Footprinting Lab 2
Footprinting lab 2: Subdomain search
My summary of module 02 footprinting from the CEH material
Level: easy
Tools to search subdomains
In the official CEH guide, the tool used to search for subdomains is sublist3r, but there are some great tools to complement this phase of footprinting. Here is a list:
- Online tools
  - to search domains based on CA Certificate Transparency; see also:
    https://certificate.transparency.dev/
    https://transparencyreport.google.com/https/certificates
    For advanced queries in crt.sh, see https://www.randori.com/enumerating-subdomains-with-crt-sh/
  - Great online tool: each query returns a list of domains and the web server type behind each host
  - google-cse+dorks
  - Yeahhh, it's true: VirusTotal generates a graph and related files for each subdomain
- Command line tools
  - Sublist3r is a Python tool designed to enumerate subdomains of websites using OSINT.
    This tool is present in any pentesting distro like Kali.
  - Knock is a Python tool designed to enumerate subdomains on a target domain through a wordlist.
    Based on Python 2, it's a great tool: for each subdomain it can support the VirusTotal API for better results and get the server-side technology. There is also a version based on Python 3 here.
  - pdlist is a passive subdomain finder written in Python 3. This tool can be used effectively to collect information about a domain without ever sending a single packet to any of its hosts. This tool makes use of the pages:
    to get better results.