Dns

Footprinting Tools Comprehensive collection of footprinting tools and techniques for reconnaissance and information gathering. WHOIS Lookup Basic WHOIS Queries # Domain WHOIS whois TARGET_DOMAIN # IP WHOIS whois TARGET_IP # ASN WHOIS whois -h whois.radb.net AS12345 # Multiple domains whois TARGET_DOMAIN1 TARGET_DOMAIN2 TARGET_DOMAIN3 # Specific WHOIS server whois -h whois.verisign-grs.com TARGET_DOMAIN # WHOIS with output file whois TARGET_DOMAIN > whois_results.txt # WHOIS with verbose output whois -v TARGET_DOMAIN # WHOIS with quiet output whois -q TARGET_DOMAIN Advanced WHOIS Options # WHOIS with specific fields whois -H TARGET_DOMAIN # WHOIS with JSON output whois -j TARGET_DOMAIN # WHOIS with XML output whois -x TARGET_DOMAIN # WHOIS with CSV output whois -c TARGET_DOMAIN # WHOIS with HTML output whois -h TARGET_DOMAIN # WHOIS with raw output whois -r TARGET_DOMAIN # WHOIS with summary whois -s TARGET_DOMAIN # WHOIS with technical whois -t TARGET_DOMAIN # WHOIS with administrative whois -a TARGET_DOMAIN # WHOIS with billing whois -b TARGET_DOMAIN DNS Enumeration Basic DNS Queries # A record lookup dig TARGET_DOMAIN A # AAAA record lookup dig TARGET_DOMAIN AAAA # CNAME record lookup dig TARGET_DOMAIN CNAME # MX record lookup dig TARGET_DOMAIN MX # NS record lookup dig TARGET_DOMAIN NS # SOA record lookup dig TARGET_DOMAIN SOA # TXT record lookup dig TARGET_DOMAIN TXT # PTR record lookup dig -x TARGET_IP # ANY record lookup dig TARGET_DOMAIN ANY # All record types dig TARGET_DOMAIN ALL Advanced DNS Queries # DNS with specific server dig @8.8.8.8 TARGET_DOMAIN A # DNS with specific port dig @8.8.8.8 -p 53 TARGET_DOMAIN A # DNS with TCP dig @8.8.8.8 +tcp TARGET_DOMAIN A # DNS with UDP dig @8.8.8.8 +notcp TARGET_DOMAIN A # DNS with recursion dig @8.8.8.8 +recurse TARGET_DOMAIN A # DNS without recursion dig @8.8.8.8 +norecurse TARGET_DOMAIN A # DNS with trace dig @8.8.8.8 +trace TARGET_DOMAIN A # DNS with short answer dig @8.8.8.8 +short TARGET_DOMAIN A # DNS with verbose answer dig @8.8.8.8 +verbose TARGET_DOMAIN A # DNS with debug dig @8.8.8.8 +debug TARGET_DOMAIN A DNS Zone Transfer # Zone transfer attempt dig @TARGET_DOMAIN AXFR # Zone transfer with specific server dig @ns1.TARGET_DOMAIN AXFR TARGET_DOMAIN # Zone transfer with multiple servers dig @ns1.TARGET_DOMAIN AXFR TARGET_DOMAIN dig @ns2.TARGET_DOMAIN AXFR TARGET_DOMAIN dig @ns3.TARGET_DOMAIN AXFR TARGET_DOMAIN # Zone transfer with output dig @TARGET_DOMAIN AXFR > zone_transfer.txt # Zone transfer with verbose dig @TARGET_DOMAIN AXFR +verbose # Zone transfer with debug dig @TARGET_DOMAIN AXFR +debug Nslookup Basic Nslookup Queries # A record lookup nslookup TARGET_DOMAIN # AAAA record lookup nslookup -type=AAAA TARGET_DOMAIN # CNAME record lookup nslookup -type=CNAME TARGET_DOMAIN # MX record lookup nslookup -type=MX TARGET_DOMAIN # NS record lookup nslookup -type=NS TARGET_DOMAIN # SOA record lookup nslookup -type=SOA TARGET_DOMAIN # TXT record lookup nslookup -type=TXT TARGET_DOMAIN # PTR record lookup nslookup TARGET_IP # Interactive mode nslookup > set type=A > TARGET_DOMAIN > set type=MX > TARGET_DOMAIN > exit Advanced Nslookup Options # Nslookup with specific server nslookup TARGET_DOMAIN 8.8.8.8 # Nslookup with debug nslookup -debug TARGET_DOMAIN # Nslookup with verbose nslookup -verbose TARGET_DOMAIN # Nslookup with timeout nslookup -timeout=10 TARGET_DOMAIN # Nslookup with retries nslookup -retries=3 TARGET_DOMAIN # Nslookup with port nslookup -port=53 TARGET_DOMAIN # Nslookup with query type nslookup -querytype=A TARGET_DOMAIN # Nslookup with class nslookup -class=IN TARGET_DOMAIN Host Command Basic Host Queries # A record lookup host TARGET_DOMAIN # AAAA record lookup host -t AAAA TARGET_DOMAIN # CNAME record lookup host -t CNAME TARGET_DOMAIN # MX record lookup host -t MX TARGET_DOMAIN # NS record lookup host -t NS TARGET_DOMAIN # SOA record lookup host -t SOA TARGET_DOMAIN # TXT record lookup host -t TXT TARGET_DOMAIN # PTR record lookup host TARGET_IP # All record types host -a TARGET_DOMAIN Advanced Host Options # Host with specific server host TARGET_DOMAIN 8.8.8.8 # Host with verbose output host -v TARGET_DOMAIN # Host with debug output host -d TARGET_DOMAIN # Host with timeout host -W 10 TARGET_DOMAIN # Host with retries host -r TARGET_DOMAIN # Host with class host -C TARGET_DOMAIN # Host with query type host -t A TARGET_DOMAIN # Host with reverse lookup host -r TARGET_IP Social Engineering Email Harvesting # TheHarvester theHarvester -d TARGET_DOMAIN -b google # TheHarvester with multiple sources theHarvester -d TARGET_DOMAIN -b google,bing,yahoo,baidu,duckduckgo # TheHarvester with output file theHarvester -d TARGET_DOMAIN -b google -f results.html # TheHarvester with limit theHarvester -d TARGET_DOMAIN -b google -l 100 # TheHarvester with proxy theHarvester -d TARGET_DOMAIN -b google -p 127.0.0.1:8080 # TheHarvester with timeout theHarvester -d TARGET_DOMAIN -b google -t 10 # TheHarvester with verbose theHarvester -d TARGET_DOMAIN -b google -v # TheHarvester with quiet theHarvester -d TARGET_DOMAIN -b google -q Social Media Intelligence # Social-Engineer Toolkit setoolkit # Maltego maltego # Recon-ng recon-ng # SpiderFoot spiderfoot -l 127.0.0.1:5001 # OSINT Framework osintframework.com # Shodan shodan search TARGET_DOMAIN # Censys censys.io # VirusTotal virustotal.com # PassiveTotal passivetotal.com Search Engine Queries Google Dorking # Site-specific search site:TARGET_DOMAIN # File type search site:TARGET_DOMAIN filetype:pdf # Directory search site:TARGET_DOMAIN inurl:admin # Login page search site:TARGET_DOMAIN inurl:login # Configuration file search site:TARGET_DOMAIN filetype:conf # Database file search site:TARGET_DOMAIN filetype:db # Backup file search site:TARGET_DOMAIN filetype:bak # Log file search site:TARGET_DOMAIN filetype:log # Error page search site:TARGET_DOMAIN inurl:error # API endpoint search site:TARGET_DOMAIN inurl:api Advanced Search Queries # Intitle search intitle:"index of" TARGET_DOMAIN # Inurl search inurl:admin TARGET_DOMAIN # Intext search intext:"password" site:TARGET_DOMAIN # Filetype search filetype:sql site:TARGET_DOMAIN # Ext search ext:php site:TARGET_DOMAIN # Cache search cache:TARGET_DOMAIN # Related search related:TARGET_DOMAIN # Link search link:TARGET_DOMAIN # Info search info:TARGET_DOMAIN Custom Scripts Python Footprinting Script import socket import dns.resolver import whois import requests import