Command
Amass: Passive Subdomain Discovery
Enumerate subdomains using passive sources to avoid direct interaction.
amass enum -passive -d {{domain}}

Subfinder: Subdomain Discovery
A fast tool for finding subdomains by querying various online sources.
subfinder -d {{domain}} -o {{output_file}}

Assetfinder: Find Related Domains
Quickly identify domains and subdomains associated with a target.
assetfinder --subs-only {{domain}}

Httprobe: Filter for Live Hosts
Test a list of subdomains to see which ones are hosting active web services.
cat {{subdomain_list}} | httprobe

Description
Tools and techniques for mapping a target's external attack surface by identifying subdomains and related infrastructure.
Domain enumeration is the foundation of OSINT and external penetration testing. By identifying subdomains, an attacker can find forgotten development servers, administrative portals, or unmonitored endpoints that may be vulnerable to initial access vectors.
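
Added example (not part of the original cheat sheet): a defender's reconciliation step that merges the one-hostname-per-line output of the tools above, keeps only in-scope names, and lists those missing from a known asset inventory, which is where forgotten or unmonitored hosts show up. The function names, file names and the inventory file are assumptions, and the sample data is constructed.

```shell
#!/bin/sh
# Added example. Every input file holds one hostname per line.

# normalize_hosts DOMAIN FILE...: lowercase, strip CR, trailing dot and a
# leading "*.", keep DOMAIN and names ending in ".DOMAIN", sort, de-duplicate.
normalize_hosts() {
  nh_domain="$1"; shift
  cat "$@" \
    | tr '[:upper:]' '[:lower:]' | tr -d '\r' \
    | sed -e 's/[[:space:]]*$//' -e 's/\.$//' -e 's/^\*\.//' \
    | awk -v d="$nh_domain" '
        BEGIN { d = tolower(d) }
        $0 == d { print; next }
        length($0) > length(d) + 1 &&
          substr($0, length($0) - length(d)) == ("." d) { print }' \
    | LC_ALL=C sort -u
}

# unknown_hosts DOMAIN INVENTORY FILE...: discovered in-scope names that
# the inventory (hypothetical file, one hostname per line) does not list.
unknown_hosts() {
  uh_domain="$1"; uh_inventory="$2"; shift 2
  uh_tmp=$(mktemp -d) || return 1
  normalize_hosts "$uh_domain" "$uh_inventory" > "$uh_tmp/known"
  normalize_hosts "$uh_domain" "$@" > "$uh_tmp/found"
  LC_ALL=C comm -13 "$uh_tmp/known" "$uh_tmp/found"
  rm -rf "$uh_tmp"
}

# Constructed sample data standing in for saved tool output.
demo() {
  d=$(mktemp -d) || return 1
  printf '%s\n' www.example.com 'Dev.Example.com.' > "$d/amass.txt"
  printf '%s\n' www.example.com old-admin.example.com \
    '*.staging.example.com' > "$d/subfinder.txt"
  printf '%s\n' example.com cdn.example.net notexample.com > "$d/assetfinder.txt"
  printf '%s\n' example.com www.example.com > "$d/inventory.txt"
  unknown_hosts example.com "$d/inventory.txt" \
    "$d/amass.txt" "$d/subfinder.txt" "$d/assetfinder.txt"
  rm -rf "$d"
}

demo
```

The suffix check matters: a plain substring match on the domain would let look-alike names such as notexample.com into the in-scope list.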