🔍 Passive Enumeration

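# Subfinder - passive sources only (its default). -silent limits the output
# to bare hostnames so the files can be merged below.
subfinder -d target.com -silent -o subfinder.txt

# Amass - passive enum (no resolution, no brute force)
amass enum -passive -d target.com -o amass.txt

# assetfinder: --subs-only drops the related apex domains it would otherwise
# return, which are usually out of scope
assetfinder --subs-only target.com > assetfinder.txt

# findomain: -t target, -u output file
findomain -t target.com -u findomain.txt

# Each tool writes its own file. The original sent all four to subdomains.txt,
# so each run truncated the previous one and only the last survived. Merge and
# normalise (lower-case, strip trailing dots, dedupe) into the working list.
cat subfinder.txt amass.txt assetfinder.txt findomain.txt \
  | tr '[:upper:]' '[:lower:]' | sed 's/\.$//' | sort -u > subdomains.txt

# Resolve the passive set with shuffledns. NOTE: this step is NOT passive —
# the queries end up at the target's authoritative name servers. Use a
# validated resolver list (e.g. output of dnsvalidator): stale or poisoned
# resolvers in resolvers.txt inflate the result. Recent shuffledns releases
# require -mode (bruteforce | resolve | filter).
shuffledns -d target.com -l subdomains.txt -r resolvers.txt -mode resolve -o passive-resolved.txt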

💣 Active Enumeration — these steps send DNS queries that reach the target's authoritative servers: stay inside the authorized scope, rate-limit, and check for wildcard DNS first or every guess will appear to resolve.

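# DNS brute force. massdns resolves FQDNs, it does not generate them, so build
# the candidates from the wordlist first (the original fed it a file named
# "target.com.subdomains.txt" that nothing in this page creates). -t A rather
# than AAAA: AAAA only finds hosts that have an IPv6 record. -o S is the simple
# one-line-per-answer format also used in the verification section; -w writes
# the results to a file.
sed 's/$/.target.com/' wordlist.txt | massdns -r resolvers.txt -t A -o S -w brute.txt

# alterx: permutations of the known subdomains (-l), then resolve them.
# Output is just the resolvable permutations, not the whole candidate set.
alterx -l subdomains.txt | shuffledns -d target.com -r resolvers.txt -mode resolve -o permutations.txt

# Wildcard check before any brute force: if a random label resolves, every
# guess below will "hit" and the results are noise
dig +short "$RANDOM$RANDOM-wildcard-test.target.com" A

# DNS sweep with dig (slow: one process per word; fine for short lists).
# Read line by line instead of `for sub in $(cat ...)`, which word-splits
# and globs the wordlist; `|| [[ -n ... ]]` keeps a last line that lacks a
# trailing newline. Only names that returned an answer are printed.
while IFS= read -r sub || [[ -n "$sub" ]]; do
  [[ -z "$sub" || "$sub" == \#* ]] && continue   # skip blanks and comments
  ips=$(dig +short "$sub.target.com" A)
  if [[ -n "$ips" ]]; then
    printf '%s\t%s\n' "$sub.target.com" "${ips//$'\n'/,}"
  fi
done < wordlist.txt

# DNSRecon brute force (-t brt) with an explicit wordlist (-D) through one
# resolver (-n); dnsrecon performs its own wildcard check before guessing
dnsrecon -d target.com -t brt -D wordlist.txt -n 8.8.8.8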

📜 Certificate Based

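# crt.sh — %25 is the URL-encoded "%" wildcard (a bare % starts a percent
# escape and is malformed). jq -r drops the quotes the original left in the
# list; name_value can hold several names separated by newlines, which -r
# also splits out. Strip a leading "*." only (the original removed "*." from
# anywhere in the name). crt.sh returns 5xx/HTML under load: jq then fails
# loudly, which is preferable to a silently empty list.
curl -s "https://crt.sh/?q=%25.target.com&output=json" \
  | jq -r '.[].name_value' | sed 's/^\*\.//' | sort -u

# Censys — censys-search.py is a local helper script, not shipped with any
# package referenced here. The maintained `censys` CLI covers the same query
# (`censys search ... --index-type certs`; check its help for the field name).
python3 censys-search.py target.com

# Certspotter — without expand=dns_names the issuance records carry no
# dns_names at all (the original's jq printed null); include_subdomains=true
# is what pulls in the subdomains. The URL is quoted because ? and & are
# shell metacharacters. Unauthenticated calls are rate-limited; add
# -H "Authorization: Bearer $CERTSPOTTER_API_KEY" for a higher quota.
curl -s "https://api.certspotter.com/v1/issuances?domain=target.com&include_subdomains=true&expand=dns_names" \
  | jq -r '.[].dns_names[]' | sed 's/^\*\.//' | sort -u

# Chaos — needs a ProjectDiscovery API key (401 without it). Read it from the
# environment, never inline (shell history, `ps`). The API returns bare
# labels, so append the domain to get FQDNs.
curl -s -H "Authorization: ${PDCP_API_KEY:?set PDCP_API_KEY}" \
  "https://dns.projectdiscovery.io/dns/target.com/subdomains" \
  | jq -r '.subdomains[] + ".target.com"'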

🕷️ DNS Services

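# API keys come from the environment. Inline keys leak via shell history and
# `ps`; curl >= 7.55 also accepts -H @headers.txt to keep them out of argv.

# VirusTotal v3 — the x-apikey header is mandatory (401 without it, which
# the original omitted). Each item's .id is the subdomain; limit caps a page,
# follow .links.next for the rest.
curl -s -H "x-apikey: ${VT_API_KEY:?set VT_API_KEY}" \
  "https://www.virustotal.com/api/v3/domains/target.com/subdomains?limit=40" \
  | jq -r '.data[].id'

# SecurityTrails — returns bare labels, so append the domain
curl -s -H "APIKEY: ${SECURITYTRAILS_API_KEY:?set SECURITYTRAILS_API_KEY}" \
  "https://api.securitytrails.com/v1/domain/target.com/subdomains?children_only=false" \
  | jq -r '.subdomains[] + ".target.com"'

# Shodan (run `shodan init <key>` once). hostname: is a loose match and the
# hostnames field is a joined list, so split it and keep only names that
# actually end in .target.com.
shodan search --fields hostnames "hostname:target.com" \
  | tr ';,' '\n\n' | grep -Ei '(^|\.)target\.com$' | sort -u

# Recon-ng (v5) — -r takes a resource file of console commands, so script it;
# the bare `load` / `set DOMAIN` lines were v4-era syntax and "modules" is not
# a resource file. Module names move between releases: `marketplace search
# cert` lists what is installable.
cat > recon.rc <<'EOF'
marketplace install recon/domains-hosts/certificate_transparency
modules load recon/domains-hosts/certificate_transparency
options set SOURCE target.com
run
show hosts
exit
EOF
recon-ng -r recon.rc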

✅ Verification

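# Massdns resolution — input is one FQDN per line; -t A, -o S simple output
# ("name. TYPE value"), -w writes to a file. 0.0.0.0 answers are sinkholes.
# A wildcard record makes every name resolve: compare against what a random
# label returns before trusting this list.
massdns -r resolvers.txt -t A -o S -w resolved.txt subdomains.txt
grep -v ' 0\.0\.0\.0$' resolved.txt | awk '{print $1}' | sed 's/\.$//' | sort -u > resolved-hosts.txt

# dnsx — -l reads the list (no cat). With -json each record carries .host and
# an .a array; the original's `jq -r '.a'` printed raw JSON arrays. Emit
# host<TAB>comma-separated IPs.
dnsx -silent -l subdomains.txt -a -resp -json \
  | jq -r '[.host, ((.a // []) | join(","))] | @tsv'

# httpx probe — -json is required for -o to be JSON lines; without it the
# file is plain text despite the .json name. On some systems `httpx` resolves
# to the Python HTTP client's CLI, not projectdiscovery's: check `httpx -version`.
httpx -silent -l subdomains.txt -status-code -title -tech-detect -json -o results.json

# Filter alive domains (tomnomnom/hacks). Reads stdin, so redirect instead of
# cat, and use the same input file as above (the original switched to subs.txt).
filter-resolved --dns-server 8.8.8.8 < subdomains.txt > alive.txt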

📚 References
