Enumeration

Network Enumeration Tools Comprehensive collection of network enumeration tools and techniques for reconnaissance and penetration testing. Nmap Basic Network Scanning # Basic host discovery nmap -sn TARGET_NETWORK # Ping scan nmap -PE TARGET_IP # TCP SYN scan nmap -sS TARGET_IP # TCP connect scan nmap -sT TARGET_IP # UDP scan nmap -sU TARGET_IP # Comprehensive scan nmap -sS -sU -O -A -v TARGET_IP # Scan multiple targets nmap TARGET_IP1 TARGET_IP2 TARGET_IP3 # Scan network range nmap 192.168.1.0/24 # Scan from file nmap -iL targets.txt Advanced Nmap Options # Stealth scan nmap -sS -f TARGET_IP # Fragment packets nmap -sS -f -D RND:10 TARGET_IP # Decoy scan nmap -sS -D decoy1,decoy2,decoy3 TARGET_IP # Source port scan nmap -sS --source-port 53 TARGET_IP # Timing template nmap -T0 TARGET_IP # Paranoid nmap -T1 TARGET_IP # Sneaky nmap -T2 TARGET_IP # Polite nmap -T3 TARGET_IP # Normal nmap -T4 TARGET_IP # Aggressive nmap -T5 TARGET_IP # Insane # Port range nmap -p 1-1000 TARGET_IP nmap -p 80,443,8080,8443 TARGET_IP nmap -p- TARGET_IP # All ports # Service detection nmap -sV TARGET_IP # OS detection nmap -O TARGET_IP # Script scanning nmap -sC TARGET_IP # Custom scripts nmap --script vuln TARGET_IP nmap --script safe TARGET_IP nmap --script auth TARGET_IP nmap --script discovery TARGET_IP nmap --script exploit TARGET_IP nmap --script malware TARGET_IP nmap --script intrusive TARGET_IP nmap --script version TARGET_IP nmap --script vuln,exploit TARGET_IP # Output formats nmap -oN results.txt TARGET_IP nmap -oX results.xml TARGET_IP nmap -oG results.grep TARGET_IP nmap -oA results TARGET_IP # All formats Nmap Scripts # HTTP enumeration nmap --script http-enum TARGET_IP nmap --script http-headers TARGET_IP nmap --script http-methods TARGET_IP nmap --script http-robots.txt TARGET_IP nmap --script http-sitemap-generator TARGET_IP nmap --script http-title TARGET_IP nmap --script http-vhosts TARGET_IP # SMB enumeration nmap --script smb-enum-shares TARGET_IP nmap --script smb-enum-users TARGET_IP nmap --script smb-enum-groups TARGET_IP nmap --script smb-enum-domains TARGET_IP nmap --script smb-os-discovery TARGET_IP nmap --script smb-protocols TARGET_IP nmap --script smb-security-mode TARGET_IP nmap --script smb-system-info TARGET_IP # SNMP enumeration nmap --script snmp-info TARGET_IP nmap --script snmp-brute TARGET_IP nmap --script snmp-communities TARGET_IP nmap --script snmp-hh3c-logins TARGET_IP nmap --script snmp-interfaces TARGET_IP nmap --script snmp-ios-config TARGET_IP nmap --script snmp-netstat TARGET_IP nmap --script snmp-processes TARGET_IP nmap --script snmp-public TARGET_IP nmap --script snmp-sysdescr TARGET_IP nmap --script snmp-win32-services TARGET_IP nmap --script snmp-win32-shares TARGET_IP nmap --script snmp-win32-software TARGET_IP nmap --script snmp-win32-users TARGET_IP # DNS enumeration nmap --script dns-brute TARGET_IP nmap --script dns-cache-snoop TARGET_IP nmap --script dns-client-subnet-scan TARGET_IP nmap --script dns-fingerprint TARGET_IP nmap --script dns-ip6-arpa-scan TARGET_IP nmap --script dns-nsec3-enum TARGET_IP nmap --script dns-nsec-enum TARGET_IP nmap --script dns-random-srcport TARGET_IP nmap --script dns-random-txid TARGET_IP nmap --script dns-recursion TARGET_IP nmap --script