json def footprint_target(domain): results = {} # WHOIS lookup try: w = whois.whois(domain) results['whois'] = { 'registrar': w.registrar, 'creation_date': w.creation_date, 'expiration_date': w.expiration_date, 'name_servers': w.name_servers, 'emails': w.emails } except Exception as e: results['whois'] = {'error': str(e)} # DNS lookup try: dns_results = {} # A records a_records = dns.resolver.resolve(domain, 'A') dns_results['A'] = [str(record) for record in a_records] # AAAA records aaaa_records = dns.resolver.resolve(domain, 'AAAA') dns_results['AAAA'] = [str(record) for record in aaaa_records] # MX records mx_records = dns.resolver.resolve(domain, 'MX') dns_results['MX'] = [str(record) for record in mx_records] # NS records ns_records = dns.resolver.resolve(domain, 'NS') dns_results['NS'] = [str(record) for record in ns_records] # TXT records txt_records = dns.resolver.resolve(domain, 'TXT') dns_results['TXT'] = [str(record) for record in txt_records] results['dns'] = dns_results except Exception as e: results['dns'] = {'error': str(e)} # HTTP headers try: response = requests.get(f'http://{domain}', timeout=10) results['http_headers'] = dict(response.headers) results['http_status'] = response.status_code except Exception as e: results['http_headers'] = {'error': str(e)} # HTTPS headers try: response = requests.get(f'https://{domain}', timeout=10, verify=False) results['https_headers'] = dict(response.headers) results['https_status'] = response.status_code except Exception as e: results['https_headers'] = {'error': str(e)} return results # Usage domain = "TARGET_DOMAIN" results = footprint_target(domain) print(json.dumps(results, indent=2)) Bash Footprinting Script #!/bin/bash DOMAIN="TARGET_DOMAIN" OUTPUT_FILE="footprint_results.txt" echo "=== Footprinting $DOMAIN ===" > "$OUTPUT_FILE" echo "" >> "$OUTPUT_FILE" # WHOIS lookup echo "=== WHOIS Information ===" >> "$OUTPUT_FILE" whois "$DOMAIN" >> "$OUTPUT_FILE" echo "" >> "$OUTPUT_FILE" # DNS lookup echo "=== DNS Information ===" >> "$OUTPUT_FILE" echo "A Records:" >> "$OUTPUT_FILE" dig "$DOMAIN" A +short >> "$OUTPUT_FILE" echo "" >> "$OUTPUT_FILE" echo "AAAA Records:" >> "$OUTPUT_FILE" dig "$DOMAIN" AAAA +short >> "$OUTPUT_FILE" echo "" >> "$OUTPUT_FILE" echo "MX Records:" >> "$OUTPUT_FILE" dig "$DOMAIN" MX +short >> "$OUTPUT_FILE" echo "" >> "$OUTPUT_FILE" echo "NS Records:" >> "$OUTPUT_FILE" dig "$DOMAIN" NS +short >> "$OUTPUT_FILE" echo "" >> "$OUTPUT_FILE" echo "TXT Records:" >> "$OUTPUT_FILE" dig "$DOMAIN" TXT +short >> "$OUTPUT_FILE" echo "" >> "$OUTPUT_FILE" # HTTP headers echo "=== HTTP Headers ===" >> "$OUTPUT_FILE" curl -I "http://$DOMAIN" >> "$OUTPUT_FILE" echo "" >> "$OUTPUT_FILE" # HTTPS headers echo "=== HTTPS Headers ===" >> "$OUTPUT_FILE" curl -I "https://$DOMAIN" >> "$OUTPUT_FILE" echo "" >> "$OUTPUT_FILE" echo "Footprinting completed. Results saved to $OUTPUT_FILE" Information Gathering Company Information # LinkedIn company search linkedin.com/company/TARGET_COMPANY # Glassdoor company search glassdoor.com/Overview/Working-at-TARGET_COMPANY-EI_IE123456.11,23.htm # Crunchbase company search crunchbase.com/organization/TARGET_COMPANY # AngelList company search angel.co/TARGET_COMPANY # Indeed company