Recon-NG and Altdns
Jason Haddix has a fantastic script that runs Recon-NG combined with AltDNS and a subdomain wordlist. If you like it, star his repo.
Configure Recon-NG Google API
If not done already, you can follow the instructions here:
Install altdns
Clone the repo from here
$ cd altdns
$ pip install -r requirements.txt
It should be ready to use.
Download brute force list
Download it from here.
$ curl -O https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/shubs-subdomains.txt
Clone domain script
$ git clone https://github.com/jhaddix/domain.git
Use script
Simple usage
$ cd ./domain
$ ./enumall.py your_target_domain.com
Advanced usage
Configure config.py
$ cp config_sample.py config.py
$ nano config.py
reconPath = "/usr/share/recon-ng/"
altDnsPath = "/path-to-altdns/altdns-master/"
$ ./enumall.py your-target-domain.com -a -w ../shubs-subdomains.txt