# Recon & Discovery Tools

## Subdomain Enumeration

### Subfinder

- GitHub: projectdiscovery/subfinder
- Purpose: Subdomain discovery from passive sources and certificate transparency

Enumerates subdomains using 10+ data sources without making direct requests to the target.

- Data Sources: CT logs, DNS records, search engines, archives
- Speed: ~500 subdomains/minute
- Detection: Stealthy (queries go to third-party sources, so the target's WAF sees nothing)
### Certificate Transparency

- Tool: Built into subfinder via the crt.sh API
- Purpose: Extract subdomains from SSL certificate transparency logs

Every publicly trusted SSL certificate is recorded in public CT logs. Extracting the SANs (Subject Alternative Names) from those certificates reveals registered subdomains without sending a single request to the target.

Example: a certificate for api.example.com might include the SANs:

- *.api.example.com
- internal-api.example.com
- staging-api.example.com
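A worked example of turning CT data into a clean scope list, added here and not part of the original page or of subfinder: it consumes records in the shape crt.sh returns as JSON (the `name_value` field holding newline-separated names is an assumption about that API; all sample values are constructed), folds wildcards to their base name, and rejects look-alike names such as `www.notexample.com` that a naive substring check would accept.

```python
import json
import re

# Constructed records in the shape crt.sh returns for a JSON query such as
# https://crt.sh/?q=%25.example.com&output=json (assumption: the name_value field
# carries newline-separated names; every value below is made up).
CRTSH_SAMPLE = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "api.example.com\n*.api.example.com\ninternal-api.example.com"},
    {"id": 2, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "STAGING-API.example.com\nstaging-api.example.com."},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.notexample.com\nmail.example.com.evil.test\nbad_host.example.com"},
])

HOSTNAME_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*$")


def in_scope(host: str, apex: str) -> bool:
    """True for the apex itself or a subdomain of it, matched on a label boundary,
    so 'www.notexample.com' and 'mail.example.com.evil.test' are both rejected."""
    return host == apex or host.endswith("." + apex)


def ct_subdomains(raw_json: str, apex: str) -> list:
    """Unique, lower-cased, in-scope hostnames from crt.sh records.
    A wildcard entry contributes its base name ('*.api.example.com' -> 'api.example.com');
    trailing dots are stripped and names that are not valid hostnames are dropped."""
    found = set()
    for record in json.loads(raw_json):
        for name in record.get("name_value", "").split("\n"):
            host = name.strip().lower().rstrip(".")
            if host.startswith("*."):
                host = host[2:]
            if HOSTNAME_RE.match(host) and in_scope(host, apex):
                found.add(host)
    return sorted(found)


if __name__ == "__main__":
    for host in ct_subdomains(CRTSH_SAMPLE, "example.com"):
        print(host)
```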
## HTTP Archive & Wayback Machine

### Waybackurls

- GitHub: tomnomnom/waybackurls
- Purpose: Find historical URLs from the Internet Archive

Queries the Wayback Machine to retrieve every URL ever crawled on a domain. Useful for discovering:

- Deprecated API versions
- Removed endpoints (which may still be live)
- Old admin panels
- Test/debug endpoints

Coverage and cost:

- Coverage: URLs from 1996-present
- Speed: ~5000 URLs/minute
- Detection: Public API, no alerting
### GAU (GetAllUrls)

- GitHub: lc/gau
- Purpose: Combine Wayback Machine, Common Crawl, and AlienVault data

Aggregates URLs from multiple archives and passive data sources.

- Sources: 3 different archives for comprehensive coverage
- Speed: Slower but more thorough than waybackurls
### Waymore

- GitHub: xnl-h4ck3r/waymore
- Purpose: Advanced archive searching with 7 sources

Modes:

- Mode A: STDOUT (slow, streaming)
- Mode B: Pipe to file (recommended)
## DNS & Network Scanning

### DNSX

- GitHub: projectdiscovery/dnsx
- Purpose: DNS resolution with multiple resolver support

Resolve subdomains against several resolvers at once to catch shadowed DNS entries (names that only some resolvers answer for).

- Resolvers: Public (1.1.1.1, 8.8.8.8), private options
- Speed: 1000s of domains/minute
### NAABU

- GitHub: projectdiscovery/naabu
- Purpose: Fast port scanning

Scan for open ports on discovered hosts.

- Speed: 1000s of ports/second
- Stealth: Adjustable (TCP SYN, ACK, connection-based)
## Web Server Detection

### Httpx

- GitHub: projectdiscovery/httpx
- Purpose: HTTP/HTTPS probing with fingerprinting

Detect responsive web servers and extract metadata (server version, title, status code).

Features:

- HTTPS detection
- Tech fingerprinting
- Status code filtering
- Screenshot capability (with Chrome integration)

Output:
## Web Crawling

### Katana

- GitHub: projectdiscovery/katana
- Purpose: Advanced web crawler with JavaScript execution

Crawl all pages on a website, including JavaScript-rendered content (SPAs).

Features:
- JavaScript crawling (-jc)
- Depth control (-d)
- Custom headers/cookies
- Rate limiting
- Parallel crawling

Crawls: Links, form submissions, JS-rendered routes
## Wordlist & Brute-Force

### FFUF (Fuzz Faster U Fool)

- GitHub: ffuf/ffuf
- Purpose: Fast fuzzing tool for endpoint enumeration

Brute-force endpoints, files, and parameters.

```bash
docker run --rm -v "$(pwd)":/work pentest-tools \
  ffuf -u https://example.com/FUZZ \
  -w /usr/share/seclists/Discovery/Web-Content/raft-small.txt \
  -fc 404 -o results.json
```

- Wordlists: SecLists (raft, common, api, backup, admin, etc.)
- Filtering: By status code, response size, keywords
- Speed: 1000s of requests/second
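Filtering on `-fc 404` alone is not enough when a server answers every unknown path with the same 200 page (a "soft 404"), which is the most common reason a fuzzing run looks full of hits. The following post-processing step is an added example, not part of the page or of ffuf: it reads a `results.json` in the shape `ffuf -o` writes (the `results`/`input`/`status`/`length`/`words`/`lines`/`url` keys are an assumption about that format; the sample values are constructed) and drops any response signature shared by three or more inputs.

```python
import json
from collections import Counter

# Constructed results.json in the shape `ffuf -o results.json` writes (assumption: the
# results/input/status/length/words/lines/url keys of ffuf's JSON format; values are made up).
FFUF_SAMPLE = json.dumps({"results": [
    {"input": {"FUZZ": "admin"}, "status": 200, "length": 5120, "words": 300, "lines": 80, "url": "https://example.com/admin"},
    {"input": {"FUZZ": "backup"}, "status": 200, "length": 1337, "words": 120, "lines": 40, "url": "https://example.com/backup"},
    {"input": {"FUZZ": "zz-rnd"}, "status": 200, "length": 1337, "words": 120, "lines": 40, "url": "https://example.com/zz-rnd"},
    {"input": {"FUZZ": "qq-rnd"}, "status": 200, "length": 1337, "words": 120, "lines": 40, "url": "https://example.com/qq-rnd"},
    {"input": {"FUZZ": "api"}, "status": 301, "length": 0, "words": 1, "lines": 1, "url": "https://example.com/api"},
    {"input": {"FUZZ": "debug"}, "status": 403, "length": 153, "words": 5, "lines": 3, "url": "https://example.com/debug"},
]})


def signature(hit):
    """The four dimensions ffuf itself filters on (-fc, -fs, -fw, -fl)."""
    return (hit["status"], hit["length"], hit["words"], hit["lines"])


def catch_all_signatures(hits, min_cluster=3):
    """Signatures shared by at least min_cluster different inputs are almost
    certainly one catch-all page (a 'soft 404'), not min_cluster real resources."""
    counts = Counter(signature(h) for h in hits)
    return {sig for sig, n in counts.items() if n >= min_cluster}


def interesting_hits(raw_json, min_cluster=3):
    """URLs whose response does not match a catch-all signature."""
    hits = json.loads(raw_json)["results"]
    noise = catch_all_signatures(hits, min_cluster)
    return [h["url"] for h in hits if signature(h) not in noise]


def suggested_size_filters(raw_json, min_cluster=3):
    """Response sizes to hand back to ffuf as -fs on the next run."""
    hits = json.loads(raw_json)["results"]
    return sorted({sig[1] for sig in catch_all_signatures(hits, min_cluster)})


if __name__ == "__main__":
    print("keep:", interesting_hits(FFUF_SAMPLE))
    print("rerun with: -fs", ",".join(str(s) for s in suggested_size_filters(FFUF_SAMPLE)))
```

Note that `/backup` is discarded even though it looked plausible, because its response is byte-identical to the random-name probes; ffuf's `-ac` flag performs this calibration up front, and this script recovers the same signal from a run made without it.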
### Alterx

- GitHub: projectdiscovery/alterx
- Purpose: Permutation-based subdomain generation

Generate subdomain variations from word patterns.

```bash
docker run --rm -v "$(pwd)":/work pentest-tools \
  alterx -l keywords.txt -d example.com -o subdomains.txt
```

Examples:

- admin → admin.example.com, admin-api.example.com, api-admin.example.com
- test → test.example.com, test-api.example.com, staging.example.com
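The permutation idea above, as an added example that is not alterx's own code or pattern set: it learns a vocabulary from subdomains already found (the constructed `KNOWN` list), expands it with the page's patterns (`word.domain`, `word-other.domain`, `other-word.domain`) plus a nested `word.other.domain` form, and removes names already known so only unresolved candidates are emitted.

```python
import re

# Constructed seed list standing in for subdomains already found by subfinder or CT lookups.
KNOWN = ["api.example.com", "staging-api.example.com", "admin.example.com"]

# Patterns matching the page's examples plus one nested form; this is a simplified
# scheme written for this example, not alterx's own pattern set.
SINGLE_PATTERNS = ("{word}.{domain}",)
PAIR_PATTERNS = ("{word}-{other}.{domain}", "{other}-{word}.{domain}", "{word}.{other}.{domain}")


def learn_words(subdomains, domain):
    """Vocabulary used by the known subdomains: split each prefix on '.' and '-'."""
    words = set()
    for sub in subdomains:
        if not sub.endswith("." + domain):
            continue
        prefix = sub[: -len(domain) - 1]
        words.update(w for w in re.split(r"[.-]", prefix) if w)
    return sorted(words)


def permute(words, domain, known=()):
    """All pattern expansions over the vocabulary, minus names already known, so the
    output is only what still needs resolving (for example with dnsx or puredns)."""
    out = set()
    for word in words:
        for p in SINGLE_PATTERNS:
            out.add(p.format(word=word, domain=domain))
        for other in words:
            if other != word:
                for p in PAIR_PATTERNS:
                    out.add(p.format(word=word, other=other, domain=domain))
    return sorted(out - set(known))


if __name__ == "__main__":
    vocab = learn_words(KNOWN, "example.com") + ["test"]  # extra keyword, as with -l keywords.txt
    for candidate in permute(vocab, "example.com", known=KNOWN):
        print(candidate)
```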
### PUREDNS

- GitHub: d3mondev/puredns
- Purpose: DNS brute-force with validation

Brute-force subdomains and validate the results against trusted resolvers.

```bash
docker run --rm -v "$(pwd)":/work pentest-tools \
  puredns bruteforce wordlist.txt example.com \
  -r resolvers.txt -o results.txt
```
## ASN & IP Range Enumeration

### ASNMAP

- GitHub: projectdiscovery/asnmap
- Purpose: Map an ASN (Autonomous System Number) to its IP ranges

Enumerate all IP ranges owned by an organization.

- Use Case: Bug bounty scope expansion (find related infrastructure)

### UNCOVER

- GitHub: projectdiscovery/uncover
- Purpose: Query multiple search engines (Shodan, Censys, Fofa, etc.)

Search for exposed infrastructure.
## SSL/TLS Analysis

### OpenSSL

- Built-in: Standard on Linux/macOS
- Purpose: Extract SSL certificate information

```bash
openssl s_client -connect example.com:443 -servername example.com \
  < /dev/null | openssl x509 -noout -text
```

Extract:

- SANs (subdomains)
- Issuer (CA)
- Validity period
- Public key details
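Pulling those four items out of the `openssl x509 -noout -text` dump programmatically, as an added example that is not from the page or from OpenSSL: the sample text below is a constructed excerpt in the layout OpenSSL prints (an assumption about that layout; the certificate itself is made up), and the expiry helper shows how stale a discovered host's certificate is, which is often the first hint that a forgotten system is still answering.

```python
import re
from datetime import datetime, timezone

# Constructed excerpt of `openssl x509 -noout -text` output (assumption: the field layout
# OpenSSL prints; the certificate itself is made up).
X509_TEXT_SAMPLE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Mar 31 23:59:59 2024 GMT
        Subject: CN = api.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:api.example.com, DNS:*.api.example.com, DNS:internal-api.example.com, IP Address:203.0.113.10
"""

OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"  # e.g. "Mar 31 23:59:59 2024 GMT"


def _field(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.group(1).strip() if m else ""


def parse_x509_text(text):
    """Issuer, validity window, key details and SAN entries from the text dump."""
    san_line = _field(r"Subject Alternative Name:[^\n]*\n\s*(.+)$", text)
    entries = [e.strip() for e in san_line.split(",") if e.strip()]
    bits = _field(r"\((\d+) bit\)", text)
    return {
        "issuer": _field(r"^\s*Issuer: (.+)$", text),
        "not_before": datetime.strptime(_field(r"Not Before: (.+)$", text), OPENSSL_DATE).replace(tzinfo=timezone.utc),
        "not_after": datetime.strptime(_field(r"Not After : (.+)$", text), OPENSSL_DATE).replace(tzinfo=timezone.utc),
        "key_algorithm": _field(r"Public Key Algorithm: (.+)$", text),
        "key_bits": int(bits) if bits else None,
        "dns_names": [e[len("DNS:"):] for e in entries if e.startswith("DNS:")],
        "ip_addresses": [e[len("IP Address:"):] for e in entries if e.startswith("IP Address:")],
    }


def days_until_expiry(cert, now=None):
    """Negative when already expired; a stale host often still answers on 443."""
    now = now or datetime.now(timezone.utc)
    return (cert["not_after"] - now).days
```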
## Summary Table

| Tool | Purpose | Speed | Detection |
|---|---|---|---|
| Subfinder | CT + DNS enum | Fast | Stealthy |
| Waybackurls | Archive search | Slow | None |
| DNSX | DNS resolution | Very fast | None |
| Httpx | Web detection | Fast | Minor |
| Katana | Web crawling | Slow | Medium |
| FFUF | Endpoint fuzz | Very fast | High (WAF) |
| Naabu | Port scan | Very fast | High |
| Alterx | Permutation gen | Very fast | None |
| ASNMAP | IP range enum | Medium | None |