rtexit-method 0.1.0 → 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +2 -5
- package/packaged-assets/.agents/skills/rt-active-recon/SKILL.md +767 -0
- package/packaged-assets/.agents/skills/rt-active-recon/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-agent-breaker/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-breaker/customize.toml +76 -0
- package/packaged-assets/.agents/skills/rt-agent-commander/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-agent-commander/customize.toml +67 -0
- package/packaged-assets/.agents/skills/rt-agent-ghost/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-ghost/customize.toml +77 -0
- package/packaged-assets/.agents/skills/rt-agent-navigator/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-navigator/customize.toml +61 -0
- package/packaged-assets/.agents/skills/rt-agent-phantom/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-phantom/customize.toml +62 -0
- package/packaged-assets/.agents/skills/rt-agent-scout/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-scout/customize.toml +61 -0
- package/packaged-assets/.agents/skills/rt-agent-scribe/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-scribe/customize.toml +77 -0
- package/packaged-assets/.agents/skills/rt-attack-chain-builder/SKILL.md +476 -0
- package/packaged-assets/.agents/skills/rt-attack-chain-builder/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-attack-surface-map/SKILL.md +1209 -0
- package/packaged-assets/.agents/skills/rt-attack-surface-map/template.md +62 -0
- package/packaged-assets/.agents/skills/rt-autodoc/SKILL.md +258 -0
- package/packaged-assets/.agents/skills/rt-c2-operations/SKILL.md +1072 -0
- package/packaged-assets/.agents/skills/rt-c2-operations/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-compliance-mapper/SKILL.md +773 -0
- package/packaged-assets/.agents/skills/rt-create-sead/SKILL.md +74 -0
- package/packaged-assets/.agents/skills/rt-create-sead/template.md +89 -0
- package/packaged-assets/.agents/skills/rt-create-sead/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-credential-access/SKILL.md +756 -0
- package/packaged-assets/.agents/skills/rt-credential-hunt/SKILL.md +856 -0
- package/packaged-assets/.agents/skills/rt-credential-hunt/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-cvss-calculator/SKILL.md +542 -0
- package/packaged-assets/.agents/skills/rt-cvss-calculator/cvss4-matrix.csv +20 -0
- package/packaged-assets/.agents/skills/rt-data-exfiltration/SKILL.md +784 -0
- package/packaged-assets/.agents/skills/rt-defense-evasion/SKILL.md +987 -0
- package/packaged-assets/.agents/skills/rt-evidence-chain/SKILL.md +712 -0
- package/packaged-assets/.agents/skills/rt-evidence-chain/template.md +31 -0
- package/packaged-assets/.agents/skills/rt-executive-report/SKILL.md +718 -0
- package/packaged-assets/.agents/skills/rt-executive-report/template.md +38 -0
- package/packaged-assets/.agents/skills/rt-executive-report/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/SKILL.md +1078 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/ad-checklist.csv +12 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/SKILL.md +1329 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/masvs-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-api/SKILL.md +1547 -0
- package/packaged-assets/.agents/skills/rt-exploit-api/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-auth/SKILL.md +1949 -0
- package/packaged-assets/.agents/skills/rt-exploit-auth/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-bec/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-aws/SKILL.md +865 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-aws/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-azure/SKILL.md +1258 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-gcp/SKILL.md +981 -0
- package/packaged-assets/.agents/skills/rt-exploit-containers/SKILL.md +55 -0
- package/packaged-assets/.agents/skills/rt-exploit-databases/SKILL.md +1374 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-mac/SKILL.md +834 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-win/SKILL.md +903 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-win/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-dotnet/SKILL.md +945 -0
- package/packaged-assets/.agents/skills/rt-exploit-elasticsearch/SKILL.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-electron/SKILL.md +1023 -0
- package/packaged-assets/.agents/skills/rt-exploit-electron/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/SKILL.md +1576 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/payloads/README.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-firebase/SKILL.md +54 -0
- package/packaged-assets/.agents/skills/rt-exploit-frameworks/SKILL.md +967 -0
- package/packaged-assets/.agents/skills/rt-exploit-idor/SKILL.md +1693 -0
- package/packaged-assets/.agents/skills/rt-exploit-idor/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/SKILL.md +1860 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/payloads/sqlmap-tampers.txt +22 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-ios/SKILL.md +1214 -0
- package/packaged-assets/.agents/skills/rt-exploit-ios/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-iot/SKILL.md +91 -0
- package/packaged-assets/.agents/skills/rt-exploit-iot/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-java/SKILL.md +1009 -0
- package/packaged-assets/.agents/skills/rt-exploit-jwt/SKILL.md +1327 -0
- package/packaged-assets/.agents/skills/rt-exploit-jwt/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-mongodb/SKILL.md +67 -0
- package/packaged-assets/.agents/skills/rt-exploit-mssql/SKILL.md +52 -0
- package/packaged-assets/.agents/skills/rt-exploit-mysql/SKILL.md +53 -0
- package/packaged-assets/.agents/skills/rt-exploit-network/SKILL.md +118 -0
- package/packaged-assets/.agents/skills/rt-exploit-network/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-nodejs/SKILL.md +852 -0
- package/packaged-assets/.agents/skills/rt-exploit-osticket/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/SKILL.md +173 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/templates/README.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-php/SKILL.md +1119 -0
- package/packaged-assets/.agents/skills/rt-exploit-physical/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-exploit-physical/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-postgresql/SKILL.md +67 -0
- package/packaged-assets/.agents/skills/rt-exploit-python/SKILL.md +986 -0
- package/packaged-assets/.agents/skills/rt-exploit-redis/SKILL.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-ruby/SKILL.md +61 -0
- package/packaged-assets/.agents/skills/rt-exploit-scada/SKILL.md +1091 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/SKILL.md +1528 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/payloads.txt +23 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-vishing/SKILL.md +121 -0
- package/packaged-assets/.agents/skills/rt-exploit-vishing/scripts.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/SKILL.md +1902 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/owasp-checklist.csv +14 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-wireless/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/SKILL.md +1565 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/cves.csv +7 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/SKILL.md +1526 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/payloads.txt +18 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-finding-document/SKILL.md +687 -0
- package/packaged-assets/.agents/skills/rt-finding-document/template.md +71 -0
- package/packaged-assets/.agents/skills/rt-finding-document/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-finding-tracker/SKILL.md +216 -0
- package/packaged-assets/.agents/skills/rt-finding-tracker/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-help/SKILL.md +292 -0
- package/packaged-assets/.agents/skills/rt-help/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/SKILL.md +639 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/patterns.txt +27 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-kill-chain-map/SKILL.md +393 -0
- package/packaged-assets/.agents/skills/rt-lateral-movement/SKILL.md +1032 -0
- package/packaged-assets/.agents/skills/rt-lateral-movement/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/frameworks.csv +10 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/SKILL.md +668 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/tactics.csv +16 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-osint/SKILL.md +775 -0
- package/packaged-assets/.agents/skills/rt-osint/osint-sources.csv +12 -0
- package/packaged-assets/.agents/skills/rt-osint/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-party-mode/SKILL.md +249 -0
- package/packaged-assets/.agents/skills/rt-party-mode/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-persistence/SKILL.md +1146 -0
- package/packaged-assets/.agents/skills/rt-persistence/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-poc-writer/SKILL.md +640 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/SKILL.md +998 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/linux-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/windows-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/SKILL.md +1027 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/linux-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/win-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-remediation-roadmap/SKILL.md +665 -0
- package/packaged-assets/.agents/skills/rt-remediation-roadmap/template.md +28 -0
- package/packaged-assets/.agents/skills/rt-risk-matrix/SKILL.md +232 -0
- package/packaged-assets/.agents/skills/rt-rules-of-engagement/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-rules-of-engagement/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-scenario-c001/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c002/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-scenario-c003/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c004/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c005/SKILL.md +72 -0
- package/packaged-assets/.agents/skills/rt-scenario-d001/SKILL.md +378 -0
- package/packaged-assets/.agents/skills/rt-scenario-d002/SKILL.md +392 -0
- package/packaged-assets/.agents/skills/rt-scenario-d003/SKILL.md +522 -0
- package/packaged-assets/.agents/skills/rt-scenario-d004/SKILL.md +373 -0
- package/packaged-assets/.agents/skills/rt-scenario-d005/SKILL.md +458 -0
- package/packaged-assets/.agents/skills/rt-scenario-library/SKILL.md +292 -0
- package/packaged-assets/.agents/skills/rt-scenario-library/scenarios.csv +32 -0
- package/packaged-assets/.agents/skills/rt-scenario-m001/SKILL.md +796 -0
- package/packaged-assets/.agents/skills/rt-scenario-m002/SKILL.md +723 -0
- package/packaged-assets/.agents/skills/rt-scenario-m003/SKILL.md +463 -0
- package/packaged-assets/.agents/skills/rt-scenario-m004/SKILL.md +449 -0
- package/packaged-assets/.agents/skills/rt-scenario-m005/SKILL.md +505 -0
- package/packaged-assets/.agents/skills/rt-scenario-n001/SKILL.md +573 -0
- package/packaged-assets/.agents/skills/rt-scenario-n002/SKILL.md +112 -0
- package/packaged-assets/.agents/skills/rt-scenario-n003/SKILL.md +100 -0
- package/packaged-assets/.agents/skills/rt-scenario-n004/SKILL.md +90 -0
- package/packaged-assets/.agents/skills/rt-scenario-n005/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-w001/SKILL.md +635 -0
- package/packaged-assets/.agents/skills/rt-scenario-w002/SKILL.md +612 -0
- package/packaged-assets/.agents/skills/rt-scenario-w003/SKILL.md +449 -0
- package/packaged-assets/.agents/skills/rt-scenario-w004/SKILL.md +648 -0
- package/packaged-assets/.agents/skills/rt-scenario-w005/SKILL.md +479 -0
- package/packaged-assets/.agents/skills/rt-scenario-w006/SKILL.md +443 -0
- package/packaged-assets/.agents/skills/rt-scenario-w007/SKILL.md +494 -0
- package/packaged-assets/.agents/skills/rt-scenario-w008/SKILL.md +576 -0
- package/packaged-assets/.agents/skills/rt-scenario-w009/SKILL.md +518 -0
- package/packaged-assets/.agents/skills/rt-scenario-w010/SKILL.md +574 -0
- package/packaged-assets/.agents/skills/rt-scope-definition/SKILL.md +79 -0
- package/packaged-assets/.agents/skills/rt-scope-definition/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-shodan-recon/SKILL.md +880 -0
- package/packaged-assets/.agents/skills/rt-status/SKILL.md +64 -0
- package/packaged-assets/.agents/skills/rt-subdomain-enum/SKILL.md +906 -0
- package/packaged-assets/.agents/skills/rt-subdomain-enum/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-technical-report/SKILL.md +710 -0
- package/packaged-assets/.agents/skills/rt-technical-report/template.md +41 -0
- package/packaged-assets/.agents/skills/rt-technical-report/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-threat-model/SKILL.md +59 -0
- package/packaged-assets/.agents/skills/rt-threat-model/template.md +32 -0
- package/packaged-assets/.agents/skills/rt-threat-model/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-timeline/SKILL.md +338 -0
- package/packaged-assets/RTEXIT.md +127 -0
- package/tools/installer/lib/asset-manifest.js +10 -5
- package/tools/installer/lib/copy-assets.js +5 -2
- /package/{_rtexit → packaged-assets/_rtexit}/config.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/config.user.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/custom/config.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/autodoc_engine.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/finding_tracker.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/resolve_config.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/resolve_customization.py +0 -0
- /package/{resources → packaged-assets/resources}/certifications.md +0 -0
- /package/{resources → packaged-assets/resources}/payloads.md +0 -0
- /package/{resources → packaged-assets/resources}/tools.md +0 -0
- /package/{resources → packaged-assets/resources}/wordlists.md +0 -0
- /package/{templates → packaged-assets/templates}/attack-chain-template.md +0 -0
- /package/{templates → packaged-assets/templates}/executive-report-template.md +0 -0
- /package/{templates → packaged-assets/templates}/executive-report.md +0 -0
- /package/{templates → packaged-assets/templates}/finding-template.md +0 -0
- /package/{templates → packaged-assets/templates}/remediation-roadmap.md +0 -0
- /package/{templates → packaged-assets/templates}/sead-template.md +0 -0
- /package/{templates → packaged-assets/templates}/technical-report.md +0 -0
|
@@ -0,0 +1,906 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: rt-subdomain-enum
|
|
3
|
+
description: "Subdomain enumeration skill. Use to discover all subdomains using passive (crt.sh, Subfinder, Amass passive, SecurityTrails) and active (DNS brute force, permutation) techniques. Output: alive subdomains with HTTP status codes and tech stack. Feeds rt-attack-surface-map. Tools: subfinder, amass, gobuster, httpx, subjack."
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# rt-subdomain-enum — Subdomain Enumeration Skill
|
|
7
|
+
|
|
8
|
+
## Overview
|
|
9
|
+
|
|
10
|
+
Subdomain enumeration is the first active recon phase in any external red team engagement. The goal is to map every resolvable hostname belonging to the target organization before any exploitation begins. A missed subdomain is a missed attack path — forgotten staging servers, unpatched admin panels, and legacy APIs all live here.
|
|
11
|
+
|
|
12
|
+
This skill covers:
|
|
13
|
+
- **Passive enumeration** — querying public data sources without touching the target (crt.sh, Subfinder, Amass passive, SecurityTrails, VirusTotal, DNSdumpster)
|
|
14
|
+
- **Active enumeration** — direct DNS queries: brute-force, permutation/alteration, zone transfer attempts
|
|
15
|
+
- **HTTP probing** — resolving which discovered hosts are actually alive, their status codes, titles, and technology fingerprints
|
|
16
|
+
- **Takeover screening** — checking for dangling CNAMEs that may be vulnerable to subdomain takeover
|
|
17
|
+
|
|
18
|
+
Output feeds directly into `rt-attack-surface-map` for prioritization and attack planning.
|
|
19
|
+
|
|
20
|
+
---
|
|
21
|
+
|
|
22
|
+
## Skill Levels
|
|
23
|
+
|
|
24
|
+
### BEGINNER
|
|
25
|
+
|
|
26
|
+
Entry-level operators focus on passive-only sources. No active DNS queries. Safe to run against any target in scope without notifying the client.
|
|
27
|
+
|
|
28
|
+
```bash
|
|
29
|
+
# 1. Certificate Transparency logs via crt.sh (no tooling required)
|
|
30
|
+
TARGET="example.com"
|
|
31
|
+
curl -s "https://crt.sh/?q=%25.${TARGET}&output=json" \
|
|
32
|
+
| jq -r '.[].name_value' \
|
|
33
|
+
| sed 's/\*\.//g' \
|
|
34
|
+
| sort -u > passive_crt.txt
|
|
35
|
+
|
|
36
|
+
# 2. Subfinder — passive only, default sources
|
|
37
|
+
subfinder -d "${TARGET}" -o subfinder_passive.txt -v
|
|
38
|
+
|
|
39
|
+
# 3. Combine and deduplicate
|
|
40
|
+
cat passive_crt.txt subfinder_passive.txt | sort -u > passive_combined.txt
|
|
41
|
+
echo "[*] Unique passive subdomains: $(wc -l < passive_combined.txt)"
|
|
42
|
+
|
|
43
|
+
# 4. Probe which ones are alive
|
|
44
|
+
cat passive_combined.txt | httpx -silent -status-code -title -o alive_passive.txt
|
|
45
|
+
```
|
|
46
|
+
|
|
47
|
+
**Expected output:** A deduplicated list of subdomains with HTTP status codes and page titles.
|
|
48
|
+
|
|
49
|
+
---
|
|
50
|
+
|
|
51
|
+
### INTERMEDIATE
|
|
52
|
+
|
|
53
|
+
Operators add active brute-force DNS enumeration using curated wordlists, and run Amass in passive mode for additional OSINT sources.
|
|
54
|
+
|
|
55
|
+
```bash
|
|
56
|
+
TARGET="example.com"
|
|
57
|
+
WORDLIST="/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt"
|
|
58
|
+
OUTPUT_DIR="./recon/${TARGET}/subdomains"
|
|
59
|
+
mkdir -p "${OUTPUT_DIR}"
|
|
60
|
+
|
|
61
|
+
# 1. Amass passive — mines ASNs, WHOIS, CT logs, APIs
|
|
62
|
+
amass enum -passive -d "${TARGET}" -o "${OUTPUT_DIR}/amass_passive.txt" -config ~/.config/amass/config.ini
|
|
63
|
+
|
|
64
|
+
# 2. Subfinder with all sources
|
|
65
|
+
subfinder -d "${TARGET}" -all -o "${OUTPUT_DIR}/subfinder_all.txt" -v
|
|
66
|
+
|
|
67
|
+
# 3. Certificate transparency
|
|
68
|
+
curl -s "https://crt.sh/?q=%25.${TARGET}&output=json" \
|
|
69
|
+
| jq -r '.[].name_value' \
|
|
70
|
+
| sed 's/\*\.//g' \
|
|
71
|
+
| sort -u > "${OUTPUT_DIR}/crt_sh.txt"
|
|
72
|
+
|
|
73
|
+
# 4. Active DNS brute-force with gobuster
|
|
74
|
+
gobuster dns -d "${TARGET}" \
|
|
75
|
+
-w "${WORDLIST}" \
|
|
76
|
+
-t 50 \
|
|
77
|
+
--timeout 5s \
|
|
78
|
+
-o "${OUTPUT_DIR}/gobuster_dns.txt"
|
|
79
|
+
|
|
80
|
+
# 5. Merge all results
|
|
81
|
+
cat "${OUTPUT_DIR}"/*.txt | sort -u > "${OUTPUT_DIR}/all_subdomains.txt"
|
|
82
|
+
echo "[*] Total unique subdomains: $(wc -l < "${OUTPUT_DIR}/all_subdomains.txt")"
|
|
83
|
+
|
|
84
|
+
# 6. Probe alive hosts — full detail
|
|
85
|
+
cat "${OUTPUT_DIR}/all_subdomains.txt" | httpx \
|
|
86
|
+
-silent \
|
|
87
|
+
-status-code \
|
|
88
|
+
-title \
|
|
89
|
+
-tech-detect \
|
|
90
|
+
-content-length \
|
|
91
|
+
-web-server \
|
|
92
|
+
-o "${OUTPUT_DIR}/alive_hosts.txt"
|
|
93
|
+
```
|
|
94
|
+
|
|
95
|
+
---
|
|
96
|
+
|
|
97
|
+
### ADVANCED
|
|
98
|
+
|
|
99
|
+
Full active enumeration with permutation fuzzing, wildcard detection, DNS record harvesting, and takeover screening. Uses larger wordlists and parallelism.
|
|
100
|
+
|
|
101
|
+
```bash
|
|
102
|
+
TARGET="example.com"
|
|
103
|
+
WORDLIST_LARGE="/usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt"
|
|
104
|
+
OUTPUT_DIR="./recon/${TARGET}/subdomains"
|
|
105
|
+
mkdir -p "${OUTPUT_DIR}"
|
|
106
|
+
|
|
107
|
+
# 1. Full passive sweep (parallel)
|
|
108
|
+
subfinder -d "${TARGET}" -all -o "${OUTPUT_DIR}/subfinder.txt" -v &
|
|
109
|
+
amass enum -passive -d "${TARGET}" -o "${OUTPUT_DIR}/amass.txt" &
|
|
110
|
+
curl -s "https://crt.sh/?q=%25.${TARGET}&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u > "${OUTPUT_DIR}/crt.txt" &
|
|
111
|
+
wait
|
|
112
|
+
|
|
113
|
+
# 2. Merge passive
|
|
114
|
+
cat "${OUTPUT_DIR}/subfinder.txt" "${OUTPUT_DIR}/amass.txt" "${OUTPUT_DIR}/crt.txt" \
|
|
115
|
+
| sort -u > "${OUTPUT_DIR}/passive_merged.txt"
|
|
116
|
+
|
|
117
|
+
# 3. Active brute-force with large wordlist
|
|
118
|
+
gobuster dns -d "${TARGET}" \
|
|
119
|
+
-w "${WORDLIST_LARGE}" \
|
|
120
|
+
-t 100 \
|
|
121
|
+
--timeout 3s \
|
|
122
|
+
-o "${OUTPUT_DIR}/gobuster_large.txt"
|
|
123
|
+
|
|
124
|
+
# 4. Permutation/alteration enumeration with altdns
|
|
125
|
+
# Generate mutations from known subdomains
|
|
126
|
+
altdns -i "${OUTPUT_DIR}/passive_merged.txt" \
|
|
127
|
+
-o "${OUTPUT_DIR}/altdns_mutations.txt" \
|
|
128
|
+
-w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
|
|
129
|
+
|
|
130
|
+
# Resolve mutations that actually exist
|
|
131
|
+
puredns resolve "${OUTPUT_DIR}/altdns_mutations.txt" \
|
|
132
|
+
--resolvers /opt/resolvers/resolvers.txt \
|
|
133
|
+
-w "${OUTPUT_DIR}/altdns_resolved.txt"
|
|
134
|
+
|
|
135
|
+
# 5. Merge everything
|
|
136
|
+
cat "${OUTPUT_DIR}"/*.txt | sort -u > "${OUTPUT_DIR}/all_subdomains.txt"
|
|
137
|
+
|
|
138
|
+
# 6. Wildcard detection — puredns handles this automatically
|
|
139
|
+
puredns bruteforce "${WORDLIST_LARGE}" "${TARGET}" \
|
|
140
|
+
--resolvers /opt/resolvers/resolvers.txt \
|
|
141
|
+
-w "${OUTPUT_DIR}/puredns_brute.txt"
|
|
142
|
+
|
|
143
|
+
# 7. HTTP probe — full fingerprint
|
|
144
|
+
cat "${OUTPUT_DIR}/all_subdomains.txt" | httpx \
|
|
145
|
+
-silent \
|
|
146
|
+
-status-code \
|
|
147
|
+
-title \
|
|
148
|
+
-tech-detect \
|
|
149
|
+
-content-length \
|
|
150
|
+
-web-server \
|
|
151
|
+
-ip \
|
|
152
|
+
-cname \
|
|
153
|
+
-cdn \
|
|
154
|
+
-json \
|
|
155
|
+
-o "${OUTPUT_DIR}/alive_full.json"
|
|
156
|
+
|
|
157
|
+
# 8. Extract clean alive list for downstream tools
|
|
158
|
+
cat "${OUTPUT_DIR}/alive_full.json" | jq -r '.url' > "${OUTPUT_DIR}/alive_urls.txt"
|
|
159
|
+
|
|
160
|
+
# 9. Subdomain takeover screening
|
|
161
|
+
subjack -w "${OUTPUT_DIR}/all_subdomains.txt" \
|
|
162
|
+
-t 50 \
|
|
163
|
+
-timeout 30 \
|
|
164
|
+
-o "${OUTPUT_DIR}/takeover_candidates.txt" \
|
|
165
|
+
-ssl \
|
|
166
|
+
-c /usr/share/subjack/fingerprints.json
|
|
167
|
+
```
|
|
168
|
+
|
|
169
|
+
---
|
|
170
|
+
|
|
171
|
+
### EXPERT
|
|
172
|
+
|
|
173
|
+
Full-spectrum enumeration with custom DNS resolvers, ASN-based pivoting, Amass active mode (AXFR, brute, scraping), SecurityTrails API, VHost discovery, and automated RTExit autodoc integration.
|
|
174
|
+
|
|
175
|
+
```bash
|
|
176
|
+
TARGET="example.com"
|
|
177
|
+
TARGET_ASN="AS12345"
|
|
178
|
+
OUTPUT_DIR="./recon/${TARGET}/subdomains"
|
|
179
|
+
RESOLVERS="/opt/resolvers/public_resolvers.txt"
|
|
180
|
+
SECTRAILS_API="YOUR_SECTRAILS_API_KEY"
|
|
181
|
+
mkdir -p "${OUTPUT_DIR}"/{passive,active,probe,takeover,vhost}
|
|
182
|
+
|
|
183
|
+
#########################################
|
|
184
|
+
# PHASE 1: PASSIVE ENUMERATION
|
|
185
|
+
#########################################
|
|
186
|
+
|
|
187
|
+
# SecurityTrails API
|
|
188
|
+
curl -s --request GET \
|
|
189
|
+
--url "https://api.securitytrails.com/v1/domain/${TARGET}/subdomains" \
|
|
190
|
+
--header "APIKEY: ${SECTRAILS_API}" \
|
|
191
|
+
| jq -r '.subdomains[]' \
|
|
192
|
+
| sed "s/$/.${TARGET}/" \
|
|
193
|
+
> "${OUTPUT_DIR}/passive/securitytrails.txt"
|
|
194
|
+
|
|
195
|
+
# VirusTotal passive DNS
|
|
196
|
+
curl -s "https://www.virustotal.com/vtapi/v2/domain/report?apikey=${VT_API_KEY}&domain=${TARGET}" \
|
|
197
|
+
| jq -r '.subdomains[]?' \
|
|
198
|
+
>> "${OUTPUT_DIR}/passive/virustotal.txt"
|
|
199
|
+
|
|
200
|
+
# Subfinder all sources
|
|
201
|
+
subfinder -d "${TARGET}" -all -o "${OUTPUT_DIR}/passive/subfinder.txt" -v
|
|
202
|
+
|
|
203
|
+
# Amass passive with config (API keys configured in ~/.config/amass/config.ini)
|
|
204
|
+
amass enum -passive -d "${TARGET}" \
|
|
205
|
+
-o "${OUTPUT_DIR}/passive/amass_passive.txt" \
|
|
206
|
+
-config ~/.config/amass/config.ini \
|
|
207
|
+
-json "${OUTPUT_DIR}/passive/amass_passive.json"
|
|
208
|
+
|
|
209
|
+
# Certificate Transparency
|
|
210
|
+
curl -s "https://crt.sh/?q=%25.${TARGET}&output=json" \
|
|
211
|
+
| jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u \
|
|
212
|
+
> "${OUTPUT_DIR}/passive/crt_sh.txt"
|
|
213
|
+
|
|
214
|
+
# DNSdumpster (scrape — use with caution, rate-limit applies)
|
|
215
|
+
python3 /opt/tools/dnsdumpster/dnsdumpster.py "${TARGET}" \
|
|
216
|
+
> "${OUTPUT_DIR}/passive/dnsdumpster.txt" 2>/dev/null
|
|
217
|
+
|
|
218
|
+
# Merge passive
|
|
219
|
+
cat "${OUTPUT_DIR}/passive/"*.txt | sort -u \
|
|
220
|
+
> "${OUTPUT_DIR}/passive/merged.txt"
|
|
221
|
+
echo "[PASSIVE] Unique subdomains: $(wc -l < "${OUTPUT_DIR}/passive/merged.txt")"
|
|
222
|
+
|
|
223
|
+
#########################################
|
|
224
|
+
# PHASE 2: ACTIVE ENUMERATION
|
|
225
|
+
#########################################
|
|
226
|
+
|
|
227
|
+
# Zone transfer attempt against all NS records
|
|
228
|
+
for NS in $(dig +short NS "${TARGET}"); do
|
|
229
|
+
echo "[*] Trying AXFR on ${NS}"
|
|
230
|
+
dig AXFR "${TARGET}" "@${NS}" >> "${OUTPUT_DIR}/active/axfr_attempt.txt" 2>&1
|
|
231
|
+
done
|
|
232
|
+
|
|
233
|
+
# Amass active (brute + scrape + AXFR)
|
|
234
|
+
amass enum -active -brute -d "${TARGET}" \
|
|
235
|
+
-w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt \
|
|
236
|
+
-o "${OUTPUT_DIR}/active/amass_active.txt" \
|
|
237
|
+
-config ~/.config/amass/config.ini \
|
|
238
|
+
-json "${OUTPUT_DIR}/active/amass_active.json" \
|
|
239
|
+
-p 80,443,8080,8443
|
|
240
|
+
|
|
241
|
+
# Puredns brute-force (wildcard-aware, fast)
|
|
242
|
+
puredns bruteforce \
|
|
243
|
+
/usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt \
|
|
244
|
+
"${TARGET}" \
|
|
245
|
+
--resolvers "${RESOLVERS}" \
|
|
246
|
+
--resolvers-trusted /opt/resolvers/trusted_resolvers.txt \
|
|
247
|
+
-w "${OUTPUT_DIR}/active/puredns_brute.txt"
|
|
248
|
+
|
|
249
|
+
# Permutation with DNSx + altdns
|
|
250
|
+
altdns -i "${OUTPUT_DIR}/passive/merged.txt" \
|
|
251
|
+
-o "${OUTPUT_DIR}/active/altdns_wordlist.txt" \
|
|
252
|
+
-w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
|
|
253
|
+
|
|
254
|
+
dnsx -l "${OUTPUT_DIR}/active/altdns_wordlist.txt" \
|
|
255
|
+
-r "${RESOLVERS}" \
|
|
256
|
+
-silent \
|
|
257
|
+
-a -cname \
|
|
258
|
+
-o "${OUTPUT_DIR}/active/dnsx_permutations.txt"
|
|
259
|
+
|
|
260
|
+
# Gobuster DNS with Jhaddix list
|
|
261
|
+
gobuster dns -d "${TARGET}" \
|
|
262
|
+
-w /usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt \
|
|
263
|
+
-t 150 \
|
|
264
|
+
--timeout 3s \
|
|
265
|
+
-o "${OUTPUT_DIR}/active/gobuster_jhaddix.txt"
|
|
266
|
+
|
|
267
|
+
# Merge active
|
|
268
|
+
cat "${OUTPUT_DIR}/active/"*.txt | grep -oP '[a-zA-Z0-9._-]+\.'"${TARGET}" \
|
|
269
|
+
| sort -u > "${OUTPUT_DIR}/active/merged.txt"
|
|
270
|
+
|
|
271
|
+
#########################################
|
|
272
|
+
# PHASE 3: RESOLVE + PROBE
|
|
273
|
+
#########################################
|
|
274
|
+
|
|
275
|
+
# Final dedup across passive + active
|
|
276
|
+
cat "${OUTPUT_DIR}/passive/merged.txt" "${OUTPUT_DIR}/active/merged.txt" \
|
|
277
|
+
| sort -u > "${OUTPUT_DIR}/all_subdomains.txt"
|
|
278
|
+
echo "[ALL] Total unique: $(wc -l < "${OUTPUT_DIR}/all_subdomains.txt")"
|
|
279
|
+
|
|
280
|
+
# Resolve with dnsx — get A, CNAME, MX, NS records
|
|
281
|
+
dnsx -l "${OUTPUT_DIR}/all_subdomains.txt" \
|
|
282
|
+
-r "${RESOLVERS}" \
|
|
283
|
+
-a -aaaa -cname -mx -ns -txt \
|
|
284
|
+
-resp \
|
|
285
|
+
-json \
|
|
286
|
+
-o "${OUTPUT_DIR}/probe/dns_records.json"
|
|
287
|
+
|
|
288
|
+
# Extract resolved hosts
|
|
289
|
+
cat "${OUTPUT_DIR}/probe/dns_records.json" \
|
|
290
|
+
| jq -r '.host' | sort -u \
|
|
291
|
+
> "${OUTPUT_DIR}/probe/resolved.txt"
|
|
292
|
+
|
|
293
|
+
# HTTP probe — full stack fingerprint
|
|
294
|
+
cat "${OUTPUT_DIR}/probe/resolved.txt" | httpx \
|
|
295
|
+
-silent \
|
|
296
|
+
-status-code \
|
|
297
|
+
-title \
|
|
298
|
+
-tech-detect \
|
|
299
|
+
-content-length \
|
|
300
|
+
-web-server \
|
|
301
|
+
-ip \
|
|
302
|
+
-cname \
|
|
303
|
+
-cdn \
|
|
304
|
+
-follow-redirects \
|
|
305
|
+
-random-agent \
|
|
306
|
+
-threads 50 \
|
|
307
|
+
-json \
|
|
308
|
+
-o "${OUTPUT_DIR}/probe/alive_full.json"
|
|
309
|
+
|
|
310
|
+
# Human-readable summary
|
|
311
|
+
cat "${OUTPUT_DIR}/probe/alive_full.json" \
|
|
312
|
+
| jq -r '[.url, .status_code, .title, .webserver] | @tsv' \
|
|
313
|
+
| column -t \
|
|
314
|
+
> "${OUTPUT_DIR}/probe/alive_summary.txt"
|
|
315
|
+
|
|
316
|
+
echo "[ALIVE] Hosts with HTTP response: $(wc -l < "${OUTPUT_DIR}/probe/alive_summary.txt")"
|
|
317
|
+
|
|
318
|
+
#########################################
|
|
319
|
+
# PHASE 4: VIRTUAL HOST DISCOVERY
|
|
320
|
+
#########################################
|
|
321
|
+
|
|
322
|
+
# Collect unique IPs from probe
|
|
323
|
+
cat "${OUTPUT_DIR}/probe/alive_full.json" \
|
|
324
|
+
| jq -r '.host' | sort -u \
|
|
325
|
+
> "${OUTPUT_DIR}/vhost/target_ips.txt"
|
|
326
|
+
|
|
327
|
+
# VHost brute-force with gobuster
|
|
328
|
+
while read -r IP; do
|
|
329
|
+
gobuster vhost \
|
|
330
|
+
-u "https://${IP}" \
|
|
331
|
+
-w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
|
|
332
|
+
--append-domain \
|
|
333
|
+
-t 40 \
|
|
334
|
+
-o "${OUTPUT_DIR}/vhost/vhost_${IP//./_}.txt" 2>/dev/null
|
|
335
|
+
done < "${OUTPUT_DIR}/vhost/target_ips.txt"
|
|
336
|
+
|
|
337
|
+
#########################################
|
|
338
|
+
# PHASE 5: TAKEOVER SCREENING
|
|
339
|
+
#########################################
|
|
340
|
+
|
|
341
|
+
subjack -w "${OUTPUT_DIR}/all_subdomains.txt" \
|
|
342
|
+
-t 100 \
|
|
343
|
+
-timeout 30 \
|
|
344
|
+
-o "${OUTPUT_DIR}/takeover/subjack_results.txt" \
|
|
345
|
+
-ssl \
|
|
346
|
+
-c /usr/share/subjack/fingerprints.json
|
|
347
|
+
|
|
348
|
+
# Also check with nuclei takeover templates
|
|
349
|
+
nuclei -l "${OUTPUT_DIR}/probe/alive_full.json" \
|
|
350
|
+
-t /opt/nuclei-templates/takeovers/ \
|
|
351
|
+
-o "${OUTPUT_DIR}/takeover/nuclei_takeover.txt" \
|
|
352
|
+
-silent
|
|
353
|
+
|
|
354
|
+
#########################################
|
|
355
|
+
# PHASE 6: AUTODOC INTEGRATION (RTExit)
|
|
356
|
+
#########################################
|
|
357
|
+
|
|
358
|
+
python3 /opt/rtexit/autodoc.py \
|
|
359
|
+
--skill rt-subdomain-enum \
|
|
360
|
+
--target "${TARGET}" \
|
|
361
|
+
--input "${OUTPUT_DIR}/probe/alive_full.json" \
|
|
362
|
+
--dns-records "${OUTPUT_DIR}/probe/dns_records.json" \
|
|
363
|
+
--takeover "${OUTPUT_DIR}/takeover/subjack_results.txt" \
|
|
364
|
+
--output "./reports/${TARGET}/subdomain_enum_$(date +%Y%m%d).md" \
|
|
365
|
+
--format markdown
|
|
366
|
+
|
|
367
|
+
echo "[DONE] Enumeration complete. Results in: ${OUTPUT_DIR}"
|
|
368
|
+
echo "[DONE] Report: ./reports/${TARGET}/subdomain_enum_$(date +%Y%m%d).md"
|
|
369
|
+
```
|
|
370
|
+
|
|
371
|
+
---
|
|
372
|
+
|
|
373
|
+
## Step-by-Step Workflow
|
|
374
|
+
|
|
375
|
+
### Step 1: Environment Setup
|
|
376
|
+
|
|
377
|
+
```bash
|
|
378
|
+
# Create engagement directory structure
|
|
379
|
+
TARGET="example.com"
|
|
380
|
+
ENGAGEMENT="ENG-2024-001"
|
|
381
|
+
mkdir -p ~/engagements/${ENGAGEMENT}/recon/${TARGET}/subdomains/{passive,active,probe,takeover,vhost}
|
|
382
|
+
cd ~/engagements/${ENGAGEMENT}
|
|
383
|
+
|
|
384
|
+
# Verify tools are installed
|
|
385
|
+
for tool in subfinder amass gobuster httpx subjack dnsx puredns altdns nuclei; do
|
|
386
|
+
command -v "${tool}" &>/dev/null \
|
|
387
|
+
&& echo "[OK] ${tool}" \
|
|
388
|
+
|| echo "[MISSING] ${tool} — install required"
|
|
389
|
+
done
|
|
390
|
+
```
|
|
391
|
+
|
|
392
|
+
### Step 2: Configure API Keys
|
|
393
|
+
|
|
394
|
+
API keys dramatically expand passive enumeration coverage. Store them in Amass and Subfinder config files so they are used automatically.
|
|
395
|
+
|
|
396
|
+
```bash
|
|
397
|
+
# Subfinder provider config (~/.config/subfinder/provider-config.yaml)
|
|
398
|
+
cat > ~/.config/subfinder/provider-config.yaml << 'EOF'
|
|
399
|
+
securitytrails:
|
|
400
|
+
- YOUR_SECURITYTRAILS_KEY
|
|
401
|
+
shodan:
|
|
402
|
+
- YOUR_SHODAN_KEY
|
|
403
|
+
censys:
|
|
404
|
+
- YOUR_CENSYS_API_ID:YOUR_CENSYS_SECRET
|
|
405
|
+
virustotal:
|
|
406
|
+
- YOUR_VT_KEY
|
|
407
|
+
chaos:
|
|
408
|
+
- YOUR_CHAOS_KEY
|
|
409
|
+
passivetotal:
|
|
410
|
+
- YOUR_PT_USERNAME:YOUR_PT_KEY
|
|
411
|
+
binaryedge:
|
|
412
|
+
- YOUR_BE_KEY
|
|
413
|
+
EOF
|
|
414
|
+
|
|
415
|
+
# Amass config (~/.config/amass/config.ini)
|
|
416
|
+
# See: https://github.com/owasp-amass/amass/blob/master/examples/config.ini
|
|
417
|
+
```
|
|
418
|
+
|
|
419
|
+
### Step 3: Passive Enumeration
|
|
420
|
+
|
|
421
|
+
```bash
|
|
422
|
+
TARGET="example.com"
|
|
423
|
+
OUTPUT="${HOME}/engagements/${ENGAGEMENT}/recon/${TARGET}/subdomains"
|
|
424
|
+
|
|
425
|
+
# Run passive tools
|
|
426
|
+
subfinder -d "${TARGET}" -all -o "${OUTPUT}/passive/subfinder.txt"
|
|
427
|
+
amass enum -passive -d "${TARGET}" -o "${OUTPUT}/passive/amass.txt"
|
|
428
|
+
curl -s "https://crt.sh/?q=%25.${TARGET}&output=json" \
|
|
429
|
+
| jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u \
|
|
430
|
+
> "${OUTPUT}/passive/crt.txt"
|
|
431
|
+
|
|
432
|
+
# Merge
|
|
433
|
+
cat "${OUTPUT}/passive/"*.txt | sort -u > "${OUTPUT}/passive/merged.txt"
|
|
434
|
+
echo "Passive total: $(wc -l < "${OUTPUT}/passive/merged.txt")"
|
|
435
|
+
```
|
|
436
|
+
|
|
437
|
+
### Step 4: Active DNS Brute-Force
|
|
438
|
+
|
|
439
|
+
```bash
|
|
440
|
+
# Small/fast first pass (5000 words)
|
|
441
|
+
puredns bruteforce \
|
|
442
|
+
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
|
|
443
|
+
"${TARGET}" \
|
|
444
|
+
--resolvers /opt/resolvers/resolvers.txt \
|
|
445
|
+
-w "${OUTPUT}/active/puredns_5k.txt"
|
|
446
|
+
|
|
447
|
+
# Larger pass if time permits
|
|
448
|
+
puredns bruteforce \
|
|
449
|
+
/usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt \
|
|
450
|
+
"${TARGET}" \
|
|
451
|
+
--resolvers /opt/resolvers/resolvers.txt \
|
|
452
|
+
-w "${OUTPUT}/active/puredns_20k.txt"
|
|
453
|
+
```
|
|
454
|
+
|
|
455
|
+
### Step 5: Permutation Generation
|
|
456
|
+
|
|
457
|
+
```bash
|
|
458
|
+
# Generate mutations from known subdomains
|
|
459
|
+
altdns \
|
|
460
|
+
-i "${OUTPUT}/passive/merged.txt" \
|
|
461
|
+
-o "${OUTPUT}/active/mutations_raw.txt" \
|
|
462
|
+
-w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
|
|
463
|
+
|
|
464
|
+
# Resolve mutations
|
|
465
|
+
dnsx \
|
|
466
|
+
-l "${OUTPUT}/active/mutations_raw.txt" \
|
|
467
|
+
-r /opt/resolvers/resolvers.txt \
|
|
468
|
+
-silent \
|
|
469
|
+
-o "${OUTPUT}/active/mutations_resolved.txt"
|
|
470
|
+
```
|
|
471
|
+
|
|
472
|
+
### Step 6: Merge All Results
|
|
473
|
+
|
|
474
|
+
```bash
|
|
475
|
+
cat "${OUTPUT}/passive/merged.txt" \
|
|
476
|
+
"${OUTPUT}/active/"*.txt \
|
|
477
|
+
| grep -oP '[a-zA-Z0-9._-]+\.'"${TARGET}"'$' \
|
|
478
|
+
| sort -u \
|
|
479
|
+
> "${OUTPUT}/all_subdomains.txt"
|
|
480
|
+
|
|
481
|
+
echo "Total unique subdomains: $(wc -l < "${OUTPUT}/all_subdomains.txt")"
|
|
482
|
+
```
|
|
483
|
+
|
|
484
|
+
### Step 7: HTTP Probing
|
|
485
|
+
|
|
486
|
+
```bash
|
|
487
|
+
cat "${OUTPUT}/all_subdomains.txt" | httpx \
|
|
488
|
+
-silent \
|
|
489
|
+
-status-code \
|
|
490
|
+
-title \
|
|
491
|
+
-tech-detect \
|
|
492
|
+
-content-length \
|
|
493
|
+
-web-server \
|
|
494
|
+
-ip \
|
|
495
|
+
-cname \
|
|
496
|
+
-cdn \
|
|
497
|
+
-json \
|
|
498
|
+
-o "${OUTPUT}/probe/alive.json"
|
|
499
|
+
|
|
500
|
+
# Quick summary
|
|
501
|
+
cat "${OUTPUT}/probe/alive.json" \
|
|
502
|
+
| jq -r '[.url, (.status_code|tostring), .title] | @tsv' \
|
|
503
|
+
| sort -t$'\t' -k2 -n \
|
|
504
|
+
| column -t
|
|
505
|
+
```
|
|
506
|
+
|
|
507
|
+
### Step 8: Takeover Screening
|
|
508
|
+
|
|
509
|
+
```bash
|
|
510
|
+
subjack \
|
|
511
|
+
-w "${OUTPUT}/all_subdomains.txt" \
|
|
512
|
+
-t 50 \
|
|
513
|
+
-o "${OUTPUT}/takeover/candidates.txt" \
|
|
514
|
+
-ssl
|
|
515
|
+
|
|
516
|
+
# Review candidates immediately
|
|
517
|
+
cat "${OUTPUT}/takeover/candidates.txt"
|
|
518
|
+
```
|
|
519
|
+
|
|
520
|
+
### Step 9: Export for Attack Surface Mapping
|
|
521
|
+
|
|
522
|
+
```bash
|
|
523
|
+
# Extract alive URLs for rt-attack-surface-map
|
|
524
|
+
cat "${OUTPUT}/probe/alive.json" | jq -r '.url' \
|
|
525
|
+
> "${OUTPUT}/alive_urls_final.txt"
|
|
526
|
+
|
|
527
|
+
# Export DNS records for pivot analysis
|
|
528
|
+
cat "${OUTPUT}/probe/dns_records.json" \
|
|
529
|
+
| jq -r 'select(.cname != null) | [.host, .cname[]] | @tsv' \
|
|
530
|
+
> "${OUTPUT}/cname_chains.tsv"
|
|
531
|
+
|
|
532
|
+
echo "[COMPLETE] Feed alive_urls_final.txt into rt-attack-surface-map"
|
|
533
|
+
```
|
|
534
|
+
|
|
535
|
+
### Step 10: Autodoc Report Generation
|
|
536
|
+
|
|
537
|
+
```bash
|
|
538
|
+
python3 /opt/rtexit/autodoc.py \
|
|
539
|
+
--skill rt-subdomain-enum \
|
|
540
|
+
--target "${TARGET}" \
|
|
541
|
+
--input "${OUTPUT}/probe/alive.json" \
|
|
542
|
+
--dns-records "${OUTPUT}/probe/dns_records.json" \
|
|
543
|
+
--takeover "${OUTPUT}/takeover/candidates.txt" \
|
|
544
|
+
--output "./reports/${TARGET}/subdomain_enum_$(date +%Y%m%d_%H%M).md" \
|
|
545
|
+
--format markdown \
|
|
546
|
+
--engagement "${ENGAGEMENT}"
|
|
547
|
+
```
|
|
548
|
+
|
|
549
|
+
---
|
|
550
|
+
|
|
551
|
+
## Tool Reference
|
|
552
|
+
|
|
553
|
+
### subfinder
|
|
554
|
+
Passive subdomain discovery using multiple data sources (cert logs, APIs, scrapers).
|
|
555
|
+
|
|
556
|
+
- **GitHub:** https://github.com/projectdiscovery/subfinder
|
|
557
|
+
- **Install:** `go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest`
|
|
558
|
+
- **Key flags:** `-d` (domain), `-all` (all sources), `-o` (output), `-v` (verbose)
|
|
559
|
+
|
|
560
|
+
```bash
|
|
561
|
+
subfinder -d example.com -all -o subs.txt -v
|
|
562
|
+
```
|
|
563
|
+
|
|
564
|
+
### amass
|
|
565
|
+
OWASP subdomain enumeration and network mapping tool. Best-in-class for ASN pivoting and OSINT.
|
|
566
|
+
|
|
567
|
+
- **GitHub:** https://github.com/owasp-amass/amass
|
|
568
|
+
- **Install:** `go install -v github.com/owasp-amass/amass/v4/...@master`
|
|
569
|
+
- **Docs:** https://github.com/owasp-amass/amass/blob/master/doc/user_guide.md
|
|
570
|
+
|
|
571
|
+
```bash
|
|
572
|
+
# Passive
|
|
573
|
+
amass enum -passive -d example.com -o amass_passive.txt
|
|
574
|
+
|
|
575
|
+
# Active (brute + AXFR)
|
|
576
|
+
amass enum -active -brute -d example.com -w wordlist.txt -o amass_active.txt
|
|
577
|
+
```
|
|
578
|
+
|
|
579
|
+
### gobuster
|
|
580
|
+
Directory/DNS/VHost brute-forcer written in Go. Fast and reliable for DNS mode.
|
|
581
|
+
|
|
582
|
+
- **GitHub:** https://github.com/OJ/gobuster
|
|
583
|
+
- **Install:** `go install github.com/OJ/gobuster/v3@latest`
|
|
584
|
+
|
|
585
|
+
```bash
|
|
586
|
+
gobuster dns -d example.com -w wordlist.txt -t 50 -o dns_results.txt
|
|
587
|
+
gobuster vhost -u https://10.10.10.10 -w subdomains.txt --append-domain
|
|
588
|
+
```
|
|
589
|
+
|
|
590
|
+
### httpx
|
|
591
|
+
Multi-purpose HTTP probing toolkit from ProjectDiscovery. Supports tech detection, status codes, screenshots.
|
|
592
|
+
|
|
593
|
+
- **GitHub:** https://github.com/projectdiscovery/httpx
|
|
594
|
+
- **Install:** `go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest`
|
|
595
|
+
|
|
596
|
+
```bash
|
|
597
|
+
cat subdomains.txt | httpx -silent -status-code -title -tech-detect -json -o alive.json
|
|
598
|
+
```
|
|
599
|
+
|
|
600
|
+
### subjack
|
|
601
|
+
Subdomain takeover detection tool.
|
|
602
|
+
|
|
603
|
+
- **GitHub:** https://github.com/haccer/subjack
|
|
604
|
+
- **Install:** `go install github.com/haccer/subjack@latest`
|
|
605
|
+
|
|
606
|
+
```bash
|
|
607
|
+
subjack -w subdomains.txt -t 50 -o takeover.txt -ssl -c fingerprints.json
|
|
608
|
+
```
|
|
609
|
+
|
|
610
|
+
### dnsx
|
|
611
|
+
Fast DNS toolkit for running multiple DNS queries at scale.
|
|
612
|
+
|
|
613
|
+
- **GitHub:** https://github.com/projectdiscovery/dnsx
|
|
614
|
+
- **Install:** `go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest`
|
|
615
|
+
|
|
616
|
+
```bash
|
|
617
|
+
cat subdomains.txt | dnsx -silent -a -cname -resp -o dns_records.txt
|
|
618
|
+
```
|
|
619
|
+
|
|
620
|
+
### puredns
|
|
621
|
+
Wildcard-aware DNS brute-forcer and resolver. Essential for accurate active enumeration.
|
|
622
|
+
|
|
623
|
+
- **GitHub:** https://github.com/d3mondev/puredns
|
|
624
|
+
- **Install:** `go install github.com/d3mondev/puredns/v2@latest`
|
|
625
|
+
|
|
626
|
+
```bash
|
|
627
|
+
puredns bruteforce wordlist.txt example.com --resolvers resolvers.txt -w out.txt
|
|
628
|
+
puredns resolve subdomains.txt --resolvers resolvers.txt -w resolved.txt
|
|
629
|
+
```
|
|
630
|
+
|
|
631
|
+
### altdns
|
|
632
|
+
Subdomain permutation/alteration and mutation engine.
|
|
633
|
+
|
|
634
|
+
- **GitHub:** https://github.com/infosec-au/altdns
|
|
635
|
+
- **Install:** `pip3 install py-altdns` or `pip3 install altdns`
|
|
636
|
+
|
|
637
|
+
```bash
|
|
638
|
+
altdns -i subdomains.txt -o mutations.txt -w words.txt
|
|
639
|
+
```
|
|
640
|
+
|
|
641
|
+
### nuclei
|
|
642
|
+
Fast template-based vulnerability scanner. Used here for takeover templates.
|
|
643
|
+
|
|
644
|
+
- **GitHub:** https://github.com/projectdiscovery/nuclei
|
|
645
|
+
- **Install:** `go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest`
|
|
646
|
+
|
|
647
|
+
```bash
|
|
648
|
+
nuclei -l alive.txt -t nuclei-templates/takeovers/ -o takeover_hits.txt
|
|
649
|
+
```
|
|
650
|
+
|
|
651
|
+
---
|
|
652
|
+
|
|
653
|
+
## Output Instructions
|
|
654
|
+
|
|
655
|
+
### Directory Structure
|
|
656
|
+
|
|
657
|
+
```
|
|
658
|
+
recon/<TARGET>/subdomains/
|
|
659
|
+
├── passive/
|
|
660
|
+
│ ├── subfinder.txt
|
|
661
|
+
│ ├── amass.txt
|
|
662
|
+
│ ├── crt.txt
|
|
663
|
+
│ ├── securitytrails.txt
|
|
664
|
+
│ └── merged.txt
|
|
665
|
+
├── active/
|
|
666
|
+
│ ├── puredns_5k.txt
|
|
667
|
+
│ ├── puredns_20k.txt
|
|
668
|
+
│ ├── gobuster_jhaddix.txt
|
|
669
|
+
│ ├── altdns_mutations.txt
|
|
670
|
+
│ └── merged.txt
|
|
671
|
+
├── probe/
|
|
672
|
+
│ ├── dns_records.json
|
|
673
|
+
│ ├── alive_full.json
|
|
674
|
+
│ └── alive_summary.txt
|
|
675
|
+
├── takeover/
|
|
676
|
+
│ ├── subjack_results.txt
|
|
677
|
+
│ └── nuclei_takeover.txt
|
|
678
|
+
├── vhost/
|
|
679
|
+
│ └── vhost_<IP>.txt
|
|
680
|
+
├── all_subdomains.txt
|
|
681
|
+
└── alive_urls_final.txt
|
|
682
|
+
```
|
|
683
|
+
|
|
684
|
+
### Files to Save and Their Purpose
|
|
685
|
+
|
|
686
|
+
| File | Purpose | Downstream Consumer |
|
|
687
|
+
|---|---|---|
|
|
688
|
+
| `passive/merged.txt` | Deduplicated passive results | Active phase, permutations |
|
|
689
|
+
| `all_subdomains.txt` | All discovered subdomains | httpx probing, subjack |
|
|
690
|
+
| `probe/alive_full.json` | Full HTTP probe with tech stack | rt-attack-surface-map, nuclei |
|
|
691
|
+
| `probe/alive_summary.txt` | Human-readable alive hosts | Operator review, reporting |
|
|
692
|
+
| `probe/dns_records.json` | Full DNS records (A, CNAME, MX, TXT) | Pivot analysis, takeover detection |
|
|
693
|
+
| `takeover/subjack_results.txt` | Takeover candidates | Immediate exploitation |
|
|
694
|
+
| `alive_urls_final.txt` | Clean URL list | rt-attack-surface-map |
|
|
695
|
+
| `cname_chains.tsv` | CNAME pivot map | Infrastructure mapping |
|
|
696
|
+
|
|
697
|
+
### Naming Convention
|
|
698
|
+
|
|
699
|
+
```
|
|
700
|
+
<ENGAGEMENT_ID>_<TARGET>_subdomain_enum_<YYYYMMDD_HHMM>.md
|
|
701
|
+
e.g. ENG-2024-001_example.com_subdomain_enum_20241115_1430.md
|
|
702
|
+
```
|
|
703
|
+
|
|
704
|
+
### Minimum Required Outputs
|
|
705
|
+
|
|
706
|
+
Before closing enumeration phase, confirm these files exist and are non-empty:
|
|
707
|
+
1. `all_subdomains.txt` — raw discovered subdomains
|
|
708
|
+
2. `probe/alive_full.json` — HTTP probed hosts with status + tech
|
|
709
|
+
3. `probe/alive_summary.txt` — human-readable summary
|
|
710
|
+
4. `takeover/subjack_results.txt` — takeover screening complete (even if empty)
|
|
711
|
+
5. `alive_urls_final.txt` — ready for `rt-attack-surface-map`
|
|
712
|
+
|
|
713
|
+
---
|
|
714
|
+
|
|
715
|
+
## Useful Python Scripts
|
|
716
|
+
|
|
717
|
+
### crt.sh Bulk Fetch with Rate Limiting
|
|
718
|
+
|
|
719
|
+
```python
|
|
720
|
+
#!/usr/bin/env python3
|
|
721
|
+
# crtsh_enum.py — Fetch subdomains from crt.sh with retry logic
|
|
722
|
+
import requests, json, time, sys
|
|
723
|
+
from urllib.parse import quote
|
|
724
|
+
|
|
725
|
+
def fetch_crtsh(domain, retries=3, delay=5):
|
|
726
|
+
url = f"https://crt.sh/?q=%.{domain}&output=json"
|
|
727
|
+
for attempt in range(retries):
|
|
728
|
+
try:
|
|
729
|
+
r = requests.get(url, timeout=30)
|
|
730
|
+
r.raise_for_status()
|
|
731
|
+
data = r.json()
|
|
732
|
+
subdomains = set()
|
|
733
|
+
for entry in data:
|
|
734
|
+
for name in entry.get("name_value", "").splitlines():
|
|
735
|
+
clean = name.strip().lstrip("*.")
|
|
736
|
+
if clean.endswith(domain):
|
|
737
|
+
subdomains.add(clean.lower())
|
|
738
|
+
return sorted(subdomains)
|
|
739
|
+
except Exception as e:
|
|
740
|
+
print(f"[!] Attempt {attempt+1} failed: {e}", file=sys.stderr)
|
|
741
|
+
time.sleep(delay)
|
|
742
|
+
return []
|
|
743
|
+
|
|
744
|
+
if __name__ == "__main__":
|
|
745
|
+
domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
|
|
746
|
+
subs = fetch_crtsh(domain)
|
|
747
|
+
print(f"[*] Found {len(subs)} subdomains via crt.sh", file=sys.stderr)
|
|
748
|
+
for s in subs:
|
|
749
|
+
print(s)
|
|
750
|
+
```
|
|
751
|
+
|
|
752
|
+
Usage:
|
|
753
|
+
```bash
|
|
754
|
+
python3 crtsh_enum.py example.com > crt_results.txt
|
|
755
|
+
```
|
|
756
|
+
|
|
757
|
+
### Parse httpx JSON Output
|
|
758
|
+
|
|
759
|
+
```python
|
|
760
|
+
#!/usr/bin/env python3
|
|
761
|
+
# parse_alive.py — Parse httpx JSON to CSV for reporting
|
|
762
|
+
import json, sys, csv
|
|
763
|
+
|
|
764
|
+
def parse_httpx(input_file, output_file):
|
|
765
|
+
results = []
|
|
766
|
+
with open(input_file) as f:
|
|
767
|
+
for line in f:
|
|
768
|
+
try:
|
|
769
|
+
entry = json.loads(line.strip())
|
|
770
|
+
results.append({
|
|
771
|
+
"url": entry.get("url", ""),
|
|
772
|
+
"status_code": entry.get("status_code", ""),
|
|
773
|
+
"title": entry.get("title", ""),
|
|
774
|
+
"webserver": entry.get("webserver", ""),
|
|
775
|
+
"tech": ", ".join(entry.get("tech", [])),
|
|
776
|
+
"ip": entry.get("host", ""),
|
|
777
|
+
"cname": ", ".join(entry.get("cname", [])),
|
|
778
|
+
"cdn": entry.get("cdn", False),
|
|
779
|
+
"content_length": entry.get("content_length", ""),
|
|
780
|
+
})
|
|
781
|
+
except json.JSONDecodeError:
|
|
782
|
+
continue
|
|
783
|
+
|
|
784
|
+
with open(output_file, "w", newline="") as f:
|
|
785
|
+
writer = csv.DictWriter(f, fieldnames=results[0].keys() if results else [])
|
|
786
|
+
writer.writeheader()
|
|
787
|
+
writer.writerows(results)
|
|
788
|
+
print(f"[*] Wrote {len(results)} entries to {output_file}")
|
|
789
|
+
|
|
790
|
+
if __name__ == "__main__":
|
|
791
|
+
parse_httpx(sys.argv[1], sys.argv[2])
|
|
792
|
+
```
|
|
793
|
+
|
|
794
|
+
Usage:
|
|
795
|
+
```bash
|
|
796
|
+
python3 parse_alive.py probe/alive_full.json probe/alive_report.csv
|
|
797
|
+
```
|
|
798
|
+
|
|
799
|
+
---
|
|
800
|
+
|
|
801
|
+
## SecLists Wordlist Reference
|
|
802
|
+
|
|
803
|
+
| Wordlist | Path | Size | Use Case |
|
|
804
|
+
|---|---|---|---|
|
|
805
|
+
| subdomains-top1million-5000.txt | `/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt` | 5k | Fast initial pass |
|
|
806
|
+
| subdomains-top1million-20000.txt | `/usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt` | 20k | Standard engagement |
|
|
807
|
+
| subdomains-top1million-110000.txt | `/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt` | 110k | Thorough assessment |
|
|
808
|
+
| dns-Jhaddix.txt | `/usr/share/seclists/Discovery/DNS/dns-Jhaddix.txt` | 1.8M | Comprehensive brute |
|
|
809
|
+
| bitquark-subdomains-top100000.txt | `/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt` | 100k | Alternative large list |
|
|
810
|
+
|
|
811
|
+
Install SecLists:
|
|
812
|
+
```bash
|
|
813
|
+
sudo apt install seclists
|
|
814
|
+
# or
|
|
815
|
+
git clone https://github.com/danielmiessler/SecLists /usr/share/seclists
|
|
816
|
+
```
|
|
817
|
+
|
|
818
|
+
---
|
|
819
|
+
|
|
820
|
+
## Public DNS Resolvers
|
|
821
|
+
|
|
822
|
+
High-quality resolver lists are critical for accurate active enumeration. Use puredns with trusted resolvers to avoid false positives from wildcard DNS.
|
|
823
|
+
|
|
824
|
+
```bash
|
|
825
|
+
# Download fresh resolver list
|
|
826
|
+
curl -s https://raw.githubusercontent.com/trickest/resolvers/main/resolvers.txt \
|
|
827
|
+
-o /opt/resolvers/resolvers.txt
|
|
828
|
+
|
|
829
|
+
# Verify resolver quality
|
|
830
|
+
dnsvalidator -tL /opt/resolvers/resolvers.txt -threads 200 -o /opt/resolvers/valid_resolvers.txt
|
|
831
|
+
```
|
|
832
|
+
|
|
833
|
+
---
|
|
834
|
+
|
|
835
|
+
## Integration with RTExit Autodoc Engine
|
|
836
|
+
|
|
837
|
+
The autodoc engine ingests structured JSON from httpx and generates engagement-ready Markdown reports automatically.
|
|
838
|
+
|
|
839
|
+
```bash
|
|
840
|
+
# Trigger autodoc after enumeration completes
|
|
841
|
+
python3 /opt/rtexit/autodoc.py \
|
|
842
|
+
--skill rt-subdomain-enum \
|
|
843
|
+
--target "${TARGET}" \
|
|
844
|
+
--engagement "${ENGAGEMENT}" \
|
|
845
|
+
--input "${OUTPUT}/probe/alive_full.json" \
|
|
846
|
+
--dns-records "${OUTPUT}/probe/dns_records.json" \
|
|
847
|
+
--takeover "${OUTPUT}/takeover/subjack_results.txt" \
|
|
848
|
+
--output "./reports/${TARGET}/subdomain_enum_$(date +%Y%m%d_%H%M).md" \
|
|
849
|
+
--format markdown
|
|
850
|
+
|
|
851
|
+
# RTExit also accepts the alive URLs file directly for indexing
|
|
852
|
+
python3 /opt/rtexit/index_asset.py \
|
|
853
|
+
--type subdomain \
|
|
854
|
+
--source "${OUTPUT}/alive_urls_final.txt" \
|
|
855
|
+
--engagement "${ENGAGEMENT}"
|
|
856
|
+
```
|
|
857
|
+
|
|
858
|
+
The autodoc engine produces:
|
|
859
|
+
- Executive summary table (alive hosts, status breakdown, tech stack summary)
|
|
860
|
+
- Takeover risk section (high/medium/low)
|
|
861
|
+
- CNAME chain analysis
|
|
862
|
+
- CDN-hosted vs direct-hosted breakdown
|
|
863
|
+
- Recommended next steps (feeds `rt-attack-surface-map`)
|
|
864
|
+
|
|
865
|
+
---
|
|
866
|
+
|
|
867
|
+
## Resources
|
|
868
|
+
|
|
869
|
+
### Official Documentation
|
|
870
|
+
- Subfinder README: https://github.com/projectdiscovery/subfinder/blob/main/README.md
|
|
871
|
+
- Amass User Guide: https://github.com/owasp-amass/amass/blob/master/doc/user_guide.md
|
|
872
|
+
- Amass Config Examples: https://github.com/owasp-amass/amass/blob/master/examples/config.ini
|
|
873
|
+
- httpx README: https://github.com/projectdiscovery/httpx/blob/master/README.md
|
|
874
|
+
- puredns README: https://github.com/d3mondev/puredns/blob/master/README.md
|
|
875
|
+
|
|
876
|
+
### Wordlists and Data
|
|
877
|
+
- SecLists: https://github.com/danielmiessler/SecLists
|
|
878
|
+
- Trickest Resolvers: https://github.com/trickest/resolvers
|
|
879
|
+
- Commonspeak2 wordlists: https://github.com/assetnote/commonspeak2-wordlists
|
|
880
|
+
|
|
881
|
+
### OSINT APIs (require registration)
|
|
882
|
+
- SecurityTrails API: https://securitytrails.com/app/account/credentials
|
|
883
|
+
- VirusTotal API: https://www.virustotal.com/gui/my-apikey
|
|
884
|
+
- Chaos (ProjectDiscovery): https://chaos.projectdiscovery.io/
|
|
885
|
+
- Shodan API: https://account.shodan.io/
|
|
886
|
+
- Censys API: https://search.censys.io/account/api
|
|
887
|
+
|
|
888
|
+
### Certificate Transparency
|
|
889
|
+
- crt.sh: https://crt.sh/
|
|
890
|
+
- crt.sh JSON API: https://crt.sh/?q=%.example.com&output=json
|
|
891
|
+
- Facebook CT Monitor: https://developers.facebook.com/tools/ct/
|
|
892
|
+
- Google CT Log List: https://www.gstatic.com/ct/log_list/v3/log_list.json
|
|
893
|
+
|
|
894
|
+
### Learning and Reference
|
|
895
|
+
- HackTricks Subdomain Enumeration: https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/web-discovery-and-information-gathering#subdomain-enumeration
|
|
896
|
+
- Bug Bounty Recon Methodology (Jason Haddix): https://www.youtube.com/watch?v=p4JgIu1mceI
|
|
897
|
+
- Subdomain Takeover Reference: https://github.com/EdOverflow/can-i-take-over-xyz
|
|
898
|
+
- DNS Recon Cheatsheet: https://pentestbook.six2dez.com/recon/domains
|
|
899
|
+
- Assetnote Blog — Subdomain Enumeration: https://www.assetnote.io/resources/research/subdomains-in-the-age-of-scope-creep
|
|
900
|
+
- NahamCon Recon Talk: https://www.youtube.com/watch?v=G3A1H5RQGjA
|
|
901
|
+
|
|
902
|
+
### Related RTExit Skills
|
|
903
|
+
- `rt-attack-surface-map` — consumes output of this skill for prioritization
|
|
904
|
+
- `rt-scope-definition` — must be run before this skill to confirm in-scope domains
|
|
905
|
+
- `rt-threat-model` — informs which subdomain categories to prioritize
|
|
906
|
+
- `rt-create-sead` — SEAD operations may leverage discovered subdomains for phishing infrastructure
|
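Review bot: Phase 5 feeds the httpx JSONL file straight to nuclei (`nuclei -l "${OUTPUT_DIR}/probe/alive_full.json"`), so every "target" nuclei reads is a JSON object rather than a URL; extract the URL field first (`jq -r '.url' "${OUTPUT_DIR}/probe/alive_full.json" > "${OUTPUT_DIR}/probe/alive_urls.txt"`) and pass that list, or reuse `alive_urls_final.txt` which Step 9 already builds the same way. Phase 4 has a related problem: `gobuster vhost -u "https://${IP}" ... --append-domain` appends the host taken from the URL, which here is the IP, so the probed Host headers become `<word>.<IP>` instead of `<word>.${TARGET}`; add `--domain "${TARGET}"` (or probe `https://${TARGET}` and point it at the IP) so the brute-forced names are actually under the target domain. In the step-by-step workflow, Step 6 merges `"${OUTPUT}/active/"*.txt`, which includes `mutations_raw.txt` (unresolved altdns candidates), so `all_subdomains.txt` is padded with names that never resolved; exclude the raw file or merge only `mutations_resolved.txt`. Steps 9 and 10 then read `${OUTPUT}/probe/dns_records.json`, but no step in the workflow writes that file (only the full script's Phase 3 does, under `${OUTPUT_DIR}`), and Step 8 writes `takeover/candidates.txt` while "Minimum Required Outputs" demands `takeover/subjack_results.txt` and `probe/alive_full.json`, so the checklist and the workflow disagree on filenames; either add a dnsx step to the workflow and align the names, or document that the checklist applies to the full script only. Two smaller points: the resolver section validates into `/opt/resolvers/valid_resolvers.txt` but every puredns and dnsx call still reads the unvalidated `resolvers.txt`, so the validation output is never consumed; and in `crtsh_enum.py` the filter `if clean.endswith(domain):` also accepts unrelated names such as `notexample.com`, so it should test `clean == domain or clean.endswith("." + domain)` (the unused `json` import can go as well).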