DNS Subdomain Enumeration

Google Dorks

Google Dorks

Online

Subdomain Finder - C99.nl

Free subdomain finder online 🛡️ find subdomains of domainPentest-Tools.com

https://dnsdumpster.com/dnsdumpster.com

Wordlist

Subdomain megalist

subfuz/subdomain_megalist.txt at master · netsecurity-as/subfuzGitHub

Exegol

• /opt/seclists/Discovery/DNS/fierce-hostlist.txt

• /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt

Generate subdomains wordlist

GitHub - AlephNullSK/dnsgen: Generates combination of domain names from the provided input.GitHub

Get only resolved domains with massdns:

$ dnsgen hosts.txt >> dnsgen_wordlist.txt
$ massdns -r ~/tools/massdns/lists/resolvers.txt -o S dnsgen_wordlist.txt | grep -e ' A ' | cut -d 'A' -f 1 | rev | cut -d "." -f1 --complement | rev | sort | uniq  > dnsgen_massdns_resolved

GitHub - trickest/mksub: Generate tens of thousands of subdomain combinations in a matter of secondsGitHub

Using AI

GitHub - jthack/cewlai: ai-based domain name generationGitHub

GoBuster

git clone https://github.com/danielmiessler/SecLists
sudo apt install seclists -y

Add a DNS Server such as 1.1.1.1 to the /etc/resolv.conf file

gobuster dns -d inlanefreight.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt

Pattern found

Example: lert-api-shv-{NUMBER}-sin6.facebook.com

pattern.txt:

lert-api-shv-{GOBUSTER}-sin6
atlas-pp-shv-{GOBUSTER}-sin6

$ export TARGET="facebook.com"
$ export NS="d.ns.facebook.com"
$ export WORDLIST="numbers.txt"
$ gobuster dns -q -r "${NS}" -d "${TARGET}" -w "${WORDLIST}" -p ./patterns.txt -o "gobuster_${TARGET}.txt"

Dig

$ for sub in $(cat /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.inlanefreight.htb @10.129.14.128 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done

ns.inlanefreight.htb.   604800  IN      A       10.129.34.136
mail1.inlanefreight.htb. 604800 IN      A       10.129.18.201
app.inlanefreight.htb.  604800  IN      A       10.129.18.15

for sub in $(cat /opt/seclists/Discovery/DNS/fierce-hostlist.txt);do dig $sub.inlanefreight.htb @10.129.104.34 | grep -v ';\|MX' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done

DNSenum

dnsenum --dnsserver 10.129.14.128 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb

Skanuvaty

GitHub - Esc4iCEscEsc/skanuvaty: Dangerously fast DNS/network/port scannerGitHub

Other tools

Frogy

GitHub - iamthefrogy/frogy: My subdomain enumeration script. It's unique in the way it is built upon.GitHub

Subdominator

GitHub - RevoltSecurities/Subdominator: SubDominator helps you discover subdomains associated with a target domain efficiently and with minimal impact for your Bug BountyGitHub

Amass

amass enum -d target.com

Hacker tools: Amass - hunting for subdomainsIntigriti

Knock

GitHub - guelfoweb/knock: Knock Subdomain ScanGitHub

Sublister

GitHub - aboul3la/Sublist3r: Fast subdomains enumeration tool for penetration testersGitHub

Subfinder

GitHub - projectdiscovery/subfinder: Subfinder is a subdomain discovery tool that discovers valid subdomains for websites. Designed as a passive framework to be useful for bug bounties and safe for penetration testing.GitHub

./subfinder -d inlanefreight.com -v   

subfinder -d canva.com | shuffledns -d canva;com -r resolvers.txt -mode resolve

Assetfinder

GitHub - tomnomnom/assetfinder: Find domains and subdomains related to a given domainGitHub

assetfinder githubapp.com

Subbrute

$ git clone https://github.com/TheRook/subbrute.git >> /dev/null 2>&1
$ cd subbrute
$ echo "ns1.inlanefreight.com" > ./resolvers.txt
$ ./subbrute inlanefreight.com -s ./names.txt -r ./resolvers.txt

Warning: Fewer than 16 resolvers per process, consider adding more nameservers to resolvers.txt.
inlanefreight.com
ns2.inlanefreight.com
www.inlanefreight.com
ms1.inlanefreight.com
support.inlanefreight.com

<SNIP>

DNSRecon

GitHub - darkoperator/dnsrecon: DNS Enumeration ScriptGitHub

Complete guide to DNSrecon - Hackercool MagazineHackercool Magazine

PureDNS

GitHub - d3mondev/puredns: Puredns is a fast domain resolver and subdomain bruteforcing tool that can accurately filter out wildcard subdomains and DNS poisoned entries.GitHub

puredns -r dnsresolve.txt bruteforce wordlist.txt target.com

Dnsx

GitHub - projectdiscovery/dnsx: dnsx is a fast and multi-purpose DNS toolkit allow to run multiple DNS queries of your choice with a list of user-supplied resolvers.GitHub

Takeover

DNS or subdomain Takeover ?

DNS (53)

Virtual Host

Virtual Host

Ffuf

ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.inlanefreight.com/

Online Hosts

$ httpx -probe -list targets.subdomains -tech-detect -status-code -fr -o targets.httpx
$ cat targets.httpx | grep SUCCESS | grep 200 | awk '{print $1}' > targets.200.httpx

Resources

Subdomain enumeration: A guide to active and passive methods

Subdomains enumeration | The Hacker Recipes

Reconnaissance 102: Subdomain EnumerationProjectDiscovery.io | Blog