DNS Brute force

Let's try to find new subdomains by brute-forcing DNS servers with likely subdomain names.

For this you will need some common subdomain wordlists: see Wordlists.

The most recommended tools for DNS brute-force are:

Info: MassDNS is a simple high-performance DNS stub resolver targeting those who need to resolve a massive number of domain names, in the order of millions or even billions. Without special configuration, MassDNS is capable of resolving over 350,000 names per second using publicly available resolvers.

sed 's/$/.domain.com/' subdomains.txt > bf-subdomains.txt
./massdns -r resolvers.txt -w /tmp/results.txt bf-subdomains.txt

grep -E "\.domain\.com\. [0-9]+ IN A .+" /tmp/results.txt
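The grep above only pulls A records out of the massdns text output; when the target zone has a wildcard record, every brute-forced name "resolves" and the list is useless. The following added example (not massdns's own code) parses the `name TTL IN TYPE value` layout the grep expects, keeps A/AAAA/CNAME answers under the target domain, and drops names whose answers match those of a probe label that should not exist; the sample output and the probe label are constructed for illustration.

```python
import re
from collections import defaultdict

# One massdns text-output record: "name. TTL IN TYPE value" (assumed layout,
# matching the grep pattern above; other massdns output modes differ).
RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<value>\S+)$")

def parse_massdns(text, rtypes=("A", "AAAA", "CNAME")):
    """Group answer values by owner name, keeping only the record types of interest."""
    answers = defaultdict(set)
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m or m["type"] not in rtypes:
            continue  # status lines, NS/SOA noise, malformed lines
        name = m["name"].rstrip(".").lower()
        answers[name].add((m["type"], m["value"].rstrip(".")))
    return answers

def filter_wildcard(answers, domain, probe_label="wildcardprobe-zz9"):
    """Keep names under `domain`, minus those that only echo the wildcard answer.

    `probe_label` is a hypothetical label that must be included in the
    brute-force input list; if it resolved, any name with the identical answer
    set is a wildcard artefact. A real host that happens to share the
    wildcard IP is dropped too, so treat the result as a lower bound.
    """
    probe = f"{probe_label}.{domain}".lower()
    wildcard = answers.get(probe, set())
    suffix = "." + domain.lower()
    return {n: v for n, v in answers.items()
            if n != probe and n.endswith(suffix)
            and (not wildcard or v != wildcard)}

# Constructed sample output (not a real scan): two hosts, one CNAME pointing
# outside the zone, the probe, and a name caught by the wildcard.
SAMPLE = """\
www.domain.com. 300 IN A 192.0.2.10
mail.domain.com. 300 IN A 192.0.2.25
dev.domain.com. 60 IN CNAME dev.example.net.
dev.example.net. 60 IN A 198.51.100.7
wildcardprobe-zz9.domain.com. 30 IN A 203.0.113.5
ghost.domain.com. 30 IN A 203.0.113.5
domain.com. 3600 IN NS ns1.domain.com.
"""

def live_hosts(text=SAMPLE, domain="domain.com"):
    return filter_wildcard(parse_massdns(text), domain)

if __name__ == "__main__":
    for name, recs in sorted(live_hosts().items()):
        print(name, sorted(recs))
```

Append the probe label to bf-subdomains.txt before running massdns, otherwise there is no wildcard answer to compare against.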

Info: Directory/file & DNS busting tool written in Go.

Gobuster is a tool used to brute-force:

  • URIs (directories and files) in web sites.

  • DNS subdomains (with wildcard support).

Installation

apt-get install gobuster

Examples

# With Proxy
gobuster -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" -e -fw -r -u domain.com -p http://127.0.0.1:8081 -v -w /usr/share/wordlists/dirb/big.txt

# Without Proxy
gobuster -a "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" -e -fw -r -u http://www.domain.com/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/apache.txt

shuffledns is a wrapper around massdns, written in Go, that allows you to enumerate valid subdomains using active brute force, as well as resolve subdomains with wildcard handling and easy input/output support.

shuffledns -d example.com -list example-subdomains.txt -r resolvers.txt

puredns also uses massdns.

puredns bruteforce all.txt domain.com

aiodnsbrute uses asyncio to brute-force domain names asynchronously.

aiodnsbrute -r resolvers -w wordlist.txt -vv -t 1024 domain.com
