UBG Hacking Team
  • About UBG
  • Site Contributors
    • NanoByt3
    • Exabyte
    • DataMcdataface
  • CTF Writeups
    • HTB Traceback Walkthrough
    • HTB Magic Walkthrough
    • HTB Nest Walkthrough
    • HTB Monteverde Walkthrough
    • HTB Resolute Walkthrough
    • HTB Ellingson Walkthrough
    • HTB Jarvis Walkthrough
  • Blog Posts
    • Certification Reviews
      • PenTest+
      • GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
      • OSCP Guide to pass
      • SANS Guide to pass
      • CCSP Guide to pass
      • CISSP Guide to pass
      • OSWE Exam Blog
      • OSCP Exam Blog
      • CEH Exam Blog
    • Five Offensive Objectives
    • Powershell For Penetration Testers Downloading And Exfiltrating
    • Powershell For Penetration Testers Switching Users
    • Powershell For Penetration Testers Beating Restricted Policies
  • Attacks
    • WebHosting
      • IP's to block
    • Reconnaissance
      • C99 Recon
      • DNS
        • SubDomain lookup
      • Tools/Syntax
      • O365 RealmInfo
    • On-Prem Linux
      • Shell Upgrades
    • On-Prem Windows
      • Service Session Hijack
      • Egress Testing
  • Detection
  • MISC.
    • enable snmp office365
Powered by GitBook
On this page

Was this helpful?

  1. Attacks
  2. Reconnaissance

Tools/Syntax

todo

Subfinder

# Install
go get github.com/subfinder/subfinder

# Basic usage
subfinder -d example.com > example.com.subs

# Recursive
subfinder -d  example.com  -recursive -silent -t 200 -v -o  example.com.subs

# Use censys for even more results
subfinder -d example.com -b -w wordlist.txt -t 100 -sources censys -set-settings CensysPages=2 -v -o example.com.subs

Amass after subfinder

amass enum --passive -d example.com -o example.com.subs 

asset Finder after amass

# Install
go get -u github.com/tomnomnom/assetfinder

# Basic usage
assetfinder [--subs-only] <domain>

GetAllUrls gau

# Install 
GO111MODULE=on go get -u -v github.com/lc/gau

# Extract subdomains from output
gau -subs example.com | cut -d / -f 3 | sort -u
PreviousSubDomain lookupNextO365 RealmInfo

Last updated 4 years ago

Was this helpful?