d screenshots

-----------------------------------------
Nuclei Automated Live Subdomains Spray (with rate limit)
nuclei -l subdomain.txt -rl 10 -bs 2 -as -silent -s critical,high,medium

Finding WAF (web application firewall)

cat httpx_domain.com.txt | grep 403
✅ Subdomains without WAF ✅
cat httpx_domain.com.txt | grep -v -E 'cloudfront|imperva|cloudflare' >
nowaf_subs_domain.com.txt

📍 Visit All Non-WAF Subdomains Manually 📍

cat nowaf_subs_domain.com.txt | grep 403 | awk '{print $1}'

🎯 Prepare the List of 403 Subdomains for Fuzzing 🎯

cat nowaf_subs_domain.com.txt | grep 403 | awk '{print $1}' >
403_subs_domain.com.txt

403 Fuzzing
Default Wordlist Fuzzing
dirsearch -u https://sub.domain.com -x 403,404,500,400,502,503,429 --random-agent

Extension based Fuzzing

dirsearch -u https://sub.domain.com -e
xml,json,sql,db,log,yml,yaml,bak,txt,tar.gz,zip -x 403,404,500,400,502,503,429 --
random-agent

🌟 Next step 🌟
JavaScript analysis 🌐 ---ok

💜 Google Dorking 💜
site:http://drive.google.com inurl:folder
site:http://drive.google.com inurl:open
site:http://docs.google.com inurl:d
site:http://drive.google.com "confidential"
site:http://docs.google.com filetype:docx

site:tesla.com inurl:folder
site:tesla.com inurl:open
site:tesla.com filetype:pdf
site:tesla.com filetype:docx
site:tesla.com inurl:/docs/
site:tesla.com inurl:/files/
site:tesla.com filetype:pptx
site:tesla.com filetype:xlsx

filetype:ini "password" site:orgfiletype:txt "credentials" site:gov

filetype:yaml "secret_key" -examples
filetype:key "PRIVATE KEY"
filetype:pem "PRIVATE KEY"
filetype:log "debug" "error"
filetype:log "Stack trace" site:edu
filetype:log "unable to connect"
filetype:log "authentication failed"
filetype:json "db_password" -github
filetype:db "database" site:org
filetype:sql "INSERT INTO" "VALUES" site:edu
filetype:dump "database" site:gov
"index of" "backup.sql"
filetype:conf "db_user" site:org
filetype:config "ftp" site:gov
filetype:xml "web.config" site:edu
"index of" "settings.json"
filetype:env "SECRET_KEY"
"index of" "api_key"
filetype:json "api_token"
filetype:txt "api_secret"
"admin login" filetype:php
"index of" "server-status"
filetype:php "mysql_connect" site:gov
"admin dashboard" "login"
filetype:pdf "not for distribution" site:gov
filetype:xlsx "confidential report" site:edu
filetype:doc "salary" "employee"
filetype:docx "restricted access"
filetype:xlsx | filetype:xls "username" "password" site:gov
filetype:xlsx | filetype:xls "username" site:gov
filetype:xlsx | filetype:xls "database" site:gov
filetype:xlsx | filetype:xls "financial" site:gov
filetype:xlsx | filetype:xls "password" site:gov
site:dropbox.com "password"
site:box.com "confidential"
site:drive.google.com "important"
site:onedrive.live.com "restricted"
site:pastebin.com "password"
site:github.com "SECRET_KEY"
site:gitlab.com "PRIVATE_KEY"
site:bitbucket.org "db_password"

