Transcript for:
Subdomain Enumeration Techniques

Hey everyone, welcome back. In today's video, I'm going to walk you through one of the most underrated recon techniques that can help you uncover hidden subdomains and expand your attack surface like a pro. As always, ethical hacking requires proper authorization. Make sure you have explicit permission before testing any assets. This video is for educational purposes only. Let's get started.

Let's begin with one of the most effective and easy methods for subdomain discovery: crt.sh. Just enter your target domain and it will show you a list of both recent and historical subdomains along with issue dates. But since it returns a lot of extra details, we only need the subdomains. You can use this simple script to fetch clean subdomains directly from the crt.sh database in seconds. To remove duplicates, pipe the output through the sort command. This gives you only unique entries.

Now, let's move on to another powerful platform, ProjectDiscovery's Chaos. It allows you to download subdomains directly from public bug bounty program scope pages and passive sources. Perfect for those who don't want to use tools. Chaos also provides a CLI version so you can query everything right from your terminal. I'm using the alterx tool with it because it can generate subdomain permutations using the existing subs from the Chaos database for a given domain. If you're targeting a single domain, just use this command. You can also quickly generate relevant keyword-based subdomains using your own wordlist to create permutations for your target. For powerful lists, check out SecLists in the DNS directory. It has plenty of curated wordlists that you can use. After this, use the dnsx tool with it to resolve subdomains and get only live, active subs. You can also combine it with the httpx toolkit to see which ones are alive.

Next up is the well-known tool amass. Running this amass command will provide comprehensive subdomain enumeration using passive sources, but it often includes unnecessary data. For cleaner output, you can use this specific one-liner to extract just the subdomain part. You can also apply the sort command for unique entries. You can even perform active scanning the same way.

Now let's try something advanced: ASN-based discovery. Use amass intel to find an organization's ASN number and CIDR ranges. Then use asnmap to find its CIDR IP ranges. Similarly, you can use this amass command to extract all domains linked to that ASN and those CIDR IP ranges. This method often reveals hidden assets that most people miss.

Another solid technique is using the github-subdomains tool. It scrapes subdomains from the public GitHub repositories of organizations or users. Make sure to use a GitHub API key to avoid rate-limiting issues. After the scan completes, the tool stores the results in a TXT file so you can analyze them later at your convenience.

Now, let's talk about using the Wayback Machine. You can pull archived subdomains from the CDX API using this simple curl command. It's a great way to discover forgotten or deprecated subdomains that might still be active.

Let's move on to the VirusTotal method. With this command and its API key, you can get subdomains directly from its web results. You can also pull IP addresses using this alternative command. Then run the httpx tool to find live IPs. This method once helped me bypass a WAF by identifying the origin server IP behind the firewall. You can also use AlienVault to retrieve IP addresses and validate them with httpx to find accessible assets. Another solid method is using urlscan to pull IP addresses and discover live hosts by combining it with other tools like httpx or dnsx.

Now we come to the Shodan method, a powerful resource. You can find subdomains using this tool and combine it with httpx to check live hosts. Or you can also use this command to extract IPs tied to a domain. This is especially helpful in locating origin IPs that might be exposed.

Let's now talk about subdomain brute forcing using the ffuf tool. Just provide a custom wordlist and ffuf will try all entries against the target domain to find hidden subdomains not listed anywhere else. This method is perfect for discovering non-indexed or untouched subdomains. A gold mine for finding bugs. Make sure to use the rate-limit flag according to the server response so you don't get blocked by the WAF.

Here's a unique method many people miss. Go to any WHOIS lookup tool and search your target domain. Look for the registered email address. Then use this website's reverse WHOIS service to find all domains registered under that email. You can also export the results and use httpx to check which of those domains are live, then manually hunt for bugs on them. This tactic can uncover assets that aren't tied to your primary domain but belong to the same organization.

After collecting all subdomains from various sources, use this httpx command to scan not just ports 80 and 443, but also other popular ports where dashboards, login pages, or admin panels might exist. This gives you a much broader attack surface. Once you have your list of live domains, use a screenshotting tool like Aquatone. It captures screenshots of homepage interfaces, helping you visually inspect targets faster. It's fast, clean, and super efficient.

And finally, automate your vulnerability scanning with Nuclei. Use the batch-size flag to set how many templates to run at once and the concurrency flag to define how many domains to scan simultaneously. This massively speeds up the process and helps you detect known issues quickly.

So, that wraps up a quick but powerful overview of subdomain enumeration techniques. All of them practical, proven, and effective. The more subdomains you collect, the higher your chances of finding valid, non-duplicate bugs and staying one step ahead of other hunters. I'm working on a full walkthrough from recon to advanced methodology that will cover more things in my upcoming recon checklist article. Make sure to follow me there and turn on notifications so you don't miss it when it drops.

That's a wrap for today's video. If you're new to the channel, make sure to hit that subscribe button and turn on the notification bell and follow me on Medium so you're always updated with our latest content. Thank you for watching and I'll see you in the next video. Take care.
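The two steps the video only gestures at with "this simple script" and "this command" are the crt.sh clean-up and the alterx-style permutation step. Below is an added Python example that is not the video's script and not alterx's code: it assumes crt.sh's JSON endpoint (https://crt.sh/?q=%25.example.com&output=json) returns a list of objects whose "name_value" field holds one or more newline-separated certificate names, it runs on a constructed sample response embedded inline, and its permutation patterns are my own approximation of alterx's defaults. It also does what a bare `sort -u` does not: it lowercases, strips wildcards and trailing dots, and drops lookalike names such as example.com.evil.net that merely contain the target string.

```python
"""Added example (not the video's script): clean crt.sh JSON output into unique,
in-scope subdomains, then derive alterx-style keyword permutations from them.

Assumptions: crt.sh's JSON endpoint returns a list of objects whose
"name_value" field holds one or more newline-separated names; the permutation
patterns in permutations() approximate alterx's defaults and are not its code.
"""
import json
import re
from typing import Iterable

# Constructed sample response, trimmed to the fields this script reads.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.dev.example.com"},                 # wildcard entry
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "API.Example.com\nwww.example.com"},  # mixed case + duplicate
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.com.evil.net"},             # lookalike, out of scope
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "mail.example.com."},                # trailing dot
])

# One DNS label: letters, digits, hyphens, 1-63 chars, no leading/trailing hyphen.
# Underscore labels such as _dmarc are deliberately rejected: they are not web hosts.
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")


def in_scope(name: str, root: str) -> bool:
    """Dot-boundary scope check: 'example.com.evil.net' must NOT pass for 'example.com'."""
    return name == root or name.endswith("." + root)


def valid_hostname(name: str) -> bool:
    return len(name) <= 253 and all(_LABEL.fullmatch(label) for label in name.split("."))


def extract_subdomains(crtsh_json: str, root: str) -> list[str]:
    """The video's 'script | sort -u' step: lowercase, strip wildcards and trailing
    dots, drop out-of-scope names, and return the unique survivors sorted."""
    root = root.lower().strip(".")
    found: set[str] = set()
    for entry in json.loads(crtsh_json):
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name and in_scope(name, root) and valid_hostname(name):
                found.add(name)
    return sorted(found)


def permutations(known: Iterable[str], root: str, keywords: Iterable[str]) -> list[str]:
    """alterx-style candidate generation from known subs plus a keyword list.
    Patterns (assumed, approximating alterx defaults): kw.root, kw-sub.root,
    sub-kw.root, kw.sub.root, sub.kw.root. Names already known are excluded.
    The output is only a candidate list: resolve it with dnsx before trusting it."""
    root = root.lower().strip(".")
    known_set = {k.lower().rstrip(".") for k in known}
    suffix = "." + root
    subs = {k[: -len(suffix)] for k in known_set if k.endswith(suffix)}
    words = {w.strip().lower() for w in keywords if w.strip()}
    candidates: set[str] = set()
    for kw in words:
        candidates.add(f"{kw}{suffix}")
        for sub in subs:
            candidates.update({
                f"{kw}-{sub}{suffix}",
                f"{sub}-{kw}{suffix}",
                f"{kw}.{sub}{suffix}",
                f"{sub}.{kw}{suffix}",
            })
    return sorted(c for c in candidates - known_set if valid_hostname(c))


if __name__ == "__main__":
    subs = extract_subdomains(SAMPLE_CRTSH_JSON, "example.com")
    print("\n".join(subs))
    print("---")
    print("\n".join(permutations(subs, "example.com", ["dev", "staging", "admin"])))
```

To run it against live data, save `curl -s 'https://crt.sh/?q=%25.example.com&output=json'` to a file and pass its contents to `extract_subdomains`; feed the permutation output to dnsx and httpx exactly as the video describes, since an unresolved candidate is not an asset. The scope check matters for the origin-IP and WAF-bypass steps later in the video: a lookalike domain that slips through the filter will send you probing infrastructure you are not authorized to test.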