DNS Subdomain Enumeration

Google Dorks

Google Dorks

Online

Subdomain Finder - C99.nlsubdomainfinder.c99.nl

Free subdomain finder online 🛡️ find subdomains of domainPentest-Tools.com

DNSDumpster - Find & lookup dns records for recon & researchDNSDumpster.com

Wordlist

Subdomain megalist

subfuz/subdomain_megalist.txt at master · netsecurity-as/subfuzGitHub

Exegol

• /opt/seclists/Discovery/DNS/fierce-hostlist.txt

• /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt

Generate subdomains wordlist

GitHub - AlephNullSK/dnsgen: DNSGen is a powerful and flexible DNS name permutation tool designed for security researchers and penetration testers. It generates intelligent domain name variations to assist in subdomain discovery and security assessments.GitHub

Get only resolved domains with massdns:

$ dnsgen hosts.txt >> dnsgen_wordlist.txt
$ massdns -r ~/tools/massdns/lists/resolvers.txt -o S dnsgen_wordlist.txt | grep -e ' A ' | cut -d 'A' -f 1 | rev | cut -d "." -f1 --complement | rev | sort | uniq  > dnsgen_massdns_resolved

GitHub - trickest/mksub: Generate tens of thousands of subdomain combinations in a matter of secondsGitHub

Using AI

GitHub - jthack/cewlai: ai-based domain name generationGitHub

GoBuster

git clone https://github.com/danielmiessler/SecLists
sudo apt install seclists -y

Add a DNS Server such as 1.1.1.1 to the /etc/resolv.conf file

gobuster dns -d inlanefreight.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt

Pattern found

Example: lert-api-shv-{NUMBER}-sin6.facebook.com

pattern.txt:

lert-api-shv-{GOBUSTER}-sin6
atlas-pp-shv-{GOBUSTER}-sin6

$ export TARGET="facebook.com"
$ export NS="d.ns.facebook.com"
$ export WORDLIST="numbers.txt"
$ gobuster dns -q -r "${NS}" -d "${TARGET}" -w "${WORDLIST}" -p ./patterns.txt -o "gobuster_${TARGET}.txt"

Dig

$ for sub in $(cat /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.inlanefreight.htb @10.129.14.128 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done

ns.inlanefreight.htb.   604800  IN      A       10.129.34.136
mail1.inlanefreight.htb. 604800 IN      A       10.129.18.201
app.inlanefreight.htb.  604800  IN      A       10.129.18.15

for sub in $(cat /opt/seclists/Discovery/DNS/fierce-hostlist.txt);do dig $sub.inlanefreight.htb @10.129.104.34 | grep -v ';\|MX' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done

DNSenum

dnsenum --dnsserver 10.129.14.128 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb

Skanuvaty

GitHub - Esc4iCEscEsc/skanuvaty: Dangerously fast DNS/network/port scannerGitHub

Other tools

Frogy

https://github.com/iamthefrogy/frogygithub.com

Subdominator

GitHub - RevoltSecurities/Subdominator: SubDominator helps you discover subdomains associated with a target domain efficiently and with minimal impact for your Bug BountyGitHub

Amass

amass enum -d target.com

Hacker tools: Amass - hunting for subdomainsIntigriti

Knock

GitHub - guelfoweb/knock: Knock Subdomain ScanGitHub

Sublister

GitHub - aboul3la/Sublist3r: Fast subdomains enumeration tool for penetration testersGitHub

Subfinder

GitHub - projectdiscovery/subfinder: Fast passive subdomain enumeration tool.GitHub

./subfinder -d inlanefreight.com -v   

subfinder -d canva.com | shuffledns -d canva;com -r resolvers.txt -mode resolve

Assetfinder

GitHub - tomnomnom/assetfinder: Find domains and subdomains related to a given domainGitHub

assetfinder githubapp.com

Subbrute

$ git clone https://github.com/TheRook/subbrute.git >> /dev/null 2>&1
$ cd subbrute
$ echo "ns1.inlanefreight.com" > ./resolvers.txt
$ ./subbrute inlanefreight.com -s ./names.txt -r ./resolvers.txt

Warning: Fewer than 16 resolvers per process, consider adding more nameservers to resolvers.txt.
inlanefreight.com
ns2.inlanefreight.com
www.inlanefreight.com
ms1.inlanefreight.com
support.inlanefreight.com

<SNIP>

DNSRecon

GitHub - darkoperator/dnsrecon: DNS Enumeration ScriptGitHub

Complete guide to DNSrecon - Hackercool MagazineHackercool Magazine

PureDNS

GitHub - d3mondev/puredns: Puredns is a fast domain resolver and subdomain bruteforcing tool that can accurately filter out wildcard subdomains and DNS poisoned entries.GitHub

puredns -r dnsresolve.txt bruteforce wordlist.txt target.com

Dnsx

GitHub - projectdiscovery/dnsx: dnsx is a fast and multi-purpose DNS toolkit allow to run multiple DNS queries of your choice with a list of user-supplied resolvers.GitHub

Takeover

DNS or subdomain Takeover ?

DNS (53)

Virtual Host

Virtual Host

Ffuf

ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.inlanefreight.com/

Online Hosts

$ httpx -probe -list targets.subdomains -tech-detect -status-code -fr -o targets.httpx
$ cat targets.httpx | grep SUCCESS | grep 200 | awk '{print $1}' > targets.200.httpx

Resources

Subdomain enumeration: A guide to active and passive methodsYesWeHack

Subdomains enumeration | The Hacker Recipeswww.thehacker.recipes

Reconnaissance 102: Subdomain Enumeration — ProjectDiscovery BlogProjectDiscovery