👑Find Subdomains

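# Subdomain enumeration, live-host probing and nuclei template runs for one domain.
#
# Fix over the original one-liner: crt.txt was written to /home/kali/target/crt.txt
# but merged and deleted as ./crt.txt, so the chain stopped at the merge step unless
# the shell was already in /home/kali/target. All files now live in one working
# directory, and the domain is set once instead of being repeated in every command.
domain="bbc.com"                 # domain used by the original one-liner
workdir="/home/kali/target"      # directory the original wrote crt.txt to
subdomain_templates="/home/kali/nuclei-templates/subdomains-check-templates"
all_templates="/home/kali/target/all_freaking_nuclei_templates"

cd "$workdir" &&
  # Enumeration tools; each writes its own candidate list.
  sublist3r -d "$domain" -o sublist3r.txt &&
  subfinder -d "$domain" -o subfinder.txt &&
  assetfinder --subs-only "$domain" > assetfinder.txt &&
  findomain -t "$domain" -u findomain.txt &&
  # Certificate Transparency search; %25 is a URL-encoded "%" wildcard.
  curl -s "https://crt.sh/?q=%25.${domain}&output=json" |
    jq -r '.[].name_value' |
    tee crt.txt &&
  # Merge and de-duplicate in one step (the original used a temporary subdomains.txt).
  sort -u sublist3r.txt crt.txt assetfinder.txt subfinder.txt findomain.txt > sort.txt &&
  # From here on the commands connect to the discovered hosts themselves.
  httpx -silent -threads 50 < sort.txt | tee livesubdomains.txt &&
  rm -- sublist3r.txt crt.txt assetfinder.txt subfinder.txt findomain.txt sort.txt &&
  wc -l < livesubdomains.txt &&
  # Second httpx pass: keep 200/301/302 responses and record title, status,
  # content length and detected technologies, following redirects.
  httpx -mc 301,302,200 -title -probe -status-code -content-length -tech-detect -fr \
    -o technologies.txt < livesubdomains.txt

# nuclei runs against the live hosts. Every run sends template requests to each
# host in livesubdomains.txt, so this is the noisiest part of the workflow.
# NOTE(review): the relative template paths (cves/, exposures/, ...) are presumably
# resolved against nuclei's template directory; confirm for the installed version.
cd "$workdir" &&
  nuclei -t "$subdomain_templates" --retries 2 -o subdomains_check_nuclei.txt < livesubdomains.txt &&
  nuclei -t "$all_templates" -o all_freaking_nuclei.txt < livesubdomains.txt &&
  for category in cves exposures vulnerabilities exposed-panels misconfiguration; do
    # Stop at the first failing run, as the original && chain did.
    nuclei -t "${category}/" -o "${category}_nuclei.txt" < livesubdomains.txt || break
  done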

My OneLiner 72

Configure Domain Name and File Path


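# Full workflow for one domain: enumerate subdomains, probe which ones answer,
# collect DNS records, resolve addresses, scan ports and run nuclei.
#
# Fixes over the original one-liner:
#   * crt.txt was written to /home/kali/target.com/crt.txt but merged and deleted
#     as ./crt.txt; everything now lives in one working directory.
#   * The domain and directory are set once here instead of being edited in
#     several places in the command.
#   * dig was handed httpx output lines (URLs with a scheme) rather than host
#     names; the scheme, port and path are now stripped first.
#   * The read loop uses read -r and quotes its variable.
domain="target.com"
workdir="/home/kali/target.com"

# Print the dig output for every host listed in livesubdomains.txt.
dig_live_hosts() {
  local url host
  while IFS= read -r url; do
    host=${url#*://}        # drop "https://" / "http://"
    host=${host%%[:/]*}     # drop any port or path
    dig "$host"
  done < livesubdomains.txt
}

cd "$workdir" &&
  # Enumeration tools; each writes its own candidate list.
  sublist3r -d "$domain" -o sublist3r.txt &&
  subfinder -d "$domain" -o subfinder.txt &&
  assetfinder --subs-only "$domain" > assetfinder.txt &&
  findomain -t "$domain" -u findomain.txt &&
  # Certificate Transparency search; %25 is a URL-encoded "%" wildcard.
  curl -s "https://crt.sh/?q=%25.${domain}&output=json" |
    jq -r '.[].name_value' |
    tee crt.txt &&
  sort -u sublist3r.txt crt.txt assetfinder.txt subfinder.txt findomain.txt > sort.txt &&
  # From here on the commands connect to the discovered hosts themselves.
  httprobe -prefer-https < sort.txt | uniq > live.txt &&
  httpx -silent -threads 50 -o livesubdomains.txt < live.txt &&
  rm -- sublist3r.txt crt.txt assetfinder.txt subfinder.txt findomain.txt sort.txt &&
  wc -l < livesubdomains.txt &&
  # DNS records for the live hosts: CNAME lines first, then every line containing "IN".
  dig_live_hosts | grep CNAME | tee CNAME_Records.txt &&
  dig_live_hosts | grep IN | tee DNS_Records.txt &&
  # Host names scraped from the rapiddns.io result table, then probed over HTTP(S).
  curl -s "https://rapiddns.io/subdomain/${domain}?full=1#result" |
    grep "<td><a" |
    cut -d '"' -f 2 |
    cut -d '/' -f3 |
    sed -e 's/?t=cname//g' -e 's/#result//g' -e 's/\.$//' |
    sort -u |
    httprobe -prefer-https |
    tee Check_Origin_IP.txt &&
  # A records of the live hosts: probed directly and appended to the same file.
  # NOTE(review): dnsx is given the same URL list that dig could not use as-is;
  # confirm it resolves entries that carry a scheme.
  dnsx -l livesubdomains.txt -silent -a -resp-only |
    httprobe -prefer-https |
    anew Check_Origin_IP.txt &&
  dnsx -l livesubdomains.txt -silent -a -resp-only -o ip.txt &&
  # Port scan of the resolved addresses (top 1000 ports), then HTTP(S) probing.
  naabu -tp 1000 -l ip.txt | httprobe -prefer-https | anew ipwithports.txt &&
  httpx -mc 301,302,200 -title -probe -status-code -content-length -tech-detect -fr \
    < livesubdomains.txt &&
  # nuclei automatic scan; sends template requests to every live host.
  nuclei -as -o nucleiresult.txt < livesubdomains.txt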

Active Scanning: Find Hidden Subdomains

# Both commands below are active: every wordlist entry is sent out as a lookup
# or request, so the activity shows up in DNS query logs and, for names that
# resolve, in web server access logs.

# knockpy with its recon and brute-force modes enabled for the domain.
knockpy --recon --bruteforce -d zara.com

# ffuf replaces FUZZ in the host name with each wordlist entry and requests the
# resulting URL over HTTPS.
ffuf -w /home/kali/Downloads/best-dns-wordlist.txt -u "https://FUZZ.zara.com"
Google Dork: site:*.domain.com -www
Google Search: https://crt.sh
Google Search: https://subdomainfinder.c99.nl

-------------------------------------------------------------

Passive Scanning

# Step 1: collect candidate subdomains, one output file per tool.
sublist3r -d zara.com -o sublist3r.txt
subfinder -d zara.com -o subfinder.txt
assetfinder --subs-only zara.com > assetfinder.txt
# NOTE(review): -o is given no value here and the result is taken from stdout;
# confirm this is what the installed crtsh client expects.
crtsh -q zara.com -o > crt.txt
findomain -t zara.com -u findomain.txt

# Step 2: merge the lists. sort.txt is the sorted, de-duplicated set; sub.txt
# receives the same names through anew, which only appends lines it has not seen.
cat crt.txt assetfinder.txt subfinder.txt sublist3r.txt findomain.txt > subdomains.txt
sort -u subdomains.txt > sort.txt
anew sub.txt < subdomains.txt

# Step 3: probe for live web services. Despite the section title, everything
# from here on connects to the listed hosts directly.
# Both lists hold the same names, so the second probe repeats the first and
# anew only adds results that are not already in live.txt.
httprobe -prefer-https < sort.txt | uniq > live.txt
httprobe -prefer-https < sub.txt | anew live.txt

# Step 4: confirm with httpx, then print status, title, content length and
# detected technologies for hosts answering 200 or 302 (redirects followed).
httpx -o livesubdomains.txt < live.txt
httpx -mc 302,200 -title -probe -status-code -content-length -tech-detect -fr < livesubdomains.txt

Passive Scanning OneLiner

# Same workflow as the step-by-step version, chained with && so that a failing
# step stops the run. httpx-toolkit is the name Kali gives the httpx binary.
# Only the first five commands query third-party sources; httprobe, httpx,
# naabu and nuclei all send traffic to the discovered hosts.
sublist3r -d zara.com -o sublist3r.txt &&
  subfinder -d zara.com -o subfinder.txt &&
  assetfinder --subs-only zara.com > assetfinder.txt &&
  crtsh -q zara.com -o > crt.txt &&
  findomain -t zara.com -u findomain.txt &&
  # Merge, then sort and de-duplicate.
  cat crt.txt assetfinder.txt subfinder.txt sublist3r.txt findomain.txt > subdomains.txt &&
  sort -u subdomains.txt > sort.txt &&
  # Live-host probing.
  httprobe -prefer-https < sort.txt | uniq > live.txt &&
  httpx-toolkit -o livesubdomains.txt < live.txt &&
  httpx-toolkit -mc 302,200 -title -probe -status-code -content-length -tech-detect -fr < livesubdomains.txt &&
  # Resolve A records, scan the top 1000 ports, then run nuclei on the live hosts.
  dnsx -l livesubdomains.txt -silent -a -resp-only -o ip.txt &&
  naabu -tp 1000 -l ip.txt -o ipwithports.txt &&
  nuclei -o nucleiresult.txt < livesubdomains.txt

-------------------------------------------------------------

DNS IP Scanning

# Resolve the A records of every live host; -resp-only keeps just the addresses.
dnsx -silent -a -resp-only -l livesubdomains.txt -o ip.txt

# Port-scan the resolved addresses (top 1000 ports) and save host:port results.
naabu -l ip.txt -tp 1000 -o ipwithports.txt

# Run nuclei against the live hosts, which are read from stdin.
nuclei -o nucleiresult.txt < livesubdomains.txt

DNS IP Scanning OneLiner

# Resolve, port-scan, then run nuclei; each step runs only if the previous one succeeded.
dnsx -silent -a -resp-only -l livesubdomains.txt -o ip.txt &&
  naabu -l ip.txt -tp 1000 -o ipwithports.txt &&
  nuclei -o nucleiresult.txt < livesubdomains.txt
