<aside>

Goal - Enumeration

Extract the DNS information for every targeted domain (including its subdomains), enumerate the exposed services, and scan those services for vulnerabilities.

</aside>

Subdomain discovery

C99

Check out the C99 subdomain finder: within seconds it runs a scan and returns a large list of subdomains.

It also keeps the results of older scans, so historical subdomains can be reviewed as well.

https://subdomainfinder.c99.nl/

Amass

Active:

amass enum -d domain.com

Passive:

amass enum -d domain.com --passive

DNSrecon

Scan a domain (-d example.com), use a dictionary to brute force hostnames (-D /usr/share/wordlists/dnsmap.txt), do a standard scan (-t std), and save the output to a file (--xml dnsrecon.xml):

dnsrecon -d example.com -D /usr/share/wordlists/dnsmap.txt -t std --xml dnsrecon.xml
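The enumeration output from amass and dnsrecon is only useful once it is turned into an inventory that can be checked against what the organization believes it owns. The script below is an added example (not part of these notes and not code from either tool): it merges a hostname listing in amass's one-per-line plain-text form with a dnsrecon XML file, then flags hosts that resolve outside the address ranges you control and CNAMEs that point at third-party targets, which are the two findings a defender most wants surfaced from this step. Both inputs are constructed samples; the dnsrecon attribute names (name, target, exchange, address) and the owned ranges are assumptions, so adapt them to your tool version and network.

```python
"""Turn DNS enumeration output into a checked asset inventory.

Added example, not part of the original notes. The sample inputs below are
constructed; their layout mirrors amass and dnsrecon output but the exact
attribute set is an assumption.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: one hostname per line, as `amass enum -d example.com` prints.
AMASS_SAMPLE = """\
www.example.com
mail.example.com
dev.example.com
"""

# Constructed sample in the shape of `dnsrecon ... --xml dnsrecon.xml` output (assumed attributes).
DNSRECON_SAMPLE = """\
<?xml version="1.0"?>
<records>
  <record type="NS" target="ns1.example.com" address="198.51.100.10"/>
  <record type="A" name="www.example.com" address="198.51.100.20"/>
  <record type="A" name="dev.example.com" address="203.0.113.7"/>
  <record type="MX" exchange="mail.example.com" address="198.51.100.25"/>
  <record type="CNAME" name="blog.example.com" target="blog.example.com.cdn-provider.invalid"/>
</records>
"""

# Assumption: the address ranges the organization actually controls.
OWNED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
APEX = "example.com"  # assumed apex domain used to spot third-party CNAME targets


def parse_amass(text):
    """Return the set of hostnames from amass-style plain-text output."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def parse_dnsrecon(xml_text):
    """Return (hostname, record type, address or target) tuples from dnsrecon-style XML.

    The host lives in a different attribute depending on record type, so the
    candidates are tried in order. The file is our own tool output, so the
    standard ElementTree parser is acceptable here.
    """
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        host = rec.get("name") or rec.get("exchange") or rec.get("target")
        if not host:
            continue
        rows.append((host.lower(), rec.get("type"), rec.get("address") or rec.get("target")))
    return rows


def build_inventory(amass_text, dnsrecon_xml, owned_ranges=OWNED_RANGES, apex=APEX):
    """Merge both sources into {host: {"types", "addresses", "flags"}} with review flags."""
    inventory = {}

    def entry(host):
        return inventory.setdefault(host, {"types": set(), "addresses": set(), "flags": set()})

    for host in parse_amass(amass_text):
        entry(host)

    for host, rtype, value in parse_dnsrecon(dnsrecon_xml):
        e = entry(host)
        e["types"].add(rtype)
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            # Not an IP address (a CNAME target): flag it if it leaves our own domain,
            # since unmanaged third-party targets are how subdomains go dangling.
            e["addresses"].add(value)
            if not value.endswith("." + apex):
                e["flags"].add("external-cname")
            continue
        e["addresses"].add(str(addr))
        if not any(addr in net for net in owned_ranges):
            e["flags"].add("outside-owned-ranges")

    # Hosts seen only in enumeration with no record captured still need a manual look.
    for e in inventory.values():
        if not e["addresses"]:
            e["flags"].add("no-record-seen")
    return inventory


def flagged_hosts(inventory):
    """Sorted (host, flag) pairs for everything that needs review."""
    return sorted((h, f) for h, e in inventory.items() for f in e["flags"])


if __name__ == "__main__":
    inv = build_inventory(AMASS_SAMPLE, DNSRECON_SAMPLE)
    for host in sorted(inv):
        e = inv[host]
        print(f"{host:20} {','.join(sorted(e['types'])) or '-':6} "
              f"{','.join(sorted(e['addresses'])) or '-':40} {','.join(sorted(e['flags']))}")
```

Run against real output by replacing the two sample strings with the contents of the amass listing and dnsrecon.xml; the flags column is the review queue, and anything marked outside-owned-ranges or external-cname should be reconciled with the asset register before moving on to service scanning.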

Find vulnerabilities

Active:

Use Burp Suite, Nessus and other scanners to detect vulnerabilities in the enumerated services.

Passive: