Domain Spray and Pray

From Enlace Hacktivista
Revision as of 22:02, 18 September 2023 by Booda (talk | contribs) (Domain Spray and Pray)

To get a list of government domains (as an example), you can either mass-scan the internet with zmap for port 443, grab banners and certificates from the responders with zgrab, and grep the results for .gov TLDs, or you can download the published IP-range and domain lists of popular cloud providers (a more limited view) such as Amazon, Digital Ocean, Google, Microsoft and Oracle.

NOTE: This is very loud and not recommended. However, for large-scale hacktivist operations that seek to target as much as possible within specific TLDs or countries, this method works quite well for identifying low-hanging-fruit vulnerabilities. A more targeted penetration test against a curated target list will be much better and more effective.

Domains

To begin, download all of the cloud providers' text files and parse them.

Output all text files into one big file:

  • user@host:~/sni_ip_ranges$ cat *.txt > all.txt

Parse all.txt for domains:

  • grep -E -o '[a-zA-Z0-9_-]+(\.[a-zA-Z0-9_-]+)+(\.[a-zA-Z]{2,})' ~/sni_ip_ranges/all.txt > domains.txt

Grep specifically for your target's TLDs:

  • grep -i '\.gov$' domains.txt > gov_domains.txt

Enumerate Subdomains

To be thorough, we enumerate the subdomains of every domain in gov_domains.txt so that coverage is complete (nuclei filters duplicate hosts).

  • subfinder -dL gov_domains.txt -o government_domains.txt

Port scan

To ensure a thorough vulnerability scan, we port scan our targets for open ports so that every exposed service is covered.

  • naabu -l government_domains.txt -o government_domains_final.txt

Vulnerability Scan

Finally, we vulnerability scan the targeted domains to later exploit.

  • nuclei -l government_domains_final.txt -s critical,high -o vuln_gov_domains.txt
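The chain above is loud by design: one source address touches a large number of distinct URLs on a host in a short time, and most of those requests come back 4xx because the probed paths do not exist. The following is an added defensive example, not from this wiki page or from any of the projectdiscovery tools, showing how a blue team can surface that pattern in ordinary Combined Log Format web access logs. The sample log lines are constructed, and the thresholds (60-second window, 20 distinct paths, 80% 4xx) are assumptions to tune per site.

```python
"""Flag template-style vulnerability scanning in web access logs.

Detection idea: a single source that hits many distinct paths within a short
window, with the large majority answered 4xx, looks like an automated probe
run rather than a browsing user. Added defensive example; thresholds and log
lines are constructed assumptions, not values from the original page.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined Log Format:
# ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_scanners(lines, window=timedelta(seconds=60), min_paths=20,
                  min_error_ratio=0.8):
    """Return {ip: (distinct_paths, error_ratio)} for each source that, inside
    any sliding `window`, requested at least `min_paths` distinct paths with
    at least `min_error_ratio` of them answered 4xx. The values recorded are
    those of the first window in which the source crossed the thresholds."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Advance the window start until all events fit inside `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            paths = {r["path"] for r in win}
            errors = sum(1 for r in win if 400 <= r["status"] < 500)
            ratio = errors / len(win)
            if len(paths) >= min_paths and ratio >= min_error_ratio:
                flagged[ip] = (len(paths), round(ratio, 2))
                break
    return flagged


def constructed_log():
    """Build a small constructed access log: one probing source that walks 25
    distinct paths one second apart (23 of them 404), and one normal visitor
    making a handful of successful requests to three pages."""
    base = datetime(2023, 9, 18, 22, 0, 0, tzinfo=timezone.utc)
    lines = []
    scanner, visitor = "203.0.113.7", "198.51.100.20"
    for i in range(25):
        ts = (base + timedelta(seconds=i)).strftime(TS_FMT)
        status = 200 if i in (0, 12) else 404
        lines.append(f'{scanner} - - [{ts}] "GET /probe-{i}.php HTTP/1.1" '
                     f'{status} 153 "-" "constructed-scanner-ua"')
    for i, path in enumerate(["/", "/about", "/contact", "/", "/about", "/"]):
        ts = (base + timedelta(seconds=5 * i)).strftime(TS_FMT)
        lines.append(f'{visitor} - - [{ts}] "GET {path} HTTP/1.1" 200 2048 '
                     f'"-" "Mozilla/5.0 (constructed)"')
    return lines


if __name__ == "__main__":
    for ip, (n_paths, ratio) in find_scanners(constructed_log()).items():
        print(f"{ip}: {n_paths} distinct paths, 4xx ratio {ratio}")
```

Behavioural thresholds like these catch scanners regardless of what User-Agent they send; matching a known scanner User-Agent string is a cheap complementary signal but is trivially changed by the operator, so it should not be the only check. On a real site, feed the function a rolling slice of the access log and tune `min_paths` and `window` against a baseline of legitimate crawler traffic, which tends to produce mostly 200s even when it touches many paths.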