dns-service-discovery TARGET_IP nmap --script dns-srv-enum TARGET_IP nmap --script dns-zone-transfer TARGET_IP # FTP enumeration nmap --script ftp-anon TARGET_IP nmap --script ftp-bounce TARGET_IP nmap --script ftp-brute TARGET_IP nmap --script ftp-libopie TARGET_IP nmap --script ftp-proftpd-backdoor TARGET_IP nmap --script ftp-syst TARGET_IP nmap --script ftp-vsftpd-backdoor TARGET_IP nmap --script ftp-vuln-cve2010-4221 TARGET_IP # SSH enumeration nmap --script ssh-hostkey TARGET_IP nmap --script ssh-brute TARGET_IP nmap --script ssh-publickey-acceptance TARGET_IP nmap --script ssh-run TARGET_IP nmap --script ssh2-enum-algos TARGET_IP nmap --script sshv1 TARGET_IP # SMTP enumeration nmap --script smtp-commands TARGET_IP nmap --script smtp-enum-users TARGET_IP nmap --script smtp-ntlm-info TARGET_IP nmap --script smtp-open-relay TARGET_IP nmap --script smtp-strangeport TARGET_IP nmap --script smtp-vuln-cve2010-4344 TARGET_IP nmap --script smtp-vuln-cve2011-1720 TARGET_IP nmap --script smtp-vuln-cve2011-1764 TARGET_IP Masscan Basic Network Scanning # Basic port scan masscan -p80,443 TARGET_NETWORK # Scan all ports masscan -p0-65535 TARGET_NETWORK # Scan common ports masscan -p1-1000 TARGET_NETWORK # Scan specific ports masscan -p22,80,443,8080,8443 TARGET_NETWORK # Scan with rate limit masscan -p80,443 --rate=1000 TARGET_NETWORK # Scan with output file masscan -p80,443 -oG results.txt TARGET_NETWORK # Scan with XML output masscan -p80,443 -oX results.xml TARGET_NETWORK # Scan with JSON output masscan -p80,443 -oJ results.json TARGET_NETWORK # Scan with binary output masscan -p80,443 -oB results.bin TARGET_NETWORK Advanced Masscan Options # Stealth scan masscan -p80,443 --rate=100 TARGET_NETWORK # Randomize hosts masscan -p80,443 --randomize-hosts TARGET_NETWORK # Randomize ports masscan -p80,443 --randomize-ports TARGET_NETWORK # Adapter selection masscan -p80,443 --adapter eth0 TARGET_NETWORK # Source IP masscan -p80,443 --source-ip 192.168.1.100 TARGET_NETWORK # Source port masscan -p80,443 --source-port 40000 TARGET_NETWORK # Banner grab masscan -p80,443 --banners TARGET_NETWORK # Ping scan masscan --ping TARGET_NETWORK # ARP scan masscan --arp TARGET_NETWORK # ICMP scan masscan --icmp TARGET_NETWORK Zmap Basic Network Scanning # Basic port scan zmap -p 80 TARGET_NETWORK # Scan multiple ports zmap -p 80,443 TARGET_NETWORK # Scan port range zmap -p 80-443 TARGET_NETWORK # Scan with rate limit zmap -p 80 --rate=1000 TARGET_NETWORK # Scan with bandwidth limit zmap -p 80 --bandwidth=10M TARGET_NETWORK # Scan with output file zmap -p 80 -o results.txt TARGET_NETWORK # Scan with JSON output zmap -p 80 -o results.json TARGET_NETWORK # Scan with CSV output zmap -p 80 -o results.csv TARGET_NETWORK # Scan with binary output zmap -p 80 -o results.bin TARGET_NETWORK Advanced Zmap Options # Stealth scan zmap -p 80 --rate=100 TARGET_NETWORK # Randomize targets zmap -p 80 --shards=1/1 TARGET_NETWORK # Blacklist file zmap -p 80 --blacklist-file=blacklist.txt TARGET_NETWORK # Whitelist file zmap -p 80 --whitelist-file=whitelist.txt TARGET_NETWORK # Source IP zmap -p 80 --source-ip=192.168.1.100 TARGET_NETWORK # Source port zmap -p 80 --source-port=40000 TARGET_NETWORK # Interface selection zmap -p 80 --interface=eth0 TARGET_NETWORK # Gateway MAC zmap -p 80 --gateway-mac=00:11:22:33:44:55 TARGET_NETWORK # Probe module zmap -p 80 --probe-module=tcp_synscan TARGET_NETWORK # Output module zmap -p 80 --output-module=json TARGET_NETWORK Custom Scripts Python Network Scanner import socket import threading import queue import time import ipaddress def network_scanner(target, ports, threads=10, delay=0): def worker(): while True: try: port = ports.get() if port is None: break sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.settimeout(1) result = sock.connect_ex((target, port)) if result == 0: print(f"[OPEN] {target}:{port}") sock.close() time.sleep(delay) except Exception as e: pass finally: ports.task_done() # Start threads for i in range(threads): t = threading.Thread(target=worker) t.daemon = True t.start() # Add ports to queue for port in range(1, 65536): ports.put(port) # Wait for completion ports.join() # Usage target = "TARGET_IP" ports = queue.Queue() network_scanner(target, ports, threads=100, delay=0.01) Bash Network Scanner #!/bin/bash TARGET_IP="TARGET_IP" THREADS=10 # Function to check port check_port() { local port=$1 local target=$2 if timeout 1 bash -c "echo >/dev/tcp/$target/$port" 2>/dev/null; then echo "[OPEN] $target:$port" fi } # Export function for parallel export -f check_port export TARGET_IP # Run parallel port check seq 1 65535 | parallel -j "$THREADS" check_port {} "$TARGET_IP" Network Discovery ARP Scanning # ARP scan arp-scan -l # ARP scan with interface arp-scan -I eth0 -l # ARP scan with output arp-scan -l -o results.txt # ARP scan with verbose arp-scan -l -v # ARP scan with quiet arp-scan -l -q # ARP scan with timeout arp-scan -l -t 1000 # ARP scan with retries arp-scan -l -r 3 # ARP scan with random arp-scan -l --random # ARP scan with local arp-scan -l --local ICMP Scanning # ICMP ping ping -c 4 TARGET_IP # ICMP ping with timestamp ping -D TARGET_IP # ICMP ping with flood ping -f TARGET_IP # ICMP ping with interval ping -i 0.2 TARGET_IP # ICMP ping with size ping -s 1000 TARGET_IP # ICMP ping with TTL ping -t 64 TARGET_IP # ICMP ping with verbose ping -v TARGET_IP # ICMP ping with quiet ping -q TARGET_IP UDP Scanning # UDP scan with nmap nmap -sU TARGET_IP # UDP scan with specific ports nmap -sU -p 53,67,68,69,123,135,137,138,139,161,162,445,500,514,520,631,1434,1900,4500,49152 TARGET_IP # UDP scan with service detection nmap -sU -sV TARGET_IP # UDP scan with OS detection nmap -sU -O TARGET_IP # UDP scan with scripts nmap -sU --script vuln TARGET_IP Service Detection Banner Grabbing # Telnet banner grab telnet TARGET_IP 80 # Netcat banner grab nc TARGET_IP 80 # Nmap banner grab nmap -sV --script banner TARGET_IP # Curl banner grab curl -I http://TARGET_IP # Wget banner grab wget --spider -S http://TARGET_IP # OpenSSL banner grab openssl s_client -connect TARGET_IP:443 # SMTP banner grab nc TARGET_IP 25 # FTP banner grab nc TARGET_IP 21 # SSH banner grab nc TARGET_IP 22 Service Enumeration # HTTP service enumeration nmap --script http-enum TARGET_IP nmap --script http-headers TARGET_IP nmap --script http-methods TARGET_IP nmap --script http-robots.txt TARGET_IP nmap --script http-sitemap-generator TARGET_IP nmap --script http-title TARGET_IP nmap --script http-vhosts TARGET_IP # SMB service enumeration nmap --script