https://github.com/tomnomnom/assetfinder/
assetfinder -subs-only offsecnewbie.com
amass enum -d tesla.com -ip
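Set up the config.ini file to get access to a lot more data than the baseline tool (it holds the API keys for the extra data sources, so keep it out of shared repos and backups)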
subfinder # not used much but has a few extra sources
subfinder -d tesla.com -t 25 -timeout 5 -silent
DNS bruteforcing https://youtu.be/La3iWKRX-tE?t=802
all.txt + goaltdns + commonspeak --> massdns / gobuster3
https://github.com/subfinder/goaltdns
sed -e 's/$/.tesla.com/' -i all.txt #appends .tesla.com to the end of each line - overwrites all.txt in place, so keep a copy of the original wordlist
massdns -r lists/resolvers.txt -t CNAME all.txt -o S > results
#massdns is much faster than gobuster but can get you blacklisted by DNS resolvers - it also produces a lot of false positives and negatives, so re-check hits against a resolver you trust before relying on them
#download latest file here: https://opendata.rapid7.com/sonar.fdns_v2/
pv 2019-10-27-1572199582-fdns_cname.json.gz | pigz -dc | grep -E "\.tesla\.org\"," | jq -r '.name'
certstream | grep -E "\.tesla\.com$"
#Real-time certificate transparency log update stream