Second DNS Brute-Force Round

After finding subdomains through open sources and brute-forcing, you can generate alterations of the subdomains found to try to discover even more.

Several tools are useful for this purpose:

dnsgen: Given the domains and subdomains, generate permutations.

cat subdomains.txt | dnsgen -

goaltdns: Given the domains and subdomains, generate permutations.

You can get the goaltdns permutations wordlist here.

goaltdns -l subdomains.txt -w /tmp/words-permutations.txt -o /tmp/final-words-s3.txt

gotator: Given the domains and subdomains, generate permutations. If no permutations file is indicated, gotator will use its own.

gotator -sub subdomains.txt -silent [-perm /tmp/words-permutations.txt]

altdns: Apart from generating subdomain permutations, it can also try to resolve them (but it's better to use the tools mentioned above).

You can get the altdns permutations wordlist here.


dmut: Another tool to perform permutations, mutations and alterations of subdomains. This tool will brute-force the result (it doesn't support DNS wildcards).

You can get the dmut permutations wordlist here.
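The tools above alter names that are already known, and the dmut note flags DNS wildcards as a problem once the candidates are resolved. The following added example (not taken from this page or from any of the tools) shows both steps on your own zone: a small permutation generator and a wildcard filter that compares each answer with the answer for a random sibling name. The function names, the word list and the constructed sample zone are assumptions; in practice `fake_resolve` would be replaced by a real resolver call.

```python
import re
import secrets

def _join(labels, i, new, apex, insert=False):
    # Replace label i with `new`, or insert `new` in front of it.
    rest = labels[i:] if insert else labels[i + 1:]
    return ".".join(labels[:i] + [new] + rest + [apex])

def permute(known, words, apex):
    """Alterations of known names: inserted words, joined words, +/-1 numbers."""
    out = set()
    for name in known:
        if not name.endswith("." + apex):
            continue
        labels = name[: -len(apex) - 1].split(".")  # labels left of the apex
        for i, label in enumerate(labels):
            for w in words:
                out.add(_join(labels, i, w, apex, insert=True))
                out.add(_join(labels, i, f"{w}-{label}", apex))
                out.add(_join(labels, i, f"{label}-{w}", apex))
            for m in re.finditer(r"\d+", label):  # api1 -> api0, api2
                for n in (int(m.group()) - 1, int(m.group()) + 1):
                    if n >= 0:
                        alt = label[:m.start()] + str(n) + label[m.end():]
                        out.add(_join(labels, i, alt, apex))
    return out - set(known)

def drop_wildcard_hits(candidates, resolve):
    """Keep candidates whose answer differs from a random sibling's answer."""
    probes, real = {}, {}
    for name in sorted(candidates):
        answer = resolve(name)
        if not answer:
            continue
        parent = name.split(".", 1)[1]
        if parent not in probes:  # one random probe per parent zone
            probes[parent] = resolve(f"{secrets.token_hex(8)}.{parent}")
        if answer != probes[parent]:
            real[name] = answer
    return real

# Constructed sample zone standing in for a real resolver (assumption).
ZONE = {"api2.example.com": {"192.0.2.20"}, "dev-api1.example.com": {"192.0.2.21"}}
WILDCARDS = {"apps.example.com": {"192.0.2.99"}}  # *.apps.example.com

def fake_resolve(name):
    parent = name.split(".", 1)[1]
    return frozenset(ZONE.get(name) or WILDCARDS.get(parent, ()))
```

Without the filter, every candidate directly under `apps.example.com` would resolve and be reported as a finding; comparing answer sets is a simple heuristic and can miss wildcards that return rotating addresses.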


Given a domain, it generates new potential subdomain names from the indicated patterns to try to discover more subdomains.

Smart permutations generation

For more info read this post, but it basically takes the main parts of the discovered subdomains and mixes them to find more subdomains.


subzuf is a subdomain brute-force fuzzer coupled with an immensely simple but effective DNS response-guided algorithm. It uses a provided set of input data, like a tailored wordlist or historical DNS/TLS records, to accurately synthesize more corresponding domain names and expand them even further in a loop based on information gathered during the DNS scan.
