Category

Attack Surface Management

Inputs

  • domains (file, required): List of domain names
  • source-configuration (file, optional): YAML file with API keys and data source configuration

Outputs

  • subdomains
  • subdomain-details
  • potential-hostnames
  • potential-hostname-details
  • subdomain-wildcards
  • subdomain-wildcard-details
  • potential-hostname-wildcards
  • potential-hostname-wildcard-details

Enumerate Hostnames via OSINT Sources

Description

Enumerate subdomains passively using carefully chosen and tuned data sources that balance speed and thoroughness. The module can also identify additional root domains and associated hostnames linked to the specified target domains, even when they are not subdomains of them. No third-party API keys are needed to use this module, but supplying keys lets it query more data sources and improves coverage.

Features

  • Carefully curated and optimized data sources ensure a balance between speed and comprehensiveness.
  • Can enumerate thousands of domains simultaneously.
  • Capable of identifying not only subdomains but also additional hostnames and root domains associated with the target organization.
  • Functional without any API keys, but offers the option to provide them to improve results.
  • Includes a detailed output file showing which data source found each subdomain, so you can see where each result came from.

Inputs

Required

  • domains: a list of domain names. Example:
      example.com

Optional

  • source-configuration: YAML file with API keys and data source configuration. Example:
      github:
        - GITHUB_API_KEY_1
        - GITHUB_API_KEY_2
      shodan:
        - SHODAN_API_KEY
      #
      # supported sources:
      # - alienvault
      # - anubis
      # - bevigil
      # - binaryedge
      # - bufferover
      # - c99
      # - censys
      # - certspotter
      # - chaos
      # - chinaz
      # - commoncrawl
      # - crtsh
      # - digitorus
      # - dnsdb
      # - dnsdumpster
      # - dnsrepo
      # - fofa
      # - fullhunt
      # - github
      # - hackertarget
      # - hunter
      # - intelx
      # - netlas
      # - leakix
      # - passivetotal
      # - quake
      # - rapiddns
      # - redhuntlabs
      # - robtex
      # - securitytrails
      # - shodan
      # - sitedossier
      # - threatbook
      # - virustotal
      # - waybackarchive
      # - whoisxmlapi
      # - zoomeyeapi
      # - facebook
      # - builtwith

Outputs

  • subdomains: List of discovered subdomains. Example:
      foo.example.com
      bar.example.com
      baz.example.com
  • subdomain-details: JSONLines records of subdomain discovery details. Example:
      {"hostname": "foo.example.com", "domain_name": "example.com", "data_source": "osint source", "context": "github"}
      {"hostname": "bar.example.com", "domain_name": "example.com", "data_source": "osint source", "context": "shodan"}
      {"hostname": "baz.example.com", "domain_name": "example.com", "data_source": "osint source", "context": "waybackarchive"}
  • potential-hostnames: List of related hostnames outside the strict scope. Example:
      foo.example-internal.com
      bar.example-subsidiary.com
      baz.example-service-provider.net
  • potential-hostname-details: JSONLines records of potential hostname discovery details. Example:
      {"hostname": "foo.example-corp.com", "domain_name": "example-corp.com", "data_sources": "osint source", "context": "cloud tls certificate"}
      {"hostname": "bar.example-subsidiary.com", "domain_name": "example-subsidiary.com", "data_sources": "osint source", "context": "reverse analytics code search"}
      {"hostname": "baz.example-service-provider.net", "domain_name": "example-service-provider.net", "data_sources": "osint source", "context": "certificate transparency"}
  • subdomain-wildcards: List of discovered subdomain wildcards. Example:
      *.internal.example.com
  • subdomain-wildcard-details: JSONLines records of subdomain wildcard discovery details. Example:
      {"hostname": "*.internal.example.com", "domain_name": "example.com", "data_source": "osint source", "context": "cloud tls certificate"}
  • potential-hostname-wildcards: List of related hostnames with wildcards outside the strict scope. Example:
      *.proxy.example-corp.com
  • potential-hostname-wildcard-details: JSONLines records of potential hostname wildcard discovery details. Example:
      {"hostname": "*.proxy.example-corp.com", "domain_name": "example-corp.com", "data_source": "osint source", "context": "certificate transparency"}

Note: The *-details outputs may contain duplicates if a hostname was discovered through multiple sources.
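Because the *-details outputs repeat a hostname once per source that found it, a consumer usually wants one entry per hostname with the full list of contexts. The following is an added example (not the module's own code) that parses records in the documented shape, merges duplicates by hostname, and separates wildcard entries; the sample records are constructed, and the parser accepts both the "data_source" and "data_sources" key spellings that appear in the samples above.

```python
import json

# Constructed sample in the documented *-details record shape; foo.example.com
# appears twice because two sources reported it.
SAMPLE_DETAILS = """\
{"hostname": "foo.example.com", "domain_name": "example.com", "data_source": "osint source", "context": "github"}
{"hostname": "foo.example.com", "domain_name": "example.com", "data_source": "osint source", "context": "crtsh"}
{"hostname": "bar.example.com", "domain_name": "example.com", "data_sources": "osint source", "context": "shodan"}
{"hostname": "*.internal.example.com", "domain_name": "example.com", "data_source": "osint source", "context": "cloud tls certificate"}
"""


def parse_details(jsonl):
    """Parse JSONLines text into a list of dicts, skipping blank lines.
    Normalises the 'data_sources' key to 'data_source' so later code sees one name."""
    records = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if "data_source" not in rec and "data_sources" in rec:
            rec["data_source"] = rec.pop("data_sources")
        records.append(rec)
    return records


def merge_by_hostname(records):
    """Collapse duplicate records into {hostname: {"domain_name", "contexts"}}.
    Hostnames are lower-cased and a trailing dot stripped so FOO.example.com.
    and foo.example.com count as the same host."""
    merged = {}
    for rec in records:
        host = rec["hostname"].lower().rstrip(".")
        entry = merged.setdefault(host, {"domain_name": rec["domain_name"], "contexts": set()})
        entry["contexts"].add(rec["context"])
    return {h: {"domain_name": e["domain_name"], "contexts": sorted(e["contexts"])}
            for h, e in merged.items()}


def split_wildcards(merged):
    """Return (concrete, wildcards): wildcard entries start with '*.' and
    should not be fed to steps that expect resolvable hostnames."""
    concrete = {h: e for h, e in merged.items() if not h.startswith("*.")}
    wildcards = {h: e for h, e in merged.items() if h.startswith("*.")}
    return concrete, wildcards
```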

Changelog

  • v1.0.0
    • Initial release
  • v1.0.1
    • Bug fixes
  • v1.0.2
    • Performance improvements
  • v1.0.3
    • Improved output efficiency by storing one record per unique hostname from the certificate_transparency source