Rock-ON – An All In One Recon Tool That Will Just Get A Single Entry Of The Domain Name And Do All Of The Work Alone

Rock-On is an all-in-one recon tool that gives your recon process a boost. It is mainly aimed at automating the whole recon process and saving the time that is otherwise wasted doing all of this manually. A thorough blog post will be up in some time. Stay tuned for the stable version with a UI.

Features
- Sub domain scraping
- Finding A.S.N -> Netblocks -> IPs
- Resolving
- Finding ports
- Finding VHosts
- Finding directories
- Finding sub takeovers
- Asset tracker with live monitoring
- Push notifications to Slack
- Finding JS links, then relative links in them and some sensitive files
- Active and passive crawling

Recommendation
Machine configuration: Debian 9.4, 4 GB RAM on DigitalOcean. It is best to run this tool on a new and fresh VPS.

For Censys:
Set the API and SECRET KEY in sub.sh unless you want to set it again and again.
For removing:
1. Delete lines 13-18.
2. Then set your API and SECRET KEY on lines 47 & 48 like this:
    export CENSYS_API_ID=your_key_here

For getting notifications on Slack:
Change the webhook address to your own in sub.sh, ASN.sh and Tools/sublert/config.py to get notifications while you do your other work.
For changing:
1. Replace the webhook address at line 113 in sub.sh and line 15 in ASN.sh.
2. Replace the webhook address in Tools/sublert/config.py.
AND follow @yassineaboukir's guide to configure Slack for sublert and to create a webhook address for sub.sh and ASN.sh: https://medium.com/@yassineaboukir/automated-monitoring-of-subdomains-for-fun-and-profit-release-of-sublert-634cfc5d7708

Tools Added
Thanks to all the authors who have written these scripts and made a huge contribution to the community. A big shout-out to @ehsahil for his blog on recon, which helped me a lot while making this tool and taking examples for the repository.
- Sublist3r
- Knock
- Subfinder
- Censys
- Amass
- CT Logs
- CTFR
- Wayback
- San Domains
- AltDns
- NMAP
- Masscan
- MassDNS
- Sublert
- Aquatone
- Vhost
- Rapid7 FDNS DB
- AWS-CLI
- Dirsearch
- More to be added...

Requirements
Go language. Install it with the following commands:
    wget https://dl.google.com/go/go1.12.5.linux-amd64.tar.gz
    tar -C /usr/local -xzf go1.12.5.linux-amd64.tar.gz
    rm -f go1.12.5.linux-amd64.tar.gz
    nano ~/.profile
Add these lines:
    export PATH=$PATH:/usr/local/go/bin
    export GOROOT=/usr/local/go

Installation
Note: for a new fresh VPS, run these commands first:
    sudo apt-get update && sudo apt-get upgrade && sudo apt-get install git
Then:
    git clone https://github.com/SilverPoision/Rock-ON.git
    cd Rock-ON
    chmod +x rockon.sh
    ./rockon.sh
1. Also don't forget to configure your AWS credentials by running:
    aws configure

Usage
    ./rockon.sh
Enter your choice and then the required information.
Note: run the command below before running the 4th option for the first time:
    gem install colorize

Give Rock-On some Love
If this tool was useful to you during your recon stages, I would love to know. Any suggestions or ideas for this tool are appreciated; just DM me on Facebook or Twitter.

Link: http://www.kitploit.com/2019/07/rock-on-all-in-one-recon-tool-that-will.html

Amass – In-depth DNS Enumeration And Network Mapping

The OWASP Amass tool suite obtains subdomain names by scraping data sources, recursive brute forcing, crawling web archives, permuting/altering names and reverse DNS sweeping. Additionally, Amass uses the IP addresses obtained during resolution to discover associated netblocks and ASNs. All the information is then used to build maps of the target networks.

Information Gathering Techniques Used:
- DNS: Basic enumeration, Brute forcing (upon request), Reverse DNS sweeping, Subdomain name alterations/permutations, Zone transfers (upon request)
- Scraping: Ask, Baidu, Bing, CommonCrawl, DNSDB, DNSDumpster, DNSTable, Dogpile, Exalead, FindSubdomains, Google, IPv4Info, Netcraft, PTRArchive, Riddler, SiteDossier, ThreatCrowd, VirusTotal, Yahoo
- Certificates: Active pulls (upon request), Censys, CertDB, CertSpotter, Crtsh, Entrust
- APIs: BinaryEdge, BufferOver, CIRCL, HackerTarget, PassiveTotal, Robtex, SecurityTrails, Shodan, Twitter, Umbrella, URLScan
- Web Archives: ArchiveIt, ArchiveToday, Arquivo, LoCArchive, OpenUKArchive, UKGovArchive, Wayback

How to Install

Prebuilt
A precompiled version is available for each release.
If your operating environment supports Snap, you can install it from the Snap store, or perform the following from the command line:
    sudo snap install amass
On Kali, follow these steps to install Snap and Amass and use AppArmor (for autoload):
    sudo apt install snapd
    sudo systemctl start snapd
    sudo systemctl enable snapd
    sudo systemctl start apparmor
    sudo systemctl enable apparmor
Add the Snap bin directory to your PATH:
    export PATH=$PATH:/snap/bin
Periodically, execute the following command to update all your snap packages:
    sudo snap refresh
For Homebrew on Mac, the following two commands will install Amass into your macOS environment:
    brew tap caffix/amass
    brew install amass

Using Docker
Build the Docker image:
    sudo docker build -t amass https://github.com/OWASP/Amass.git
Run the Docker image:
    sudo docker run amass --passive -d example.com
The wordlists maintained in the Amass git repository are available in /wordlists/ within the docker container. For example, to use all.txt:
    sudo docker run amass -w /wordlists/all.txt -d example.com

From Source
If you prefer to build your own binary from the latest release of the source code, make sure you have a correctly configured Go >= 1.10 environment. More information about how to achieve this can be found on the golang website. Then, take the following steps:
Download OWASP Amass:
    go get -u github.com/OWASP/Amass/...
If you wish to rebuild the binaries from the source code:
    cd $GOPATH/src/github.com/OWASP/Amass
    go install ./...
At this point, the binaries should be in $GOPATH/bin.
Several wordlists can be found in the following directory:
    ls $GOPATH/src/github.com/OWASP/Amass/wordlists/

Documentation
Go to the User's Guide for additional information.

Project Lead
OWASP: Caffix
GitHub: @caffix

Link: http://www.kitploit.com/2019/05/amass-in-depth-dns-enumeration-and.html

Horn3t – Powerful Visual Subdomain Enumeration At The Click Of A Mouse

Horn3t is your number one tool for exploring subdomains visually. Building on the great Sublist3r framework (or extensible with your favorite one), it searches for subdomains and generates awesome picture previews. Get a fast overview of your target with HTTP status codes, add custom found subdomains and directly access found URLs with one click.
- Recon your targets at blazing speed
- Enhance your productivity by focusing on interesting looking sites
- Enumerate critical sites immediately
- Sting your target

Installation
1. Install Google Chrome
2. Install requirements.txt with pip3
3. Install requirements.txt of sublist3r with pip3
4. Put the directory within the web server of your choice
5. Make sure to have the right permissions
6. Run horn3t.py
Or alternatively use the install.sh file with docker.
Afterwards you can access the web portal under http://localhost:1337

Todo
- Better scaling on Firefox
- Add Windows Dockerfile
- Direct Nmap support per click on a subdomain
- Direct Dirb support per click on a subdomain
- Generate PDF reports of found subdomains
- Assist with subdomain takeover

Credits
- aboul3la - The creator of Sublist3r; turbolist3r adds some features but is otherwise a near clone of sublist3r.
- TheRook - The bruteforce module was based on his script subbrute.
- bitquark - The Subbrute's wordlist was based on his research dnspop.

Tested on Windows 10 and Debian with Google Chrome/Chromium 73

Link: http://www.kitploit.com/2019/05/horn3t-powerful-visual-subdomain.html

Zeebsploit – Web Scanner / Exploitation / Information Gathering

zeebsploit is a tool for hacking, searching for web information and scanning vulnerabilities of a web site.

Installation & Usage
    apt-get install git
    git clone https://github.com/jaxBCD/Zeebsploit.git
    cd Zeebsploit
    chmod +x install
    ./install
    python3 zeebsploit.py
Type 'help' to show the modules and follow the instructions.

Modules

[Main modules]
+----------+-------------------------------+
| Modules  | Description                   |
+----------+-------------------------------+
| Exploit  | Exploitation Modules          |
| Scanners | Scanners Modules              |
| infoga   | information Gathering Modules |
+----------+-------------------------------+

[Exploit Modules]
+---------------------------+--------------------------------------------------+
| Modules                   | Description                                      |
+---------------------------+--------------------------------------------------+
| wp content injection      | wordpress content injection version 4.7 or 4.7.1 |
| wp revslider              | wordpress plugin revslider remote file upload    |
| wp learndash              | wordpress learndash remote file upload           |
| wp swhobiz                | wordpress plugin showbiz remote file upload      |
| joomla com fabrik         | joomla component fabrik file upload              |
| joomla manager get config | joomla component manager auto get config         |
| joomla jdownload          | joomla component jdownloads remote file upload   |
| joomla                    | Joomla ads manager component auto shell upload   |
| apache struts rce         | CVE-2017-5638 - Apache Struts2 S2-045            |
|                           | remote command execution                         |
| drupal8 rce               | drupal version 8 remote command execution        |
| dvr cam leak credential   | TBK DVR4104 / DVR4216                            |
|                           | - Credentials Leak (Get User and password)       |
| webdav file upload        | Nothing                                          |
| ---More---                | Coming Soon the following version                |
+---------------------------+--------------------------------------------------+

[Scanner Module]
+--------------------+----------------------------------------+
| Modules            | Description                            |
+--------------------+----------------------------------------+
| subdomain scanner  | Scan Subdomain for Web                 |
| sqli scanner       | Scan Sql Injection Vulnerability       |
| xss scanner        | Scan XSS Injection Vulnerability       |
| lfi scanner        | Local File Includes Scanner etc/passwd |
| admin login finder | Scan Admin Login page                  |
| directory scanner  | scan directory on web use dirhunt      |
| subdomain takeover | scan type subdomain takeover           |
| ---More---         | Coming Soon the following version      |
+--------------------+----------------------------------------+

[Information Gathering]
+--------------------+------------------------------------------+
| Modules            | Description                              |
+--------------------+------------------------------------------+
| cms detector       | a tool for detecting cms on a web        |
| port scanner       | Scan Open Port use Nmap                  |
| information header | response header information              |
| ip geolocation     | detect the location of an ip or host     |
| email searcher     | searching email from web                 |
| traceroute         | to show the route the package has passed |
| robot.txt detector | Scan Robot.txt from Web                  |
| header information | Response Header Checker                  |
| whois lookup       | looking for registered users or          |
|                    | recipients of Internet resource rights   |
| ---More---         | Coming Soon the following version        |
+--------------------+------------------------------------------+

Link: http://feedproxy.google.com/~r/PentestTools/~3/9xaMRbIv1Dk/zeebsploit-web-scanner-exploitation.html

Censys Subdomain Finder – Perform Subdomain Enumeration Using The Certificate Transparency Logs From Censys

This is a tool to enumerate subdomains using the Certificate Transparency logs stored by Censys. It should return any subdomain that has ever been issued an SSL certificate by a public CA.

See it in action:
    $ python censys_subdomain_finder.py github.com
    [*] Searching Censys for subdomains of github.com
    [*] Found 42 unique subdomains of github.com in ~1.7 seconds
      - hq.github.com
      - talks.github.com
      - cla.github.com
      - github.com
      - cloud.github.com
      - enterprise.github.com
      - help.github.com
      - collector-cdn.github.com
      - central.github.com
      - smtp.github.com
      - cas.octodemo.github.com
      - schrauger.github.com
      - jobs.github.com
      - classroom.github.com
      - dodgeball.github.com
      - visualstudio.github.com
      - branch.github.com
      - www.github.com
      - edu.github.com
      - education.github.com
      - import.github.com
      - styleguide.github.com
      - community.github.com
      - server.github.com
      - mac-installer.github.com
      - registry.github.com
      - f.cloud.github.com
      - offer.github.com
      - helpnext.github.com
      - foo.github.com
      - porter.github.com
      - id.github.com
      - atom-installer.github.com
      - review-lab.github.com
      - vpn-ca.iad.github.com
      - maintainers.github.com
      - raw.github.com
      - status.github.com
      - camo.github.com
      - support.enterprise.github.com
      - stg.github.com
      - rs.github.com

Setup
1. Register an account (free) on https://censys.io/register
2. Browse to https://censys.io/account, and set two environment variables with your API ID and API secret:
    $ export CENSYS_API_ID=...
    $ export CENSYS_API_SECRET=...
3. Clone the repository:
    $ git clone https://github.com/christophetd/censys-subdomain-finder.git
4. Install the dependencies:
    $ cd censys-subdomain-finder
    $ pip install -r requirements.txt
5. Run the script on example.com to make sure everything works as expected:
    $ python censys_subdomain_finder.py example.com
    [*] Searching Censys for subdomains of example.com
    [*] Found 5 unique subdomains of example.com
      - products.example.com
      - www.example.com
      - dev.example.com
      - example.com
      - support.example.com

Usage
    usage: censys_subdomain_finder.py [-h] [-o OUTPUT_FILE]
                                      [--censys-api-id CENSYS_API_ID]
                                      [--censys-api-secret CENSYS_API_SECRET]
                                      domain

    positional arguments:
      domain                The domain to scan

    optional arguments:
      -h, --help            show this help message and exit
      -o OUTPUT_FILE, --output OUTPUT_FILE
                            A file to output the list of subdomains to (default: None)
      --censys-api-id CENSYS_API_ID
                            Censys API ID. Can also be defined using the CENSYS_API_ID
                            environment variable (default: None)
      --censys-api-secret CENSYS_API_SECRET
                            Censys API secret. Can also be defined using the
                            CENSYS_API_SECRET environment variable (default: None)

Compatibility
Should run on Python 2.7 and 3.5.

Notes
The Censys API has a rate limit of 120 queries per 5-minute window. Each invocation of this tool makes exactly one API call to Censys.
Feel free to open an issue or to tweet @christophetd for suggestions or remarks.

Link: http://feedproxy.google.com/~r/PentestTools/~3/bPFQtNdU4Fw/censys-subdomain-finder-perform.html

SubScraper – External Pentest Tool That Performs Subdomain Enumeration Through Various Techniques

SubScraper uses DNS brute force, Google & Bing scraping, and VirusTotal to enumerate subdomains without an API. Written in Python3, SubScraper performs HTTP(S) requests and DNS "A" record lookups during the enumeration process to validate discovered subdomains. This provides further information to help prioritize targets and aid in potential next steps. Post-enumeration, "CNAME" lookups are displayed to identify subdomain takeover opportunities.

Usage
    python3 subscraper.py example.com
    python3 subscraper.py -t 5 -o csv example.com

Options
    -s              Only use internet to find subdomains
    -b              Only use DNS brute forcing to find subdomains
    -o OUTFILE      Define output file type: csv/txt (Default: None)
    -t MAX_THREADS  Max threads (Default: 10)
    -w SUBLIST      Custom subdomain wordlist

Link: http://feedproxy.google.com/~r/PentestTools/~3/N7uapcTydU0/subscraper-external-pentest-tool-that.html

Firebase Exploiting Tool – Exploiting Misconfigured Firebase Databases

Exploiting vulnerable/misconfigured Firebase databases.

Prerequisites
Non-standard python modules:
- dnsdumpster
- bs4
- requests

Installation
If the following commands run successfully, you are ready to use the script:
    git clone https://github.com/Turr0n/firebase.git
    cd firebase
    pip install -r requirements.txt

Usage
    python3 firebase.py [-h] [--dnsdumpster] [-d /path/to/file.htm] [-o results.json] [-l /path/to/file] [-c 100] [-p 4]

Arguments:
    -h             Show the help message
    -d             Absolute path to the downloaded HTML file.
    -o             Output file name. Default: results.json
    -c             Crawl for domains in the top-1m by Alexa. Set how many domains to crawl, for example: 100. Up to 1000000
    -p             How many processes to execute. Default: 1
    -l             Path to a file containing the DBs to crawl. One DB name per line. This option can't be used with -d or -c
    --dnsdumpster  Use the DNSDumpster API to gather DBs
    --just-v       Ignore "non-vulnerable" DBs
    --amass        Path of the output file of an amass scan ([-o] argument)

Example:
    python3 firebase.py -p 4 -o results_1.json -c 150 --dnsdumpster
This will look up the first 150 domains in the Alexa file as well as the DBs provided by DNSDumpster. The results will be saved to results_1.json and the whole script will execute using 4 parallel processes.

The script will create a JSON file containing the gathered vulnerable databases and their dumped contents. Each database has a status:
- -2: DB doesn't exist
- -1: not vulnerable
- 0: further exploitation may be possible
- 1: vulnerable

For better results, head to pentest-tools.com and in its subdomain scanner enter the following domain: firebaseio.com. Once the scan has finished, save the page HTML (CTRL+S) and use the -d [path] argument; this will allow the script to analyze the subdomains discovered by that service. Further subdomain crawlers might get supported.

Now we support the amass scanner by @caffix! By running any desired scan with that tool against firebaseio.com using the -o argument, the script will be able to digest the output file and crawl for the discovered DBs.

Firebase DBs work using this structure: https://[DB name].firebaseio.com/. If you are using the -l [path] argument, the supplied file needs to contain a [DB name] per line, for example:
    airbnb
    twitter
    microsoft
Using that file will check for these DBs: https://airbnb.firebaseio.com/.json, https://twitter.firebaseio.com/.json, https://microsoft.firebaseio.com/.json

Link: http://feedproxy.google.com/~r/PentestTools/~3/i5hgSAIPl6I/firebase-exploiting-tool-exploiting.html

SubFinder – A Subdomain Discovery Tool That Discovers Valid Subdomains For Websites

SubFinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and has been aimed as a successor to the sublist3r project. SubFinder uses passive sources, search engines, pastebins, internet archives, etc. to find subdomains, and then uses a permutation module inspired by altdns to generate permutations and resolve them quickly using a powerful bruteforcing engine. It can also perform plain bruteforce if needed. The tool is highly customizable, and the code is built with a modular approach in mind, making it easy to add functionalities and remove errors.

We have designed SubFinder to comply with all passive sources' licenses and usage restrictions, and have maintained a consistently passive model to make it useful to both penetration testers and bug bounty hunters alike.

Features
- Simple and modular code base making it easy to contribute.
- Fast and powerful bruteforcing module
- Powerful permutation generation engine (in development)
- Many passive data sources (30 at present)
- Multiple output formats

Passive sources: Ask, Archive.is, Baidu, Bing, Censys, CertDB, CertSpotter, CrtSH, DnsDB, DNSDumpster, Dogpile, Entrust CT-Search, Exalead, FindSubdomains, GoogleTER, Hackertarget, IPv4Info, Netcraft, PassiveTotal, PTRArchive, Riddler, SecurityTrails, SiteDossier, Shodan, SSL Certificates, ThreatCrowd, ThreatMiner, Virustotal, WaybackArchive, Yahoo

Usage
    ./subfinder -h
This will display help for the tool. Here are all the switches it supports.

Flag               Description                                                Example
-b                 Use bruteforcing to find subdomains                        ./subfinder -d example.com -b
-c                 Don't show colored output                                  ./subfinder -c
-d                 Domain to find subdomains for                              ./subfinder -d example.com
-dL                List of domains to find subdomains for                     ./subfinder -dl hosts.txt
-nW                Remove wildcard subdomains                                 ./subfinder -nw
-o                 Name of the output file (Optional)                         ./subfinder -o output.txt
-oT                Write output in Aquatone style JSON format (Required -nW)  ./subfinder -o output.txt -nw -oA
-oJ                Write output in JSON format                                ./subfinder -o output.json -oJ
-oD                Output to directory (When using multiple hosts)            ./subfinder -od ~/misc/out/
-r                 Comma-separated list of resolvers to use                   ./subfinder -r 8.8.8.8,1.1.1.1
-rL                File containing list of resolvers to use                   ./subfinder -rL resolvers.txt
--recursive        Use recursive subdomain finding (default: true)            ./subfinder --recursive
--set-config       Sets a configuration option                                ./subfinder --set-config example=something
--set-settings     Sets a setting option                                      ./subfinder --set-settings CensysPages=10
--no-passive       Do not perform passive subdomain enumeration               ./subfinder -d freelancer.com --no-passive
--silent           Show only the subdomains found                             ./subfinder --silent
--sources          Comma separated list of sources to use (optional)          ./subfinder --sources threatcrowd,virustotal
--exclude-sources  Comma separated list of sources not to use (optional)      ./subfinder --exclude-sources threatcrowd,virustotal
-t                 Number of concurrent threads (Bruteforce)                  ./subfinder -t 10
--timeout          Seconds to wait until quitting connection                  ./subfinder --timeout 10
-v                 Display verbose output                                     ./subfinder -v
-w                 Wordlist for doing bruteforcing and permutation            ./subfinder -w words.txt

Installation Instructions

Direct Installation
SubFinder requires go1.10+ to install successfully! The installation is easy. Git clone the repo and run go build:
    go get github.com/subfinder/subfinder

Upgrading
If you wish to upgrade the package you can use:
    go get -u github.com/subfinder/subfinder

Running in a Docker Container
Git clone the repo, then build and run subfinder in a container with the following commands.
Clone the repo using:
    git clone https://github.com/subfinder/subfinder.git
Build your docker container:
    docker build -t subfinder .
After building the container, run the following:
    docker run -it subfinder
The above command is the same as running -h.
NOTE: Please follow the Post Install steps given after this to correctly configure the tool.
For example, this runs the tool against uber.com and outputs the results to your host file system:
    docker run -v $HOME/.config/subfinder:/root/.config/subfinder -it subfinder -d uber.com > uber.com.txt

Post Installation Instructions
Subfinder will work after using the installation instructions; however, to configure Subfinder to work with certain services, you will need to have set up API keys. The following services do not work without an API key:
- Virustotal
- Passivetotal
- SecurityTrails
- Censys
- Riddler
- Shodan

These are the configuration options you have to specify via the command line:
- VirustotalAPIKey
- PassivetotalUsername
- PassivetotalKey
- SecurityTrailsKey
- RiddlerEmail
- RiddlerPassword
- CensysUsername
- CensysSecret
- ShodanAPIKey

These values are stored in the $HOME/.config/subfinder/config.json file, which will be created when you run the tool for the first time. To configure the services to use an API key, you need to use the tool with the --set-config option, which will allow you to set a configuration option. For example:
    ./subfinder --set-config VirustotalAPIKey=0x41414141
    ./subfinder --set-config PassivetotalUsername=hacker,PassivetotalKey=supersecret

If you are using docker, you need to first create your directory structure holding the subfinder configuration file. You can either run the binary in your host system and let it create the directory structure of files, after which you can use the --set-config flag to set the API values like before. Or you can run:
    mkdir $HOME/.config/subfinder
    cp config.json $HOME/.config/subfinder/config.json
    nano $HOME/.config/subfinder/config.json
After that, you can pass it as a volume using the following sample command:
    sudo docker run -v $HOME/.config/subfinder:/root/.config/subfinder -it subfinder -d freelancer.com
Now, you can also pass --set-config inside the docker to change the configuration options.

Running Subfinder
To run the tool on a target, just use the following command:
    ./subfinder -d freelancer.com
This will run the tool against freelancer.com. There are a number of configuration options that you can pass along with this command. The verbose switch (-v) can be used to display verbose information:
    [CERTSPOTTER] www.fi.freelancer.com
    [DNSDUMPSTER] hosting.freelancer.com
    [DNSDUMPSTER] support.freelancer.com
    [DNSDUMPSTER] accounts.freelancer.com
    [DNSDUMPSTER] phabricator.freelancer.com
    [DNSDUMPSTER] cdn1.freelancer.com
    [DNSDUMPSTER] t1.freelancer.com
    [DNSDUMPSTER] wdc.t1.freelancer.com
    [DNSDUMPSTER] dal.t1.freelancer.com
The -o option can be used to specify an output file:
    ./subfinder -d freelancer.com -o output.txt
You can also get output in JSON format using the -oJ switch. The --silent switch can be used to show only the subdomains found without any other info. The --set-config switch can be used to set the value of any configuration option as explained above in the readme.
You can also pass some special settings for the tool through the command line by using the --set-settings flag. For example, you can pass the number of Censys pages to check using the following command:
    ./subfinder -d freelancer.com --sources censys --set-settings CensysPages=2 -v
For checking all pages returned by Censys, you can use the "all" option. Note that it is a string.
These are the settings currently supported:
- CensysPages
- AskPages
- BaiduPages
- BingPages

For using bruteforcing capabilities, you can use the -b flag with the -w option to specify a wordlist:
    ./subfinder -d freelancer.com -b -w jhaddix_all.txt -t 100 --sources censys --set-settings CensysPages=2 -v
You can also write output in the JSON format used by Aquatone:
    ./subfinder -d freelancer.com -o result_aquatone.json -oT -nW -v
You can specify custom resolvers too:
    ./subfinder -d freelancer.com -o result_aquatone.json -oT -nW -v -r 8.8.8.8,1.1.1.1
    ./subfinder -d freelancer.com -o result_aquatone.json -oT -nW -v -rL resolvers.txt
If you want to do bruteforce only and do not want to run the passive subdomain discovery engine, you can use the --no-passive flag, which will not run passive discovery. You can use this functionality to run plain bruteforce, etc.:
    ./subfinder -d freelancer.com --no-passive -v -b -w ~/dnslist.txt

Link: http://feedproxy.google.com/~r/PentestTools/~3/58lFnCeg94M/subfinder-subdomain-discovery-tool-that.html

Takeover – SubDomain TakeOver Vulnerability Scanner

Sub-domain takeover vulnerability occurs when a sub-domain (subdomain.example.com) is pointing to a service (e.g. GitHub, AWS/S3, ...) that has been removed or deleted. This allows an attacker to set up a page on the service that was being used and point their page to that sub-domain. For example, if subdomain.example.com was pointing to a GitHub page and the user decided to delete their GitHub page, an attacker can now create a GitHub page, add a CNAME file containing subdomain.example.com, and claim subdomain.example.com.

Installation:
    # git clone https://github.com/m4ll0k/takeover.git
    # cd takeover
    # python takeover.py
or:
    wget -q https://raw.githubusercontent.com/m4ll0k/takeover/master/takeover.py && python takeover.py
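A defender-side audit for the dangling-CNAME condition described above, added here as an example and not code from the takeover tool: it walks a zone's CNAME records and flags targets on known third-party services that either no longer resolve or answer with the service's "unclaimed resource" page (the HTTP check matters because GitHub Pages, Heroku and S3 keep resolving through wildcards after deletion). The service patterns, fingerprints, sample zone and stubbed lookups are assumptions constructed for this example.

```python
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.error import HTTPError, URLError
from urllib.request import urlopen

# Third-party services whose CNAME target is only "owned" while the resource exists.
# Assumed patterns/fingerprints for this example (not the tool's); verify before use.
SERVICES = {
    "GitHub Pages": (re.compile(r"\.github\.io\.?$", re.I),
                     "There isn't a GitHub Pages site here"),
    "Heroku": (re.compile(r"\.herokuapp\.com\.?$", re.I), "No such app"),
    "AWS S3": (re.compile(r"\.s3[.-][a-z0-9.-]*amazonaws\.com\.?$", re.I),
               "NoSuchBucket"),
}

Resolver = Callable[[str], bool]          # host -> does the name resolve?
Fetcher = Callable[[str], Optional[str]]  # host -> HTTP body, or None

@dataclass
class Finding:
    name: str               # record in our own zone
    target: str             # where its CNAME points
    service: Optional[str]  # matched third-party service, if any
    risk: str               # "dangling", "stale" or "ok"
    reason: str

def classify(name: str, target: str, resolve: Resolver, fetch: Fetcher) -> Finding:
    """Decide whether one CNAME record is a takeover candidate."""
    service = next((s for s, (pat, _) in SERVICES.items() if pat.search(target)), None)
    if not resolve(target):
        # Target name is gone. On a known service that usually means the resource
        # was deleted and anyone can register the name again.
        risk = "dangling" if service else "stale"
        return Finding(name, target, service, risk, "CNAME target does not resolve")
    if service:
        # Wildcard DNS still answers after deletion, so the HTTP body is the signal.
        fingerprint = SERVICES[service][1]
        if fingerprint in (fetch(name) or ""):
            return Finding(name, target, service, "dangling",
                           f"{service} serves its unclaimed-resource page")
    return Finding(name, target, service, "ok", "target resolves and serves content")

def audit(records: Dict[str, str], resolve: Resolver, fetch: Fetcher) -> List[Finding]:
    """Classify every CNAME in a zone; meant to run over your own records."""
    return [classify(n, t, resolve, fetch) for n, t in sorted(records.items())]

# Live checkers (standard library only) for use against a zone you operate.
def live_resolve(host: str) -> bool:
    try:
        socket.getaddrinfo(host.rstrip("."), None)
        return True
    except socket.gaierror:
        return False

def live_fetch(host: str) -> Optional[str]:
    try:
        with urlopen(f"http://{host}/", timeout=10) as resp:
            return resp.read(65536).decode("utf-8", "replace")
    except HTTPError as err:  # 404 bodies are where the fingerprints live
        return err.read(65536).decode("utf-8", "replace")
    except (URLError, OSError):
        return None

# Constructed sample zone and stubbed lookups so the example runs offline.
SAMPLE_ZONE = {
    "blog.example.com": "acme-blog.github.io.",
    "assets.example.com": "acme-assets.s3.amazonaws.com.",
    "app.example.com": "acme-app.herokuapp.com.",
    "old.example.com": "decommissioned.hosting.example.net.",
}
DEAD_NAMES = {"decommissioned.hosting.example.net."}
BODIES = {
    "blog.example.com": "<h1>404</h1> There isn't a GitHub Pages site here.",
    "assets.example.com": "<Error><Code>NoSuchBucket</Code></Error>",
    "app.example.com": "<html>Welcome to the app</html>",
}

def stub_resolve(host: str) -> bool:
    return host not in DEAD_NAMES

def stub_fetch(host: str) -> Optional[str]:
    return BODIES.get(host)

def dangling_names(records=SAMPLE_ZONE, resolve=stub_resolve, fetch=stub_fetch) -> List[str]:
    """Names in the zone that an outsider could claim right now."""
    return [f.name for f in audit(records, resolve, fetch) if f.risk == "dangling"]
```

Swap `stub_resolve`/`stub_fetch` for `live_resolve`/`live_fetch` and feed in your own zone export to run it for real; anything reported as `dangling` should have its CNAME removed or the resource re-created.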

Link: http://feedproxy.google.com/~r/PentestTools/~3/bCpPqZo0iAg/takeover-subdomain-takeover.html