Websites
Tools
https://github.com/yunxu1/dnsub - supports multi-level subdomain brute-force enumeration
$ rm output.csv; ./dnsub_darwin_amd64 -d aabb.io -t 50 -depth 3 -o output.txt
Recommended
https://github.com/shmilylty/OneForAll
git clone https://github.com/shmilylty/OneForAll.git
cd OneForAll/
python3 -m pip install -U pip setuptools wheel -i https://mirrors.aliyun.com/pypi/simple/
pip3 install -r requirements.txt -i https://mirrors.aliyun.com/pypi/simple/
python3 oneforall.py --target example.com run
python3 oneforall.py --target example.com --brute True run
# extract the cname column
awk -F ',' '{print $6}' results/domain.csv
Recommended
https://github.com/guelfoweb/knock
git clone https://github.com/guelfoweb/knock.git
cd knock
pip3 install -r requirements.txt
python3 knockpy.py <DOMAIN>
# convert to .csv
python3 knockpy.py --csv knockpy_report/aabb.io_2022_03_06_10_16_55.json
awk -F ';' '{print $3}' knockpy_report/aabb.io_2022_03_06_10_16_55.csv
Note: does not support multi-level brute forcing
https://github.com/aboul3la/Sublist3r
Note: does not support multi-level brute forcing
Archive
https://github.com/projectdiscovery/shuffledns
go install -v github.com/projectdiscovery/shuffledns/cmd/shuffledns@latest
shuffledns also supports bruteforce of a target with a given wordlist. You can use the -w
flag to pass a wordlist which will be used to generate permutations that will be resolved using massdns.
shuffledns -d hackerone.com -w wordlist.txt -r resolvers.txt
Note: you have to generate the wordlist yourself
Aggregate Domains
# de-duplicate domains, and combine domains
$ rm result*; cat * > result.txt; sort result.txt | uniq > result2.txt; tr '\n' ' ' < result2.txt
echo "<your_pwd>" | sudo openconnect -c ~/vpn.pem --user aabb --passwd-on-stdin -s 'vpn-slice --verbose <put your domain list here>' https://domain.com/