Recon Web Applications Subdomains & Directories Find any hidden or unknown subdomains and directories on the target system.
Directory and Subdomain Discovery
Subdomain finder one-liners
Find subdomains from various sources and add them to output.txt file.
Copy (curl -s "https://rapiddns.io/subdomain/$TARGET?full=1#result" 2>/dev/null | grep "<td><a" 2>/dev/null | cut -d '"' -f 2 2>/dev/null | grep http 2>/dev/null | cut -d '/' -f3 2>/dev/null | sed 's/#results//g' 2>/dev/null | sort -u 2>/dev/null) > output.txt
(curl -s https://dns.bufferover.run/dns?q=.$TARGET 2>/dev/null |jq -r .FDNS_A[] 2>/dev/null |cut -d',' -f2 2>/dev/null|sort -u 2>/dev/null ) >> output.txt
(curl -s "https://riddler.io/search/exportcsv?q=pld:${TARGET}" 2>/dev/null| grep -Po "(([\w.-]*)\.([\w]*)\.([A-z]))\w+" 2>/dev/null| sort -u 2>/dev/null ) >> output.txt
(curl -s "https://www.virustotal.com/ui/domains/${TARGET}/subdomains?limit=40" 2>/dev/null | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" 2>/dev/null | sort -u 2>/dev/null ) >> output.txt
(curl -s "https://certspotter.com/api/v1/issuances?domain=${TARGET}&include_subdomains=true&expand=dns_names" 2>/dev/null | jq .[].dns_names 2>/dev/null | tr -d '[]"\n ' 2>/dev/null | tr ',' '\n'2>/dev/null ) >> output.txt
(curl -s "https://jldc.me/anubis/subdomains/${TARGET}" 2>/dev/null | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" 2>/dev/null | sort -u 2>/dev/null ) >> output.txt
(curl -s "https://securitytrails.com/list/apex_domain/${TARGET}" 2>/dev/null | grep -Po "((http|https):\/\/)?(([\w.-]*)\.([\w]*)\.([A-z]))\w+" 2>/dev/null| grep "${TARGET}" 2>/dev/null | sort -u 2>/dev/null ) >> output.txt
(curl --silent https://sonar.omnisint.io/subdomains/$TARGET 2>/dev/null | grep -oE "[a-zA-Z0-9._-]+\.$TARGET" 2>/dev/null | sort -u 2>/dev/null ) >> output.txt
(curl --silent -X POST https://synapsint.com/report.php -d "name=https%3A%2F%2F$TARGET" 2>/dev/null| grep -oE "[a-zA-Z0-9._-]+\.$TARGET" 2>/dev/null | sort -u 2>/dev/null ) >> output.txt
(curl -s "https://crt.sh/?q=%25.$TARGET&output=json" 2>/dev/null| jq -r '.[].name_value' 2>/dev/null| sed 's/\*\.//g' 2>/dev/null| sort -u 2>/dev/null ) >> output.txt Sublist3r
Copy sublist3r -d [domain] -t [threads] -o [output] -v -b [brute force mode>] OWASP Opendoor
Copy python3 opendoor.py --host 10.10.10.6 --scan=directories -t 50 Cansina
Copy python ./cansina.py -u 10.10.10.6 -p ./directories.dat --persist -t 50 --show-type --full-path -b 403,404 Dirb
Copy dirb http://example.com -r Dirsearch
Copy python3 dirsearch.py -u http://192.168.56.122 -e php,exe.elf.cgi,asp,txt,pdf,png,jpg -r -t 5 -w db/dicc.txt -x 403,404 Patator
Copy patator http_fuzz url=[url] method=POST body Gobuster
Used for both subdomain/vhost and subdirectory discovery.
Copy gobuster dir -w /usr/share/wordlists/dirb/directory-list-2.3-medium.txt -u 10.10.10 Some useful options:
Copy -x → extention
dir → directory brutforce
dns → subdomain bruteforce
-c → cookie string
-e → print full url
-U → username for auth
-p → password for basic auth
-P → proxy [http(s)://host:port]
-s → set positive status codes will be overwritten with statuscodesblacklist if set) (default "200,204,301,302,307,401,403")
-u → url
-o → output to a file
-k → skip ssl
-a → set user agent Gobuster Web Content Discovery
Copy gobuster -u http:/// -w /usr/share/seclists/Discovery/ Web_Content/common.txt -s '200,204,301,302,307,403,500' -e Gobuster subdomain brute forcing
Copy gobuster dns -w /usr/share/seclists/Discovery/ DNS/subdomains-top1million-110000.txt -d target.com Gobuster subdomain vhost search
Copy gobuster vhost -u example.com -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt Dirbuster
Wordlist for bruteforce is in /usr/share/wordlists/dirbuster
Set go faster 200 threats (usually works best) in file extensions add any file type you want to look for like rar, docx, zip, etc.
Wfuzz
It can fuzz any given location in a url, the location is specified by the "FUZZ" parameter:
Copy wfuzz -u http://sneakycorp.htb -w /usr/share/wordlists/dirbuster/directory-list -2.3-small.txt -H 'Host: FUZZ.sneakycorp.htb' --hw 1 Find files and extensions, Hide 404 codes:
Copy wfuzz -u http://10.10.15.205/firstdirc/seconddir/FUZZ.extension -w /usr/share/dirbuster/wordl 
