Subdomain Discovery

How to find subdomains.

bbot

A recursive Internet scanner that will find information from various sources, such as Shodan, SecurityTrails, crt and many other solid data repositories.

https://github.com/blacklanternsecurity/bbot

bbot -t <Base_Domain> -f subdomain-enum | tee output.txt

bbot can be messy. To clean up the output, use the following command:

cat /root/.bbot/scans/{scan_name}/output.txt | grep -F '[DNS_NAME]'| awk '{print $2}'

SubreconGPT

Find more subdomains with GPT

https://github.com/jhaddix/SubreconGPT

chaos -d <URL> | python subrecongpt.py --apikey YOUR_OPENAI_API_KEY

Find subdomains in dmarc

Parse subdomains from dmarc.live

https://github.com/Tedixx/dmarc-subdomains

python dmarc-subdomains.py -domain <URL>

PreviousEmail Address Discovery NextData Discovery

Last updated 6 months ago