Subdomain & Asset Discovery
Amass, Subfinder, httpx, dnsx — finding everything a target owns.
You can't hack what you can't enumerate. Modern asset discovery combines passive sources (CT logs, DNS aggregators, WHOIS), active enumeration (DNS brute, permutations), and probing (httpx, screenshots) into a single pipeline. For deeper OSINT see OSINT & Recon. For the full bug-bounty meta-pipeline see Bug-Bounty Recon Workflows. For port-level enum see Network Scanning (Nmap).
Subdomain enumeration — the heavy hitters
- ★ ★ Amass (OWASP) — the deepest passive + active enum platform; many sources, graph database, intel commands; the long-standing reference. Free.
- ★ Subfinder (ProjectDiscovery) — Go; passive only; fastest "enum from many sources" out of the box; integrates with the rest of the PD chain (httpx, nuclei, naabu). Free.
- assetfinder (tomnomnom) — minimal passive enum; complements subfinder.
- Findomain — Rust; passive; commercial paid tier for monitoring.
- chaos client (ProjectDiscovery) — pull pre-curated subdomain data from
chaos.projectdiscovery.io.
DNS brute / permutation
- ★ puredns — Go DNS brute-forcer with massdns under the hood; the speed default.
- massdns — raw mass DNS resolver; underlies puredns / dnsx / shuffledns.
- shuffledns (ProjectDiscovery) — wraps massdns with wildcard handling.
- dnsx (ProjectDiscovery) — Go DNS toolkit (resolve, A/CNAME/MX/SRV, retries, output).
- alterx (ProjectDiscovery) — subdomain permutation generator; pair with puredns.
- DNSCewl / dnsgen / altdns — older permutation generators.
- knockpy — Python brute-forcer.
Cert transparency
- ★ crt.sh — the free CT search; one URL away.
- Censys / SecurityTrails / Shodan — paid CT-derived data; richer.
- certspotter / cero — pull from CT directly.
Live probing & fingerprinting
- ★ httpx (ProjectDiscovery) — Go probe; check live, gather titles / status / tech / TLS / favicon hash. Free.
- httprobe (tomnomnom) — minimalist; older.
- fingerprintx — service fingerprinting beyond HTTP.
- Wappalyzer / WhatWeb — tech-stack detection.
- gowitness / aquatone / EyeWitness — bulk screenshots of every live host (aquatone is archived but still common).
Crawling / URL collection
- ★ katana (ProjectDiscovery) — modern crawler; headless mode; outputs URLs, params, JS endpoints. Free.
- gau / gauplus — Wayback / CommonCrawl / OTX URL pulls.
- waybackurls — same niche, narrower.
- hakrawler — fast.
- gospider — Go alternative.
Port + version (linking out)
- See Network Scanning (Nmap) — naabu, masscan, rustscan, nmap.
- Typical chain: subfinder → dnsx → naabu → httpx.
Cloud / S3 / bucket discovery
- cloud_enum — AWS / Azure / GCP storage enum.
- s3scanner — S3 bucket scanning.
- GCPBucketBrute — GCS.
- gobuster s3 — S3 mode.
- bucket-stream — stream public S3 buckets via CT logs.
Code / GitHub recon
- trufflehog / gitleaks — see Security Scanning.
- github-search / GitDorker / gitDorker — find leaked secrets via GitHub search.
- DorkGPT / GitGuardian Public Search — leak intel.
ASN / org-level enum
- asnmap (ProjectDiscovery) — ASN → IP-range.
- bgp.he.net / bgpview — manual lookup.
- whois -h whois.cymru.com — quick ASN lookups.
- mapcidr (ProjectDiscovery) — CIDR math, ranges.
Putting it together — the canonical chain
See Bug-Bounty Recon Workflows for full automation (reconftw, axiom, EarlyBird).
Pick this if…
- Deepest passive + active enum: Amass.
- Fastest passive subdomain pull: Subfinder + chaos + assetfinder.
- DNS brute on permuted lists: puredns + alterx.
- Live probe / fingerprint at scale: httpx.
- Crawl + URL discovery: katana.
- Cert transparency only: crt.sh.
- Cloud bucket sweep: cloud_enum.