search indeed.com/cmp/TARGET_COMPANY # Google company search google.com/search?q=TARGET_COMPANY # Bing company search bing.com/search?q=TARGET_COMPANY # Yahoo company search yahoo.com/search?p=TARGET_COMPANY Employee Information # LinkedIn employee search linkedin.com/search/results/people/?company=TARGET_COMPANY # Facebook employee search facebook.com/search/people/?q=TARGET_COMPANY # Twitter employee search twitter.com/search?q=TARGET_COMPANY # Instagram employee search instagram.com/explore/tags/TARGET_COMPANY # GitHub employee search github.com/search?q=TARGET_COMPANY # Stack Overflow employee search stackoverflow.com/users?tab=reputation&filter=all # Reddit employee search reddit.com/search?q=TARGET_COMPANY # Quora employee search quora.com/search?q=TARGET_COMPANY Best Practices Rate Limiting # Add delay between requests sleep 1 # Use fewer threads nmap -T1 TARGET_IP # Use proxy rotation curl --proxy http://proxy1:8080 TARGET_URL Stealth Mode # Use random user agents curl -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" TARGET_URL # Use realistic delays sleep 2 # Use smaller wordlists nmap -p 1-1000 TARGET_IP Output Analysis # Save results to file whois TARGET_DOMAIN > results.txt # Filter by specific information grep "Registrar" results.txt grep "Name Server" results.txt grep "Creation Date" results.txt grep "Expiration Date" results.txt # Sort by date sort -k3 -n results.txt Troubleshooting Common Issues # Connection timeout curl --connect-timeout 10 TARGET_URL # Too many requests sleep 5 # Invalid domain dig TARGET_DOMAIN # Permission denied sudo whois TARGET_DOMAIN Performance Optimization # Use appropriate tools nmap -T4 TARGET_IP # Use smaller ranges nmap -p 1-1000 TARGET_IP # Use specific scripts nmap --script vuln TARGET_IP Legal and Ethical Considerations Always obtain proper authorization before testing Respect rate limits and server resources Use appropriate tools for the target Document findings properly Follow responsible disclosure practices

Subdomain Enumeration Tools Comprehensive collection of subdomain enumeration tools and techniques for reconnaissance and web application security testing. Subfinder Basic Subdomain Enumeration # Basic subdomain enumeration subfinder -d TARGET_DOMAIN # With multiple domains subfinder -d TARGET_DOMAIN1,TARGET_DOMAIN2,TARGET_DOMAIN3 # With output file subfinder -d TARGET_DOMAIN -o results.txt # With JSON output subfinder -d TARGET_DOMAIN -o results.json -json # With verbose output subfinder -d TARGET_DOMAIN -v # With silent output subfinder -d TARGET_DOMAIN -silent # With threads subfinder -d TARGET_DOMAIN -t 50 # With timeout subfinder -d TARGET_DOMAIN -timeout 10 # With retries subfinder -d TARGET_DOMAIN -retries 3 Advanced Subfinder Options # With specific sources subfinder -d TARGET_DOMAIN -sources shodan,crtsh,passivetotal # With all sources subfinder -d TARGET_DOMAIN -all # With exclude sources subfinder -d TARGET_DOMAIN -exclude-sources shodan,crtsh # With config file subfinder -d TARGET_DOMAIN -config config.yaml # With proxy subfinder -d TARGET_DOMAIN -proxy http://127.0.0.1:8080 # With rate limit subfinder -d TARGET_DOMAIN -rate-limit 100 # With wildcard detection subfinder -d TARGET_DOMAIN -wildcard # With recursive enumeration subfinder -d TARGET_DOMAIN -recursive Amass Basic Subdomain Enumeration # Basic subdomain enumeration amass enum -d TARGET_DOMAIN # With multiple domains amass enum -d TARGET_DOMAIN1,TARGET_DOMAIN2 # With output file amass enum -d TARGET_DOMAIN -o results.txt # With JSON output amass enum -d TARGET_DOMAIN -json results.json # With verbose output amass enum -d TARGET_DOMAIN -v # With silent output amass enum -d TARGET_DOMAIN -silent # With threads amass enum -d TARGET_DOMAIN -t 50 # With timeout amass enum -d TARGET_DOMAIN -timeout 10 Advanced Amass Options # With specific sources amass enum -d TARGET_DOMAIN -sources shodan,crtsh,passivetotal # With all sources amass enum -d TARGET_DOMAIN -all # With exclude sources amass enum -d TARGET_DOMAIN -exclude-sources shodan,crtsh # With config file amass enum -d TARGET_DOMAIN -config config.yaml # With proxy amass enum -d TARGET_DOMAIN -proxy http://127.0.0.1:8080 # With rate limit amass enum -d TARGET_DOMAIN -rate-limit 100 # With wildcard detection amass enum -d TARGET_DOMAIN -wildcard # With recursive enumeration amass enum -d TARGET_DOMAIN -recursive # With brute force amass enum -d TARGET_DOMAIN -brute # With wordlist amass enum -d TARGET_DOMAIN -w wordlist.txt Assetfinder Basic Subdomain Enumeration # Basic subdomain enumeration assetfinder TARGET_DOMAIN # With multiple domains assetfinder TARGET_DOMAIN1 TARGET_DOMAIN2 TARGET_DOMAIN3 # With output file assetfinder TARGET_DOMAIN > results.txt # With subs-only assetfinder --subs-only TARGET_DOMAIN # With alive check assetfinder --alive TARGET_DOMAIN # With verbose output assetfinder -v TARGET_DOMAIN Sublist3r Basic Subdomain Enumeration # Basic subdomain enumeration sublist3r -d TARGET_DOMAIN # With multiple domains sublist3r -d TARGET_DOMAIN1,TARGET_DOMAIN2 # With output file sublist3r -d TARGET_DOMAIN -o results.txt # With verbose output sublist3r -d TARGET_DOMAIN -v # With threads sublist3r -d TARGET_DOMAIN -t 50 # With timeout sublist3r -d TARGET_DOMAIN -t 10 # With specific engines sublist3r -d TARGET_DOMAIN -e google,yahoo,bing # With all engines sublist3r -d TARGET_DOMAIN -e all # With exclude engines sublist3r -d TARGET_DOMAIN -e google,yahoo -x bing,duckduckgo DNSrecon Basic DNS Enumeration # Basic DNS enumeration dnsrecon -d TARGET_DOMAIN # With multiple domains dnsrecon -d TARGET_DOMAIN1,TARGET_DOMAIN2 # With output file dnsrecon -d TARGET_DOMAIN -o results.txt # With JSON output dnsrecon -d TARGET_DOMAIN -j results.json # With verbose output dnsrecon -d TARGET_DOMAIN -v # With threads dnsrecon -d TARGET_DOMAIN -t 50 # With timeout dnsrecon -d TARGET_DOMAIN -t 10 # With specific record types dnsrecon -d TARGET_DOMAIN -t A,AAAA,CNAME,MX,NS,SOA,TXT # With all record types dnsrecon -d TARGET_DOMAIN -t all # With brute force dnsrecon -d TARGET_DOMAIN -b # With wordlist dnsrecon -d TARGET_DOMAIN -w wordlist.txt Fierce Basic Subdomain Enumeration # Basic subdomain enumeration fierce -dns TARGET_DOMAIN # With multiple domains fierce -dns TARGET_DOMAIN1,TARGET_DOMAIN2 # With output file fierce -dns TARGET_DOMAIN -file results.txt # With verbose output fierce -dns TARGET_DOMAIN -verbose # With threads fierce -dns TARGET_DOMAIN -threads 50 # With timeout fierce -dns TARGET_DOMAIN -timeout 10 # With wordlist fierce -dns TARGET_DOMAIN -wordlist wordlist.txt # With range fierce -dns TARGET_DOMAIN -range 192.168.1.0/24 # With delay fierce -dns TARGET_DOMAIN -delay 1 DNSenum Basic DNS Enumeration # Basic DNS enumeration dnsenum TARGET_DOMAIN # With multiple domains dnsenum TARGET_DOMAIN1 TARGET_DOMAIN2 # With output file dnsenum TARGET_DOMAIN -o results.txt # With verbose output dnsenum TARGET_DOMAIN -v # With threads dnsenum TARGET_DOMAIN -t 50 # With timeout dnsenum TARGET_DOMAIN -t 10 # With wordlist dnsenum TARGET_DOMAIN -w wordlist.txt # With range dnsenum TARGET_DOMAIN -r 192.168.1.0/24 # With delay dnsenum TARGET_DOMAIN -d 1 Custom Scripts Python Subdomain Enumeration import requests import threading import queue import time import dns.resolver def subdomain_enumeration(domain, wordlist, threads=10, delay=0): def worker(): while True: try: subdomain = wordlist.get() if subdomain is None: break full_domain = f"{subdomain}.{domain}" # DNS resolution try: dns.resolver.resolve(full_domain, 'A') print(f"[DNS] {full_domain}") except: pass # HTTP check try: response = requests.get(f"http://{full_domain}", timeout=5) print(f"[HTTP] {full_domain} - {response.status_code}") except: pass # HTTPS check try: response = requests.get(f"https://{full_domain}", timeout=5) print(f"[HTTPS] {full_domain} - {response.status_code}") except: pass time.sleep(delay) except Exception as e: pass finally: wordlist.task_done() # Start threads for i in range(threads): t = threading.Thread(target=worker) t.daemon = True t.start() # Add subdomains to queue with open(wordlist_file, 'r') as f: for line in f: wordlist.put(line.strip()) # Wait for completion wordlist.join() # Usage domain = "TARGET_DOMAIN" wordlist_file = "/usr/share/wordlists/subdomains.txt" wordlist = queue.Queue() subdomain_enumeration(domain, wordlist, threads=20, delay=0.1) Bash Subdomain Enumeration #!/bin/bash DOMAIN="TARGET_DOMAIN" WORDLIST="/usr/share/wordlists/subdomains.txt" THREADS=10 # Function to check subdomain check_subdomain() { local subdomain=$1 local full_domain="${subdomain}.${DOMAIN}" # DNS resolution if nslookup "$full_domain" > /dev/null 2>&1; then echo "[DNS] $full_domain" fi # HTTP check if curl -s -o /dev/null -w "%{http_code}" "http://$full_domain" | grep -q "200\|301\|302\|403\|401"; then echo "[HTTP] $full_domain" fi # HTTPS check if curl -s -o /dev/null -w "%{http_code}" "https://$full_domain" | grep -q "200\|301\|302\|403\|401"; then echo "[HTTPS] $full_domain" fi } # Export function for parallel export -f check_subdomain export DOMAIN # Run parallel subdomain check cat "$WORDLIST" | parallel -j "$THREADS" check_subdomain {} Wordlists Common Subdomain Wordlists # SecLists subdomain wordlists /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt /usr/share/wordlists/SecLists/Discovery/DNS/dns-Jhaddix.txt # Custom subdomain wordlists /usr/share/wordlists/custom/subdomains.txt /usr/share/wordlists/custom/api-subdomains.txt /usr/share/wordlists/custom/admin-subdomains.txt # Generate custom wordlists echo "www,mail,ftp,admin,api,dev,test,staging,prod" | tr ',' '\n' > custom_subdomains.txt Creating Custom Wordlists # Extract subdomains from certificate transparency logs curl -s "https://crt.sh/?q=%.TARGET_DOMAIN&output=json" | jq -r '.