It's a common problem that a company forgets to protect some of its subdomains, so here's how to find them quickly.

The fastest way is to use crt.sh:

$ curl -s 'https://crt.sh/?q=%25.example.com&output=json' \
| jq '.[] | [ .common_name, .name_value ] | .[]' -r \
| sort -u \
| grep -v -E " |@"

*.example.com
dev.example.com
example.com
m.example.com
...

This method is good because it instantly returns results based on issued certificates, and it is passive: it queries a public certificate-transparency database rather than the target itself.
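As an added example (not code from the original post), here is a small Python parser for the crt.sh JSON used above. It assumes the `common_name`, `name_value` and `not_after` fields crt.sh returns, and the input is a constructed sample rather than a real response. It does what the jq/sort/grep pipeline does and goes a bit further: names are lowercased and de-duplicated, wildcard entries are kept apart, anything outside the queried domain is dropped, and hosts whose certificates have all expired are flagged, which for an asset inventory are the stale names worth checking first.

```python
import json
from datetime import datetime
from typing import Dict, Optional, Set

# Constructed sample in the shape crt.sh returns for ?q=%25.example.com&output=json
# (real responses carry more fields; only these three are used here).
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "example.com", "name_value": "example.com\nwww.example.com",
     "not_after": "2030-01-01T00:00:00"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nexample.com",
     "not_after": "2030-01-01T00:00:00"},
    {"common_name": "DEV.example.com", "name_value": "DEV.example.com",
     "not_after": "2030-01-01T00:00:00"},
    {"common_name": "m.example.com", "name_value": "m.example.com\nadmin@example.com",
     "not_after": "2030-01-01T00:00:00"},
    {"common_name": "m.example.com", "name_value": "m.example.com",      # duplicate entry
     "not_after": "2025-01-01T00:00:00"},
    {"common_name": "old.example.com", "name_value": "old.example.com",  # only an expired cert
     "not_after": "2019-05-01T00:00:00"},
    {"common_name": "Example Org CA", "name_value": "Example Org CA",    # CA subject, no host
     "not_after": "2030-01-01T00:00:00"},
    {"common_name": "example.com.other.test", "name_value": "example.com.other.test",
     "not_after": "2030-01-01T00:00:00"},                                # out of scope
])


def extract_hostnames(raw_json: str, domain: str,
                      now: Optional[datetime] = None) -> Dict[str, Set[str]]:
    """Turn crt.sh JSON into sets of hostnames scoped to `domain`.

    Returns {"hosts": ..., "wildcards": ..., "expired_only": ...}, where
    expired_only holds hosts that appear only on certificates already past
    their not_after date relative to `now`.
    """
    now = now or datetime.now()
    domain = domain.lower().strip(".")
    hosts: Set[str] = set()
    wildcards: Set[str] = set()
    latest_expiry: Dict[str, datetime] = {}

    for record in json.loads(raw_json):
        # name_value lists every SAN on the cert, newline-separated.
        candidates = [record.get("common_name", "")]
        candidates += record.get("name_value", "").split("\n")
        expiry_raw = record.get("not_after")
        expiry = datetime.fromisoformat(expiry_raw) if expiry_raw else None

        for name in candidates:
            name = name.strip().lower().rstrip(".")
            # Drop empty names, CA subjects ("Example Org CA") and e-mail SANs,
            # the same filter the grep -v -E " |@" stage applies.
            if not name or " " in name or "@" in name:
                continue
            # Keep only the queried domain and its subdomains.
            if name != domain and not name.endswith("." + domain):
                continue
            if name.startswith("*."):
                wildcards.add(name)
            else:
                hosts.add(name)
            # Remember the latest expiry seen per name to spot stale hosts.
            if expiry and (name not in latest_expiry or expiry > latest_expiry[name]):
                latest_expiry[name] = expiry

    expired_only = {n for n, exp in latest_expiry.items() if exp < now and n in hosts}
    return {"hosts": hosts, "wildcards": wildcards, "expired_only": expired_only}


if __name__ == "__main__":
    result = extract_hostnames(SAMPLE_CRTSH_JSON, "example.com",
                               now=datetime(2024, 1, 1))
    for key in ("hosts", "wildcards", "expired_only"):
        print(f"{key}:")
        for name in sorted(result[key]):
            print(f"  {name}")
```

Feed it the output of the curl command instead of the sample and you get the same list the pipeline prints, plus the wildcard and expired-only buckets; a wildcard certificate is a reminder that this source can only show names someone chose to certify, not every name that resolves.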


Dozens of other resources can act as a source, and so that you don't have to query each one individually you can use the subfinder application, which lets you configure integration with many sources at once.


The list of all possible sources is shown by subfinder -ls.

It remains to find out which of the names actually resolve; just run cat d.txt | dnsx:


Note: on the screenshot the command is piped through head, because example.com is not the most comfortable example to search for subdomains and I found 22705 domains 🫠

Okay, so we found domains, what next?

Check whether each one is alive; the httpx utility helps here:


It can also take screenshots, which helps to visually evaluate the findings 😉


I'll post a couple more ways in the future; for now this is enough for most cases.

Anyway, it's all a good start. Install the utilities with the dedicated installer https://github.com/projectdiscovery/pdtm (just run pdtm -ia afterwards to get all the tools).