1 Subdomain Enumeration
1.1 Recon-ng
A Metasploit-like framework for finding subdomains.
recon-ng
use recon/domain-hosts/
show options
set source example.com
All discovered subdomains are stored in the hosts table. To view them:
show hosts
If some subdomains were not assigned an IP address automatically, run:
use recon/hosts-hosts/resolve
run
1.2 Google Dorks
site:*.example.com
# exclude a specific subdomain
site:example.com -site:help.example.com
1.3 Reverse DNS-lookup
If you have the target's IP range, first check which hosts are active, then find the domain name behind each live host's IP using a custom bash script.
Let's say I have the target's IPs in onlyIps.txt.
#!/bin/bash
# Reverse-resolve every IP listed in onlyIps.txt (one address per line).
while IFS= read -r p; do
    echo "$p"
    host "$p"
done < onlyIps.txt
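The loop above prints raw `host` output, which is awkward to sort or diff against an asset inventory. The following is an added example, not part of the original post, that converts that output into `ip,hostname` rows and keeps addresses with no PTR record as rows with an empty name. The function names are hypothetical, and the sample lines are constructed from documentation address ranges in the format the `host` utility prints.

```shell
#!/bin/bash
# Added example: parse the output of the reverse-lookup loop into CSV rows.

# ptr_to_ip: "10.2.0.192.in-addr.arpa." -> "192.0.2.10"
ptr_to_ip() {
    local n d c b a rest
    n=${1%.}                      # drop a trailing dot, if any
    n=${n%.in-addr.arpa}          # leave only the reversed octets
    d=${n%%.*}; rest=${n#*.}
    c=${rest%%.*}; rest=${rest#*.}
    b=${rest%%.*}; a=${rest#*.}
    printf '%s.%s.%s.%s\n' "$a" "$b" "$c" "$d"
}

# parse_host_output: read `host` output on stdin, write "ip,hostname" rows.
# An IP with several PTR records yields one row per record; an NXDOMAIN
# answer yields "ip," so unresolved addresses stay visible in the result.
parse_host_output() {
    local line rest name
    while IFS= read -r line; do
        case $line in
            *".in-addr.arpa domain name pointer "*)
                name=${line##* }                  # last word is the PTR target
                printf '%s,%s\n' "$(ptr_to_ip "${line%% *}")" "${name%.}"
                ;;
            "Host "*".in-addr.arpa. not found:"*)
                rest=${line#Host }
                printf '%s,\n' "$(ptr_to_ip "${rest%% *}")"
                ;;
            *) ;;                                 # echoed IP lines and other noise
        esac
    done
}

# Constructed sample: what the loop prints for three addresses.
sample_host_output() {
    cat <<'EOF'
192.0.2.10
10.2.0.192.in-addr.arpa domain name pointer www.example.com.
192.0.2.11
11.2.0.192.in-addr.arpa domain name pointer mail.example.com.
11.2.0.192.in-addr.arpa domain name pointer mx1.example.com.
203.0.113.9
Host 9.113.0.203.in-addr.arpa. not found: 3(NXDOMAIN)
EOF
}

sample_host_output | parse_host_output
```

With live data, replace `sample_host_output` with the reverse-lookup loop and redirect the rows to a file.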
This post is licensed under CC BY 4.0 by the author.