[].name_value' | sort -u > crt_subdomains.txt # Extract subdomains from DNS records dig @8.8.8.8 TARGET_DOMAIN ANY | grep -oP 'IN\s+\w+\s+\K[^\s]+' | sort -u > dns_subdomains.txt # Combine multiple wordlists cat wordlist1.txt wordlist2.txt wordlist3.txt | sort -u > combined_wordlist.txt # Remove empty lines and duplicates grep -v '^$' wordlist.txt | sort -u > clean_wordlist.txt API-based Enumeration Shodan API # Using Shodan CLI shodan domain TARGET_DOMAIN # Using Shodan API curl -s "https://api.shodan.io/dns/domain/TARGET_DOMAIN?key=YOUR_API_KEY" | jq -r '.data[].subdomain' | sort -u Censys API # Using Censys API curl -s "https://censys.io/api/v1/search/certificates" \ -H "Authorization: Basic YOUR_API_KEY" \ -d '{"query": "TARGET_DOMAIN", "fields": ["parsed.names"]}' | jq -r '.result.hits[].parsed.names[]' | sort -u VirusTotal API # Using VirusTotal API curl -s "https://www.virustotal.com/vtapi/v2/domain/report" \ -d "apikey=YOUR_API_KEY" \ -d "domain=TARGET_DOMAIN" | jq -r '.subdomains[]' | sort -u Passive vs Active Enumeration Passive Enumeration # Using only passive sources subfinder -d TARGET_DOMAIN -sources crtsh,passivetotal,shodan # Using only passive DNS dnsrecon -d TARGET_DOMAIN -t A,AAAA,CNAME,MX,NS,SOA,TXT # Using only certificate transparency curl -s "https://crt.sh/?q=%.TARGET_DOMAIN&output=json" | jq -r '.[].name_value' | sort -u Active Enumeration # Using brute force amass enum -d TARGET_DOMAIN -brute # Using wordlist subfinder -d TARGET_DOMAIN -w wordlist.txt # Using recursive enumeration subfinder -d TARGET_DOMAIN -recursive Best Practices Rate Limiting # Add delay between requests subfinder -d TARGET_DOMAIN -rate-limit 100 # Use fewer threads subfinder -d TARGET_DOMAIN -t 10 # Use proxy rotation subfinder -d TARGET_DOMAIN -proxy http://proxy1:8080 Stealth Mode # Use random user agents subfinder -d TARGET_DOMAIN -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" # Use realistic delays subfinder -d TARGET_DOMAIN -rate-limit 50 # Use smaller wordlists subfinder -d TARGET_DOMAIN -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt Output Analysis # Save results to file subfinder -d TARGET_DOMAIN -o results.txt # Filter by status code grep "200" results.txt grep "403" results.txt grep "301\|302" results.txt # Sort by response size sort -k3 -n results.txt Troubleshooting Common Issues # Connection timeout subfinder -d TARGET_DOMAIN -t 5 # Too many requests subfinder -d TARGET_DOMAIN -rate-limit 50 # Invalid SSL certificate subfinder -d TARGET_DOMAIN -k # Authentication required subfinder -d TARGET_DOMAIN -u admin -p password Performance Optimization # Use appropriate thread count subfinder -d TARGET_DOMAIN -t 20 # Use smaller wordlists for initial scan subfinder -d TARGET_DOMAIN -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt # Use specific sources subfinder -d TARGET_DOMAIN -sources crtsh,passivetotal Legal and Ethical Considerations Always obtain proper authorization before testing Respect rate limits and server resources Use appropriate wordlists for the target Document findings properly Follow responsible disclosure practices