| description |
|---|
| MITRE ATT&CK, Reconnaissance, Technique T1590 |
Subdomain enumeration is the process of finding valid, resolvable subdomains for a company's domain(s). The more you find, the more attack surface you have to test.
```bash
# Search engine query for indexed subdomains, excluding the www host
site:*.$domain -www
```
```bash
# Passive subdomain enumeration
dome.py -m passive -d $domain
# Active enumeration
dome.py -m active -d $domain
```
{% embed url="https://github.com/v4d1/Dome" %}
```bash
# Passively enumerate subdomains
sublist3r.py -d $domain
# Enumerate subdomains and utilize the 'brute force' module
sublist3r.py -b -d $domain
```
{% embed url="https://github.com/aboul3la/Sublist3r" %}
```bash
# Enumerate subdomains
dnsrecon -d $domain
# Enumerate subdomains and attempt a zone transfer
dnsrecon -a -d $domain
```
{% embed url="https://github.com/darkoperator/dnsrecon" %}
```bash
# Enumerate subdomains using amass's passive and active data sources
amass enum -d $domain
```
{% embed url="https://github.com/OWASP/Amass" %}
```bash
# Actively enumerate subdomains by brute forcing names from a wordlist
gobuster dns --domain $domain --wordlist $wordlist
```
{% embed url="https://github.com/OJ/gobuster" %}
* Hurricane Electric Internet Services is a fast way to identify which company owns which IP range.
* SecurityTrails is another good site for verifying IP addresses and netblocks belonging to an organization.
* NetblockTool can be used to gather IP ranges, points of contact, and even netblocks belonging to your target's subsidiaries.
```bash
# Basic usage
python3 NetblockTool.py -v [COMPANY]
# Extract ranges owned by the target company's subsidiaries
python3 NetblockTool.py -v Company -s
```
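The tools above produce two raw artefacts: a list of candidate subdomains and a list of netblocks the organisation owns. What a defender does next is join them. The following is an added example (not part of the original page and not code from any tool linked here) that parses crt.sh-style certificate-transparency JSON into unique in-scope hostnames, resolves each name, and checks every answer against the organisation's known netblocks, reporting names missing from the asset inventory, names that no longer resolve, and names pointing at addresses the organisation does not own. The JSON sample, the DNS answer table, the inventory and the 203.0.113.0/24 netblock are all constructed for the example so it runs offline; in practice the resolver would be `socket.getaddrinfo` and the netblocks would come from NetblockTool or a whois lookup.

```python
"""Audit subdomain enumeration output against an asset inventory (added example).

Pipeline: crt.sh-style JSON -> unique in-scope hostnames -> resolve each name
-> check every address against the organisation's known netblocks. The
resolver is injectable so the constructed lookup table below can stand in
for real DNS and the script runs offline.
"""
import ipaddress
import json
from typing import Callable, Dict, Iterable, List, Set

# Constructed sample shaped like crt.sh's JSON output for a domain query.
# Only the name_value field is used; real responses carry more fields.
CRTSH_SAMPLE = json.dumps([
    {"name_value": "www.example.com\nexample.com"},   # SAN list, newline-separated
    {"name_value": "*.dev.example.com"},              # wildcard certificate
    {"name_value": "MAIL.example.com"},               # mixed case
    {"name_value": "old-staging.example.com"},
    {"name_value": "example.com.evil.test"},          # out of scope: not under example.com
    {"name_value": "vpn.example.com"},
])

# Constructed DNS answers standing in for socket.getaddrinfo().
FAKE_DNS: Dict[str, List[str]] = {
    "example.com": ["203.0.113.10"],
    "www.example.com": ["203.0.113.10"],
    "mail.example.com": ["203.0.113.25"],
    "vpn.example.com": ["203.0.113.40"],
    "old-staging.example.com": ["198.51.100.77"],  # points outside owned ranges
    # dev.example.com deliberately has no answer (name no longer resolves)
}

# Constructed inventory and owned netblocks for the fictional organisation.
INVENTORY: Set[str] = {"example.com", "www.example.com", "mail.example.com", "vpn.example.com"}
OWNED_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]

Resolver = Callable[[str], List[str]]


def parse_crtsh(raw_json: str, domain: str) -> Set[str]:
    """Return unique, lower-cased hostnames that are `domain` or lie under it.

    name_value holds a certificate's SAN list separated by newlines. A
    wildcard entry like '*.dev.example.com' is reduced to 'dev.example.com',
    since that is the only concrete label it proves exists.
    """
    domain = domain.lower().rstrip(".")
    names: Set[str] = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return names


def table_resolver(name: str) -> List[str]:
    """Offline resolver: answers from the constructed table, [] when unknown."""
    return FAKE_DNS.get(name, [])


def in_owned_ranges(ip: str, netblocks: Iterable) -> bool:
    """True when `ip` falls inside any of the organisation's netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in netblocks)


def audit(names: Iterable[str], resolver: Resolver, inventory: Set[str],
          netblocks: Iterable) -> Dict[str, object]:
    """Classify each enumerated name for follow-up by the asset owners.

    unknown        - enumerated but absent from the inventory (forgotten or unregistered hosts)
    unresolved     - no DNS answer; stale records that should be cleaned up
    outside_ranges - resolves to addresses the organisation does not own (third party or misconfig)
    """
    report: Dict[str, object] = {"unknown": [], "unresolved": [], "outside_ranges": {}}
    for name in sorted(names):
        if name not in inventory:
            report["unknown"].append(name)
        addrs = resolver(name)
        if not addrs:
            report["unresolved"].append(name)
            continue
        foreign = [ip for ip in addrs if not in_owned_ranges(ip, netblocks)]
        if foreign:
            report["outside_ranges"][name] = foreign
    return report


def run_sample() -> Dict[str, object]:
    """Run the whole pipeline over the constructed sample data."""
    names = parse_crtsh(CRTSH_SAMPLE, "example.com")
    return audit(names, table_resolver, INVENTORY, OWNED_NETBLOCKS)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

On the sample data the report flags `dev.example.com` as unknown and unresolved, and `old-staging.example.com` as unknown and resolving to 198.51.100.77 outside the owned range; the out-of-scope `example.com.evil.test` entry is dropped during parsing. Swapping `table_resolver` for a real DNS lookup and feeding the netblocks from the tools above turns this into a repeatable external-asset check.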
{% embed url="https://www.netspi.com/blog/technical/network-penetration-testing/netblocktool" %}
{% embed url="https://securitytrails.com/blog/identify-ip-ranges-company-owns" %} {% endembed %}
{% embed url="https://securitytrails.com" %}
{% embed url="https://crt.sh" %}
{% embed url="https://dnsdumpster.com" %}