Navigating the Digital Realm with Code and Security – Where Programming Insights Meet Cyber Vigilance. | The End Is the Beginning
┌──(root㉿IHA089)-[/Toolkit/Recon & Discovery/Subdomain Enumeration]
└─#
Amass

Amass is a comprehensive OSINT enumerator that pulls subdomains from passive sources such as certificate transparency logs and search engines, and blends in active brute-forcing for exhaustive mapping. Configure it on the CLI with -d for domains, and output JSON for piped workflows in recon chains. Open-source from OWASP, it's the subdomain summoner for pentesters conjuring hidden assets from public whispers.

Subfinder

Subfinder is a passive resolver that queries APIs and search engines for subdomains and resolves unique results with fast DNS brute-forcing, giving clean, deduplicated lists in seconds. Run its Go binary with -d for targets and -all for full sources, exporting the results for masscan feeds. Open-source from projectdiscovery, it's the quiet querier for OSINT pros templating subdomain intel silently.

Sublist3r

Sublist3r leverages search engines like Bing and VirusTotal for subdomain enumeration, resolving with massdns for verified hosts without adding active noise to the footprint. Launch its Python script with -d for domains and -b for engines, saving the output for further brute-forcing. Open-source from aboul3la, it's the search sleuth for recon rangers gathering subs from passive pools.

Assetfinder

Assetfinder is a speedy passive enumerator that hits CRTs, APIs, and search engines for subdomains, resolving unique results with minimal dependencies for quick recon starts. Run its Go CLI with --subs-only for clean lists, piping to httpx for alive checks. Open-source from tomnomnom, it's the asset amasser for pentesters bootstrapping scopes efficiently.

Findomain

Findomain is a multi-source enumerator that blends passive queries with active brute-forcing, resolving subdomains via APIs and wordlists for hybrid discovery. Configure it via its Rust CLI with --quiet for outputs, exporting to files for chaining. Open-source from Findomain, it's the domain diviner for OSINT enthusiasts templating full-spectrum subdomain sweeps.

Gobuster

Gobuster's DNS mode brute-forces subdomains with wordlists, resolving them via DNS queries, with wildcard detection, to find valid hosts in targeted enumeration phases. Run it with -m dns and -w for dictionaries, filtering status for unique results. Open-source from OJ, it's the DNS dirbuster for pentesters wordlisting subs the direct way.

Massdns

Massdns resolves massive subdomain lists against DNS servers with high concurrency, outputting sorted unique results for efficient validation in passive-active hybrid workflows. Compile its C code, feed it lists via stdin along with resolvers, and grep for hits. Open-source from blechschmidt, it's the mass resolver for recon scale-ups templating DNS bulk checks.

Dnsrecon

Dnsrecon enumerates subdomains via zone transfers, brute-forcing, and reverse lookups, mapping records for a full DNS footprint in targeted recon. Run its Perl CLI with -d for domains and -t brt for brute-forcing, exporting to XML. Open-source from darkoperator, it's the DNS detective for pentesters piecing record puzzles.

Aquatone

Aquatone discovers and screenshots subdomains from wordlists or passive sources, resolving them for HTTP enumeration and producing visual reports for quick asset triage. Run its Go binary with --domain for targets, chaining to browsers for captures. Open-source from michenriksen, it's the visual voyager for web mappers templating subdomain snapshots.

Sublist3r

Sublist3r queries search engines and netblocks for subdomains, resolving with massdns for deduplicated lists in passive-heavy recon workflows. Launch the Python script with -v for verbose output, saving to files for httpx. Open-source from aboul3la, it's the search summoner for OSINT pentesters gathering subs from engine echoes.
