Standard procedure to discover assets of a target domain

Bruteforcing

1. Pick Wordlists
2. sed 's/$/.domain.tld/g' wordlist > wordlist.txt
3. Generate an additional wordlist with DNScewl on the wordlist generated at 2
4. Probe both wordlists with aiodnsbrute

Shodan

shodan search --limit 1000 --fields ip_str,port --separator ':' '[ssl.cert.subject.cn](<http://ssl.cert.subject.cn/>):\\*.domain.tld http.status:200' | sed 's/.$//g' | tee -a shodan-un.txt | httpx -silent -o shodan-un-httpx.txt

Tools

1. Subfinder
2. cert.sh