smb-enum-shares TARGET_IP nmap --script smb-enum-users TARGET_IP nmap --script smb-enum-groups TARGET_IP nmap --script smb-enum-domains TARGET_IP nmap --script smb-os-discovery TARGET_IP nmap --script smb-protocols TARGET_IP nmap --script smb-security-mode TARGET_IP nmap --script smb-system-info TARGET_IP # SNMP service enumeration nmap --script snmp-info TARGET_IP nmap --script snmp-brute TARGET_IP nmap --script snmp-communities TARGET_IP nmap --script snmp-hh3c-logins TARGET_IP nmap --script snmp-interfaces TARGET_IP nmap --script snmp-ios-config TARGET_IP nmap --script snmp-netstat TARGET_IP nmap --script snmp-processes TARGET_IP nmap --script snmp-public TARGET_IP nmap --script snmp-sysdescr TARGET_IP nmap --script snmp-win32-services TARGET_IP nmap --script snmp-win32-shares TARGET_IP nmap --script snmp-win32-software TARGET_IP nmap --script snmp-win32-users TARGET_IP Best Practices Rate Limiting # Add delay between requests nmap -T2 TARGET_IP # Use fewer threads nmap -T1 TARGET_IP # Use proxy rotation nmap -sS --proxies http://proxy1:8080,http://proxy2:8080 TARGET_IP Stealth Mode # Use random timing nmap -T3 --randomize-hosts TARGET_IP # Use fragment packets nmap -sS -f TARGET_IP # Use decoy scans nmap -sS -D decoy1,decoy2,decoy3 TARGET_IP # Use source port spoofing nmap -sS --source-port 53 TARGET_IP Output Analysis # Save results to file nmap -oN results.txt TARGET_IP # Filter by port status grep "open" results.txt grep "filtered" results.txt grep "closed" results.txt # Filter by service grep "http" results.txt grep "ssh" results.txt grep "ftp" results.txt grep "smb" results.txt grep "snmp" results.txt Troubleshooting Common Issues # Connection timeout nmap -T1 TARGET_IP # Too many requests nmap -T0 TARGET_IP # Invalid target nmap -sn TARGET_NETWORK # Permission denied sudo nmap -sS TARGET_IP Performance Optimization # Use appropriate timing nmap -T4 TARGET_IP # Use smaller port ranges nmap -p 1-1000 TARGET_IP # Use specific scripts nmap --script vuln TARGET_IP Legal and Ethical Considerations Always obtain proper authorization before testing Respect rate limits and server resources Use appropriate tools for the target Document findings properly Follow responsible disclosure practices

Subdomain Enumeration Tools Comprehensive collection of subdomain enumeration tools and techniques for reconnaissance and web application security testing. Subfinder Basic Subdomain Enumeration # Basic subdomain enumeration subfinder -d TARGET_DOMAIN # With multiple domains subfinder -d TARGET_DOMAIN1,TARGET_DOMAIN2,TARGET_DOMAIN3 # With output file subfinder -d TARGET_DOMAIN -o results.txt # With JSON output subfinder -d TARGET_DOMAIN -o results.json -json # With verbose output subfinder -d TARGET_DOMAIN -v # With silent output subfinder -d TARGET_DOMAIN -silent # With threads subfinder -d TARGET_DOMAIN -t 50 # With timeout subfinder -d TARGET_DOMAIN -timeout 10 # With retries subfinder -d TARGET_DOMAIN -retries 3 Advanced Subfinder Options # With specific sources subfinder -d TARGET_DOMAIN -sources shodan,crtsh,passivetotal # With all sources subfinder -d TARGET_DOMAIN -all # With exclude sources subfinder -d TARGET_DOMAIN -exclude-sources shodan,crtsh # With config file subfinder -d TARGET_DOMAIN -config config.yaml # With proxy