Add subbrute, move AQUATONE and OWASP Amass to net recon section.

Both AQUATONE and OWASP Amass are not actually direct network device
discovery tools, but OSINT and DNS-specific mass querying tools. A
domain (or subdomain) is not technically a network device, and thus I
feel like these tools were mis-categorized by being grouped with actual
network device discovery search engines like Shodan.
Meitar M 2020-01-26 20:56:34 -05:00
parent ffacad5fb7
commit 0ccb2304fd
No known key found for this signature in database
GPG Key ID: 07EFAA28AB94BC85

@ -378,9 +378,11 @@ See also [awesome-industrial-control-system-security](https://github.com/hslatma
### Network Reconnaissance Tools
* [ACLight](https://github.com/cyberark/ACLight) - Script for advanced discovery of sensitive Privileged Accounts - includes Shadow Admins.
* [AQUATONE](https://github.com/michenriksen/aquatone) - Subdomain discovery tool utilizing various open sources producing a report that can be used as input to other tools.
* [CloudFail](https://github.com/m0rtem/CloudFail) - Unmask server IP addresses hidden behind Cloudflare by searching old database records and detecting misconfigured DNS.
* [DNSDumpster](https://dnsdumpster.com/) - Online DNS recon and search service.
* [Mass Scan](https://github.com/robertdavidgraham/masscan) - TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
* [OWASP Amass](https://github.com/OWASP/Amass) - Subdomain enumeration via scraping, web archives, brute forcing, permutations, reverse DNS sweeping, TLS certificates, passive DNS data sources, etc.
* [ScanCannon](https://github.com/johnnyxmas/ScanCannon) - Python script to quickly enumerate large networks by calling `masscan` to quickly identify open ports and then `nmap` to gain details on the systems/services on those ports.
* [XRay](https://github.com/evilsocket/xray) - Network (sub)domain discovery and reconnaissance automation tool.
* [dnsenum](https://github.com/fwaeytens/dnsenum/) - Perl script that enumerates DNS information from a domain, attempts zone transfers, performs a brute force dictionary style attack, and then performs reverse look-ups on the results.
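Review bot: the two moved entries (AQUATONE and OWASP Amass) are carried over with their original descriptions, and both read awkwardly in their new home; since this hunk already touches them, tighten the wording at the same time. For AQUATONE, "Subdomain discovery tool utilizing various open sources producing a report that can be used as input to other tools." chains two participles with no punctuation; suggest "Subdomain discovery tool that uses various open sources and produces a report usable as input to other tools." For OWASP Amass, the trailing "etc." is vague for a curated list; either close the list ("... TLS certificates, and passive DNS data sources") or end with "and other sources". The alphabetical placement (ACLight, AQUATONE, CloudFail, ..., OWASP Amass, ScanCannon) matches the section's existing ASCII ordering, so no reordering is needed.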
@ -393,6 +395,7 @@ See also [awesome-industrial-control-system-security](https://github.com/hslatma
* [passivedns](https://github.com/gamelinux/passivedns) - Network sniffer that logs all DNS server replies for use in a passive DNS setup.
* [scanless](https://github.com/vesche/scanless) - Utility for using websites to perform port scans on your behalf so as not to reveal your own IP.
* [smbmap](https://github.com/ShawnDEvans/smbmap) - Handy SMB enumeration tool.
* [subbrute](https://github.com/TheRook/subbrute) - DNS meta-query spider that enumerates DNS records, and subdomains.
* [zmap](https://zmap.io/) - Open source network scanner that enables researchers to easily perform Internet-wide network studies.
### Protocol Analyzers and Sniffers
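Review bot: the new subbrute entry has a stray comma before "and": "DNS meta-query spider that enumerates DNS records, and subdomains." should read "DNS meta-query spider that enumerates DNS records and subdomains." Otherwise the entry is placed correctly between smbmap and zmap in the lowercase run of the list, and it sits in the same Network Reconnaissance section the commit message argues DNS enumeration tools belong in.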
@ -530,9 +533,7 @@ See also [awesome-industrial-control-system-security](https://github.com/hslatma
### Network device discovery tools
* [AQUATONE](https://github.com/michenriksen/aquatone) - Subdomain discovery tool utilizing various open sources producing a report that can be used as input to other tools.
* [Censys](https://www.censys.io/) - Collects data on hosts and websites through daily ZMap and ZGrab scans.
* [OWASP Amass](https://github.com/OWASP/Amass) - Subdomain enumeration via scraping, web archives, brute forcing, permutations, reverse DNS sweeping, TLS certificates, passive DNS data sources, etc.
* [Shodan](https://www.shodan.io/) - World's first search engine for Internet-connected devices.
* [ZoomEye](https://www.zoomeye.org/) - Search engine for cyberspace that lets the user find specific network components.
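Review bot: after removing AQUATONE and OWASP Amass, this section lists only hosted search engines (Censys, Shodan, ZoomEye), which matches the reasoning in the commit message, but nothing on the page records that distinction, so a future contributor is likely to re-add a DNS or subdomain tool here. Suggest adding a one-line description under the "### Network device discovery tools" heading stating that this section is for search engines and services that index Internet-connected hosts and devices, and that DNS and subdomain enumeration tools belong under Network Reconnaissance Tools.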