CENSYS.py - Extract sub-domains for a given domain using Censys.io API
censys_subdomain_enum.py - Extract sub-domains for a given domain using Censys.io API
cloudflare_subdomain_enum.py - A script to do DNS enumeration using Cloudflare service
crtsh_enum_psql.py - Extract sub-domains for a given domain using crt.sh postgres interface (Python)
crtsh_enum_psql.sh - Extract sub-domains for a given domain using crt.sh postgres interface (shell script)
crtsh_enum_web.py - Extract sub-domains for a given domain using crt.sh by scraping the web page (Python3)
hackertarget.py - Multi info script (Traceroute, Ping Test, DNS Lookup, Reverse DNS, Find DNS Host, etc.)
san_subdomain_enum.py - Extract domains/sub-domains listed in Subject Alternative Name (SAN) of SSL/TLS cert for a domain
virustotal_subdomain_enum.py - Extract sub-domains for a given domain using VirusTotal API
ShoFinder.py - Extract info from Shodan API
sub.sh - Subdomain Detect Script & Active/Nmap hosts scans (sub_alive, nmap_sn)
waFFUck.py - Obtain old IPs from historical DNS data
Altdns, Amass, Anubis, Bluto, Dnsrecon, Dnssearch, Domained, ESD, Knock, Massdns, Recon-ng, Sublist3r
Altdns - Alternative names brute forcing
Amass - Brute force, Google, VirusTotal, alt names
Aquatone-discover - Brute force, Riddler, PassiveTotal, Threat Crowd, Google, VirusTotal, Shodan, SSL Certificates, Netcraft, HackerTarget, DNSDB
as3nt - Fast Subdomain Enumeration Tool
BiLE-suite - HTML parsing, alt names, reverse DNS
Blacksheepwall - AXFR, brute force, reverse DNS, Censys, Yandex, Bing, Shodan, Logontube, SSL Certificates, VirusTotal
Bluto - AXFR, Netcraft, brute force
Brutesubs - Enumall, Sublist3r, Altdns
Cloudflare_enum - Cloudflare DNS
CTFR - SSL Certificates
DNS-Discovery - brute force
DNS Parallel Prober - DNS resolver
Dnscan - AXFR, brute force
Dnsrecon - AXFR, zone walking, brute force, reverse DNS, snoop caching, Google
Dnssearch - brute force
Domained - Sublist3r, enumall, Knockpy, SubBrute, MassDNS, recon-ng
Dr. Robot - Subdomains associated by multiple OSINT results
Enumall - Recon-ng -> Google, Bing, Baidu, Netcraft, brute force
Fierce - AXFR, brute force, reverse DNS
Fierce.pl - Domain Scanner
Findomain - Find subdomains using Certificates Transparency logs
Knock - AXFR, VirusTotal, brute force
MassDNS - DNS resolver
Pown Recon - Target reconnaissance framework powered by graph theory
Second Order - HTML parsing
sn0int - Semi-automatic OSINT framework
Sonar - AXFR, brute force
SubBrute - Brute force
Sudomy - Subdomain enumeration tool
Sublist3r - Baidu, Yahoo, Google, Bing, Ask, Netcraft, DNSdumpster, VirusTotal, Threat Crowd, SSL Certificates, PassiveDNS
Syborg - Recursive DNS Subdomain Enumerator
TheHarvester - Reverse DNS, brute force, Google, Bing, Dogpile, Yahoo, Baidu, Shodan, Exalead
Vhost-brute - Vhost discovery
VHostScan - Vhost discovery
Virtual-host-discovery - Vhost discovery
https://osintframework.com/
https://hackertarget.com/
http://searchdns.netcraft.com/
https://dnsdumpster.com/
https://www.threatcrowd.org/
https://riddler.io/
https://api.passivetotal.org
https://www.censys.io
https://api.shodan.io
http://www.dnsdb.org/f/
https://www.dnsdb.info/
https://scans.io/
https://findsubdomains.com/
https://securitytrails.com/dns-trails
https://crt.sh/
https://certspotter.com/api/v0/certs?domain=example.com
https://transparencyreport.google.com/https/certificates
https://developers.facebook.com/tools/ct
https://pentest-tools.com/information-gathering/find-subdomains-of-domain
https://intodns.com/
http://www.baidu.com/
http://www.yahoo.com/
http://www.google.com/
http://www.bing.com/
https://www.yandex.ru/
https://www.exalead.com/search/
http://www.dogpile.com/
https://www.zoomeye.org/
https://fofa.so/
https://github.com/
https://gitlab.com/
https://www.virustotal.com
nslookup -norecursive domain.com
nmap -sU -p 53 --script dns-cache-snoop.nse --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={domain1,domain2,domain3}'
https://ask.fm/
http://logontube.com/
http://commoncrawl.org/
http://www.sitedossier.com/