Subdomain Enumeration
Enumerating subdomains with Sublist3r and Amass
When doing bug bounties or other types of assessment, you may need to find subdomains to understand the organisation's internet footprint. To do this, start with their top-level domain name, like google.com, and then use the tools below to find related subdomains.
python3 sublist3r.py -v -b -o /<output_file> -d <URL>
The -v flag makes the output more verbose and shows results in real time
The -b flag enables brute force mode to search for more subdomains
The -o flag allows you to choose an output file and location
The -d flag is where you input the initial top-level domain name
amass enum -d <URL> -p 80,443,8080,8443 -active
The enum option tells amass to perform enumerations and network mapping
The -d flag is where you input the initial top-level domain name
The -p flag checks if the given ports are open (80, 443, 8080 and 8443 are common web ports)
The -active flag forces DNS zone transfers and certificate name grabs for better enumeration
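The two tools report overlapping names, so their results need merging and scoping before they describe the footprint. The script below is an added example, not part of this page or of either tool: it assumes each tool's output was saved as text, pulls every hostname under the root domain out of each line, and records which tool reported it. The example.com root and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Hostname token: dot-separated labels ending in an alphabetic TLD (skips bare IPs).
HOST_RE = re.compile(
    r"(?:[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z]{2,63}", re.I)

def extract_hosts(lines, root):
    """Return the set of hostnames at or under `root` found in tool output lines."""
    root = root.lower().rstrip(".")
    found = set()
    for line in lines:
        for match in HOST_RE.findall(line):
            host = match.lower()
            # Suffix check on a label boundary keeps out look-alikes such as
            # notexample.com or example.com.cdn.example.net.
            if host == root or host.endswith("." + root):
                found.add(host)
    return found

def merge_results(sources, root):
    """Map each in-scope hostname to the sorted list of tools that reported it."""
    seen = defaultdict(set)
    for tool, lines in sources.items():
        for host in extract_hosts(lines, root):
            seen[host].add(tool)
    # Sort by reversed labels so children sit next to their parent zone.
    ordered = sorted(seen, key=lambda h: h.split(".")[::-1])
    return {host: sorted(seen[host]) for host in ordered}

# Constructed sample output; real runs would pass open(path).read().splitlines().
SUBLIST3R_LINES = ["www.example.com", "MAIL.example.com", "dev.example.com", ""]
AMASS_LINES = [
    "www.example.com (FQDN) --> a_record --> 192.0.2.10 (IPAddress)",
    "api.dev.example.com",
    "*.dev.example.com",
    "example.com.cdn.example.net",
    "notexample.com",
]

if __name__ == "__main__":
    merged = merge_results(
        {"sublist3r": SUBLIST3R_LINES, "amass": AMASS_LINES}, "example.com")
    for host, tools in merged.items():
        print(f"{host:<24} {', '.join(tools)}")
```

Names reported by only one tool are worth a second look before they go into an asset inventory, since brute-force and passive sources can each return stale entries.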