Domain Discovery

Check the following locations for additional domains:

  • Certificate Transparency Reports

  • Google Cache

  • Wordlists in DNS


Imagine a DNS CNAME points to a record that is a separate subdomain on a cloud service; can we search for that record as well? This may give us additional information about new assets.

// Below gives us a new potential set of hostnames, m4lwhereNotes


inetdata

./ -t brt,crt -d -D hosts.txt --iw --threads 10
# Brute Force, Cert Transparency Logs (brt,crt)
# Target domain of
# -D is the custom dictionary (hosts.txt)
# --iw ignores wildcard answers
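The two ideas above (follow a CNAME to see which cloud-side name it lands on, and ignore answers that only exist because of a wildcard record) are shown together in the following added example. It is not code from the original notes or from inetdata; it resolves against a small constructed zone table instead of live DNS so it runs offline, and the names example.test and cloudhost.test are invented. The same logic, with the lookup function swapped for a real resolver, is what an asset-inventory script does when it checks which of your own hostnames point at third-party hosting.

```python
import random
import string
from typing import Dict, List, Optional, Set, Tuple

Record = Tuple[str, str]  # (rrtype, target)

# Constructed zone data standing in for live DNS answers; none of these are real.
# "*.example.test" models a wildcard record, the case --iw tells the tool to skip.
CONSTRUCTED_ZONE: Dict[str, Record] = {
    "www.example.test": ("A", "203.0.113.10"),
    "blog.example.test": ("CNAME", "example-blog.cloudhost.test"),
    "example-blog.cloudhost.test": ("CNAME", "edge-7.cloudhost.test"),
    "edge-7.cloudhost.test": ("A", "198.51.100.7"),
    "shop.example.test": ("CNAME", "shop-example.cloudhost.test"),
    "shop-example.cloudhost.test": ("A", "198.51.100.8"),
    "*.example.test": ("A", "203.0.113.99"),  # wildcard
}


def lookup(name: str, zone: Dict[str, Record] = CONSTRUCTED_ZONE) -> Optional[Record]:
    """Exact match first, then the parent's wildcard, the way a resolver answers."""
    if name in zone:
        return zone[name]
    if "." not in name:
        return None
    parent = name.split(".", 1)[1]
    return zone.get("*." + parent)


def wildcard_answer(apex: str, zone: Dict[str, Record] = CONSTRUCTED_ZONE) -> Optional[Record]:
    """Resolve a random label under apex; any answer means the zone has a wildcard."""
    label = "".join(random.choices(string.ascii_lowercase, k=16))
    return lookup(f"{label}.{apex}", zone)


def follow_cname(name: str, zone: Dict[str, Record] = CONSTRUCTED_ZONE, max_hops: int = 8) -> List[str]:
    """Return the chain name -> cname -> ... -> final name, stopping on a loop or the hop limit."""
    chain = [name]
    seen = {name}
    current = name
    for _ in range(max_hops):
        rec = lookup(current, zone)
        if rec is None or rec[0] != "CNAME":
            break
        current = rec[1]
        if current in seen:  # CNAME loop guard
            break
        chain.append(current)
        seen.add(current)
    return chain


def discover(apex: str, candidates: List[str], zone: Dict[str, Record] = CONSTRUCTED_ZONE) -> Dict[str, List[str]]:
    """Try each wordlist entry under apex, drop answers identical to the wildcard
    answer (the --iw behaviour), and record the CNAME chain of every real host."""
    wc = wildcard_answer(apex, zone)
    found: Dict[str, List[str]] = {}
    for word in candidates:
        host = f"{word}.{apex}"
        rec = lookup(host, zone)
        if rec is None:
            continue
        if wc is not None and rec == wc:
            continue  # answered only because of the wildcard
        found[host] = follow_cname(host, zone)
    return found


def new_assets(found: Dict[str, List[str]], apex: str) -> Set[str]:
    """Names reached through CNAME chains that live outside the apex:
    the cloud-side records worth inventorying as additional assets."""
    return {n for chain in found.values() for n in chain[1:] if not n.endswith("." + apex)}


if __name__ == "__main__":
    hits = discover("example.test", ["www", "blog", "shop", "mail", "dev"])
    for host, chain in hits.items():
        print(host, "->", " -> ".join(chain[1:]) or "(A record)")
    print("external names:", sorted(new_assets(hits, "example.test")))
```

Comparing each answer to the wildcard answer is the same heuristic the --iw flag relies on: a real record that happens to share the wildcard's address would be dropped too, so treat the filtered list as a lower bound.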


shuffledns uses massdns to spread DNS requests across many different resolvers, very quick!

shuffledns -d -w ./subdomains-5k.txt -r ./resolvers.txt --massdns /opt/bin/massdns -o ./out.txt
