Passive Subdomain Enumeration
VirusTotal
Certificates
Censys
crt.sh
export TARGET="example.com"
curl -s "https://crt.sh/?q=${TARGET}&output=json" | jq -r '.[] | "\(.name_value)\n\(.common_name)"' | sort -u

curl -s
    Issue the request with minimal output.
"https://crt.sh/?q=${TARGET}&output=json"
    Ask for the JSON output.
jq -r '.[] | "\(.name_value)\n\(.common_name)"'
    Process the JSON output and print each certificate's name value and common name, one per line.
sort -u
    Sort the output alphabetically and remove duplicates.
OpenSSL
export TARGET="example.com"
export PORT="443"
openssl s_client -ign_eof 2>/dev/null <<<$'HEAD / HTTP/1.0\r\n\r' -connect "${TARGET}:${PORT}" | openssl x509 -noout -text | grep 'DNS' | sed -e 's|DNS:|\n|g' -e 's|^\.||g' | tr -d ',' | sort -u
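The crt.sh pipeline and the OpenSSL SAN pipeline above both end in a raw `sort -u`, which leaves wildcard entries (`*.example.com`), mixed case, multi-name `name_value` fields and out-of-scope names from crt.sh's substring search in the list. The following Python is an added example (not code from the original notes or from crt.sh) that normalises both inputs into one in-scope host list; the JSON and certificate text it runs on are constructed samples, and `in_scope`, `names_from_crtsh` and `names_from_openssl_text` are names chosen here.

```python
"""Normalise host names harvested from certificates (added example).

Inputs handled:
  * the JSON array returned by https://crt.sh/?q=<domain>&output=json, where
    one record's "name_value" may hold several names separated by newlines
    and wildcard names appear as "*.example.com";
  * the text emitted by `openssl x509 -noout -text`, where SANs sit on a
    "DNS:a, DNS:b" line under "X509v3 Subject Alternative Name".
Both are reduced to one sorted, de-duplicated list limited to the target
domain, which is what the shell pipelines aim for.
"""
import json
import re


def in_scope(name: str, target: str) -> bool:
    """True if name is the target or one of its subdomains (case-insensitive)."""
    name = name.lower().rstrip(".")
    target = target.lower().rstrip(".")
    return name == target or name.endswith("." + target)


def _normalise(candidate: str) -> str:
    """Lower-case, trim and drop the "*." wildcard marker from one name."""
    candidate = candidate.strip().lower().rstrip(".")
    return candidate[2:] if candidate.startswith("*.") else candidate


def names_from_crtsh(raw_json: str, target: str) -> list[str]:
    """In-scope names from crt.sh JSON output.

    Like the jq | sort -u chain, but it also splits multi-name name_value
    fields and drops names outside the target domain (crt.sh's q= search is
    a substring match, so "notexample.com" can appear in the results)."""
    found = set()
    for record in json.loads(raw_json):
        candidates = (record.get("name_value") or "").split("\n")
        candidates.append(record.get("common_name") or "")
        for cand in candidates:
            cand = _normalise(cand)
            if cand and in_scope(cand, target):
                found.add(cand)
    return sorted(found)


SAN_ENTRY = re.compile(r"DNS:([^,\s]+)")


def names_from_openssl_text(x509_text: str, target: str) -> list[str]:
    """In-scope names from `openssl x509 -noout -text` output.

    Equivalent to the grep 'DNS' | sed | tr | sort -u chain, but one regex
    over the whole text also catches a SAN list wrapped onto several lines."""
    found = set()
    for match in SAN_ENTRY.finditer(x509_text):
        cand = _normalise(match.group(1))
        if cand and in_scope(cand, target):
            found.add(cand)
    return sorted(found)


# Constructed sample data (not real crt.sh records or a real certificate).
SAMPLE_CRTSH = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com",
     "name_value": "*.example.com\nmail.EXAMPLE.com"},
    {"common_name": "notexample.com",
     "name_value": "notexample.com\ncdn.notexample.com"},
])

SAMPLE_X509_TEXT = """\
        X509v3 Subject Alternative Name:
            DNS:www.example.com, DNS:api.example.com, DNS:*.dev.example.com,
            DNS:legacy.other.test
"""

if __name__ == "__main__":
    print("crt.sh  :", names_from_crtsh(SAMPLE_CRTSH, "example.com"))
    print("openssl :", names_from_openssl_text(SAMPLE_X509_TEXT, "example.com"))
```

The scope filter matters for the crt.sh query in particular: `q=example.com` also returns certificates for any identity that merely contains that string, so without it unrelated domains end up in the passive list that is merged later.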
Automating Passive Subdomain Enumeration
TheHarvester
TheHarvester is a simple-to-use yet powerful and effective tool for early-stage penetration testing and red team engagements. We can use it to gather information to help identify a company's attack surface. The tool collects emails, names, subdomains, IP addresses, and URLs from various public data sources for passive information gathering. For now, we will use the following modules:
Baidu          Baidu search engine.
Bufferoverun   Uses data from Rapid7's Project Sonar - www.rapid7.com/research/project-sonar/
Crtsh          Comodo Certificate search.
Hackertarget   Online vulnerability scanners and network intelligence to help organizations.
Otx            AlienVault Open Threat Exchange - https://otx.alienvault.com
Rapiddns       DNS query tool, which makes querying subdomains or sites using the same IP easy.
Sublist3r      Fast subdomains enumeration tool for penetration testers.
Threatcrowd    Open source threat intelligence.
Threatminer    Data mining for threat intelligence.
Trello         Search Trello boards (uses Google search).
Urlscan        A sandbox for the web that is a URL and website scanner.
Vhost          Bing virtual hosts search.
Virustotal     Domain search.
Zoomeye        A Chinese version of Shodan.
Create a file called sources.txt with the following contents:
baidu
bufferoverun
crtsh
hackertarget
otx
projectdiscovery
rapiddns
sublist3r
threatcrowd
trello
urlscan
vhost
virustotal
zoomeye
Execute the following commands to gather information from these sources.
export TARGET="example.com"
cat sources.txt | while read -r source; do theHarvester -d "${TARGET}" -b "${source}" -f "${source}_${TARGET}"; done
Extract all the subdomains found and sort them via the following command:
cat *.json | jq -r '.hosts[]' 2>/dev/null | cut -d':' -f 1 | sort -u > "${TARGET}_theHarvester.txt"
Merge all the passive reconnaissance files:
cat example.com_*.txt | sort -u > example.com_subdomains_passive.txt
cat example.com_subdomains_passive.txt
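The merge step above relies on `jq -r '.hosts[]' 2>/dev/null | cut -d':' -f 1`: theHarvester writes each host as `name` or `name:ip` under the `hosts` key, a source that found nothing may emit a file without that key, and the cut throws the address away. The following Python is an added example (not theHarvester's code or the original notes) that does the same aggregation while keeping the IP each name was seen with; the JSON documents are constructed stand-ins for the per-source files, and `parse_harvester`, `merge_harvester` and `merge_passive` are names chosen here.

```python
"""Aggregate per-source theHarvester JSON output into one host list
(added example; not theHarvester's own code).

Each "hosts" entry is "name" or "name:ip". Files without a "hosts" key or
with unparsable content are tolerated, mirroring the 2>/dev/null in the
shell version, and the IP that `cut -d':' -f1` discards is retained.
"""
import json
from collections import defaultdict


def parse_harvester(raw_json: str) -> dict[str, set[str]]:
    """Map host name -> set of IPs from one theHarvester JSON document."""
    try:
        data = json.loads(raw_json)
    except json.JSONDecodeError:
        return {}                       # corrupt or empty output file
    if not isinstance(data, dict):
        return {}
    hosts: dict[str, set[str]] = defaultdict(set)
    for entry in data.get("hosts", []):
        if not isinstance(entry, str):
            continue
        # Split on the FIRST colon only, so IPv6 addresses stay intact.
        name, _, ip = entry.partition(":")
        name = name.strip().lower().rstrip(".")
        if not name:
            continue
        bucket = hosts[name]            # record the name even without an IP
        if ip.strip():
            bucket.add(ip.strip())
    return dict(hosts)


def merge_harvester(documents: list[str]) -> dict[str, set[str]]:
    """Union of parse_harvester() over every per-source file."""
    merged: dict[str, set[str]] = defaultdict(set)
    for doc in documents:
        for name, ips in parse_harvester(doc).items():
            merged[name].update(ips)
    return dict(merged)


def merge_passive(*host_lists) -> list[str]:
    """The `cat example.com_*.txt | sort -u` step: union of all passive
    sources' host lists, lower-cased, trailing dot removed, de-duplicated."""
    return sorted({h.strip().lower().rstrip(".")
                   for lst in host_lists for h in lst if h.strip()})


# Constructed sample files standing in for otx_example.com.json and friends;
# addresses come from the documentation ranges 192.0.2.0/24 and 2001:db8::/32.
SAMPLE_FILES = [
    json.dumps({"emails": [], "hosts": ["www.example.com:192.0.2.10",
                                        "mail.example.com"]}),
    json.dumps({"hosts": ["WWW.example.com:2001:db8::10",
                          "dev.example.com:192.0.2.20"]}),
    json.dumps({"emails": ["admin@example.com"]}),   # source found no hosts
    "not json at all",                                # corrupt output
]

if __name__ == "__main__":
    merged = merge_harvester(SAMPLE_FILES)
    for name in sorted(merged):
        print(f"{name:20} {', '.join(sorted(merged[name])) or '-'}")
    # Combine with a host list from another passive source (e.g. crt.sh).
    print(merge_passive(merged, ["example.com", "api.example.com"]))
```

Keeping the name-to-IP mapping is worth the extra lines: when two passive sources disagree about the address of a host, that disagreement is itself a finding (stale DNS, a CDN front, or a name that was reused), and it is lost once the `cut` runs.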
whois
  whois <domain>                   Example: whois example.com                    Responds to internal DNS

Querying: A Records
  nslookup <domain>                Example: nslookup example.com                 Responds to internal DNS
  dig <domain>                     Example: dig example.com                      Responds to internal DNS

Querying: A Records for a Subdomain
  nslookup -query=A <domain>       Example: nslookup -query=A example.com        Responds to internal DNS
  dig a <domain>                   Example: dig a example.com                    Responds to internal DNS

Querying: PTR Records for an IP Address
  nslookup -query=PTR <IP>         Example: nslookup -query=PTR 180.xxx.xxx.xxx
  dig -x <IP>                      Example: dig -x 180.xxx.xxx.xxx

Querying: ANY Existing Records
  nslookup -query=ANY <domain>     Example: nslookup -query=ANY example.com
  dig any <domain>                 Example: dig any example.com

Querying: TXT Records
  nslookup -query=TXT <domain>     Example: nslookup -query=TXT example.com
  dig txt <domain>                 Example: dig txt example.com

Querying: MX Records
  nslookup -query=MX <domain>      Example: nslookup -query=MX example.com
  dig mx <domain>                  Example: dig mx example.com
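The table above lists the queries but not what comes back or what `dig -x` actually asks for. The following Python is an added example (not from the original notes and not part of dig or nslookup) that builds the reverse-lookup name behind `dig -x` / `nslookup -query=PTR` and parses the ANSWER SECTION of dig output into records grouped by type; the dig output it parses is a constructed sample, not a capture, and `reverse_name`, `parse_dig_answers` and `mx_targets` are names chosen here.

```python
"""Reverse-lookup names and dig answer parsing (added example).

`dig -x IP` rewrites the address into a PTR owner name; `ipaddress` exposes
the same rule. The parser reads dig's ANSWER SECTION, which has one record
per line: owner, TTL, class, type, rdata.
"""
import ipaddress
from collections import defaultdict


def reverse_name(ip: str) -> str:
    """Owner name that `dig -x IP` queries: octets reversed under
    in-addr.arpa for IPv4, nibbles reversed under ip6.arpa for IPv6.
    Raises ValueError for a string that is not an IP address."""
    return ipaddress.ip_address(ip).reverse_pointer


def parse_dig_answers(dig_output: str) -> dict[str, list[tuple[str, int, str]]]:
    """Group the resource records in dig's ANSWER SECTION by type.

    Returns {rtype: [(owner, ttl, rdata), ...]}. Comment lines (";"), blank
    lines and the QUESTION/AUTHORITY/ADDITIONAL sections are ignored; rdata
    keeps everything after the type field, so MX preference and TXT quoting
    survive untouched."""
    records: dict[str, list[tuple[str, int, str]]] = defaultdict(list)
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";;"):          # any other section header or footer
            in_answer = False
            continue
        if not in_answer or not line.strip() or line.startswith(";"):
            continue
        fields = line.split(None, 4)       # owner ttl class type rdata
        if len(fields) < 5 or fields[2] != "IN":
            continue
        owner, ttl, _cls, rtype, rdata = fields
        records[rtype].append((owner.rstrip("."), int(ttl), rdata.strip()))
    return dict(records)


def mx_targets(records: dict[str, list[tuple[str, int, str]]]) -> list[str]:
    """Mail exchangers ordered by preference (lowest first), from MX rdata
    of the form "<pref> <host>."."""
    exchangers = []
    for _owner, _ttl, rdata in records.get("MX", []):
        pref, host = rdata.split(None, 1)
        exchangers.append((int(pref), host.rstrip(".")))
    return [host for _pref, host in sorted(exchangers)]


# Constructed dig output (not captured from a live resolver); the address is
# from the documentation range 192.0.2.0/24.
SAMPLE_DIG = """\
; <<>> DiG 9.18.0 <<>> any example.com
;; QUESTION SECTION:
;example.com.\t\t\tIN\tANY

;; ANSWER SECTION:
example.com.\t\t3600\tIN\tA\t192.0.2.10
example.com.\t\t3600\tIN\tMX\t10 mail.example.com.
example.com.\t\t300\tIN\tTXT\t"v=spf1 mx -all"
example.com.\t\t3600\tIN\tNS\tns1.example.com.

;; Query time: 12 msec
"""

if __name__ == "__main__":
    print(reverse_name("192.0.2.10"))
    print(reverse_name("2001:db8::1"))
    for rtype, recs in parse_dig_answers(SAMPLE_DIG).items():
        print(rtype, recs)
    print("MX by preference:", mx_targets(parse_dig_answers(SAMPLE_DIG)))
```

Parsing the answer section rather than eyeballing it is what makes the `any`/`txt`/`mx` queries composable with the passive host list built earlier: NS and MX targets that sit under the target domain are further subdomains, and TXT records (SPF includes, verification tokens) often name third-party services worth noting in the same inventory.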