Rachit Arora

Subdomain Enumeration

Apr 01, 2023

Using subfinder

subfinder -d hltv.org -all -cs | tee  domains.txt
Cleaning up urls
cat domains.txt | cut -d "," -f 1 | tee domains.txt
Getting hosts of the domain
 cat domains.txt | xargs -I{} host {} | tee -a host.txt
Using HTTPX
cat domains.txt | httpx -wc -sc -cl -ct -asn -web-server -o httpxout.txt -p 8000,8080,8443,443,8008,3000,5000,9090,900,7070,9200,15672,9000 -threads 75 -location

Using ASN, you can go to ipinfo and get all the ip ranges.

Net:10.200.11.0/24
asn:ASN
Reverse who is
crt.sh
Crt.sh/?O=Paypal,%20inc.&output=json
Finding ASN’s
amass intel -asn ASN | tee -a asn.txt
Using tlsx

We can give a range of ip addr, it will give us the domains that are there on that

echo 173.0.84.0/24 |tlsx -san -cn -silent
Using WaybackURLs
waybackurls example.com

Have any questions

Do you have any questions? Feel free to reach out to me on twitter or on LinkedIn.