How to find new/more domains of a company? - Recon Stuff

There are many tools available on GitHub, but these are the ones that work best for me. Many bug bounty programs have a big scope, so I will show you how I use these tools on a few of those programs.


Cero

This is the best tool I know for finding new domains or subdomains of a company. For subdomains alone I would recommend Amass, because you will find more subdomains with Amass than with Cero. Where Cero helps is in finding new domains from a company's CIDR range or from one of its server IPs, by reading the names out of the TLS certificates those hosts serve.

Simple usage:-
  • Get the IP from VirusTotal; if you click on any IP under Relations, you will get its CIDR range

We can see all domains on this IP address with this command:

~/go/bin/cero 52.54.18.9

Now let's try the CIDR range to find all domains under it:

~/go/bin/cero 52.54.0.0/15

Here you will get many new Sony domains, but the list will also contain useless ones. So run the list through httprobe to keep only the live hosts. That is how you use this tool.
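Added here as an example of the triage step above (my own scoping script, not part of cero or httprobe): it normalizes the names cero prints, drops IP-address entries and wildcard prefixes, and keeps only hosts under the apex domains you are in scope for, so the list you hand to httprobe is already scoped. The sample cero output and the apex list are constructed.

```python
import ipaddress
from typing import Optional

# Constructed sample of cero output: one name per line, as the tool prints
# the DNS names it reads out of the certificates seen in a range.
SAMPLE_CERO_OUTPUT = """\
*.sony.com
www.sony.com
WWW.SONY.COM
shop.sony.co.uk.
sonymobile.com
notsony.com
example-cdn.net
52.54.18.9
*.playstation.com
"""


def normalize(name: str) -> Optional[str]:
    """Turn a raw certificate name into a comparable hostname, or None if it is not one."""
    name = name.strip().lower().rstrip(".")
    if not name:
        return None
    if name.startswith("*."):
        name = name[2:]  # wildcard entry: keep the zone it covers
    try:
        ipaddress.ip_address(name)
        return None  # IP-address entries are not domains
    except ValueError:
        return name


def in_scope(host: str, apexes) -> bool:
    """True if host is one of the apex domains or a subdomain of one (not just a suffix match)."""
    return any(host == apex or host.endswith("." + apex) for apex in apexes)


def filter_cero_output(text: str, apexes):
    """Return (sorted in-scope hosts, sorted out-of-scope hosts), de-duplicated."""
    kept, dropped = set(), set()
    for line in text.splitlines():
        host = normalize(line)
        if host is None:
            continue
        (kept if in_scope(host, apexes) else dropped).add(host)
    return sorted(kept), sorted(dropped)


if __name__ == "__main__":
    kept, dropped = filter_cero_output(SAMPLE_CERO_OUTPUT, ["sony.com", "sony.co.uk", "playstation.com"])
    print("in scope:", kept)
    print("review  :", dropped)
```

Note that "notsony.com" is dropped even though it ends in "sony.com", which a plain `grep sony.com` would let through.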


Censys

Censys is also a good tool for recon, as it has many search features. I will show you a few censys commands that I have used in recon.

Installation:-

pip install censys
censys config
sudo apt-get install jq

Since this requires signing up on their website, get your API keys from there and enter them in the terminal when `censys config` prompts for them.

Usage:-

This command will fetch the IPs of all hosts whose HTML page title contains "Sony". I am using jq to format the JSON.

censys search 'services.http.response.html_title: "Sony"' --index-type hosts | jq -c '.[] | {ip: .ip}'

Use this command to fetch the domains under any IP. Remove the jq part to see the raw result and which fields I am taking the values from.

censys search '17.172.224.26' --index-type ipv4 --fields ip protocols | jq -c '.[] | {ip: ."443.https.tls.certificate.parsed.extensions.subject_alt_name.dns_names"}'

This tool gives you limited results on the free plan; you need a paid plan for more.

Google Dorks

Google can also help you find new domains or subdomains, and many hackers use these techniques.

intext:"© 2018 Sony Electronics Inc. All rights reserved" site:"sony.com.*"
site:.s3.amazonaws.com "Sony"

The first query relies on the footer text of a known company website and will almost certainly give you some new domains. The second query will give you Sony's AWS S3 links.


So these were a few tools that I use to find new domains or subdomains of a company. If you have anything to share, comment below. Also, follow these tools' creators for updates and more tips. Thank you!
