Second DNS Brute-Force Round
After having found subdomains using open sources and brute-forcing, you could generate alterations of the subdomains found to try to find even more.
Several tools are useful for this purpose:
dnsgen: given the domains and subdomains, generates permutations.

    cat subdomains.txt | dnsgen -

goaltdns: given the domains and subdomains, generates permutations.

    goaltdns -l subdomains.txt -w /tmp/words-permutations.txt -o /tmp/final-words-s3.txt

gotator: given the domains and subdomains, generates permutations. If no permutations file is indicated, gotator uses its own.

    gotator -sub subdomains.txt -silent [-perm /tmp/words-permutations.txt]

Apart from generating subdomain permutations, this tool can also try to resolve them (but it is better to use the previously mentioned tools).
Another tool that performs permutations, mutations and alterations of subdomains. It also brute-forces (resolves) the results itself, but it does not handle DNS wildcards.
Based on a domain, it generates new potential subdomain names from the indicated patterns to try to discover more subdomains.
Smart permutations generation
For more info read the referenced post; in short, it extracts the main parts of the discovered subdomains and mixes them to find more subdomains.
subzuf is a subdomain brute-force fuzzer coupled with an immensely simple but effective DNS response-guided algorithm. It utilizes a provided set of input data, like a tailored wordlist or historical DNS/TLS records, to accurately synthesize more corresponding domain names and expand them even further in a loop based on information gathered during the DNS scan.
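To make concrete what the permutation tools above and the "smart" generators in this section actually do, here is an added example (not code from HackTricks or from any of the tools named on this page) that implements the core of both: dnsgen/altdns-style permutations of discovered names (a word as a new label, a word glued to an existing label with and without a hyphen, and number bumps such as api01 -> api02), a wildcard check so a wildcard record does not flood the results, and a response-guided loop in which names that resolve feed their own tokens back into the next round, as regulator and subzuf describe. The resolver is a pluggable callable; `fake_resolve`, `FAKE_ZONE` and the example.com hostnames are constructed for the offline demo and are not real data.

```python
"""Permutation-based subdomain discovery with a DNS-response-guided feedback loop.

Added example, not code from HackTricks or from any tool named on the page.
The resolver is pluggable; the one at the bottom serves constructed data so
the script runs offline.
"""
import re
import uuid
from typing import Callable, Dict, Iterable, List, Optional, Set

Resolver = Callable[[str], Optional[str]]  # hostname -> IP, or None for NXDOMAIN


def tokens(fqdn: str, apex: str) -> List[str]:
    """Split the part below the apex into words: 'dev-api01.example.com' -> ['dev', 'api', '01']."""
    sub = fqdn[: -len(apex) - 1] if fqdn.endswith("." + apex) else ""
    return [t for t in re.split(r"[.\-]|(?<=\D)(?=\d)|(?<=\d)(?=\D)", sub) if t]


def bump_numbers(label: str) -> Set[str]:
    """api01 -> {api00, api02}, keeping the zero padding."""
    m = re.search(r"(\d+)$", label)
    if not m:
        return set()
    n, width, stem = int(m.group(1)), len(m.group(1)), label[: m.start()]
    return {f"{stem}{str(v).zfill(width)}" for v in (n - 1, n + 1) if v >= 0}


def permute(fqdn: str, apex: str, words: Iterable[str]) -> Set[str]:
    """dnsgen/altdns-style candidates for one discovered name: new labels, glued words, number bumps."""
    labels = fqdn[: -len(apex) - 1].split(".")
    out: Set[str] = set()
    for w in set(words):
        for i in range(len(labels) + 1):  # the word as a new label at every depth
            out.add(".".join(labels[:i] + [w] + labels[i:]))
        for i, lab in enumerate(labels):  # the word glued onto an existing label
            for glued in (w + lab, w + "-" + lab, lab + w, lab + "-" + w):
                out.add(".".join(labels[:i] + [glued] + labels[i + 1:]))
    for i, lab in enumerate(labels):
        for bumped in bump_numbers(lab):
            out.add(".".join(labels[:i] + [bumped] + labels[i + 1:]))
    out.discard(".".join(labels))  # never emit the input name itself
    return {f"{c}.{apex}" for c in out}


def resolve_filtered(candidates: Iterable[str], resolve: Resolver) -> Dict[str, str]:
    """Resolve candidates, discarding answers explained by a wildcard record at the same parent.

    The wildcard is detected by resolving a random label under each parent. A host that
    really exists but shares the wildcard's IP is dropped too (a known limit of this check).
    """
    wildcard: Dict[str, Optional[str]] = {}
    hits: Dict[str, str] = {}
    for name in sorted(set(candidates)):
        parent = name.split(".", 1)[1]
        if parent not in wildcard:
            wildcard[parent] = resolve(f"{uuid.uuid4().hex[:12]}.{parent}")
        ip = resolve(name)
        if ip is not None and ip != wildcard[parent]:
            hits[name] = ip
    return hits


def discover(seeds: Iterable[str], apex: str, words: Iterable[str],
             resolve: Resolver, max_rounds: int = 3) -> Dict[str, str]:
    """Response-guided loop: names that resolve contribute their tokens to the next round."""
    seeds = set(seeds)
    known: Dict[str, str] = {}
    vocab = set(words)
    frontier = set(seeds)
    for _ in range(max_rounds):
        vocab |= {t for s in frontier for t in tokens(s, apex) if not t.isdigit()}
        cands = set().union(*(permute(s, apex, vocab) for s in frontier))
        new = resolve_filtered(cands - seeds - set(known), resolve)
        if not new:
            break
        known.update(new)
        frontier = set(new)
    return known


# Constructed zone for the offline demo (RFC 5737 documentation addresses, not real hosts).
FAKE_ZONE = {
    "www.example.com": "203.0.113.10",
    "api01.example.com": "203.0.113.11",
    "dev-api01.example.com": "203.0.113.12",
    "api02.example.com": "203.0.113.13",
    "staging-api02.example.com": "203.0.113.14",
    "dev-www.example.com": "203.0.113.15",
}


def fake_resolve(name: str) -> Optional[str]:
    """Stand-in for a real resolver; *.wild.example.com behaves like a wildcard record."""
    if name.endswith(".wild.example.com"):
        return "203.0.113.99"
    return FAKE_ZONE.get(name)


if __name__ == "__main__":
    found = discover(["www.example.com", "api01.example.com"], "example.com",
                     ["dev", "staging"], fake_resolve)
    for host, ip in sorted(found.items()):
        print(host, ip)
```

With the constructed zone, the first round finds dev-api01, api02 and dev-www from the two seeds; staging-api02 is only reachable in the second round, after api02 has resolved and become part of the frontier, which is exactly the feedback effect the "smart" generators rely on. Swapping `fake_resolve` for a real resolver (and feeding the candidates to a mass resolver instead of resolving one by one) turns this into the same pipeline the tools above implement.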