Simple Recon Subdomain
I used web tools to enumerate hosts and IPs.
TARGET IS A MAGIC STRING
# The awk pattern is the TARGET string itself; dots in it act as regex wildcards.
curl -s "https://rapiddns.io/subdomain/TARGET?full=1#result" | awk -v RS='<[^>]+>' '/TARGET/' | sort -u >>TARGET-rapiddns.txt
curl -s "https://riddler.io/search/exportcsv?q=pld:TARGET" | grep -Po "(([\w.-]*)\.([\w]*)\.([A-Za-z]))\w+" | sort -u >>TARGET-riddler.txt
curl -s "https://jldc.me/anubis/subdomains/TARGET" | grep -Po "((http|https)://)?(([\w.-]*)\.([\w]*)\.([A-Za-z]))\w+" | sort -u >>TARGET-jldc.txt
# Strip the literal "*." wildcard prefix from certificate names.
curl -s "https://crt.sh/?q=%25.TARGET&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u >>TARGET-crt.txt
# Each FDNS_A entry is "ip,host"; put each value on its own line.
curl -s "https://dns.bufferover.run/dns?q=.TARGET" | jq -r '.FDNS_A[]' | sed 's/,/\n/g' | sort -u >>TARGET-bufferover.txt
# Merge all per-source files into one de-duplicated, numbered list.
cat TARGET-*.txt | sort -u >TARGET.txt; cat -n TARGET.txt
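A post-processing step for the merged list, as an added example that is not part of the original tool: the scraping regexes also capture out-of-scope names, and `sort -u` alone does not normalize wildcards, schemes, case or trailing dots. The function names and the sample data (example.com, 192.0.2.x) are constructed for illustration.

```python
from __future__ import annotations
import ipaddress
import re

# RFC 1123 label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample data standing in for the per-source output files.
SAMPLE = [
    "*.example.com\nwww.example.com\nmail.example.com",         # crt.sh style
    "192.0.2.10,api.example.com\n192.0.2.11,WWW.example.com.",  # bufferover style
    "https://dev.example.com\nrapiddns.io\nnotexample.com\nexample.com.other.test",
]

def normalize(entry: str) -> str:
    """Reduce one scraped token to a bare lowercase hostname."""
    host = re.sub(r"^https?://", "", entry.strip().lower())  # optional scheme
    host = host.split("/", 1)[0]                             # drop any path
    while host.startswith("*."):                             # wildcard prefix
        host = host[2:]
    return host.rstrip(".")                                  # trailing root dot

def is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def merge_in_scope(target: str, blobs: list[str]) -> tuple[list[str], list[str]]:
    """Return (sorted in-scope hostnames, sorted IPs) from raw source text."""
    target = target.lower().rstrip(".")
    hosts, ips = set(), set()
    for blob in blobs:
        for token in filter(None, re.split(r"[,\s]+", blob)):
            if is_ip(token):
                ips.add(token)
                continue
            host = normalize(token)
            # Suffix match on a label boundary, so notexample.com is rejected.
            in_scope = host == target or host.endswith("." + target)
            if in_scope and all(_LABEL.match(p) for p in host.split(".")):
                hosts.add(host)
    return sorted(hosts), sorted(ips)

if __name__ == "__main__":
    hosts, ips = merge_in_scope("example.com", SAMPLE)
    print("\n".join(hosts + ips))
```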
USER TOOL
python tool.py {target}
python tool.py fbi.gov
OUTPUT
TARGET-rapiddns.txt
TARGET-riddler.txt
TARGET-jldc.txt
TARGET-crt.txt
TARGET-bufferover.txt
OUTPUT SORT UNIQ
TARGET.txt
DOWNLOAD TOOL