Inspired by part two of https://twitter.com/RogueSMG/status/1496217791976054784
To list subdomains of a goal, the easiest way is programmatic automation.
First of all we need to have a Linux-based operating system, such as the KaliLinux distribution that can be used as a virtual machine from Vmware in Windows.
But my recommendation is to buy a cheap VPS, it doesn't matter what provider it is, in my case I have chosen a VPS based on Ubuntu 20.04.
After having access to the VPS by SSH we must install Go. We must go to the page https://go.dev/dl/ and locate the download of the "tar.gz" file for Linux. In my case, I have downloaded version 1.18.3 and this can change to a newer one when you read this entry.
The commands to download and install Go are as follows:
wget https://go.dev/dl/go1.18.3.linux-amd64.tar.gz tar -xvf go1.18.3.linux-amd64.tar.gz sudo mv go /usr/local export GOROOT=/usr/local /go export GOPATH=$HOME/go export PATH=$PATH:$GOROOT/bin:$GOPATH/bin source ~/.profile
To check if Go is installed correctly run the command "go version" in the terminal, you will get something like the following:
go version go1.18.3 linux/amd64
The tools to be used would be the following:
To install the version for Go run the following command.
go install -v github.com/OWASP/Amass/v3/...@master
If you have problems with the installation due to the version of Go, I recommend using version 1.18.3 as it is compatible with Amass.
You can also install Amass via Docker or by downloading the binary from releases. More information see its official GitHub repository.
To passively enumerate subdomains with Amass use the following command.
amass enum --passive -d starbucks.com
Since this tool no longer has updates since 2020, it is likely that it will have installation problems.
You need to download the Go files and install directly from these files.
wget https://github.com/tomnomnom/assetfinder/archive/refs/tags/v0.1.1.zip unzip v0.1.1.zip -d assetfinder cd assetfinder/ cd assetfinder-0.1.1/ go env -w GO111MODULE=auto
Now run the tool with the following command to perform subdomain enumeration.
assetfinder --subs-only starbucks.com
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
subfinder -d starbucks.com
The next two tools are optional, but they're pretty cool too.
This tool is very interesting because it uses different services for enumeration of subdomains, and it is compatible with Windows and Linux.
As the name implies, it allows you to get subdomains of projects hosted in public GitHub repositories. You just need to set the token.