subfinder -d TARGET_DOMAIN -proxy http://127.0.0.1:8080 # With rate limit subfinder -d TARGET_DOMAIN -rate-limit 100 # With wildcard detection subfinder -d TARGET_DOMAIN -wildcard # With recursive enumeration subfinder -d TARGET_DOMAIN -recursive Amass Basic Subdomain Enumeration # Basic subdomain enumeration amass enum -d TARGET_DOMAIN # With multiple domains amass enum -d TARGET_DOMAIN1,TARGET_DOMAIN2 # With output file amass enum -d TARGET_DOMAIN -o results.txt # With JSON output amass enum -d TARGET_DOMAIN -json results.json # With verbose output amass enum -d TARGET_DOMAIN -v # With silent output amass enum -d TARGET_DOMAIN -silent # With threads amass enum -d TARGET_DOMAIN -t 50 # With timeout amass enum -d TARGET_DOMAIN -timeout 10 Advanced Amass Options # With specific sources amass enum -d TARGET_DOMAIN -sources shodan,crtsh,passivetotal # With all sources amass enum -d TARGET_DOMAIN -all # With exclude sources amass enum -d TARGET_DOMAIN -exclude-sources shodan,crtsh # With config file amass enum -d TARGET_DOMAIN -config config.yaml # With proxy amass enum -d TARGET_DOMAIN -proxy http://127.0.0.1:8080 # With rate limit amass enum -d TARGET_DOMAIN -rate-limit 100 # With wildcard detection amass enum -d TARGET_DOMAIN -wildcard # With recursive enumeration amass enum -d TARGET_DOMAIN -recursive # With brute force amass enum -d TARGET_DOMAIN -brute # With wordlist amass enum -d TARGET_DOMAIN -w wordlist.txt Assetfinder Basic Subdomain Enumeration # Basic subdomain enumeration assetfinder TARGET_DOMAIN # With multiple domains assetfinder TARGET_DOMAIN1 TARGET_DOMAIN2 TARGET_DOMAIN3 # With output file assetfinder TARGET_DOMAIN > results.txt # With subs-only assetfinder --subs-only TARGET_DOMAIN # With alive check assetfinder --alive TARGET_DOMAIN # With verbose output assetfinder -v TARGET_DOMAIN Sublist3r Basic Subdomain Enumeration # Basic subdomain enumeration sublist3r -d TARGET_DOMAIN # With multiple domains sublist3r -d TARGET_DOMAIN1,TARGET_DOMAIN2 # With output file sublist3r -d TARGET_DOMAIN -o results.txt # With verbose output sublist3r -d TARGET_DOMAIN -v # With threads sublist3r -d TARGET_DOMAIN -t 50 # With timeout sublist3r -d TARGET_DOMAIN -t 10 # With specific engines sublist3r -d TARGET_DOMAIN -e google,yahoo,bing # With all engines sublist3r -d TARGET_DOMAIN -e all # With exclude engines sublist3r -d TARGET_DOMAIN -e google,yahoo -x bing,duckduckgo DNSrecon Basic DNS Enumeration # Basic DNS enumeration dnsrecon -d TARGET_DOMAIN # With multiple domains dnsrecon -d TARGET_DOMAIN1,TARGET_DOMAIN2 # With output file dnsrecon -d TARGET_DOMAIN -o results.txt # With JSON output dnsrecon -d TARGET_DOMAIN -j results.json # With verbose output dnsrecon -d TARGET_DOMAIN -v # With threads dnsrecon -d TARGET_DOMAIN -t 50 # With timeout dnsrecon -d TARGET_DOMAIN -t 10 # With specific record types dnsrecon -d TARGET_DOMAIN -t A,AAAA,CNAME,MX,NS,SOA,TXT # With all record types dnsrecon -d TARGET_DOMAIN -t all # With brute force dnsrecon -d TARGET_DOMAIN -b # With wordlist dnsrecon -d TARGET_DOMAIN -w wordlist.txt Fierce Basic Subdomain Enumeration # Basic subdomain enumeration fierce -dns TARGET_DOMAIN # With multiple domains fierce -dns TARGET_DOMAIN1,TARGET_DOMAIN2 # With output file fierce -dns TARGET_DOMAIN -file