The subdomain enumeration tool to replace all subdomain enumeration tools

PacketEngine/packetengine


PacketEngine is a service that makes subdomain enumeration easy. It handles passive and active enumeration, wordlists, brute-forcing, alterations and permutations, wildcards, alerts, and much more. It's completely automated, leaving you to focus on research and hunting rather than setting up infrastructure and monitoring.

To get started, you'll need a PacketEngine account, an API token, and at least one domain added.

Features

Currently, the PacketEngine API provides read-only endpoints. The CLI application is primarily meant to be integrated with other tools, such as httpx, nuclei, and bbrf.

The CLI application doesn't perform any scanning itself -- it gives you instant subdomains. The PacketEngine service performs the scans automatically throughout the day.

Installation

Using go install:

go install -v github.com/PacketEngine/packetengine/cmd/packetengine@latest

Using Docker:

docker pull packetengine/packetengine:latest

Using Snap:

TODO

Using Brew:

brew tap PacketEngine/packetengine
brew install packetengine

Usage

Standalone:

$ packetengine init your-api-token
API token set!
$ packetengine subdomains uberinternal.com
devpod-us-or.uberinternal.com
devpod-us.uberinternal.com
crl.pki.uberinternal.com
stack.uberinternal.com
metal-api-preprod.uberinternal.com
creativeproduction.uberinternal.com
ussh.uberinternal.com
team-dev.uberinternal.com
flyte-poc.uberinternal.com
upt-staging.uberinternal.com
lzc-crane.uberinternal.com
stash.uberinternal.com
productops.uberinternal.com
[...]

Docker:

$ docker run -v packetengine-config:/home/packetengine/.config/packetengine packetengine/packetengine init your-api-token
API token set!
$ docker run -v packetengine-config:/home/packetengine/.config/packetengine packetengine/packetengine subdomains uberinternal.com
devpod-us-or.uberinternal.com
devpod-us.uberinternal.com
crl.pki.uberinternal.com
stack.uberinternal.com
metal-api-preprod.uberinternal.com
creativeproduction.uberinternal.com
ussh.uberinternal.com
team-dev.uberinternal.com
flyte-poc.uberinternal.com
upt-staging.uberinternal.com
lzc-crane.uberinternal.com
stash.uberinternal.com
productops.uberinternal.com
[...]

httpx:

$ packetengine subdomains uberinternal.com | httpx -silent -status-code -title -mc 200
https://arize.uberinternal.com [200] [Arize AI]
https://emea-vpn-lab.uberinternal.com [200] []
https://chef-staging.uberinternal.com [200] [Chef Automate]
https://chef.uberinternal.com [200] [Chef Automate]
https://metal-api-preprod.uberinternal.com [200] []
https://metal-api-staging.uberinternal.com [200] []
https://metal-api.uberinternal.com [200] []
https://rfa.uberinternal.com [200] [Nuix ECC Server]
https://vpn-emea-any.uberinternal.com [200] []
https://vpn-world-any.awscorp.uberinternal.com [200] []
https://vpn-amere-any.uberinternal.com [200] []
https://vpn-amerw-any.uberinternal.com [200] []
https://vpn-apac-any.uberinternal.com [200] []
[...]

nuclei:

packetengine subdomains uberinternal.com | httpx -silent | nuclei

bbrf:

packetengine subdomains uberinternal.com | bbrf domain add -

Without Tags

PacketEngine automatically tags subdomains if their DNS records point to private IP space or IPv6 addresses. If you want to exclude any tags, you can use the --without-tags flag.

packetengine subdomains --without-tags=ipv6,private-ip uberinternal.com | httpx -silent -status-code -title -mc 200
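Public records that resolve to private address space disclose internal addressing, so the same tagging is useful when auditing your own zones. The Go sketch below is an added example, not PacketEngine's code: it reproduces the filter locally over constructed records. The tag names come from the command above; the classification rules (RFC 1918 and RFC 4193 for private-ip, and a host counting as tagged when any of its records is) are assumptions, as are the names Record, TagsFor and Without.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

type Record struct{ Host, Addr string } // one DNS answer for a hostname

// Constructed sample data (documentation and private ranges only).
var sample = []Record{
	{"www.example.com", "203.0.113.10"}, {"vpn.example.com", "10.20.0.5"},
	{"api.example.com", "2001:db8::10"}, {"git.example.com", "fd12:3456::1"},
	{"mail.example.com", "203.0.113.25"}, {"mail.example.com", "192.168.1.25"},
}

// TagsFor reports which tags one address earns under the assumed rules.
func TagsFor(addr string) map[string]bool {
	ip, err := netip.ParseAddr(addr)
	if err != nil {
		return nil // unparseable answers earn no tag
	}
	ip = ip.Unmap() // treat ::ffff:a.b.c.d as plain IPv4
	return map[string]bool{"ipv6": ip.Is6(), "private-ip": ip.IsPrivate()}
}

// Without returns, sorted, the hosts with no record carrying an excluded tag.
func Without(recs []Record, exclude ...string) []string {
	drop := map[string]bool{} // host -> carries an excluded tag
	for _, r := range recs {
		tags := TagsFor(r.Addr)
		hit := drop[r.Host]
		for _, t := range exclude {
			hit = hit || tags[t]
		}
		drop[r.Host] = hit
	}
	var keep []string
	for host, hit := range drop {
		if !hit {
			keep = append(keep, host)
		}
	}
	sort.Strings(keep)
	return keep
}

func main() {
	fmt.Println(Without(sample, "ipv6", "private-ip"))
}
```

Note that mail.example.com is dropped because one of its two records points into 192.168.0.0/16, even though the other is public.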

All Subdomains

PacketEngine scans for new DNS records every day. By default, we don't return subdomains for which we haven't seen any DNS records for 3 days. To include subdomains for which we only have historical DNS records, use the --all flag.

packetengine subdomains --all uberinternal.com

License

The PacketEngine CLI is available under the MIT license. See the LICENSE file for more info.