Enumerate Hostnames via OSINT Sources
Enumerate subdomains and hostnames passively using OSINT data sources
Category
Attack Surface Management
Inputs
domains
file
requiredList of domain names
source-configuration
file
YAML file with API keys and data source configuration
Outputs
subdomainssubdomain-detailspotential-hostnamespotential-hostname-detailssubdomain-wildcardssubdomain-wildcard-detailspotential-hostname-wildcardspotential-hostname-wildcard-details
Features
Enumerate Hostnames via OSINT Sources
Description
Enumerate subdomains passively using carefully chosen and tuned data sources to balance speed and thoroughness. It can also identify extra root domains and associated hostnames linked to the specified target domains, even if they aren’t their subdomains. You don’t need any 3rd-party API keys to use this module, but if you choose to query more data sources, you can give it that extra boost.
Features
- Carefully curated and optimized data sources ensure a balance between speed and comprehensiveness.
- Can enumerate thousands of domains simultaneously.
- Capable of identifying not only subdomains but also additional hostnames and root domains associated with the target organization.
- Functional without any API keys, but offers the option to provide them to improve results.
- Includes a detailed output file showing which data sources found each subdomain, helping you learn more.
Inputs
Required
- domains: a list of domain names
example.com
Optional
- source-configuration: YAML file with API keys and data source configuration
github:
- GITHUB_API_KEY_1
- GITHUB_API_KEY_2
shodan:
- SHODAN_API_KEY
#
# supported sources:
# - alienvault
# - anubis
# - bevigil
# - binaryedge
# - bufferover
# - c99
# - censys
# - certspotter
# - chaos
# - chinaz
# - commoncrawl
# - crtsh
# - digitorus
# - dnsdb
# - dnsdumpster
# - dnsrepo
# - fofa
# - fullhunt
# - github
# - hackertarget
# - hunter
# - intelx
# - netlas
# - leakix
# - passivetotal
# - quake
# - rapiddns
# - redhuntlabs
# - robtex
# - securitytrails
# - shodan
# - sitedossier
# - threatbook
# - virustotal
# - waybackarchive
# - whoisxmlapi
# - zoomeyeapi
# - facebook
# - builtwith
Outputs
- subdomains: List of discovered subdomains.
foo.example.com
bar.example.com
baz.example.com
- subdomain-details: JSONLines records of subdomain discovery details.
{"hostname": "foo.example.com", "domain_name": "example.com", "data_source": "osint source", "context": "github"}
{"hostname": "bar.example.com", "domain_name": "example.com", "data_source": "osint source", "context": "shodan"}
{"hostname": "baz.example.com", "domain_name": "example.com", "data_source": "osint source", "context": "waybackarchive"}
- potential-hostnames: List of related hostnames outside the strict scope.
foo.example-internal.com
bar.example-subsidiary.com
baz.example-service-provider.net
- potential-hostname-details: JSONLines records of potential hostname discovery details.
{"hostname": "foo.example-corp.com", "domain_name": "example-corp.com", "data_sources": "osint source", "context": "cloud tls certificate"}
{"hostname": "bar.example-subsidiary.com", "domain_name": "example-subsidiary.com", "data_sources": "osint source", "context": "reverse analytics code search"}
{"hostname": "baz.example-service-provider.net", "domain_name": "example-service-provider.net", "data_sources": "osint source", "context": "certificate transparency"}
- subdomain-wildcards: List of discovered subdomain wildcards.
*.internal.example.com
- subdomain-wildcard-details: JSONLines records of subdomain wildcard discovery details.
{"hostname": "*.internal.example.com", "domain_name": "example.com", "data_source": "osint source", "context": "cloud tls certificate"}
- potential-hostname-wildcards: List of related hostnames with wildcards outside the strict scope.
*.proxy.example-corp.com
- potential-hostname-wildcard-details: JSONLines records of potential hostname wildcard discovery details.
{"hostname": "*.proxy.example-corp.com", "domain_name": "example-corp.com", "data_source": "osint source", "context": "certificate transparency"}
Note: The *-details
outputs may contain duplicates if a hostname was discovered through multiple sources.
Changelog
- v1.0
- Initial release