Subdomain Bruteforcing
4 steps of subdomain bruteforcing
- Wordlist Selection
  - The process begins with selecting a wordlist containing potential subdomain names. These wordlists can be:
    - General-Purpose: Containing a broad range of common subdomain names (e.g., dev, staging, blog, mail, admin, test). This approach is useful when you don't know the target's naming conventions.
    - Targeted: Focused on specific industries, technologies, or naming patterns relevant to the target. This approach is more efficient and reduces the chances of false positives.
    - Custom: You can create your own wordlist based on specific keywords, patterns, or intelligence gathered from other sources.
- Iteration and Querying
  - A script or tool iterates through the wordlist, appending each word or phrase to the main domain (e.g., example.com) to create potential subdomain names (e.g., dev.example.com, staging.example.com).
- DNS Lookup
  - A DNS query is made for each candidate name to check whether it resolves to an IP address.
- Filtering and Validation
  - If a subdomain resolves successfully, it's added to a list of valid subdomains. Further validation steps might be taken to confirm the subdomain's existence and functionality (e.g., by attempting to access it through a web browser).
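The four steps above as a small Python resolver loop, with the wildcard check that tools like fierce perform and a filter that compares results against an existing inventory. This is an added example, not code from the page or from dnsenum; `dict_resolver` is a constructed offline stand-in for DNS so the logic can be exercised without network access.

```python
import socket
from typing import Callable, Dict, Iterable, List, Optional

# A resolver maps a hostname to its IPv4 address, or None if the name does not exist.
Resolver = Callable[[str], Optional[str]]

def system_resolver(name: str) -> Optional[str]:
    """Step 3 against real DNS: A-record lookup through the OS resolver."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def dict_resolver(records: Dict[str, str], wildcard_ip: Optional[str] = None) -> Resolver:
    """Constructed offline stand-in for DNS built from a record table; wildcard_ip
    mimics a *.domain record that answers for every unknown name."""
    return lambda name: records.get(name, wildcard_ip)

def wildcard_address(domain: str, resolver: Resolver) -> Optional[str]:
    """Resolve a label that should not exist; any answer means the zone has a wildcard."""
    return resolver(f"wildcard-probe-d3c1a9.{domain}")

def brute_force(domain: str, wordlist: Iterable[str],
                resolver: Resolver = system_resolver) -> Dict[str, str]:
    """Steps 1-4: iterate the wordlist, query each candidate, keep only real answers."""
    wildcard = wildcard_address(domain, resolver)
    found: Dict[str, str] = {}
    for word in wordlist:                          # step 2: iteration
        label = word.strip().lower()
        if not label or label.startswith("#"):     # skip blanks and comment lines
            continue
        candidate = f"{label}.{domain}"
        ip = resolver(candidate)                   # step 3: DNS lookup
        # step 4: filter. A wildcard answer is not a real host. Limitation: a real
        # host that shares the wildcard's address is dropped too.
        if ip is None or ip == wildcard:
            continue
        found[candidate] = ip
    return found

def new_subdomains(found: Dict[str, str], known: Iterable[str], domain: str) -> List[str]:
    """Brute-forced names that are missing from an existing inventory of labels."""
    known_fqdn = {f"{k}.{domain}" for k in known}
    return sorted(n for n in found if n not in known_fqdn)
```

Run against your own zone, a non-empty `wildcard_address()` result is the first thing to check; without it, every word in the list looks like a hit.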
There are several tools available that excel at brute-force enumeration:
| Tool | Description |
|---|---|
| dnsenum | Comprehensive DNS enumeration tool that supports dictionary and brute-force attacks for discovering subdomains. |
| fierce | User-friendly tool for recursive subdomain discovery, featuring wildcard detection and an easy-to-use interface. |
| dnsrecon | Versatile tool that combines multiple DNS reconnaissance techniques and offers customisable output formats. |
| amass | Actively maintained tool focused on subdomain discovery, known for its integration with other tools and extensive data sources. |
| assetfinder | Simple yet effective tool for finding subdomains using various techniques, ideal for quick and lightweight scans. |
| puredns | Powerful and flexible DNS brute-forcing tool, capable of resolving and filtering results effectively. |
DNSEnum
dnsenum is a versatile and widely-used command-line tool written in Perl. It is a comprehensive toolkit for DNS reconnaissance, providing various functionalities to gather information about a target domain's DNS infrastructure and potential subdomains. The tool offers several key functions:
- DNS Record Enumeration: dnsenum can retrieve various DNS records, including A, AAAA, NS, MX, and TXT records, providing a comprehensive overview of the target's DNS configuration.
- Zone Transfer Attempts: The tool automatically attempts zone transfers from discovered name servers. While most servers are configured to prevent unauthorised zone transfers, a successful attempt can reveal a treasure trove of DNS information.
- Subdomain Brute-Forcing: dnsenum supports brute-force enumeration of subdomains using a wordlist. This involves systematically testing potential subdomain names against the target domain to identify valid ones.
- Google Scraping: The tool can scrape Google search results to find additional subdomains that might not be listed in DNS records directly.
- Reverse Lookup: dnsenum can perform reverse DNS lookups to identify domains associated with a given IP address, potentially revealing other websites hosted on the same server.
- WHOIS Lookups: The tool can also perform WHOIS queries to gather information about domain ownership and registration details.
Let's see dnsenum in action by demonstrating how to enumerate subdomains for our target, inlanefreight.com. In this demonstration, we'll use the subdomains-top1million-20000.txt wordlist from SecLists, which contains the top 20000 most common subdomains.
```bash
dnsenum --enum inlanefreight.com -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -r
```
In this command:
- dnsenum --enum inlanefreight.com: We specify the target domain we want to enumerate, along with a shortcut for some tuning options, --enum.
- -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt: We indicate the path to the SecLists wordlist we'll use for brute-forcing. Adjust the path if your SecLists installation is different.
- -r: This option enables recursive subdomain brute-forcing, meaning that if dnsenum finds a subdomain, it will then try to enumerate subdomains of that subdomain.
Output:
```
dnsenum VERSION:1.2.6
----- inlanefreight.com -----
Host's addresses:
__________________
inlanefreight.com. 300 IN A 134.209.24.248
[...]
Brute forcing with /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt:
_______________________________________________________________________________________
www.inlanefreight.com. 300 IN A 134.209.24.248
support.inlanefreight.com. 300 IN A 134.209.24.248
[...]
done.
```
Exercise
Using the known subdomains for inlanefreight.com (www, ns1, ns2, ns3, blog, support, customer), find any missing subdomains by brute-forcing possible domain names. Provide your answer with the complete subdomain, e.g., www.inlanefreight.com.
Using dnsenum
```bash
┌──(macc㉿kaliLab)-[~/Downloads/SecLists]
└─$ dnsenum --enum inlanefreight.com -f Discovery/DNS/subdomains-top1million-20000.txt -r
```
Output:
```
dnsenum VERSION:1.3.1
----- inlanefreight.com -----
Host's addresses:
__________________
inlanefreight.com. 377 IN A 134.209.24.248
Name Servers:
______________
ns1.inlanefreight.com. 377 IN A 178.128.39.165
ns2.inlanefreight.com. 377 IN A 206.189.119.186
Mail (MX) Servers:
___________________
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
Trying Zone Transfer for inlanefreight.com on ns1.inlanefreight.com ...
AXFR record query failed: Connection timed out
Trying Zone Transfer for inlanefreight.com on ns2.inlanefreight.com ...
AXFR record query failed: Connection timed out
Scraping inlanefreight.com subdomains from Google:
___________________________________________________
---- Google search page: 1 ----
Google Results:
________________
perhaps Google is blocking our queries.
Check manually.
Brute forcing with Discovery/DNS/subdomains-top1million-20000.txt:
___________________________________________________________________
www.inlanefreight.com. 377 IN A 134.209.24.248
ns1.inlanefreight.com. 366 IN A 178.128.39.165
ns2.inlanefreight.com. 366 IN A 206.189.119.186
blog.inlanefreight.com. 377 IN A 134.209.24.248
ns3.inlanefreight.com. 377 IN A 134.209.24.248
support.inlanefreight.com. 377 IN A 134.209.24.248
my.inlanefreight.com. 377 IN A 134.209.24.248
customer.inlanefreight.com. 377 IN A 134.209.24.248
...
```
- Comparing the brute-force results against the known list (www, ns1, ns2, ns3, blog, support, customer), the only missing subdomain is my.inlanefreight.com.
- flag: my.inlanefreight.com