Enumerate Hostnames via OSINT Sources
Enumerate subdomains and hostnames passively using OSINT data sources
Category
Attack Surface Management
Inputs
- domains (file, required): List of domain names
- source-configuration (file): YAML file with API keys and data source configuration
Description
Enumerate subdomains passively using carefully chosen and tuned data sources to balance speed and thoroughness. It can also identify extra root domains and associated hostnames linked to the specified target domains, even if they aren’t their subdomains. You don’t need any 3rd-party API keys to use this module, but if you choose to query more data sources, you can give it that extra boost.
Features
- Carefully curated and optimized data sources ensure a balance between speed and comprehensiveness.
- Can enumerate thousands of domains simultaneously.
- Capable of identifying not only subdomains but also additional hostnames and root domains associated with the target organization.
- Functional without any API keys, but offers the option to provide them to improve results.
- Includes a detailed output file showing which data sources found each subdomain, helping you learn more.
Inputs
Required
- domains: a list of domain names
Optional
- source-configuration: YAML file with API keys and data source configuration
Outputs
- subdomains: List of discovered subdomains.
- subdomain-details: JSONLines records of subdomain discovery details.
- potential-hostnames: List of related hostnames outside the strict scope.
- potential-hostname-details: JSONLines records of potential hostname discovery details.
- subdomain-wildcards: List of discovered subdomain wildcards.
- subdomain-wildcard-details: JSONLines records of subdomain wildcard discovery details.
- potential-hostname-wildcards: List of related hostnames with wildcards outside the strict scope.
- potential-hostname-wildcard-details: JSONLines records of potential hostname wildcard discovery details.
Note: The *-details outputs may contain duplicates if a hostname was discovered through multiple sources.
Changelog
- v1.0.0
  - Initial release
- v1.0.1
  - Bug fixes
- v1.0.2
  - Performance improvements