Subdomain Enumeration
ASN Lookup
Related Domains
Reverse whois: https://viewdns.info/
Builtwith: https://pro.builtwith.com/
DNS Records
Subfinder
Pasif tarama yaparak subdomainleri listeler.
Bevigil: https://bevigil.com/osint/api-keys
BinaryEdge: https://app.binaryedge.io/account/api
BufferOver: https://tls.bufferover.run/
Builtwith: https://api.builtwith.com/
Certspotter: https://sslmate.com/account/api_keys
Hunter: https://hunter.io/api-keys
Leakix: https://leakix.net/settings/api
Netlas: https://app.netlas.io/profile/
SecurityTrails: https://securitytrails.com/app/account/credentials
Shodan: https://account.shodan.io/
Virustotal: https://www.virustotal.com/gui/user/
Zoomeye: https://www.zoomeye.hk/profile
# FREE bevigil builtwith fofa securitytrails shodan zoomeye
code /root/.config/subfinder/provider-config.yaml
subfinder -silent -all -dL domains.txt | anew subdomains.txt
DNS Bruteforce
echo 8.8.8.8 > resolver.txt
shuffledns -d example.com -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -r resolver.txt -mode bruteforce -silent
Live Subdomains
cat subdomains.txt | dnsx -silent -retry 5 | anew live.txt
Live Websites
cat live.txt | httpx -silent -nc -sc -cl -fr -title -server -td -cdn -ip | anew web.txt
cat live.txt | httpx -silent -csv -o web.csv -ports 80,443,3387,5985,8005,8009,8080,8081,8090,8180,8443
cat httpx.txt | tr "[]" "~" | cut -d "~" -f1
cat httpx.txt | tr "[]" "~" | sort -t "~" -k1 -n
Screenshot
gowitness report server -q --host 0.0.0.0
gowitness scan file --write-db -f live.txt
Assetfinder
Bu tool verilen domainle bağlantı olabilecek diğer domain ve subdomainleri bulur.
assetfinder example.com
VHOST Enumeration
ffuf -u http://example.com/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -H 'HOST: FUZZ.example.com' -fs 15949
URL Enumeration
cat example_live.txt | (gau || hakrawler || waybackurls || katana) | anew example_urls.txt
cat example_urls.txt | uro | gf xss | grep '?' | qsreplace '"><img src=x onerror=alert(1)>' | httpx -sc -mr '<img src=x'
Web Crawling
katana -u 'https://example.com' -silent -jc -kf -aff -iqp -s breadth-first -d 5 -hl -nos -o example.txt
Bug Bounty Target Toplama
# Hackerone
curl -sL https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/main/data/hackerone_data.json | jq -r '.[].targets.in_scope[] | [.asset_identifier, .asset_type] | @tsv' > hackerone.txt
# Bugcrowd
curl -sL https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/main/data/bugcrowd_data.json | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv' > bugcrowd.txt
# Intigriti
curl -sL https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/main/data/intigriti_data.json | jq -r '.[].targets.in_scope[] | [.endpoint, .type] | @tsv' > intigriti.txt
# YesWeHack
curl -sL https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/main/data/yeswehack_data.json | jq -r '.[].targets.in_scope[] | [.target, .type] | @tsv' > yeswehack.txt
# All Subdomains
wget https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/refs/heads/main/data/domains.txt
# All Wildcards
wget https://raw.githubusercontent.com/arkadiyt/bounty-targets-data/refs/heads/main/data/wildcards.txt
Last updated
Was this helpful?