search

Subdomain enumeration

hashtag
Via manual OSINT

hashtag
CRT.SH

A simple request to https://crt.sh/arrow-up-right (a website which lists valid TLS/SSL certificates for publically accessible websites) using the domain name of our target website could yield results.

hashtag
Google Dorking

The Google search engine lets us use "dorks", which are additional characters or formatting that allow us to narrow down our search. A good example would be the "site:" dork, which will only show us results relevant to the specific domain name we gave it. Knowing this, combining our known domain with a wildcard operator would yield results. Example : site:"*.laposte.fr"

hashtag
Via automated tools

hashtag
DNSRecon

dnsrecon -t brt -d target.whatever

hashtag
Sublist3r

sublist3r.py -d target.whatever

hashtag
Fuff

ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.target.whatever" -u http://target_ip -fs {size_of_the_average_response}
PreviousSQLMapNextDirectory enumeration

Last updated