Discovering Subdomains
Blog post from Bugcrowd
When coming across a *.target.com scope, it's often beneficial to explore less-traveled applications running on unusual subdomains to uncover critical vulnerabilities and potential high payouts. Various techniques can be employed for subdomain discovery, including utilizing public resources such as search engines or scanning IP blocks and doing reverse lookups. One popular method is using Google Dorks to filter results, while other tools like Virustotal, DNSDumpster, and Shodan provide extensive information on subdomains. Bruteforce techniques can also be effective in discovering subdomains, with various tools available for automation, such as Subbrute, dnscan, Nmap, and Recon-Ng. A script called Enumall.sh can automate the process of harvesting subdomains from public resources and bruteforcing them, utilizing a combination of Google scraping, Bing scraping, Baidu scraping, Netcraft, and the SecLists project subdomain list.
No tracked trend matches for this post yet.
Use this post, company, and trend context to find content marketing opportunities, perform competitive analysis, or address product feature gaps via the Plushcap MCP server or the Plushcap API.