🔹GitHub Recon🔹

Sub Domain Recon
No ratings yet
Sub Domain Recon
2 pages
Amassive Leap in Host Discovery
No ratings yet
Amassive Leap in Host Discovery
23 pages
Recon Methdology and Notes....
No ratings yet
Recon Methdology and Notes....
4 pages
Bash Script for Domain Recon
No ratings yet
Bash Script for Domain Recon
5 pages
Awesome One-Liner Bug Bounty
No ratings yet
Awesome One-Liner Bug Bounty
14 pages
Bug Bounty Cheatsheet & Tools
100% (1)
Bug Bounty Cheatsheet & Tools
30 pages
Web Attack Cheat Sheet
No ratings yet
Web Attack Cheat Sheet
42 pages
Bug Bounty Reconnaissance Workflow Guide
No ratings yet
Bug Bounty Reconnaissance Workflow Guide
50 pages
Recon
No ratings yet
Recon
3 pages
Subdomain Enumeration Tools Guide
No ratings yet
Subdomain Enumeration Tools Guide
13 pages
Awesome One-Liner Bug Bounty
No ratings yet
Awesome One-Liner Bug Bounty
7 pages
Network Pentest Checklist
No ratings yet
Network Pentest Checklist
28 pages
Recon Techniques 1715701265
No ratings yet
Recon Techniques 1715701265
3 pages
Scanvulnerability
No ratings yet
Scanvulnerability
1 page
Advanced Bug Bounty Reconnaissance Methodology
No ratings yet
Advanced Bug Bounty Reconnaissance Methodology
7 pages
Onliners by NurHabib
No ratings yet
Onliners by NurHabib
6 pages
Web Attack Cheat Sheet
No ratings yet
Web Attack Cheat Sheet
42 pages
Bug Bounty Cheatsheet
100% (2)
Bug Bounty Cheatsheet
31 pages
M0chan Bug Bounty Cheatsheet
No ratings yet
M0chan Bug Bounty Cheatsheet
43 pages
Recon To Master - The Complete Bug Bounty Checklist - by Coffinxp - Jul, 2025 - InfoSec Write-Ups
No ratings yet
Recon To Master - The Complete Bug Bounty Checklist - by Coffinxp - Jul, 2025 - InfoSec Write-Ups
1 page
Advanced Web Recon Techniques
No ratings yet
Advanced Web Recon Techniques
71 pages
Document 12
No ratings yet
Document 12
2 pages
Bug Bounty CHK
No ratings yet
Bug Bounty CHK
2 pages
Bugbounty Cheetsheet
No ratings yet
Bugbounty Cheetsheet
33 pages
Subdomain Enumeration Is A Crucial Phase in Cybersecurity, Particularly During Reconnaissance and Vulnerability Assessment Processes.
No ratings yet
Subdomain Enumeration Is A Crucial Phase in Cybersecurity, Particularly During Reconnaissance and Vulnerability Assessment Processes.
19 pages
Comprehensive Bug Bounty Tools Guide
No ratings yet
Comprehensive Bug Bounty Tools Guide
1 page
Cybersecurity Recon Guide
100% (1)
Cybersecurity Recon Guide
49 pages
Bash Script for Subdomain Reconnaissance
No ratings yet
Bash Script for Subdomain Reconnaissance
7 pages
Bug Bounty Commands
No ratings yet
Bug Bounty Commands
2 pages
9 Best Subdomain & Directory Enumeration Tools Akash@ALPHA
No ratings yet
9 Best Subdomain & Directory Enumeration Tools Akash@ALPHA
7 pages
Information Gathering Web Edition Module Cheat Sheet
No ratings yet
Information Gathering Web Edition Module Cheat Sheet
5 pages
Information Gathering - Web Edition Module
No ratings yet
Information Gathering - Web Edition Module
11 pages
Subdomain Enumeration Techniques
No ratings yet
Subdomain Enumeration Techniques
17 pages
Bug Bounty Cheatsheet
100% (1)
Bug Bounty Cheatsheet
19 pages
Cloud Attack Methods for Red Teams
No ratings yet
Cloud Attack Methods for Red Teams
42 pages
Ethical Hacking Guide
No ratings yet
Ethical Hacking Guide
7 pages
Recon For Web Pen-Testing
100% (1)
Recon For Web Pen-Testing
17 pages
Jason Haddix Methodology
67% (3)
Jason Haddix Methodology
64 pages
Vulnerability Scanning Techniques Guide
No ratings yet
Vulnerability Scanning Techniques Guide
46 pages
The Art of Gathering Information
No ratings yet
The Art of Gathering Information
26 pages
OSINT CheatSheet
No ratings yet
OSINT CheatSheet
8 pages
Bug Bounty Cheatsheet
100% (1)
Bug Bounty Cheatsheet
32 pages
Attacking Organizations With Big Scope May 2025 HitBxPhdays
No ratings yet
Attacking Organizations With Big Scope May 2025 HitBxPhdays
56 pages
OSCP
No ratings yet
OSCP
86 pages
???? ????? ??????????? 1
No ratings yet
???? ????? ??????????? 1
11 pages
Lec 3
No ratings yet
Lec 3
10 pages
Pentesting Cheatsheet
No ratings yet
Pentesting Cheatsheet
51 pages
DNS Footprinting Report
No ratings yet
DNS Footprinting Report
10 pages