results.txt # With verbose output fierce -dns TARGET_DOMAIN -verbose # With threads fierce -dns TARGET_DOMAIN -threads 50 # With timeout fierce -dns TARGET_DOMAIN -timeout 10 # With wordlist fierce -dns TARGET_DOMAIN -wordlist wordlist.txt # With range fierce -dns TARGET_DOMAIN -range 192.168.1.0/24 # With delay fierce -dns TARGET_DOMAIN -delay 1 DNSenum Basic DNS Enumeration # Basic DNS enumeration dnsenum TARGET_DOMAIN # With multiple domains dnsenum TARGET_DOMAIN1 TARGET_DOMAIN2 # With output file dnsenum TARGET_DOMAIN -o results.txt # With verbose output dnsenum TARGET_DOMAIN -v # With threads dnsenum TARGET_DOMAIN -t 50 # With timeout dnsenum TARGET_DOMAIN -t 10 # With wordlist dnsenum TARGET_DOMAIN -w wordlist.txt # With range dnsenum TARGET_DOMAIN -r 192.168.1.0/24 # With delay dnsenum TARGET_DOMAIN -d 1 Custom Scripts Python Subdomain Enumeration import requests import threading import queue import time import dns.resolver def subdomain_enumeration(domain, wordlist, threads=10, delay=0): def worker(): while True: try: subdomain = wordlist.get() if subdomain is None: break full_domain = f"{subdomain}.{domain}" # DNS resolution try: dns.resolver.resolve(full_domain, 'A') print(f"[DNS] {full_domain}") except: pass # HTTP check try: response = requests.get(f"http://{full_domain}", timeout=5) print(f"[HTTP] {full_domain} - {response.status_code}") except: pass # HTTPS check try: response = requests.get(f"https://{full_domain}", timeout=5) print(f"[HTTPS] {full_domain} - {response.status_code}") except: pass time.sleep(delay) except Exception as e: pass finally: wordlist.task_done() # Start threads for i in range(threads): t = threading.Thread(target=worker) t.daemon = True t.start() # Add subdomains to queue with open(wordlist_file, 'r') as f: for line in f: wordlist.put(line.strip()) # Wait for completion wordlist.join() # Usage domain = "TARGET_DOMAIN" wordlist_file = "/usr/share/wordlists/subdomains.txt" wordlist = queue.Queue() subdomain_enumeration(domain, wordlist, threads=20, delay=0.1) Bash Subdomain Enumeration #!/bin/bash DOMAIN="TARGET_DOMAIN" WORDLIST="/usr/share/wordlists/subdomains.txt" THREADS=10 # Function to check subdomain check_subdomain() { local subdomain=$1 local full_domain="${subdomain}.${DOMAIN}" # DNS resolution if nslookup "$full_domain" > /dev/null 2>&1; then echo "[DNS] $full_domain" fi # HTTP check if curl -s -o /dev/null -w "%{http_code}" "http://$full_domain" | grep -q "200\|301\|302\|403\|401"; then echo "[HTTP] $full_domain" fi # HTTPS check if curl -s -o /dev/null -w "%{http_code}" "https://$full_domain" | grep -q "200\|301\|302\|403\|401"; then echo "[HTTPS] $full_domain" fi } # Export function for parallel export -f check_subdomain export DOMAIN # Run parallel subdomain check cat "$WORDLIST" | parallel -j "$THREADS" check_subdomain {} Wordlists Common Subdomain Wordlists # SecLists subdomain wordlists /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt /usr/share/wordlists/SecLists/Discovery/DNS/dns-Jhaddix.txt # Custom subdomain wordlists /usr/share/wordlists/custom/subdomains.txt /usr/share/wordlists/custom/api-subdomains.txt /usr/share/wordlists/custom/admin-subdomains.txt # Generate custom wordlists echo "www,mail,ftp,admin,api,dev,test,staging,prod" | tr ',' '\n' > custom_subdomains.txt Creating Custom Wordlists # Extract subdomains from certificate transparency logs curl -s "https://crt.sh/?q=%.TARGET_DOMAIN&output=json" | jq -r '.