Bash program that chains together multiple domain recon tools to enumerate subdomains on a target domain.
This program requires Go and a few Go packages.
Assetfinder: Find domains and subdomains potentially related to a given domain.
go install github.com/tomnomnom/assetfinder@latest
Httprobe: Take a list of domains and probe for working http and https servers.
Install latest from master branch for --prefer-https support.
go install github.com/tomnomnom/httprobe@master
Subjack: Subdomain Takeover tool designed to scan a list of subdomains concurrently and identify ones that are able to be hijacked.
go install github.com/haccer/subjack@latest
Clone this repo and run ./sdr.sh to get started.
$ ./sdr.sh
Domain to scan: totallyrealsite.com
[+] Finding subdomains ...
[+] Found 10 unique subdomains for totallyrealsite.com ...
[+] Probing subdomains for response ...
[+] Found 8 subdomains with a response ...
[+] Checking subdomains for subdomain takeover ...
[+] Done! Recon files logged to: recon/totallyrealsite.com
[+] Completed in 7 seconds.
Output for the assetfinder, httprobe and subjack scans can be found in:
$ ls recon/totallyrealsite.com
recon/totallyrealsite.com/totallyrealsite.com.assets
recon/totallyrealsite.com/totallyrealsite.com.probed
recon/totallyrealsite.com/totallyrealsite.com.subjack
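For reviewing your own domain's results, the sketch below is an added example (not part of sdr.sh) that compares the .assets and .probed files and lists discovered hostnames that returned no HTTP(S) response, which are the DNS records worth checking for staleness. It assumes .assets holds one hostname per line and .probed one URL per line; the function names and the example.test sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of sdr.sh). Assumed formats: <domain>.assets holds one
# hostname per line; <domain>.probed holds one URL per line (http:// or https://).

# Reduce hostnames or URLs to unique lowercase hostnames (scheme, port, path removed).
hosts_from() {
  sed -E 's#^[A-Za-z]+://##; s#[/:].*$##' "$1" | tr 'A-Z' 'a-z' | sed '/^$/d' | sort -u
}

# Discovered hosts with no HTTP(S) response: candidates for a stale-DNS review.
silent_hosts() (
  dir=$1; domain=$2
  tmp=$(mktemp)
  hosts_from "$dir/$domain.probed" > "$tmp"
  # -x whole line, -F fixed string, -v keep only hosts absent from the probed set
  hosts_from "$dir/$domain.assets" | grep -vxFf "$tmp" || true
  rm -f "$tmp"
)

# One summary line: discovered, responding and silent host counts.
recon_summary() (
  dir=$1; domain=$2
  found=$(hosts_from "$dir/$domain.assets" | wc -l)
  live=$(hosts_from "$dir/$domain.probed" | wc -l)
  silent=$(silent_hosts "$dir" "$domain" | wc -l)
  echo "$domain found=$((found)) live=$((live)) silent=$((silent))"
)

# Constructed sample data laid out like recon/<domain>/ (not real scan output).
make_sample() {
  d=$(mktemp -d)
  printf '%s\n' www.example.test api.example.test API.example.test \
    old.example.test > "$d/example.test.assets"
  printf '%s\n' https://www.example.test http://api.example.test:8080 \
    > "$d/example.test.probed"
  echo "$d"
}

sample=$(make_sample)
recon_summary "$sample" example.test   # counts after case-insensitive dedupe
silent_hosts "$sample" example.test    # hosts to review in DNS
rm -rf "$sample"
```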
- Chain this automated process further with tools like gowitness and nmap.
- Scrape and pull files from the Wayback Machine.