Well, subdomain enumeration is important when you are hunting on wildcard enable scope programs. If you are able to get unique subdomains that other miss then it's a good chance for you to get some bugs
- Passive
- Active
- Permutation
In this stage you have to use as much resources as you can to passivly gather subdomains Now a days it's not that much hard to do with community standard tools that usages API keys
- Subfinder
- Amass
- Assetfinder
- Findomain
In this stage you have to perform bruteforcing on your target host to see if the word from your wordlist resolve as valid subdomain or not
- ShuffleDNS
- Aiodnsbrute
In this stage you have to play around the subdomains. Now do changed with the words and see still it resolve as valid or not
Convert domains into ip address
while read l; do ip=$(dig +short $l|grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"|head -1);echo "[+] '$l' => $ip";echo $ip >> ips.txt;done < domains.txt
we will use masscan for faster results
masscan -p1-65535 -iL ips.txt --max-rate 1800 -oG output.log
or you can use Naabu, RustScan.
- AltDNS
- DNSGen + ShuffleDNS
https://pentester.land/cheatsheets/2018/11/14/subdomains-enumeration-cheatsheet.html
https://0xpatrik.com/subdomain-enumeration-2019/
https://0xpatrik.com/subdomain-enumeration-smarter/
https://rootsploit.com/bug-bounty-recon-faster-port-scan/
Theres a lot you can do. For now just mentioning communty standard approaches. Will be updating it regularly depending on the methodology comes out.
An automated framework can be used to automate those whole workflow