0. dns zone transfer
1. HTTPS证书
https://transparencyreport.google.com/https/certificates
https://censys.io/certificates?q=0sec.com.cn
查看https证书
2. 文件泄漏
crossdomain.xml
robots.txt
3. 搜索引擎
shadon
site:xxx.com
4. 在线工具
云悉
http://tool.chinaz.com/subdomain/
https://spyse.com/site/not-found?q=domain%3A%22github%22&criteria=cert
5. 挖掘工具
layer,subdomainbrute等等
6. 数据聚合网站
threatcrowd
https://scans.io/study/sonar.rdns_v2
https://opendata.rapid7.com/
7. 子域名监控
sublert/get_domain/assetnote/LangSrcCurise
8. 其他
流量(burp插件domain_hunter)
github