Second DNS Brute-Force Round
After finding subdomains through open sources and brute-forcing, you can generate alterations (permutations) of the subdomains you already have and resolve them to find even more.
Several tools are useful for this purpose:
dnsgen: given the domains and subdomains, it generates permutations.
```bash
cat subdomains.txt | dnsgen -
```
goaltdns: given the domains and subdomains, it generates permutations.
```bash
goaltdns -l subdomains.txt -w /tmp/words-permutations.txt -o /tmp/final-words-s3.txt
```
gotator: given the domains and subdomains, it generates permutations. If no permutations file is indicated, gotator will use its own.
```bash
gotator -sub subdomains.txt -silent [-perm /tmp/words-permutations.txt]
```
altdns: apart from generating subdomain permutations, it can also try to resolve them (but it is better to generate with the tools above and resolve with a dedicated resolver such as puredns).
```bash
altdns -i subdomains.txt -w /tmp/words-permutations.txt -o /tmp/asd3
```
dmut: another tool to perform permutations, mutations and alterations of subdomains. It brute-forces (resolves) the results itself, but it does not handle DNS wildcards, so on a wildcard zone every candidate will appear valid.
```bash
cat subdomains.txt | dmut -d /tmp/words-permutations.txt -w 100 --dns-errorLimit 10 --use-pb --verbose -s /tmp/resolvers-trusted.txt
```
Based on a domain, it generates new potential subdomain names from the indicated patterns in order to discover more subdomains.
Smart permutations generation
For more info read this post, but it basically extracts the main parts (tokens) of the discovered subdomains and mixes them to find more subdomains; the generated list is then resolved with puredns.
```bash
python3 main.py adobe.com adobe adobe.rules
make_brute_list.sh adobe.rules adobe.brute
puredns resolve adobe.brute --write adobe.valid
```
subzuf is a subdomain brute-force fuzzer coupled with an immensely simple but effective DNS response-guided algorithm. It utilizes a provided set of input data, like a tailored wordlist or historical DNS/TLS records, to accurately synthesize more corresponding domain names and expand them even further in a loop, based on information gathered during the DNS scan.
```bash
echo www | subzuf facebook.com
```
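To show what the tools above actually do with a list of discovered hosts, here is an added example in Python that is not code from dnsgen, altdns, regulator, dmut or any other tool on this page. It implements the two generation strategies the page describes (dnsgen/altdns-style alterations of each host, and regulator-style mixing of the tokens seen across all hosts) and adds the wildcard check that dmut lacks: a candidate that answers exactly like a random label under the same parent is wildcard noise and is dropped. The domain `example.com`, the discovered hosts, the six-word permutation list and the `fake_resolve` table are constructed assumptions so the script runs offline; in real use `resolve` would be backed by a resolver such as puredns or massdns.

```python
"""Added example: subdomain permutation generation plus a wildcard filter.

  - basic_permutations(): dnsgen/altdns-style alterations of one host
    (prefix/suffix a word, insert it as a new label, bump trailing digits)
  - smart_permutations(): regulator-style recombination of the tokens
    that appear anywhere in the discovered set
  - filter_wildcard(): drop candidates that answer like the parent's wildcard
DNS lookups go through a caller-supplied function so the script runs offline.
"""
import itertools
import re

# Constructed sample data (assumptions for the demo, not real recon output).
DOMAIN = "example.com"
DISCOVERED = [
    "www.example.com",
    "dev-api.example.com",
    "api2.example.com",
    "staging.internal.example.com",
]
# Tiny stand-in for /tmp/words-permutations.txt.
WORDS = ["dev", "staging", "api", "internal", "test", "admin"]

_TRAILING_NUM = re.compile(r"(\d+)$")


def split_host(host, domain):
    """Labels of `host` left of `domain`: "a.b.example.com" -> ["a", "b"]."""
    suffix = "." + domain
    if not host.endswith(suffix):
        raise ValueError(f"{host} is not under {domain}")
    return host[: -len(suffix)].split(".")


def tokens(labels):
    """Whole labels plus their '-' separated parts ("dev-api" -> dev, api)."""
    out = set()
    for label in labels:
        out.add(label)
        out.update(p for p in label.split("-") if p)
    return out


def basic_permutations(host, domain, words=WORDS):
    """dnsgen/altdns-style alterations of a single discovered host."""
    labels = split_host(host, domain)
    left = ".".join(labels)
    cands = set()
    for w in words:
        cands.update({f"{w}-{left}.{domain}", f"{w}.{left}.{domain}",
                      f"{left}-{w}.{domain}", f"{left}.{w}.{domain}"})
        for i in range(1, len(labels)):          # insert as a middle label
            cands.add(".".join(labels[:i] + [w] + labels[i:]) + "." + domain)
    m = _TRAILING_NUM.search(labels[0])          # api2 -> api1, api3
    if m:
        n, base = int(m.group(1)), labels[0][: m.start()]
        for k in (n - 1, n + 1):
            if k >= 0:
                cands.add(".".join([f"{base}{k}"] + labels[1:]) + "." + domain)
    cands.discard(host)
    return cands


def smart_permutations(hosts, domain, max_labels=2):
    """regulator-style: recombine tokens seen anywhere in the discovered set."""
    toks = set()
    for h in hosts:
        toks |= tokens(split_host(h, domain))
    cands = set()
    for depth in range(1, max_labels + 1):
        for combo in itertools.permutations(sorted(toks), depth):
            cands.add(".".join(combo) + "." + domain)
            if depth == 2:
                cands.add("-".join(combo) + "." + domain)
    return cands - set(hosts)


def generate(hosts, domain):
    """Union of both strategies, deduplicated and sorted."""
    cands = set()
    for h in hosts:
        cands |= basic_permutations(h, domain)
    cands |= smart_permutations(hosts, domain)
    return sorted(cands)


def filter_wildcard(cands, resolve, probe="wildcardprobe-x9q2"):
    """Keep candidates that resolve AND differ from their parent's wildcard answer.

    `resolve(name)` must return a frozenset of answers (empty = NXDOMAIN).
    One probe per parent is enough for the demo; use several random labels
    in real use, since some wildcards rotate their answers.
    """
    wildcard, kept = {}, []
    for c in cands:
        parent = c.split(".", 1)[1]
        if parent not in wildcard:
            wildcard[parent] = resolve(f"{probe}.{parent}")
        answer = resolve(c)
        if answer and answer != wildcard[parent]:
            kept.append(c)
    return kept


def fake_resolve(name):
    """Constructed offline stand-in for DNS: two real hosts plus a wildcard
    zone *.dev.example.com that answers 10.0.0.9 for any label."""
    if name.endswith(".dev.example.com"):
        return frozenset({"10.0.0.9"})
    table = {
        "api3.example.com": frozenset({"10.0.0.3"}),
        "internal.staging.example.com": frozenset({"10.0.0.4"}),
    }
    return table.get(name, frozenset())


if __name__ == "__main__":
    for host in filter_wildcard(generate(DISCOVERED, DOMAIN), fake_resolve):
        print(host)
```

Running it prints only `api3.example.com` and `internal.staging.example.com`: the many `*.dev.example.com` candidates the generators produce are discarded because they answer identically to the random probe under `dev.example.com`, which is exactly the false-positive flood you get when a tool resolves permutations without a wildcard check.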