Pasif tarama yaparak subdomainleri listeler.
# FREE bevigil builtwith fofa securitytrails shodan zoomeye
# (presumably the subfinder data sources that work with a free-tier API key;
# confirm against each provider's current terms)

# Open subfinder's provider configuration in the `code` editor. The path is
# under /root, so the workflow is being run as root. This file holds the
# provider API keys: keep it owner-readable only and out of version control.
code /root/.config/subfinder/provider-config.yaml

# Passive enumeration for every domain listed in domains.txt (-dL), querying
# all sources (-all). anew appends only lines that subdomains.txt does not
# already contain, so re-runs do not create duplicates.
subfinder -silent -all -dL domains.txt | anew subdomains.txt

# Resolver list for shuffledns: a single public resolver.
echo 8.8.8.8 > resolver.txt

# Wordlist-based DNS enumeration of one domain through the resolver list.
# NOTE(review): unlike the other steps, the result goes to stdout only and is
# not merged into subdomains.txt.
shuffledns -d example.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -r resolver.txt -mode bruteforce -silent

# Keep only the names that currently resolve.
cat subdomains.txt | dnsx -silent | anew example_live.txt

# HTTP probe of the resolving hosts: status code, content length, title,
# server header, technology and CDN detection, redirects followed, Location
# header, and screenshots (-ss) with a 20s timeout and 10s idle time.
cat example_live.txt | httpx -silent -sc -cl -title -server -nc -td -cdn -fr -fhr -location -ss -st 20s -sid 10s | anew example_web.txt

# Same probe across a fixed port list, keeping only 200/302 responses, written
# as CSV to example_web.csv.
cat example_live.txt | httpx -silent -sc -cl -title -server -td -cdn -fr -mc 200,302 -csv -o example_web.csv -ports 80,443,8009,8080,8081,8090,8180,8443

# Reduce the CSV to a subset of columns.
# NOTE(review): cut splits on every comma and does not understand CSV quoting,
# so a quoted field that contains a comma (a page title, for example) shifts
# the columns. cut also emits fields in file order, not in the order listed
# after -f. The column numbers presumably match the CSV layout of the httpx
# version that was used; verify them against the header row.
cat example_web.csv | cut -d',' -f11,7,8,14,17,22,28,34,38,43,44 > filtered_web.csv

# Screenshot pass over the targets listed in example_live.txt (-f).
eyewitness -f example_live.txt
Bu tool, verilen domainle bağlantılı olabilecek diğer domain ve subdomainleri bulur.
# Virtual-host enumeration: each wordlist entry replaces FUZZ in the Host
# header of a request to the same URL. -fs 15949 drops responses of that exact
# size; the number is the default-vhost response size for this particular
# server and has to be measured again for any other host.
ffuf -u http://example.com/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -H 'HOST: FUZZ.example.com' -fs 15949

# Collect known URLs for the live hosts. The parenthesised list runs left to
# right and a later tool starts only when the previous one exits non-zero
# (for example because it is not installed). All four share one stdin, so a
# tool that fails after it has read the input leaves nothing for the next.
cat example_live.txt | (gau || hakrawler || waybackurls || katana) | anew example_urls.txt

# Reflection check: uro de-duplicates the URL list, gf applies its "xss"
# pattern set, grep keeps URLs that have a query string, qsreplace swaps every
# parameter value for the marker, and httpx -mr prints the URLs whose response
# body contains the marker start unencoded. A match shows that the parameter
# is echoed without HTML output encoding; whether the reflected value is
# rendered as markup still depends on the surrounding context.
cat example_urls.txt | uro | gf xss | grep '?' | qsreplace '"><img src=x onerror=alert(1)>' | httpx -sc -mr '<img src=x'

# Crawl one site to depth 5 with JavaScript parsing (-jc) in a headless
# browser (-hl, with the sandbox disabled by -nos), ignoring query-parameter
# variations of the same path (-iqp), and write the URLs to example.txt.
# NOTE(review): katana's help lists -kf as taking a value (all, robotstxt,
# sitemapxml); written as "-kf -nos" it may consume -nos as that value.
# Confirm against the installed version.
katana -u 'https://example.com' -d 5 -jc -kf -nos -hl -silent -timeout 20 -iqp -o example.txt
Bug Bounty Target Toplama
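# Every file below comes from the arkadiyt/bounty-targets-data repository, a
# third-party mirror of the platforms' scope lists. The extracts reflect what
# the mirror held at download time; the program page on each platform is the
# authoritative scope.
#
# curl flags: -f makes an HTTP error (404, 5xx) a failure instead of passing
# the error page to jq as if it were JSON, -S prints that error even though -s
# hides the progress meter, -L follows redirects.
# The output redirection truncates the target file before curl runs, so a
# failed download leaves an empty .txt; check the file size after each step.
# Each jq filter prints one tab-separated line per in-scope entry; the field
# names differ per platform.

# Hackerone
curl -fsSL https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/main/data/hackerone_data.json | jq -r '.[].targets.in_scope[] | [.asset_identifier, .asset_type] | @tsv' > hackerone.txt
# Bugcrowd
curl -fsSL https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/main/data/bugcrowd_data.json | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv' > bugcrowd.txt
# Intigriti
curl -fsSL https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/main/data/intigriti_data.json | jq -r '.[].targets.in_scope[] | [.endpoint, .type] | @tsv' > intigriti.txt
# YesWeHack
curl -fsSL https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/main/data/yeswehack_data.json | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv' > yeswehack.txt

# wget keeps an existing file and saves the new copy as NAME.1, so a re-run
# in the same directory leaves the old list under the original name.
# domains.txt is also the file name the subfinder step reads with -dL.
# All Subdomains
wget https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/refs/heads/main/data/domains.txt
# All Wildcards
wget https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/refs/heads/main/data/wildcards.txt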