amass

# amass Cheatsheet

**Type:** Actively maintained subdomain discovery — extensive data sources & tool integrations

## Installation

```bash
sudo apt install amass
# or
go install -v github.com/owasp-amass/amass/v4/...@master
# or
snap install amass
```

## Subcommands

| Subcommand | Description |
|---|---|
| `enum` | Subdomain enumeration (main command) |
| `intel` | Collect intel about an organisation |
| `viz` | Visualise enumeration results |
| `track` | Track differences between enumerations |
| `db` | Interact with the graph database |

## enum — Subdomain Enumeration

```bash
# Basic passive enumeration (no DNS queries are sent for the target's names)
amass enum -passive -d example.com

# Active enumeration: attempt zone transfers and pull names from TLS certificates
# (-active does NOT enable brute forcing; that is a separate flag)
amass enum -active -d example.com

# Brute force (resolves wordlist candidates against the domain)
amass enum -brute -d example.com

# Brute force with your own wordlist
amass enum -brute -w wordlist.txt -d example.com

# Multiple domains
amass enum -d example.com -d example.org

# Domains from file
amass enum -df domains.txt

# Output to file
amass enum -d example.com -o output.txt

# Output to JSON
amass enum -d example.com -json output.json

# Show the data source for each result
amass enum -d example.com -src

# Verbose
amass enum -v -d example.com

# Set timeout (minutes)
amass enum -d example.com -timeout 30

# Use specific resolvers
amass enum -d example.com -r 8.8.8.8,1.1.1.1

# Use resolver list
amass enum -d example.com -rf resolvers.txt

# Exclude / include data sources
# (source names must match the ones printed by `amass enum -list`)
amass enum -d example.com -exclude CrtSearch
amass enum -d example.com -include Wayback,CrtSearch
```

## Common Flags (enum)

| Flag | Description |
|---|---|
| `-d <domain>` | Target domain |
| `-df <file>` | File with list of domains |
| `-passive` | Passive only (no DNS resolution) |
| `-active` | Attempt zone transfers and certificate name grabs |
| `-brute` | Enable brute force |
| `-w <wordlist>` | Wordlist for brute force |
| `-o <file>` | Output results to file |
| `-json <file>` | Output as JSON |
| `-src` | Show data source for each result |
| `-ip` | Show IP addresses |
| `-r <resolvers>` | Comma-separated resolver IPs |
| `-rf <file>` | File of resolver IPs |
| `-timeout <n>` | Timeout in minutes |
| `-v` | Verbose |
| `-config <file>` | Config file path |
| `-dir <path>` | Directory for output/database |

## intel — Org Recon

```bash
# Find domains by organisation name
amass intel -org "Target Corp"

# Reverse whois: domains sharing registrant details with the target
amass intel -whois -d example.com

# Domains announced by an ASN
amass intel -asn 12345

# Domains from an address block (-cidr takes CIDR ranges; -addr takes single IPs / IP ranges)
amass intel -cidr 192.168.1.0/24
```

## Configuration File

Config file at `~/.config/amass/config.ini` (or specify with `-config`). That INI layout belongs to amass v3; amass v4 switched to a YAML config (`config.yaml`), so check which version you installed before copying a template:

...

3 min · d3vilsec

assetfinder

# assetfinder Cheatsheet

**Type:** Simple, lightweight subdomain finder using multiple passive data sources — ideal for quick recon

## Installation

```bash
go install github.com/tomnomnom/assetfinder@latest
# Binary ends up in ~/go/bin/assetfinder

# Or download a pre-built binary
wget https://github.com/tomnomnom/assetfinder/releases/latest/download/assetfinder-linux-amd64.tgz
tar xf assetfinder-linux-amd64.tgz
mv assetfinder /usr/local/bin/
```

## Basic Usage

```bash
assetfinder <domain>
assetfinder example.com
```

## Flags

| Flag | Description |
|---|---|
| `--subs-only` | Show only subdomains (filter out related domains / TLD variants) |

## Common Commands

```bash
# All results (subdomains + related domains)
assetfinder example.com

# Subdomains only (most common usage)
assetfinder --subs-only example.com

# Save to file
assetfinder --subs-only example.com > subdomains.txt

# Multiple domains from stdin
cat domains.txt | xargs -I{} assetfinder --subs-only {}

# Pipe into other tools: check live hosts
assetfinder --subs-only example.com | httprobe

# Deduplicate
assetfinder --subs-only example.com | sort -u
```

## Data Sources Used

- crt.sh (Certificate transparency logs)
- certspotter (SSL cert monitoring)
- hackertarget (Passive DNS)
- threatcrowd (Threat intelligence)
- wayback (Wayback Machine / archive.org)
- dnsdumpster (DNS recon service)
- facebook CT (Facebook certificate transparency)
- virustotal (Passive DNS)
- findsubdomains.com

## Pipeline Examples

```bash
# Find subdomains → probe for live web servers → save
assetfinder --subs-only example.com | httprobe | tee live_hosts.txt

# Find subdomains → resolve to IPs
assetfinder --subs-only example.com | \
  xargs -I{} dig +short {} | grep -v "^$" | sort -u

# Find subdomains → run nmap on live ones
assetfinder --subs-only example.com | \
  httprobe | sed 's/https\?:\/\///' | \
  xargs -I{} nmap -p 80,443 {}

# Combine with other tools for coverage
(assetfinder --subs-only example.com; \
 subfinder -d example.com -silent; \
 amass enum -passive -d example.com) | sort -u > all_subs.txt
```

## Notes

- Passive only — does not brute force DNS or make queries to the target
- Fast and lightweight — great first pass before heavier tools
- No API keys needed for most sources (some may be rate-limited)
- Output may contain duplicates — always pipe through `sort -u`
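The "Combine with other tools for coverage" pipeline above only de-duplicates exact strings. In practice the sources disagree on case, emit `*.` wildcard names from certificate transparency, leave trailing dots or URL schemes, and (without `--subs-only`) return related domains that are out of scope. The following shell function is an added example, not part of assetfinder or this cheatsheet, that normalises such a merged stream into a clean in-scope list. The input lines are constructed to show each of those cases; the only assumption is that the target apex is passed as the first argument.

```shell
#!/bin/sh
# Added example (not assetfinder project code): normalise and merge the raw
# output of several passive sources into one clean, in-scope subdomain list.
# The sample lines in sample_raw are constructed, not real tool output.

# merge_subs DOMAIN  < raw_lines
#   - lower-cases names (DNS is case-insensitive; crt.sh mixes case)
#   - strips "http(s)://" and any path that some sources emit
#   - strips "*." wildcard prefixes returned by certificate transparency
#   - strips trailing dots
#   - keeps only DOMAIN itself and names ending in ".DOMAIN"
#     (rejects look-alikes such as notexample.com or evil-example.com)
#   - de-duplicates
merge_subs() {
    domain=$1
    tr 'A-Z' 'a-z' \
      | sed -e 's#^https\{0,1\}://##' -e 's#/.*$##' -e 's/^\*\.//' -e 's/\.$//' \
      | grep -v '^$' \
      | awk -v d="$domain" '
            # apex, or the last len(d)+1 chars are "." followed by the apex
            $0 == d || substr($0, length($0) - length(d)) == "." d
        ' \
      | LC_ALL=C sort -u
}

# Constructed sample of the kind of mixed output produced by
# (assetfinder example.com; subfinder ...; amass enum -passive ...)
sample_raw() {
    cat <<'EOF'
WWW.example.com
*.dev.example.com
https://api.example.com/
mail.example.com.
example.com
www.example.com
exampleorg.net
notexample.com
evil-example.com
EOF
}

# Demo: prints the five in-scope names, one per line
sample_raw | merge_subs example.com
```

Drop this in front of `httprobe` or `puredns resolve` so the scope check happens before any traffic is generated; the `LC_ALL=C` on `sort` keeps the order stable across locales.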

2 min · d3vilsec

dnsenum

# dnsenum Cheatsheet

**Type:** Comprehensive DNS enumeration — dictionary & brute-force subdomain discovery

## Installation

```bash
sudo apt install dnsenum
# or
git clone https://github.com/fwaeytens/dnsenum.git
```

## Basic Usage

```bash
dnsenum <domain>
dnsenum example.com
```

## Common Flags

| Flag | Description |
|---|---|
| `--dnsserver <ns>` | Use a specific DNS server |
| `-f <wordlist>` | Wordlist for subdomain brute force |
| `-r` | Enable recursive brute force on found subdomains |
| `-p <pages>` | Number of Google scraping pages (default: 5) |
| `-s <results>` | Maximum results from Google scraping |
| `-o <file>` | Output to XML file |
| `--enum` | Shortcut equivalent to `--threads 5 -s 15 -w` (threads, Google scraping, whois on netranges) |
| `--threads <n>` | Number of threads for brute forcing |
| `--noreverse` | Skip reverse lookup on found IP ranges |
| `--nocolor` | Disable colored output |
| `-v` | Verbose output |
| `--timeout <s>` | DNS query timeout in seconds |

## Common Commands

```bash
# Full enumeration with brute force
dnsenum --dnsserver <ns> --enum -p 0 -s 0 -f wordlist.txt <domain>

# Brute force with threads, no Google scraping
dnsenum -f wordlist.txt --threads 20 --noreverse <domain>

# Output to XML
dnsenum -f wordlist.txt -o output.xml <domain>

# Recursive brute force (enumerate found subdomains too)
dnsenum -f wordlist.txt -r <domain>

# Suppress Google scraping (clean/offline)
dnsenum -p 0 -s 0 -f wordlist.txt <domain>

# Use specific nameserver
dnsenum --dnsserver 8.8.8.8 -f wordlist.txt <domain>
```

## What dnsenum Does Automatically

1. Queries A, NS, MX records
2. Attempts zone transfer (AXFR) on each nameserver
3. Google scraping for subdomains (unless `-p 0 -s 0`)
4. Reverse lookups on found IP ranges (unless `--noreverse`)
5. Brute forces subdomains from wordlist (if `-f` provided)

Note that `--enum` re-enables Google scraping through `-s 15`, so pass `-p 0 -s 0` after it if you want a quiet run.

## Recommended Wordlists

```
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
/usr/share/wordlists/dnsmap.txt
```

## Example Full Run

```bash
dnsenum --dnsserver 8.8.8.8 \
  --enum \
  -p 0 -s 0 \
  --threads 20 \
  -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  -o results.xml \
  example.com
```

2 min · d3vilsec

dnsrecon

# dnsrecon Cheatsheet

**Type:** Versatile DNS reconnaissance — multiple techniques, customisable output formats

## Installation

```bash
sudo apt install dnsrecon
# or
git clone https://github.com/darkoperator/dnsrecon.git
pip3 install -r requirements.txt
```

## Basic Usage

```bash
dnsrecon -d <domain>
dnsrecon -d example.com
```

## Scan Types (`-t`)

| Type | Description |
|---|---|
| `std` | Standard — SOA, NS, A, AAAA, MX, SRV records |
| `axfr` | Zone transfer attempt on all nameservers |
| `brt` | Brute force subdomains from wordlist |
| `rvl` | Reverse lookup on IP range |
| `goo` | Google scraping for subdomains (dropped from current releases; use `bing` or `crt`) |
| `snoop` | Cache snooping on nameservers |
| `tld` | Check all TLD variations of domain |
| `zonewalk` | DNSSEC zone walking (NSEC enumeration) |
| `srv` | SRV record enumeration |
| `bing` | Bing scraping for subdomains |
| `crt` | Certificate transparency logs |

## Common Flags

| Flag | Description |
|---|---|
| `-d <domain>` | Target domain |
| `-t <type>` | Scan type (see table above); combine with commas, e.g. `-t std,brt` |
| `-D <wordlist>` | Wordlist for brute force (`brt`) |
| `-n <nameserver>` | Use specific nameserver |
| `-r <cidr>` | IP range for reverse lookups |
| `-c <file>` | Save output to CSV |
| `-j <file>` | Save output to JSON |
| `-x <file>` | Save output to XML |
| `--db <file>` | Save output to SQLite DB |
| `-f` | Filter wildcard results (drop brute-force hits that resolve to the wildcard IP) |
| `-a` | Also attempt AXFR during a `std` scan |
| `--iw` | Continue brute force even if wildcard detected |
| `-v` | Verbose output |
| `--lifetime <s>` | Query lifetime in seconds |
| `--tcp` | Use TCP for queries |

## Common Commands

```bash
# Standard enumeration (SOA/NS/A/AAAA/MX/SRV)
dnsrecon -d example.com -t std

# Zone transfer attempt
dnsrecon -d example.com -t axfr

# Brute force subdomains
dnsrecon -d example.com -t brt -D wordlist.txt

# Reverse lookup on a range
dnsrecon -r 192.168.1.0/24 -t rvl

# Cache snooping (names in the wordlist are looked up non-recursively)
dnsrecon -t snoop -n <nameserver> -D wordlist.txt

# DNSSEC zone walking
dnsrecon -d example.com -t zonewalk

# Certificate transparency
dnsrecon -d example.com -t crt

# Multiple scan types at once
dnsrecon -d example.com -t std,axfr,brt -D wordlist.txt

# Use specific nameserver
dnsrecon -d example.com -n 8.8.8.8 -t std

# Output to JSON
dnsrecon -d example.com -t std -j output.json

# Output to CSV
dnsrecon -d example.com -t brt -D wordlist.txt -c output.csv

# Filter wildcards during brute force
dnsrecon -d example.com -t brt -D wordlist.txt -f

# Force brute force through wildcard
dnsrecon -d example.com -t brt -D wordlist.txt --iw
```

## Recommended Wordlists

```
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
```

## Example Full Run

```bash
dnsrecon -d example.com \
  -t std,axfr,brt \
  -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  -n 8.8.8.8 \
  -f \
  -j dnsrecon_results.json
```

2 min · d3vilsec

feroxbuster

# feroxbuster Cheatsheet

**Type:** Fast Rust-based web fuzzer — recursive directory brute forcing, wildcard detection, rich filtering

## Installation

```bash
sudo apt install feroxbuster
# or
curl -sL https://raw.githubusercontent.com/epi052/feroxbuster/main/install-nix.sh | bash
# or
cargo install feroxbuster
```

## Basic Usage

```bash
feroxbuster -u http://<ip>
feroxbuster -u http://<ip> -w wordlist.txt
```

## Common Flags

| Flag | Description |
|---|---|
| `-u <url>` | Target URL |
| `-w <wordlist>` | Wordlist (default: built-in if not specified) |
| `-t <n>` | Threads (default: 50) |
| `-x <ext>` | File extensions to append |
| `-d <n>` | Recursion depth (default: 4, 0 = unlimited) |
| `-r` | Follow redirects |
| `-k` | Disable TLS certificate verification |
| `-n` | Disable recursion |
| `-C <codes>` | Filter out status codes |
| `-s <codes>` | Only show these status codes |
| `-S <size>` | Filter by response size (bytes) |
| `-W <words>` | Filter by word count in response |
| `-N <lines>` | Filter by line count in response (`-L` is the scan limit, not a filter) |
| `-X <regex>` | Filter by response body regex |
| `-H <header>` | Add custom header (repeatable) |
| `-b <cookie>` | Add cookie |
| `-m <methods>` | HTTP methods (default: GET) |
| `-o <file>` | Output to file |
| `-q` | Quiet — no banner or progress |
| `--json` | Output as JSON |
| `-v` | Verbose |
| `-T <seconds>` | Request timeout |
| `--rate-limit <n>` | Max requests per second |
| `-p <proxy>` | Use proxy (http/socks5) |
| `-H "Authorization: Basic <base64>"` | HTTP Basic auth (no dedicated user/password flags; send the header) |
| `-a <agent>` | User-Agent string |
| `--dont-filter` | Disable wildcard filtering |
| `--auto-tune` | Automatically slow down on errors |
| `--collect-extensions` | Collect and scan discovered extensions |
| `--collect-words` | Build wordlist from responses |
| `--resume-from <file>` | Resume from a saved state file |

## Common Commands

```bash
# Basic scan with extensions
feroxbuster -u http://<ip> -w wordlist.txt -x php,html,txt

# No recursion (flat scan)
feroxbuster -u http://<ip> -w wordlist.txt -n

# Limit recursion depth
feroxbuster -u http://<ip> -w wordlist.txt -d 2

# Filter out 404s and 403s
feroxbuster -u http://<ip> -w wordlist.txt -C 404,403

# Only show 200 and 301
feroxbuster -u http://<ip> -w wordlist.txt -s 200,301

# Filter responses by size (remove default page noise)
feroxbuster -u http://<ip> -w wordlist.txt -S 1234

# Filter by word count
feroxbuster -u http://<ip> -w wordlist.txt -W 25

# HTTPS with TLS skip
feroxbuster -u https://<ip> -w wordlist.txt -k

# Custom headers (e.g. API auth)
feroxbuster -u http://<ip> -w wordlist.txt \
  -H "Authorization: Bearer <token>" \
  -H "X-Custom: value"

# Use proxy (Burp Suite)
feroxbuster -u http://<ip> -w wordlist.txt \
  -p http://127.0.0.1:8080 -k

# POST requests
feroxbuster -u http://<ip> -w wordlist.txt -m POST

# Multiple HTTP methods
feroxbuster -u http://<ip> -w wordlist.txt -m GET,POST,PUT

# Output to file (a state file is also written so the scan can be resumed)
feroxbuster -u http://<ip> -w wordlist.txt -o results.txt

# JSON output
feroxbuster -u http://<ip> -w wordlist.txt --json -o results.json

# Resume interrupted scan
feroxbuster --resume-from ferox-<ip>.state

# Rate limit (be polite / stay under detection thresholds)
feroxbuster -u http://<ip> -w wordlist.txt --rate-limit 100

# Collect extensions seen in responses and scan them too
feroxbuster -u http://<ip> -w wordlist.txt --collect-extensions

# Build a wordlist from page content, then use it
feroxbuster -u http://<ip> -w wordlist.txt --collect-words
```

## Virtual Host Discovery

```bash
# feroxbuster doesn't natively fuzz Host headers.
# Use -H to set one specific host header, or use ffuf/gobuster for vhost fuzzing.
feroxbuster -u http://<ip> -w wordlist.txt \
  -H "Host: staging.example.com"
```

## Interactive Pause Menu

While feroxbuster is running, press ENTER to open the interactive menu:

...

3 min · d3vilsec

ffuf

# ffuf Cheatsheet

**Type:** Fast web fuzzer — directory busting, virtual host discovery, parameter fuzzing, Host header fuzzing

## Installation

```bash
sudo apt install ffuf
# or
go install github.com/ffuf/ffuf/v2@latest
```

## Core Concept

`FUZZ` is the keyword replaced by each wordlist entry. It can go anywhere in the request — URL path, headers, parameters, body.

```bash
ffuf -u http://<ip>/FUZZ -w wordlist.txt
```

Multiple keywords are supported by naming them with `-w wordlist:KEYWORD`:

```bash
ffuf -u http://<ip>/FUZZ -w wordlist1.txt -w params.txt:PARAM
```

## Common Flags

| Flag | Description |
|---|---|
| `-u <url>` | Target URL (include `FUZZ`) |
| `-w <wordlist>` | Wordlist (use `wordlist:KEYWORD` for named) |
| `-H <header>` | Add/fuzz header (repeatable) |
| `-X <method>` | HTTP method (default: GET) |
| `-d <data>` | POST data body |
| `-b <cookie>` | Cookie string |
| `-r` | Follow redirects |
| `-k` | Skip TLS verification |
| `-t <n>` | Threads (default: 40) |
| `-p <delay>` | Delay between requests in seconds (e.g. `0.1`, or a range `0.5-1.5`) |
| `-rate <n>` | Max requests per second |
| `-timeout <n>` | Request timeout in seconds |
| `-mc <codes>` | Match status codes (default: `200-299,301,302,307,401,403,405,500`) |
| `-ms <size>` | Match response size |
| `-mw <words>` | Match word count |
| `-ml <lines>` | Match line count |
| `-mr <regex>` | Match regex in response body |
| `-fc <codes>` | Filter status codes |
| `-fs <size>` | Filter response size |
| `-fw <words>` | Filter word count |
| `-fl <lines>` | Filter line count |
| `-fr <regex>` | Filter regex in response body |
| `-ac` | Auto-calibrate filters (detects and removes false positives) |
| `-o <file>` | Output file |
| `-of <fmt>` | Output format: `json`, `ejson`, `html`, `md`, `csv`, `all` |
| `-v` | Verbose (show redirects, full URL) |
| `-s` | Silent — only results |
| `-c` | Colorize output |
| `-recursion` | Enable recursive fuzzing |
| `-recursion-depth <n>` | Recursion depth |
| `-e <exts>` | File extensions (e.g. `php,html,txt`) |
| `-ic` | Ignore wordlist comments |
| `-input-cmd <cmd>` | Use command output as input instead of wordlist |

## Directory & File Fuzzing

```bash
# Basic directory scan
ffuf -u http://<ip>/FUZZ -w wordlist.txt

# With file extensions
ffuf -u http://<ip>/FUZZ -w wordlist.txt -e .php,.html,.txt,.bak

# Filter 404s
ffuf -u http://<ip>/FUZZ -w wordlist.txt -fc 404

# Match only 200
ffuf -u http://<ip>/FUZZ -w wordlist.txt -mc 200

# Auto-calibrate (removes false positives automatically)
ffuf -u http://<ip>/FUZZ -w wordlist.txt -ac

# Recursive scanning
ffuf -u http://<ip>/FUZZ -w wordlist.txt -recursion -recursion-depth 3 -e .php

# Filter by response size (remove noise)
ffuf -u http://<ip>/FUZZ -w wordlist.txt -fs 4242
```

## Virtual Host Discovery (Host Header Fuzzing)

```bash
# Basic vhost fuzzing
ffuf -u http://<ip> -H "Host: FUZZ.example.com" -w wordlist.txt

# Filter the default response size (measure it first with a nonsense Host value)
ffuf -u http://<ip> -H "Host: FUZZ.example.com" \
  -w wordlist.txt \
  -fs <default_size>

# Auto-calibrate to remove default response
ffuf -u http://<ip> -H "Host: FUZZ.example.com" \
  -w wordlist.txt \
  -ac

# HTTPS
ffuf -u https://<ip> -H "Host: FUZZ.example.com" \
  -w wordlist.txt \
  -k -fs <default_size>
```

## Parameter Fuzzing

```bash
# GET parameter discovery
ffuf -u "http://<ip>/page?FUZZ=value" -w wordlist.txt -fc 404

# GET parameter value fuzzing
ffuf -u "http://<ip>/page?id=FUZZ" -w numbers.txt

# POST parameter fuzzing
ffuf -u http://<ip>/login \
  -X POST \
  -d "username=admin&password=FUZZ" \
  -w wordlist.txt \
  -fc 401

# POST body with JSON
ffuf -u http://<ip>/api/login \
  -X POST \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"FUZZ"}' \
  -w wordlist.txt
```

## Multiple Wordlists (Clusterbomb / Pitchfork)

The default multi-wordlist mode is clusterbomb (every combination of entries). Pass `-mode pitchfork` to walk the lists in lockstep instead (line 1 with line 1, line 2 with line 2), which is what you want for pre-paired credential lists.

```bash
# Two keywords — try all combinations (clusterbomb)
ffuf -u http://<ip>/FUZZ/W2 \
  -w wordlist.txt:FUZZ \
  -w extensions.txt:W2

# Username + password combinations
ffuf -u http://<ip>/login \
  -X POST \
  -d "user=USER&pass=PASS" \
  -w users.txt:USER \
  -w passwords.txt:PASS \
  -fc 401
```

## Fuzzing with Proxy (Burp Suite)

```bash
ffuf -u http://<ip>/FUZZ -w wordlist.txt \
  -x http://127.0.0.1:8080 -k
```

## Output

```bash
# Save to file (markdown)
ffuf -u http://<ip>/FUZZ -w wordlist.txt -o results.md -of md

# Save as JSON
ffuf -u http://<ip>/FUZZ -w wordlist.txt -o results.json -of json

# Save all formats
ffuf -u http://<ip>/FUZZ -w wordlist.txt -o results -of all
```

## Recommended Wordlists

```
# Directories
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
/usr/share/seclists/Discovery/Web-Content/common.txt

# Virtual hosts / subdomains
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt

# Parameters
/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt

# Passwords
/usr/share/seclists/Passwords/xato-net-10-million-passwords-10000.txt
```

## Example Full Runs

```bash
# Directory + extension scan
ffuf -u http://example.com/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt \
  -e .php,.html,.txt,.bak \
  -ac -c -v \
  -t 50 \
  -o ffuf_dir.json -of json

# Virtual host discovery
ffuf -u http://example.com \
  -H "Host: FUZZ.example.com" \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  -ac -c \
  -t 50 \
  -o ffuf_vhost.json -of json
```
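Both the ffuf vhost section above (`-fs <default_size>`) and the feroxbuster `-S <size>` filter rely on you knowing which response size is the catch-all page. `-ac` guesses it for you; when it guesses wrong, or when you are reviewing a scan you already ran, the same answer comes out of the results file: the `(status_code, content_length)` pair that repeats most is the fallback page. The shell functions below are an added example, not ffuf or feroxbuster code. They read the CSV that `ffuf -of csv -o out.csv` writes and locate columns by header name, so only the constructed sample depends on the column order shown.

```shell
#!/bin/sh
# Added example (not ffuf/feroxbuster project code): find the response sizes
# to pass to "ffuf -fs" / "feroxbuster -S" from an existing ffuf CSV result file.
# The CSV in sample_csv is constructed; a real file comes from "ffuf -of csv".

# noise_sizes MIN_HITS < ffuf.csv
#   prints "status_code content_length count" for every pair that occurred
#   at least MIN_HITS times, most frequent first
noise_sizes() {
    min=${1:-5}
    awk -F, -v min="$min" '
        NR == 1 {
            # map header names to column indexes, so column order does not matter
            for (i = 1; i <= NF; i++) col[$i] = i
            next
        }
        NF < 2 { next }                              # skip blank lines
        {
            key = $col["status_code"] " " $col["content_length"]
            n[key]++
        }
        END { for (k in n) if (n[k] >= min) print k, n[k] }
    ' | LC_ALL=C sort -k3,3nr -k1,1n
}

# fs_arg MIN_HITS < ffuf.csv
#   the same lengths joined with commas, ready for: ffuf ... -fs "$(fs_arg 5 < out.csv)"
fs_arg() {
    noise_sizes "$1" | awk '{ a = a (a == "" ? "" : ",") $2 } END { print a }'
}

# Constructed ffuf CSV: six vhost misses that all got the same 4242-byte
# default page, one real vhost (1890 bytes) and one 401 from an API host
sample_csv() {
    cat <<'EOF'
FUZZ,url,redirectlocation,position,status_code,content_length,content_words,content_lines,content_type,duration,resultfile
admin,http://203.0.113.5/,,0,200,4242,300,80,text/html,12ms,
test,http://203.0.113.5/,,1,200,4242,300,80,text/html,11ms,
dev,http://203.0.113.5/,,2,200,4242,300,80,text/html,13ms,
staging,http://203.0.113.5/,,3,200,1890,120,40,text/html,15ms,
mail,http://203.0.113.5/,,4,200,4242,300,80,text/html,10ms,
api,http://203.0.113.5/,,5,401,77,9,3,application/json,9ms,
old,http://203.0.113.5/,,6,200,4242,300,80,text/html,12ms,
www2,http://203.0.113.5/,,7,200,4242,300,80,text/html,11ms,
EOF
}

# Demo: prints "200 4242 6", i.e. filter with -fs 4242 and re-run
sample_csv | noise_sizes 3
```

Keep the threshold well above one: a legitimate hit can share a size with one other page by coincidence, but not with dozens. Check the `-fs` value against the `-fc`/`-mc` set as well, since a 403 catch-all has a different length from the 200 one and needs its own entry in the comma list.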

4 min · d3vilsec

fierce

# fierce Cheatsheet

**Type:** User-friendly recursive subdomain discovery with wildcard detection

## Installation

```bash
sudo apt install fierce
# or
pip3 install fierce
# or
git clone https://github.com/mschwager/fierce.git
```

## Basic Usage

```bash
fierce --domain <domain>
fierce --domain example.com
```

## Common Flags

| Flag | Description |
|---|---|
| `--domain <domain>` | Target domain |
| `--subdomain-file <file>` | Custom wordlist for brute forcing (the Python rewrite has no `--wordlist` flag) |
| `--dns-servers <ns>` | Use specific DNS servers (space-separated) |
| `--delay <seconds>` | Delay between requests |
| `--subdomains <list>` | Manually specify subdomains to check |
| `--wide` | Scan entire Class C of discovered hosts |
| `--traverse <n>` | Scan IPs n away from discovered hosts |
| `--search <domains>` | Filter results by domain pattern |
| `--range <cidr>` | Scan an IP range for PTR records |
| `--connect` | Attempt HTTP/HTTPS connections to found hosts |

## Common Commands

```bash
# Basic scan (uses built-in wordlist)
fierce --domain example.com

# Custom wordlist
fierce --domain example.com \
  --subdomain-file /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

# Use specific DNS server
fierce --domain example.com --dns-servers 8.8.8.8

# Wide scan (scan Class C of discovered IPs)
fierce --domain example.com --wide

# Add a delay to stay under rate limits / detection thresholds
fierce --domain example.com --delay 3

# Traverse IPs near discovered hosts
fierce --domain example.com --traverse 5

# Check HTTP/HTTPS on found hosts
fierce --domain example.com --connect

# Save results (there is no dedicated output flag; redirect stdout)
fierce --domain example.com > results.txt

# Scan IP range for reverse DNS
fierce --range 192.168.1.0/24
```

## Key Features

- Wildcard detection (avoids false positives from wildcard DNS)
- Recursive: checks subdomains of subdomains
- Identifies adjacent IPs in same IP space
- Clean, readable output format
- Built-in default wordlist

## Wildcard Detection

Fierce automatically detects wildcard DNS entries. If a domain resolves all queries (e.g., `*.example.com` → same IP), fierce identifies this and handles it gracefully instead of reporting false positives.

...

2 min · d3vilsec

gobuster

# gobuster Cheatsheet

**Type:** Multi-purpose brute-forcing tool — directories, files, DNS subdomains, virtual hosts, S3 buckets

## Installation

```bash
sudo apt install gobuster
# or
go install github.com/OJ/gobuster/v3@latest
```

## Modes

| Mode | Description |
|---|---|
| `dir` | Directory and file brute forcing |
| `dns` | DNS subdomain brute forcing |
| `vhost` | Virtual host discovery |
| `fuzz` | Fuzzing (replace `FUZZ` keyword anywhere in URL) |
| `s3` | AWS S3 bucket enumeration |
| `gcs` | Google Cloud Storage bucket enumeration |

## Global Flags

| Flag | Description |
|---|---|
| `-w <wordlist>` | Wordlist path |
| `-t <n>` | Threads (default: 10) |
| `-o <file>` | Output to file |
| `-q` | Quiet — only print results |
| `-v` | Verbose |
| `--no-error` | Suppress errors |
| `-z` | No progress bar |
| `--delay <ms>` | Delay between requests |

## dir — Directory & File Brute Force

```bash
# Basic scan
gobuster dir -u http://<ip> -w wordlist.txt

# Typical option set:
#   -t 50          50 threads
#   -x ...         file extensions
#   -b 404,403     status codes to exclude (or -s 200,204,301,302,307 to whitelist;
#                  -s and -b are mutually exclusive in gobuster 3.x, use one)
#   --timeout 10s  request timeout
#   -k             skip TLS verification
#   -c ...         cookie
#   -H ...         custom header
#   -U / -P        HTTP Basic auth
#   -r             follow redirects
#   -e             print full URL
# (do not put "#" comments after a trailing backslash: it ends the command)
gobuster dir -u http://<ip> -w wordlist.txt \
  -t 50 \
  -x php,html,txt,bak \
  -b 404,403 \
  --timeout 10s \
  -k \
  -c "PHPSESSID=abc123" \
  -H "Authorization: Bearer tok" \
  -U <user> -P <pass> \
  -r \
  -e \
  -o results.txt

# HTTPS target
gobuster dir -u https://<ip> -w wordlist.txt -k

# Custom User-Agent
gobuster dir -u http://<ip> -w wordlist.txt \
  -a "Mozilla/5.0"
```

### dir Flags

| Flag | Description |
|---|---|
| `-u <url>` | Target URL |
| `-x <ext>` | File extensions (comma-separated) |
| `-s <codes>` | Allowed status codes (mutually exclusive with `-b`) |
| `-b <codes>` | Blacklisted status codes (mutually exclusive with `-s`) |
| `-r` | Follow redirects |
| `-k` | Skip TLS certificate verification |
| `-c <cookie>` | Cookie string |
| `-H <header>` | Extra header (repeatable) |
| `-U` / `-P` | HTTP Basic auth username/password |
| `-e` | Print full URL in output |
| `-l` | Print response length |
| `--timeout <dur>` | Request timeout |
| `--wildcard` | Force continue if wildcard found |
| `--exclude-length <n>` | Exclude responses of this length |

## dns — Subdomain Brute Force

```bash
# Basic DNS brute force
gobuster dns -d <domain> -w wordlist.txt

# With specific resolver
gobuster dns -d example.com -w wordlist.txt -r 8.8.8.8

# Show IP addresses
gobuster dns -d example.com -w wordlist.txt -i

# Wildcard override
gobuster dns -d example.com -w wordlist.txt --wildcard
```

### dns Flags

| Flag | Description |
|---|---|
| `-d <domain>` | Target domain |
| `-r <resolver>` | Custom DNS resolver |
| `-i` | Show IP addresses of found subdomains |
| `--wildcard` | Force scan even if wildcard DNS detected |

## vhost — Virtual Host Discovery

```bash
# Basic vhost scan
gobuster vhost -u http://<ip> -w wordlist.txt

# Append domain to wordlist entries
gobuster vhost -u http://<ip> -w wordlist.txt \
  --append-domain \
  --domain example.com

# Filter out a specific response length (removes the default/fallback page)
gobuster vhost -u http://<ip> -w wordlist.txt \
  --append-domain \
  --exclude-length 290

# HTTPS
gobuster vhost -u https://<ip> -w wordlist.txt -k --append-domain
```

### vhost Flags

| Flag | Description |
|---|---|
| `-u <url>` | Target URL |
| `--append-domain` | Append base domain to each word |
| `--domain <domain>` | Base domain to append |
| `--exclude-length <n>` | Exclude responses of this content length |

## fuzz — Generic Fuzzing

```bash
# Fuzz a parameter value
gobuster fuzz -u "http://<ip>/page.php?id=FUZZ" -w wordlist.txt

# Fuzz with status filter
gobuster fuzz -u "http://<ip>/FUZZ.php" -w wordlist.txt -b 404
```

## Recommended Wordlists

```
# Directories
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
/usr/share/seclists/Discovery/Web-Content/common.txt
/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt

# Files (with extensions)
/usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt

# Virtual hosts / subdomains
/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
```

## Example Full Runs

```bash
# Directory + file scan
gobuster dir \
  -u http://example.com \
  -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt \
  -x php,html,txt,bak,zip \
  -t 50 -e -l \
  -o gobuster_dir.txt

# Virtual host discovery
gobuster vhost \
  -u http://example.com \
  -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt \
  --append-domain \
  --exclude-length 290 \
  -t 50 \
  -o gobuster_vhost.txt
```

3 min · d3vilsec

puredns

# puredns Cheatsheet

**Type:** Powerful DNS brute-forcing and resolution tool — filters wildcard results effectively at scale

## Installation

```bash
go install github.com/d3mondev/puredns/v2@latest
# Binary ends up in ~/go/bin/puredns

# Also requires massdns (dependency for fast resolution)
git clone https://github.com/blechschmidt/massdns.git
cd massdns && make
sudo cp bin/massdns /usr/local/bin/
```

## Modes

| Mode | Description |
|---|---|
| `bruteforce` | Brute force subdomains using a wordlist |
| `resolve` | Resolve a list of domains/subdomains |

## Basic Usage

```bash
# Brute force
puredns bruteforce wordlist.txt example.com

# Resolve a list of subdomains
puredns resolve subdomains.txt
```

## Common Flags

| Flag | Description |
|---|---|
| `-r <file>` | Resolver list file (required for speed) |
| `--resolvers-trusted <file>` | Trusted resolvers used for wildcard detection and final validation |
| `-l <n>` | Rate limit (queries per second) |
| `--bin <path>` | Path to massdns binary |
| `-w <file>` | Write valid results to file |
| `--wildcard-tests <n>` | Number of queries per name used to detect wildcard / load-balanced answers (default: 3) |
| `--wildcard-batch <n>` | Subdomains to test per batch |
| `--skip-wildcard-filter` | Skip wildcard filtering |
| `--skip-validation` | Skip validation step |
| `-t <n>` | Massdns threads |
| `-q` | Quiet mode |
| `-v` | Verbose |

## Common Commands

```bash
# Basic brute force with resolver list
puredns bruteforce wordlist.txt example.com -r resolvers.txt

# Brute force with rate limiting
puredns bruteforce wordlist.txt example.com \
  -r resolvers.txt \
  -l 1000

# Brute force with trusted resolvers for wildcard detection
puredns bruteforce wordlist.txt example.com \
  -r resolvers.txt \
  --resolvers-trusted trusted.txt

# Save results to file
puredns bruteforce wordlist.txt example.com \
  -r resolvers.txt \
  -w results.txt

# Resolve a list of subdomains
puredns resolve subdomains.txt -r resolvers.txt

# Resolve and save valid results
puredns resolve subdomains.txt -r resolvers.txt -w resolved.txt

# Skip wildcard filter (if you want all results, including wildcard-only names)
puredns bruteforce wordlist.txt example.com \
  -r resolvers.txt \
  --skip-wildcard-filter

# Quiet output (subdomains only to stdout)
puredns bruteforce wordlist.txt example.com -r resolvers.txt -q
```

## Resolver Lists

Public resolver lists are essential for speed and accuracy:

...
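The wildcard filter is the reason to use puredns over a plain massdns run: a zone with `*.example.com` answers every brute-force candidate, and without filtering the whole wordlist comes back as "found". The mechanism is simple enough to reproduce, and seeing it spelled out makes `--wildcard-tests`, `--resolvers-trusted` and `--skip-wildcard-filter` easier to reason about. The shell functions below are an added example, not puredns code, and run offline: `wildcard_probes` generates the random labels you would resolve to learn the wildcard addresses, and `filter_wildcards` drops every name whose addresses are all in that set, over a constructed massdns-style answer file.

```shell
#!/bin/sh
# Added example (not puredns project code): the wildcard-filtering idea puredns
# applies, reproduced over constructed data so it runs without DNS access.
#
# wildcard_probes DOMAIN N
#   prints N random labels under DOMAIN. Resolving these (against trusted
#   resolvers) reveals which addresses the zone hands out for names that
#   cannot exist; collect those addresses into a file, one IP per line.
wildcard_probes() {
    domain=$1
    n=${2:-3}
    i=0
    while [ "$i" -lt "$n" ]; do
        # 12 random hex characters: a label that will never be in a real zone
        label=$(head -c 6 /dev/urandom | od -An -tx1 | tr -d ' \n')
        printf '%s.%s\n' "$label" "$domain"
        i=$((i + 1))
    done
}

# filter_wildcards WILDCARD_IP_FILE < answers
#   answers are "name. A ip" lines (massdns -o S layout, assumed here).
#   A name survives only if at least one of its A records is NOT a wildcard
#   address; names that merely echo the wildcard are discarded.
filter_wildcards() {
    awk -v wfile="$1" '
        BEGIN { while ((getline ip < wfile) > 0) wild[ip] = 1 }
        $2 == "A" {
            name = $1
            sub(/\.$/, "", name)             # strip trailing dot
            seen[name] = 1
            if (!($3 in wild)) keep[name] = 1
        }
        END { for (n in seen) if (n in keep) print n }
    ' | LC_ALL=C sort
}

# Constructed wildcard addresses, as if learned from resolving the probes
sample_wildcard_ips() { printf '203.0.113.10\n203.0.113.11\n'; }

# Constructed answers: www and api are real hosts (api is also covered by the
# wildcard, a common load-balancer setup); foo and bar only echo the wildcard.
sample_answers() {
    cat <<'EOF'
www.example.com. A 198.51.100.5
api.example.com. A 198.51.100.6
api.example.com. A 203.0.113.10
foo.example.com. A 203.0.113.10
bar.example.com. A 203.0.113.11
EOF
}

# demo: prints the two real names, api.example.com and www.example.com
demo() {
    tmp=$(mktemp)
    sample_wildcard_ips > "$tmp"
    sample_answers | filter_wildcards "$tmp"
    rm -f "$tmp"
}
demo
```

Two details carry over to real runs. First, the probe count matters: a zone that round-robins several wildcard addresses will leak one you have not seen if you only test once, which is why puredns exposes `--wildcard-tests`. Second, the answers used for the decision should come from resolvers you trust; a poisoned or flaky public resolver in the `-r` list can make a real host look like wildcard noise, which is the role of `--resolvers-trusted`.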

3 min · d3vilsec