Techniques to find Subdomains:

  1. Google dorking
  2. crt.sh
  3. Sublist3r
  4. Amass

Google Dork for Finding Subdomains

site:*.example.com -www
  • site:*.example.com tells Google to look for any subdomain of example.com.
  • -www excludes the www host so the less obvious subdomains surface in the results.

  Variations of the same dork:

    site:*.example.com
    site:*.example.com filetype:pdf
    site:*.example.com intitle:"login"
    site:*.example.com inurl:"admin"

Crt.sh

One of the easiest ways to start is by checking Certificate Transparency (CT) logs using crt.sh. The site indexes the certificates published to public CT logs, so every hostname named in a certificate issued for the domain, subdomains included, becomes searchable.

Let’s look at the results.

You can also use the crt.py script to pull all unique domains straight into a .txt file.
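As an added example (this is not the crt.py script the note refers to, nor code from crt.sh), the Python below does the same job offline: it takes a crt.sh JSON response, splits the newline-separated `name_value` field that carries every name in a certificate, normalises case, drops the `*.` of wildcard certificates, keeps only names inside the target domain (so look-alike names such as `example.com.lookalike.test` are discarded) and writes the unique result to a text file. The sample payload is constructed in the shape crt.sh returns for `https://crt.sh/?q=%25.example.com&output=json`; `fetch_crtsh` is the only function that touches the network and is not called by default.

```python
"""Extract unique, in-scope hostnames from a crt.sh JSON response (added example)."""
import json
import urllib.request
from urllib.parse import quote

# Constructed sample of a crt.sh JSON response. Only the fields used below are
# kept; real responses also carry issuer_name, not_before, not_after, etc.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.dev.example.com", "name_value": "*.dev.example.com\napi.dev.example.com"},
    {"common_name": "MAIL.example.com", "name_value": "MAIL.example.com\nmail.example.com"},
    {"common_name": "vpn.example.com", "name_value": "vpn.example.com"},
    {"common_name": "example.com.lookalike.test", "name_value": "example.com.lookalike.test"},
    {"common_name": "www.example.com", "name_value": "www.example.com"},  # renewed cert, duplicate
])


def fetch_crtsh(domain: str, timeout: int = 30) -> str:
    """Query crt.sh for every certificate naming the domain or one of its subdomains."""
    url = f"https://crt.sh/?q={quote('%.' + domain)}&output=json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:  # network access
        return resp.read().decode()


def extract_subdomains(crtsh_json: str, domain: str) -> list[str]:
    """Return the sorted, unique hostnames in scope for `domain` found in the payload."""
    apex = domain.lower()
    suffix = "." + apex
    found: set[str] = set()
    for record in json.loads(crtsh_json):
        # name_value lists every Subject Alternative Name of the cert, one per line
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]  # a wildcard cert only tells us about the parent label
            if not name:
                continue
            # keep the apex and anything ending in ".example.com"; this discards
            # names that merely start with the domain (e.g. example.com.lookalike.test)
            if name == apex or name.endswith(suffix):
                found.add(name)
    return sorted(found)


def write_subdomains(path: str, names: list[str]) -> int:
    """Write one name per line and return how many were written."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(names) + "\n")
    return len(names)


if __name__ == "__main__":
    # replace SAMPLE_CRTSH_JSON with fetch_crtsh("example.com") for a live query
    subs = extract_subdomains(SAMPLE_CRTSH_JSON, "example.com")
    print("\n".join(subs))
    print(f"{write_subdomains('example_crtsh.txt', subs)} names written")
```

Names in the output that you do not recognise are the interesting ones for an inventory: forgotten hosts, or certificates issued for the domain outside the normal process.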


Sublist3r

python sublist3r.py -d example.com

To find subdomains of example.com and save to example_subs.txt:

python sublist3r.py -d example.com -o example_subs.txt -t 20

Amass

amass enum -d example.com
![[images/Pasted image 20250604203229.png]]
## Building a **Recon Pipeline**
 
Combine Amass with other tools for an even more thorough enumeration:
 
- **Passive + Active**:
    1. Passive: `amass enum -passive -d example.com`
    2. Active: `amass enum -active -d example.com`
- **Visualize relationships**:
    ```bash
    amass viz -d3 -dir amass_output/ -o graph.html
    ```
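Added example of the merge step of such a pipeline (this is not Amass's or Sublist3r's own code): it reads the one-name-per-line output that `amass enum -o <file>` and `sublist3r.py -o <file>` produce, normalises each name, keeps only names inside the target domain and records which tool reported each one. A name that only one source contributed (here, only the active run) is the one to double-check, since active enumeration can surface hosts that no passive source knows about. The three tool outputs below are constructed strings standing in for those files; `read_outputs` loads real files with the same layout.

```python
"""Merge subdomain lists from several recon tools and attribute each name to its sources (added example)."""
from collections import defaultdict

# Constructed stand-ins for the files the tools write, e.g.
#   amass enum -passive -d example.com -o passive.txt
#   amass enum -active  -d example.com -o active.txt
#   python sublist3r.py -d example.com -o example_subs.txt
SAMPLE_OUTPUTS = {
    "amass-passive": "www.example.com\nmail.example.com\ndev.example.com\n",
    "amass-active":  "www.example.com\ndev.example.com\nstaging.example.com\n",
    "sublist3r":     "WWW.example.com\nvpn.example.com\nmail.example.com.\n",
}


def normalize(name: str) -> str:
    """Lowercase, strip whitespace, a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def merge_sources(outputs: dict[str, str], domain: str) -> dict[str, list[str]]:
    """Map each in-scope hostname to the sorted list of tools that reported it."""
    apex = domain.lower()
    suffix = "." + apex
    seen: dict[str, set[str]] = defaultdict(set)
    for tool, text in outputs.items():
        for line in text.splitlines():
            name = normalize(line)
            if name and (name == apex or name.endswith(suffix)):
                seen[name].add(tool)
    return {name: sorted(tools) for name, tools in sorted(seen.items())}


def found_only_by(merged: dict[str, list[str]], tool: str) -> list[str]:
    """Names that a single tool contributed; candidates for a second look."""
    return [name for name, tools in merged.items() if tools == [tool]]


def read_outputs(paths: dict[str, str]) -> dict[str, str]:
    """Load real tool output files, e.g. {"amass-passive": "passive.txt", ...}."""
    loaded = {}
    for tool, path in paths.items():
        with open(path, encoding="utf-8") as fh:
            loaded[tool] = fh.read()
    return loaded


if __name__ == "__main__":
    merged = merge_sources(SAMPLE_OUTPUTS, "example.com")
    for host, tools in merged.items():
        print(f"{host:25} {', '.join(tools)}")
    print("only the active run found:", found_only_by(merged, "amass-active"))
```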