Pentest & Bug Bounty Resources and Techniques

Second DNS Brute-Force Round

After having found subdomains using open sources and brute-forcing, you could generate alterations of the subdomains found to try to find even more.


Several tools are useful for this purpose:

dnsgen

Given the domains and subdomains, it generates permutations.

cat subdomains.txt | dnsgen -

goaltdns

Given the domains and subdomains, it generates permutations. A goaltdns permutations wordlist is available in the tool's repository.

goaltdns -l subdomains.txt -w /tmp/words-permutations.txt -o /tmp/final-words-s3.txt

gotator

Given the domains and subdomains, it generates permutations. If no permutations file is indicated, gotator uses its own built-in one.

gotator -sub subdomains.txt -silent [-perm /tmp/words-permutations.txt]

altdns

Apart from generating subdomain permutations, it can also try to resolve them (the tools listed above are the better choice for the generation step, though). An altdns permutations wordlist is available in the tool's repository.

altdns -i subdomains.txt -w /tmp/words-permutations.txt -o /tmp/asd3

dmut

Another tool to generate permutations, mutations and alterations of subdomains. It brute-forces (resolves) the results itself, but it does not handle DNS wildcards: under a parent with a wildcard record every candidate resolves, so check for wildcards before trusting its output. A dmut permutations wordlist is available in the tool's repository.

cat subdomains.txt | dmut -d /tmp/words-permutations.txt -w 100 --dns-errorLimit 10 --use-pb --verbose -s /tmp/resolvers-trusted.txt

alterx

Based on a domain, it generates new potential subdomain names from the patterns you indicate, to try to discover more subdomains.

Smart permutations generation

regulator

For more info read this post, but it will basically take the main parts of the discovered subdomains and mix them to find more subdomains.

python3 main.py adobe.com adobe adobe.rules
make_brute_list.sh adobe.rules adobe.brute
puredns resolve adobe.brute --write adobe.valid

subzuf

subzuf is a subdomain brute-force fuzzer coupled with an immensely simple but effective DNS response-guided algorithm. It uses a provided set of input data, like a tailored wordlist or historical DNS/TLS records, to accurately synthesize more corresponding domain names and expand them even further in a loop, based on information gathered during the DNS scan.

echo www | subzuf facebook.com
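To make concrete what the tools in both sections above do, here is an added example (written for this page, not code from dnsgen, altdns, dmut, regulator or subzuf). It reimplements the two generation strategies in miniature, the word-based permutations of dnsgen/altdns and the "take the parts of the discovered names and recombine them" approach of regulator, and adds the DNS-wildcard check that dmut lacks: a random label is queried under each parent, and any candidate whose answer is just the parent's wildcard answer is discarded. APEX, KNOWN, WORDS and the ZONE behind fake_resolve are constructed so the script runs offline; swap fake_resolve for a real lookup (dnspython, or feed the candidates to puredns) to use it against a target.

```python
# Added example, not code from this page or from dnsgen/altdns/dmut/regulator/subzuf.
# APEX, KNOWN, WORDS and the ZONE served by fake_resolve are constructed sample data.
import itertools
import random
import re
import string
from typing import Callable, Dict, Iterable, Set

APEX = "example.com"                                   # assumed target (constructed)
KNOWN = ["api.example.com", "www.example.com", "db01.example.com", "api.dev.example.com"]
WORDS = ["staging", "admin"]                           # stand-in for words-permutations.txt


def labels_of(fqdn: str, apex: str) -> tuple:
    """Sub-labels below apex: 'api.dev.example.com' -> ('api', 'dev')."""
    if fqdn == apex:
        return ()
    assert fqdn.endswith("." + apex), f"{fqdn} is not under {apex}"
    return tuple(fqdn[: -len(apex) - 1].split("."))

def word_permutations(subs: Iterable[str], apex: str, words: Iterable[str]) -> Set[str]:
    """dnsgen/altdns style: add a word as a new label at every depth, glue it to an
    existing label with or without a hyphen, and step numeric suffixes (db01 -> db02)."""
    subs, out = list(subs), set()
    for fq in subs:
        labs = labels_of(fq, apex)
        for w in words:
            for i in range(len(labs) + 1):
                out.add(".".join(labs[:i] + (w,) + labs[i:]) + "." + apex)
            for i, lab in enumerate(labs):
                for cand in (f"{w}-{lab}", f"{lab}-{w}", f"{w}{lab}", f"{lab}{w}"):
                    out.add(".".join(labs[:i] + (cand,) + labs[i + 1:]) + "." + apex)
        for i, lab in enumerate(labs):
            m = re.fullmatch(r"(.*?)(\d+)", lab)
            if not m:
                continue
            base, digits = m.groups()
            for n in range(max(0, int(digits) - 2), int(digits) + 3):
                if n != int(digits):                    # keep the zero-padding width
                    cand = f"{base}{n:0{len(digits)}d}"
                    out.add(".".join(labs[:i] + (cand,) + labs[i + 1:]) + "." + apex)
    return out - set(subs)

def smart_permutations(subs: Iterable[str], apex: str) -> Set[str]:
    """regulator style: harvest the tokens already present in discovered names
    (split on '-', '_' and letter/digit boundaries) and recombine them."""
    subs, tokens = list(subs), set()
    for fq in subs:
        for lab in labels_of(fq, apex):
            tokens.update(t for t in re.split(r"[-_]|(?<=\D)(?=\d)|(?<=\d)(?=\D)", lab)
                          if t and not t.isdigit())
    out = {f"{t}.{apex}" for t in tokens}
    for a, b in itertools.permutations(sorted(tokens), 2):
        out.add(f"{a}.{b}.{apex}")                      # two labels
        out.add(f"{a}-{b}.{apex}")                      # one hyphenated label
    return out - set(subs)

def wildcard_answers(parent: str, resolve: Callable[[str], Set[str]], probes: int = 2) -> Set[str]:
    """Query random labels under parent; identical non-empty answers mean a
    wildcard record, and its addresses are returned (empty set otherwise)."""
    seen = []
    for _ in range(probes):
        rnd = "".join(random.choices(string.ascii_lowercase + string.digits, k=16))
        seen.append(frozenset(resolve(f"{rnd}.{parent}")))
    return set(seen[0]) if all(seen) and len(set(seen)) == 1 else set()

def resolve_filtered(candidates: Iterable[str], resolve: Callable[[str], Set[str]]) -> Dict[str, Set[str]]:
    """Resolve candidates, dropping those whose answer is just the parent's wildcard.
    Caveat: a real host that shares the wildcard's address is dropped as well."""
    wildcard: Dict[str, Set[str]] = {}
    valid: Dict[str, Set[str]] = {}
    for name in sorted(candidates):
        parent = name.split(".", 1)[1]
        if parent not in wildcard:
            wildcard[parent] = wildcard_answers(parent, resolve)
        ips = resolve(name)
        if ips and ips != wildcard[parent]:
            valid[name] = ips
    return valid

# Constructed zone: *.dev.example.com is a wildcard answering 10.0.0.99.
ZONE = {
    "api.example.com": {"10.0.0.1"}, "www.example.com": {"10.0.0.2"},
    "db01.example.com": {"10.0.0.3"}, "db02.example.com": {"10.0.0.4"},
    "api-staging.example.com": {"10.0.0.5"}, "api.dev.example.com": {"10.0.0.10"},
    "db.dev.example.com": {"10.0.0.11"},                # real host under the wildcard
}

def fake_resolve(name: str) -> Set[str]:
    """Stand-in for a DNS lookup so the demo runs offline (constructed answers)."""
    if name in ZONE:
        return set(ZONE[name])
    return {"10.0.0.99"} if name.endswith(".dev.example.com") else set()

def run_demo(resolve: Callable[[str], Set[str]] = fake_resolve) -> Dict[str, Set[str]]:
    cands = word_permutations(KNOWN, APEX, WORDS) | smart_permutations(KNOWN, APEX)
    return resolve_filtered(cands, resolve)

if __name__ == "__main__":
    for name, ips in run_demo().items():
        print(name, ",".join(sorted(ips)))
```

Running it prints only the three names that genuinely exist in the constructed zone (api-staging, db02 and db.dev); the dozens of *.dev.example.com candidates that answer with the wildcard address are dropped, which is exactly the noise a wildcard-unaware brute forcer would report as findings. The filter compares answer sets, so a real host that happens to share the wildcard's address is lost; in practice, compare against the wildcard's A and CNAME answers and spot-check survivors on HTTP before reporting.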