Reconnaissance - Phase-2
No ratings yet
Reconnaissance - Phase-2
9 pages
Recon Cheat Sheet: For Further Information Visit
No ratings yet
Recon Cheat Sheet: For Further Information Visit
2 pages
3 CSF
No ratings yet
3 CSF
26 pages
Subdomain Enumeration
No ratings yet
Subdomain Enumeration
44 pages
The Bug Hunters Methodology v4.01 Recon
100% (1)
The Bug Hunters Methodology v4.01 Recon
73 pages
Penetration Testing: OSINT & Scanning Techniques
No ratings yet
Penetration Testing: OSINT & Scanning Techniques
38 pages
EJPT
No ratings yet
EJPT
3 pages
Junior Penetration Tester
No ratings yet
Junior Penetration Tester
17 pages
OpenShift Container Platform 4.17 Installing An On-Premise Cluster With The Agent-Based Installer
No ratings yet
OpenShift Container Platform 4.17 Installing An On-Premise Cluster With The Agent-Based Installer
94 pages
Complete Bundle Digital Image Processing Using MATLAB Rafael C Gonzalez HQ File
No ratings yet
Complete Bundle Digital Image Processing Using MATLAB Rafael C Gonzalez HQ File
407 pages
SAP HANA Master Guide en
No ratings yet
SAP HANA Master Guide en
80 pages
Question Bank XML
No ratings yet
Question Bank XML
5 pages
Creative Nomad II MG: User Guide
No ratings yet
Creative Nomad II MG: User Guide
56 pages
ARM Microcontroller Basics
No ratings yet
ARM Microcontroller Basics
27 pages
Order Status by Region & Product
No ratings yet
Order Status by Region & Product
18 pages
Tuples Relational Calculus Guide
No ratings yet
Tuples Relational Calculus Guide
14 pages
Citra Log
No ratings yet
Citra Log
38 pages
CEAC Privacy Impact Assessment Update
No ratings yet
CEAC Privacy Impact Assessment Update
17 pages
IoT Based Car Parking System Documentation
No ratings yet
IoT Based Car Parking System Documentation
3 pages
Final Project Report
No ratings yet
Final Project Report
106 pages
DB 1t Isep Gpi - White
No ratings yet
DB 1t Isep Gpi - White
2 pages
BSC Proposal - Abubakar Sani
No ratings yet
BSC Proposal - Abubakar Sani
14 pages
KA7552A Power Supply Utech
No ratings yet
KA7552A Power Supply Utech
6 pages
Milestone 5 Validation and Testing
No ratings yet
Milestone 5 Validation and Testing
6 pages
03 Simscale Assignment Report - Example
No ratings yet
03 Simscale Assignment Report - Example
9 pages
OSY Msbte 22516 Importabt Questions With Answers
No ratings yet
OSY Msbte 22516 Importabt Questions With Answers
14 pages
Loan Prediction System
100% (1)
Loan Prediction System
32 pages
Introduction to Cryptography Basics
No ratings yet
Introduction to Cryptography Basics
12 pages
BSECE 2019 Revised Curriculum OFFICIAL
100% (1)
BSECE 2019 Revised Curriculum OFFICIAL
3 pages
Google Workspace Acceptable Use Policy
No ratings yet
Google Workspace Acceptable Use Policy
2 pages
Solution of Discrete Time State Equations: EE-601: Linear System Theory
No ratings yet
Solution of Discrete Time State Equations: EE-601: Linear System Theory
42 pages
Shipment Status Not Change To Interfaced
No ratings yet
Shipment Status Not Change To Interfaced
4 pages
Мой друг компьютер 02-2015
No ratings yet
Мой друг компьютер 02-2015
36 pages
Technical Seminar Report
No ratings yet
Technical Seminar Report
14 pages
Understanding Karnaugh Maps for Logic Simplification
No ratings yet
Understanding Karnaugh Maps for Logic Simplification
32 pages
HP Laptop Block Diagram
No ratings yet
HP Laptop Block Diagram
33 pages
Me 311 Lecture Notes 01 (2024f)
No ratings yet
Me 311 Lecture Notes 01 (2024f)
184 pages
Bus Stand Design Program-1
No ratings yet
Bus Stand Design Program-1
3 pages

Reconsubdomains

Uploaded by

Reconsubdomains

Uploaded by

🔵 All Subdomain 🔵

subfinder -d terget.com -o subfinder.txt

🔴 Filtering live hosts with httprobe 🔴

cat httprobe_domain.com.txt | awk '{print $1}' > live_subs_domain.com.txt

cat live_subs_domain.com.txt | grep -Ei 'asp|php|jsp|jsx|aspx'

httprobe -l live_subs_domain.com.txt -ports

🔗 Broken Link Hijacking: 🔗

Finding WAF (web application firewall)

📍 Visit All Non-WAF Subdomains Manually 📍

🎯 Prepare the List of 403 Subdomains for Fuzzing 🎯

Extension based Fuzzing

filetype:ini "password" site:orgfiletype:txt "credentials" site:gov

You might also like