Bug Bounty Automation: Subdomain enumeration
Automatically find subdomains via XDomain tool.
Discovering subdomains manually would take an age. There are a lot of tools out there to find subdomains, but you can’t depend on just one tool to enumerate subdomains. Top bug bounty hunters have their own tools that automate the recon process including the subdomains enumeration part.
You should have a good workflow during the recon process. For that reason, we created XDomain tool that will provide you with a great combination to bring the best results (subdomains) for you. XDomain will use the following workflow:
XDomain will do the following:
- Get subdomains from Amass.
- Get subdomains from Sublist3r.
- Get subdomains from Subbrute.
- Get subdomains from SecurityTrails API (You need to add the API key in the config file).
- Generate subdomains via Altdns.
- Auto take the founded list of subdomains and find the live targets. (The quality of this function is better than httprobe).
- Remove all duplicates.
- Take a screenshot for every subdomain.
- Find the technology of every subdomain.
- Nmap scan against every subdomain.
- Generate a quick HTML report.
- sudo apt-get update
- sudo apt install python3-pip
- sudo apt-get install nmap
- pip3 install builtwith
- pip3 install python-nmap
- pip3 install dnspython
- pip3 install BeautifulSoup4 (On some systems, you need to install this first “sudo apt-get install python-bs4”)
- pip3 install selenium
- pip3 install eventlet
- sudo apt-get install firefox-esr (Only if not installed)
In the conf.py, you can control the tool that you want to run.