Tooling

Subdomain & Asset Discovery

Amass, Subfinder, httpx, dnsx — finding everything a target owns.

You can't hack what you can't enumerate. Modern asset discovery combines passive sources (CT logs, DNS aggregators, WHOIS), active enumeration (DNS brute, permutations), and probing (httpx, screenshots) into a single pipeline. For deeper OSINT see OSINT & Recon. For the full bug-bounty meta-pipeline see Bug-Bounty Recon Workflows. For port-level enum see Network Scanning (Nmap).

Subdomain enumeration — the heavy hitters

  • ★ ★ Amass (OWASP) — the deepest passive + active enum platform; many sources, graph database, intel commands; the long-standing reference. Free.
  • Subfinder (ProjectDiscovery) — Go; passive only; fastest "enum from many sources" out of the box; integrates with the rest of the PD chain (httpx, nuclei, naabu). Free.
  • assetfinder (tomnomnom) — minimal passive enum; complements subfinder.
  • Findomain — Rust; passive; commercial paid tier for monitoring.
  • chaos client (ProjectDiscovery) — pull pre-curated subdomain data from chaos.projectdiscovery.io.

DNS brute / permutation

  • puredns — Go DNS brute-forcer with massdns under the hood; the speed default.
  • massdns — raw mass DNS resolver; underlies puredns / dnsx / shuffledns.
  • shuffledns (ProjectDiscovery) — wraps massdns with wildcard handling.
  • dnsx (ProjectDiscovery) — Go DNS toolkit (resolve, A/CNAME/MX/SRV, retries, output).
  • alterx (ProjectDiscovery) — subdomain permutation generator; pair with puredns.
  • DNSCewl / dnsgen / altdns — older permutation generators.
  • knockpy — Python brute-forcer.

Cert transparency

  • crt.sh — the free CT search; one URL away.
  • Censys / SecurityTrails / Shodan — paid CT-derived data; richer.
  • certspotter / cero — pull from CT directly.

Live probing & fingerprinting

  • httpx (ProjectDiscovery) — Go probe; check live, gather titles / status / tech / TLS / favicon hash. Free.
  • httprobe (tomnomnom) — minimalist; older.
  • fingerprintx — service fingerprinting beyond HTTP.
  • Wappalyzer / WhatWeb — tech-stack detection.
  • gowitness / aquatone / EyeWitness — bulk screenshots of every live host (aquatone is archived but still common).

Crawling / URL collection

  • katana (ProjectDiscovery) — modern crawler; headless mode; outputs URLs, params, JS endpoints. Free.
  • gau / gauplus — Wayback / CommonCrawl / OTX URL pulls.
  • waybackurls — same niche, narrower.
  • hakrawler — fast.
  • gospider — Go alternative.

Port + version (linking out)

  • See Network Scanning (Nmap) — naabu, masscan, rustscan, nmap.
  • Typical chain: subfinder → dnsx → naabu → httpx.

Cloud / S3 / bucket discovery

  • cloud_enum — AWS / Azure / GCP storage enum.
  • s3scanner — S3 bucket scanning.
  • GCPBucketBrute — GCS.
  • gobuster s3 — S3 mode.
  • bucket-stream — stream public S3 buckets via CT logs.

Code / GitHub recon

  • trufflehog / gitleaks — see Security Scanning.
  • github-search / GitDorker / gitDorker — find leaked secrets via GitHub search.
  • DorkGPT / GitGuardian Public Search — leak intel.

ASN / org-level enum

  • asnmap (ProjectDiscovery) — ASN → IP-range.
  • bgp.he.net / bgpview — manual lookup.
  • whois -h whois.cymru.com — quick ASN lookups.
  • mapcidr (ProjectDiscovery) — CIDR math, ranges.

Putting it together — the canonical chain

subfinder -d target.tld -all -o subs.txt
puredns resolve subs.txt -r resolvers.txt -w live.txt
httpx -l live.txt -title -tech-detect -status-code -o http.txt
naabu -l live.txt -top-ports 1000 -o ports.txt
katana -list http.txt -d 3 -o urls.txt
nuclei -list http.txt -severity critical,high

See Bug-Bounty Recon Workflows for full automation (reconftw, axiom, EarlyBird).

Pick this if…

  • Deepest passive + active enum: Amass.
  • Fastest passive subdomain pull: Subfinder + chaos + assetfinder.
  • DNS brute on permuted lists: puredns + alterx.
  • Live probe / fingerprint at scale: httpx.
  • Crawl + URL discovery: katana.
  • Cert transparency only: crt.sh.
  • Cloud bucket sweep: cloud_enum.