DNS Scanning/Enumeration - Mapping the Site

Attack Surface Mapping and Asset Discovery

The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.

Project Discovery Suite
Collection of open source tools for attack surface management or bug bounties.
  • nuclei - Fast and customizable vulnerability scanner based on a simple YAML-based DSL.
  • subfinder - A subdomain discovery tool that discovers valid subdomains for websites. Designed as a passive framework to be useful for bug bounties and safe for penetration testing.
  • naabu - A fast port scanner written in Go with a focus on reliability and simplicity. Designed to be used in combination with other tools for attack surface discovery in bug bounties and pentests.
  • httpx - A fast and multi-purpose HTTP toolkit that runs multiple probers using the retryablehttp library. It is designed to maintain result reliability with increased threads.
  • proxify - Swiss Army knife proxy tool for HTTP/HTTPS traffic capture, manipulation, and replay on the go.
  • dnsx - A fast and multi-purpose DNS toolkit that runs multiple DNS queries of your choice with a list of user-supplied resolvers.

Web Content Discovery
  • Photon - Incredibly fast crawler designed for OSINT.
  • URLgrab - A Golang utility to spider through a website searching for additional links.
  • hakrawler - Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application. Also built by the legendary Hakluke.
  • gospider - A fast web spider written in Go.
  • filebuster - Filebuster is an HTTP fuzzer / content discovery script with loads of features, built to be easy to use and fast. It uses one of the fastest HTTP classes in the world (of Perl), Furl::HTTP. The thread modelling is also optimized to run as fast as possible.
  • feroxbuster - feroxbuster is a tool designed to perform Forced Browsing. Forced browsing is an attack where the aim is to enumerate and access resources that are not referenced by the web application, but are still accessible by an attacker.

Other Tools
  • Intrigue - Intrigue Core is a framework for discovering attack surface. It discovers security-relevant assets and exposures within the context of projects and can be used with a human-in-the-loop running individual tasks, and/or automated through the use of workflows.
  • Odin - ODIN is a Python tool for automating intelligence gathering, asset discovery, and reporting.
  • AttackSurfaceMapper - AttackSurfaceMapper (ASM) is a reconnaissance tool that uses a mixture of open source intelligence and active techniques to expand the attack surface of your target. You feed in a mixture of one or more domains, subdomains and IP addresses and it uses numerous techniques to find more targets.
  • Goby - Goby is a new generation network security assessment tool. It can efficiently and practically scan vulnerabilities while sorting out the most complete attack surface information for a target enterprise.
  • Asnip - Asnip retrieves all IPs of a target organization, for use in attack surface mapping during reconnaissance phases.
  • https://securitytrails.com/ - Powerful tools for third-party risk, attack surface management, and total intel.
  • https://www.whoisxmlapi.com/ - Domain & IP data intelligence for greater enterprise security.
  • https://www.riskiq.com/ - RiskIQ Digital Footprint gives complete visibility beyond the firewall. Unlike scanners and IP-dependent data vendors, RiskIQ Digital Footprint is the only solution with composite intelligence, code-level discovery and automated threat detection and exposure monitoring: security intelligence mapped to your attack surface.
  • https://dehashed.com/ - Scan a domain for indicators found in breaches.
  • https://github.com/hakluke/hakcertstream - Use CertStream to get lists of new domains and subdomains registered with a certificate authority.
  • https://github.com/ayoubfathi/leaky-paths - A collection of special paths linked to major web CVEs, known misconfigurations, juicy APIs, etc. It can be used as part of web content discovery to scan passively for high-quality endpoints and quick wins.


