subdomain-enum
Install: claude install-skill sunilgentyala/OmniRed
# Subdomain Enumeration
## Passive Enumeration (no direct target contact)
```bash
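# Certificate Transparency (%25 is the URL-encoded "%" wildcard)
# name_value may hold wildcard entries, so the leading "*." is stripped
curl -s "https://crt.sh/?q=%25.target.com&output=json" | jq -r '.[].name_value' | sed 's/^\*\.//' | sort -u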
# Subfinder — multi-source passive
subfinder -d target.com -all -o passive.txt
# Amass passive
amass enum -passive -d target.com -o amass-passive.txt
# OSINT sources
assetfinder --subs-only target.com
findomain -t target.com
# GitHub search (expects GITHUB_TOKEN to be exported in the environment)
curl -s "https://api.github.com/search/code?q=target.com&type=code" \
  -H "Authorization: token $GITHUB_TOKEN" | jq -r '.items[].html_url'
```
## Active Enumeration (DNS queries to target)
```bash
# DNS brute force with PureDNS (fast, handles wildcard)
# puredns writes resolved names with --write (it has no -o flag)
puredns bruteforce /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt \
  target.com -r resolvers.txt --write active.txt
# Gobuster DNS
gobuster dns -d target.com \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt \
  -t 50 -o gobuster.txt
```
## Permutation (discover missed subdomains)
```bash
# Gotator — permutation from discovered subdomains
gotator -sub passive.txt -perm /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt \
  -depth 1 -numbers 3 > permutations.txt
# Keep only the permutations that actually resolve
puredns resolve permutations.txt -r resolvers.txt --write resolved-permutations.txt
```
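Before the result files are merged, the names need normalising and checking against the authorised scope, because a plain substring match on `target.com` also keeps look-alike domains. The following is an added example, not part of the original skill: `normalize_scope` and `sample_input` are hypothetical helper names and the sample lines are constructed.

```bash
#!/bin/sh
# Added example: normalise enumeration output and keep only in-scope names.

# normalize_scope APEX  -- reads hostnames on stdin, prints clean in-scope names
normalize_scope() (
  apex=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  tr 'A-Z' 'a-z' \
    | tr -d '\r' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
          -e 's/^\*\.//' -e 's/\.$//' \
    | awk -v apex="$apex" '
        # hostname characters only: drops e-mail addresses and blank lines
        $0 !~ /^[a-z0-9_-]+(\.[a-z0-9_-]+)*$/ { next }
        # the apex itself is in scope
        $0 == apex { print; next }
        # otherwise require a label boundary: the name must end in "." apex
        length($0) > length(apex) + 1 &&
          substr($0, length($0) - length(apex)) == "." apex { print }
      ' \
    | sort -u
)

# Constructed sample resembling mixed tool output (not real data)
sample_input() {
  printf '%s\n' \
    '*.target.com' \
    'API.Target.com.' \
    'dev.target.com' \
    'dev.target.com' \
    'admin@target.com' \
    'nottarget.com' \
    'target.com.example.net' \
    'target.com' \
    '  staging.target.com  '
}

sample_input | normalize_scope target.com
```

With the page's file names, this can sit in front of the merge: `cat passive.txt active.txt resolved-permutations.txt | normalize_scope target.com > all-subdomains.txt`.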
## Live Host Filtering
```bash
# Combine all results
cat passive.txt active.txt resolved-permutations.txt | sort -u > all-subdomains.txt
# Resolve and check HTTP
httpx -l all-subdomains.txt -status-code -title -