DNS Subdomain Enumeration

Wordlist - Exegol

  • /opt/seclists/Discovery/DNS/fierce-hostlist.txt

  • /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt

GoBuster

git clone https://github.com/danielmiessler/SecLists
sudo apt install seclists -y

Add a DNS Server such as 1.1.1.1 to the /etc/resolv.conf file

gobuster dns -d inlanefreight.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt

Pattern found

Example: lert-api-shv-{NUMBER}-sin6.facebook.com

pattern.txt:

lert-api-shv-{GOBUSTER}-sin6
atlas-pp-shv-{GOBUSTER}-sin6
$ export TARGET="facebook.com"
$ export NS="d.ns.facebook.com"
$ export WORDLIST="numbers.txt"
$ gobuster dns -q -r "${NS}" -d "${TARGET}" -w "${WORDLIST}" -p ./patterns.txt -o "gobuster_${TARGET}.txt"

Dig

$ for sub in $(cat /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.inlanefreight.htb @10.129.14.128 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done

ns.inlanefreight.htb.   604800  IN      A       10.129.34.136
mail1.inlanefreight.htb. 604800 IN      A       10.129.18.201
app.inlanefreight.htb.  604800  IN      A       10.129.18.15
for sub in $(cat /opt/seclists/Discovery/DNS/fierce-hostlist.txt);do dig $sub.inlanefreight.htb @10.129.104.34 | grep -v ';\|MX' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done

DNSenum

dnsenum --dnsserver 10.129.14.128 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb

Other tools

Knock

LogoGitHub - guelfoweb/knock: Knock Subdomain ScanGitHub

Sublister

LogoGitHub - aboul3la/Sublist3r: Fast subdomains enumeration tool for penetration testersGitHub

Subfinder

LogoGitHub - projectdiscovery/subfinder: Subfinder is a subdomain discovery tool that discovers valid subdomains for websites. Designed as a passive framework to be useful for bug bounties and safe for penetration testing.GitHub
./subfinder -d inlanefreight.com -v

Assetfinder

LogoGitHub - tomnomnom/assetfinder: Find domains and subdomains related to a given domainGitHub
assetfinder githubapp.com

Subbrute

$ git clone https://github.com/TheRook/subbrute.git >> /dev/null 2>&1
$ cd subbrute
$ echo "ns1.inlanefreight.com" > ./resolvers.txt
$ ./subbrute inlanefreight.com -s ./names.txt -r ./resolvers.txt

Warning: Fewer than 16 resolvers per process, consider adding more nameservers to resolvers.txt.
inlanefreight.com
ns2.inlanefreight.com
www.inlanefreight.com
ms1.inlanefreight.com
support.inlanefreight.com

<SNIP>

DNSRecon

LogoGitHub - darkoperator/dnsrecon: DNS Enumeration ScriptGitHub

Virtual Host

Virtual Host

Ffuf

ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.inlanefreight.com/

Resources

PreviousIDS IPS AV EvasionNextVirtual Host

Last updated