- nuclei
- amass
- assetfinder
- subfinder
- Change nuclei templates location
- Change amass's config.ini location and enter passive subdomains enums api ex. securitytrails , you can find it in https://github.com/OWASP/Amass/blob/master/examples/config.ini
it will extract subdomains passively form sourced like ex. security trails and then check for any 443 or 80 port listening on them then make a file containing all the subdomains and test them with nuclei default templates.