As extensive nmap scans take forever, the current idea is to run nmap against all the discovered subdomains before HTTP enum, but without an execution hold based on its completion.
Another idea is to nmap only interesting hosts, i.e., hosts with multiple services or with interesting words within the FQDN, such as "internal".
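A sketch of both ideas together, as an added example rather than code from this project: it selects only the "interesting" hosts and starts their scans without waiting on them. The function names, the keyword list, the FQDN-to-services mapping and the `example.com` hosts are assumptions made for illustration.

```python
import re
import subprocess

KEYWORDS = ("internal",)  # assumed list; the note names only "internal"
FQDN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")

# Constructed sample: FQDN -> services already seen on it during discovery.
DISCOVERED = {
    "www.example.com": ["https"],
    "internal-git.example.com": ["https"],
    "mail.example.com": ["smtp", "imap", "https"],
    "-oN.example.com": ["http"],  # malformed name, must never reach argv
}

def is_interesting(fqdn, services, min_services=2):
    """Multiple services, or an interesting word inside the FQDN."""
    name = fqdn.lower()
    if not FQDN_RE.match(name):
        return False
    return len(services) >= min_services or any(k in name for k in KEYWORDS)

def select_hosts(discovered):
    return sorted(h for h, svcs in discovered.items() if is_interesting(h, svcs))

def start_scans(hosts, launch=subprocess.Popen):
    """Start one nmap process per host and return at once (no wait())."""
    jobs = {}
    for host in hosts:
        # List argv, no shell; results go to an XML file per host.
        jobs[host] = launch(["nmap", "-oX", f"nmap-{host}.xml", host])
    return jobs

def finished(jobs):
    """Non-blocking check, called between later pipeline stages."""
    return sorted(h for h, proc in jobs.items() if proc.poll() is not None)

if __name__ == "__main__":
    print(select_hosts(DISCOVERED))
```

HTTP enum can begin as soon as `start_scans` returns; calling `finished(jobs)` later picks up whichever XML reports are ready without blocking on the slow ones.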