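Techniques
DNS resolution records
Collection from the main site
Single sign-on (SSO) endpoints
crossdomain.xml
Reverse IP lookup
Collection via HTTPS certificates
DNS zone transfer
Reverse lookup of domains from contact information / e-mail addresses
x-dns-prefetch-control # DNS resolution - press Ctrl+U to view the page source
Tools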
fierce
Sublist3r
subbrute
SubDomainsBrute
Layer
wydomain
theHarvester # emails, names, subdomains, IPs, and URLs
Search engines
http://www.ask.com
https://www.baidu.com
http://cn.bing.com
https://api.cognitive.microsoft.com
http://www.dogpile.com
https://duckduckgo.com
http://www.exalead.com/search/web
http://www.fofa.so
https://www.so.com
https://www.google.com
https://search.yahoo.com
https://www.exalead.com
http://www.googleapis.com
https://www.zoomeye.org
https://shodan.io
Via DNS resolution records
https://www.dnsdb.info
https://www.virustotal.com
https://circl.lu/services/passive-dns
https://www.paloaltonetworks.com/features/passive-dns
https://dnsdumpster.com
https://www.threatcrowd.org/domain.php?domain=qq.com
Crawlers
Tools such as Burp Spider / domain hunter
DNSSEC zone walking
NSEC
ldns-walk
Tool: ldnsutils
dig +short NSEC api.nasa.gov
Tool: dnsutils
dig +short NSEC api.nasa.gov | awk '{print $1;}'
NSEC3
http://josefsson.org/walker
https://dnscurve.org/nsec3walker.html
https://github.com/anonion0/nsec3map
Online services
https://www.netcraft.com
http://i.links.cn/subdomain
http://dns.aizhan.com
https://crt.sh
https://d.chinacycc.com
phpinfo.me/domain
https://dns.bufferover.run/dns?q=xx.com
whois.chinaz.com
www.internic.net/whois.html
https://www.google.com/transparencyreport/https/ct/?hl=zh-CN#domain=apple.com&incl_exp=false&incl_sub=true
https://ctr.sh/
https://censys.io
https://www.google.com/transparencyreport/https/ct/
https://scans.io/
https://github.com/appsecco/bugcrowd-levelup-subdomain-enumeration/blob/master/cloudflare_enum.py