[].name_value' | sort -u > crt_subdomains.txt # Extract subdomains from DNS records dig @8.8.8.8 TARGET_DOMAIN ANY | grep -oP 'IN\s+\w+\s+\K[^\s]+' | sort -u > dns_subdomains.txt # Combine multiple wordlists cat wordlist1.txt wordlist2.txt wordlist3.txt | sort -u > combined_wordlist.txt # Remove empty lines and duplicates grep -v '^$' wordlist.txt | sort -u > clean_wordlist.txt API-based Enumeration Shodan API # Using Shodan CLI shodan domain TARGET_DOMAIN # Using Shodan API curl -s "https://api.shodan.io/dns/domain/TARGET_DOMAIN?key=YOUR_API_KEY" | jq -r '.data[].subdomain' | sort -u Censys API # Using Censys API curl -s "https://censys.io/api/v1/search/certificates" \ -H "Authorization: Basic YOUR_API_KEY" \ -d '{"query": "TARGET_DOMAIN", "fields": ["parsed.names"]}' | jq -r '.result.hits[].parsed.names[]' | sort -u VirusTotal API # Using VirusTotal API curl -s "https://www.virustotal.com/vtapi/v2/domain/report" \ -d "apikey=YOUR_API_KEY" \ -d "domain=TARGET_DOMAIN" | jq -r '.subdomains[]' | sort -u Passive vs Active Enumeration Passive Enumeration # Using only passive sources subfinder -d TARGET_DOMAIN -sources crtsh,passivetotal,shodan # Using only passive DNS dnsrecon -d TARGET_DOMAIN -t A,AAAA,CNAME,MX,NS,SOA,TXT # Using only certificate transparency curl -s "https://crt.sh/?q=%.TARGET_DOMAIN&output=json" | jq -r '.[].name_value' | sort -u Active Enumeration # Using brute force amass enum -d TARGET_DOMAIN -brute # Using wordlist subfinder -d TARGET_DOMAIN -w wordlist.txt # Using recursive enumeration subfinder -d TARGET_DOMAIN -recursive Best Practices Rate Limiting # Add delay between requests subfinder -d TARGET_DOMAIN -rate-limit 100 # Use fewer threads subfinder -d TARGET_DOMAIN -t 10 # Use proxy rotation subfinder -d TARGET_DOMAIN -proxy http://proxy1:8080 Stealth Mode # Use random user agents subfinder -d TARGET_DOMAIN -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" # Use realistic delays subfinder -d TARGET_DOMAIN -rate-limit 50 # Use smaller wordlists subfinder -d TARGET_DOMAIN -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt Output Analysis # Save results to file subfinder -d TARGET_DOMAIN -o results.txt # Filter by status code grep "200" results.txt grep "403" results.txt grep "301\|302" results.txt # Sort by response size sort -k3 -n results.txt Troubleshooting Common Issues # Connection timeout subfinder -d TARGET_DOMAIN -t 5 # Too many requests subfinder -d TARGET_DOMAIN -rate-limit 50 # Invalid SSL certificate subfinder -d TARGET_DOMAIN -k # Authentication required subfinder -d TARGET_DOMAIN -u admin -p password Performance Optimization # Use appropriate thread count subfinder -d TARGET_DOMAIN -t 20 # Use smaller wordlists for initial scan subfinder -d TARGET_DOMAIN -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt # Use specific sources subfinder -d TARGET_DOMAIN -sources crtsh,passivetotal Legal and Ethical Considerations Always obtain proper authorization before testing Respect rate limits and server resources Use appropriate wordlists for the target Document findings properly Follow responsible disclosure practices