
subdomain-enumeration

DNS information

Cloud information gathering

Websites to enumerate subdomains

Filter out the result

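# Query crt.sh certificate transparency logs for $domain, then strip wildcard prefixes and e-mail addresses and deduplicate
curl -s "https://crt.sh/?q=$domain&output=json" | jq ".[].common_name,.[].name_value" | cut -d'"' -f2 | sed 's/\\n/\n/g' | sed 's/\*\.//g' | sed -r 's/([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4})//g' | sort -u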

Domain to IP

# Resolve each subdomain and print "hostname IP" for names under $domain
for i in $(cat subdomain.list); do host "$i" | grep "has address" | grep "$domain" | cut -d" " -f1,4; done

# Look up each resolved IP address in Shodan
for i in $(cat ip-addresses.txt); do shodan host "$i"; done

NOTE: Check the TXT records to identify which software/technologies the company uses.