Enumeration Tools
  • dnsdumpster - A tool to perform DNS reconnaissance on target networks. The DNS information it gathers includes subdomains, MX records, web application firewall detection, and more fingerprinting and lookups.
  • DNSRecon - The original DNS recon script.
  • dnscan - dnscan is a Python wordlist-based DNS subdomain scanner.
  • dnsenum - Dnsenum is a multithreaded Perl script to enumerate DNS information of a domain and to discover non-contiguous IP blocks.
  • dnsmap - dnsmap scans a domain for common subdomains using a built-in or an external wordlist.
  • dnstracer - Determines where a given Domain Name Server (DNS) gets its information from for a given hostname, and follows the chain of DNS servers back to the authoritative answer.
  • Lepus - A tool for enumerating subdomains, checking for subdomain takeovers and performing port scans - and boy, is it fast!
  • Knock - Knockpy is a Python 3 tool designed to enumerate subdomains on a target domain through a dictionary attack.
  • HostileSubBruteForcer - Aggressive subdomain brute forcing tool written by Nahamsec.
  • altdns - A DNS recon tool that allows for the discovery of subdomains that conform to patterns.
  • assetfinder - A tool to find domains and subdomains potentially related to a given domain.
  • fierce - Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains. It’s really meant as a precursor to nmap, unicornscan, nessus, nikto, etc., since all of those require that you already know what IP space you are looking for.
  • cansina - A web content discovery application. It helps you make requests and filter and inspect the responses to tell whether a resource exists or is just an annoying or disguised 404.
  • Sublist3r - Sublist3r is a Python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS. This tool can do both scraping and brute forcing, which makes it a nice combined tool. The downside, however, is that the wordlist cannot be specified.
  • dnsx - A fast and multi-purpose DNS toolkit that runs multiple DNS queries of your choice with a list of user-supplied resolvers.
  • massdns - A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration).
    • Because of the number of requests sent, use a list of resolvers so the connection does not get banned. More on rate limiting here: https://github.com/blechschmidt/massdns#rate-limiting-evasion
    • shuffledns - MassDNS wrapper written in Go that allows you to enumerate valid subdomains using active bruteforce as well as resolve subdomains with wildcard handling and easy input-output support.
  • SubDomainizer - A tool to find subdomains and interesting things hidden inside external JavaScript files of a page, folder, and GitHub.
  • shosubgo - Small tool to grab subdomains using the Shodan API.
  • zdns - Fast CLI DNS lookup tool.
  • aiodnsbrute - A Python 3.5+ tool that uses asyncio to brute force domain names asynchronously. This is a bruteforcer with insane speed and a very large number of built-in wordlists. Use a list of resolvers with it.
  • Altdns - Altdns is a DNS recon tool that allows for the discovery of subdomains that conform to patterns. Altdns takes in words that could be present in subdomains under a domain (such as test, dev, staging), as well as a list of known subdomains.
  • Findomain - Findomain offers a dedicated monitoring service hosted in Amazon (only the local version is free) that allows you to monitor your target domains and send alerts to Discord and Slack webhooks or Telegram chats when new subdomains are found.
  • Dome - Fast and reliable Python script that performs active and/or passive scans to obtain subdomains and search for open ports.

Subdomain Fly Over
Visually parse and fly through subdomains looking for anything fun and interesting.
  • Aquatone - Aquatone is a tool for visual inspection of websites across a large number of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.
  • EyeWitness - EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
  • Meg - Meg is a tool for fetching lots of URLs without taking a toll on the servers. It can be used to fetch many paths for many hosts, or to fetch a single path for all hosts before moving on to the next path and repeating.

Subdomain Takeover
  • TKO-subs - A tool that can help detect and take over subdomains with dead DNS records.
  • Subjack - Subjack is a subdomain takeover tool written in Go designed to scan a list of subdomains concurrently and identify ones that are able to be hijacked.
  • Second-Order - Scans web applications for second-order subdomain takeover by crawling the app and collecting URLs (and other data) that match some specific rules, or respond in a specific way.
  • dnstake - A fast tool to check for missing hosted DNS zones that can lead to subdomain takeover.

Subdomain Wordlist

Directory Enumeration

Go Buster

Directory/File, DNS and VHost busting tool written in Go. https://www.kali.org/tools/gobuster/
The commands below use the gobuster 2.x flag style; gobuster 3.x expects a mode subcommand such as dir before the flags. <target-url> is a placeholder for the URL of the site being assessed.

Gobuster quick directory busting
gobuster -u <target-url> -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux

Gobuster comprehensive directory busting
gobuster -s 200,204,301,302,307,403 -u <target-url> -w /usr/share/seclists/Discovery/Web_Content/big.txt -t 80 -a 'Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0'

Gobuster search with file extension
gobuster -u <target-url> -w /usr/share/seclists/Discovery/Web_Content/common.txt -t 80 -a Linux -x .txt,.php

Other Tools