# DNS Subdomain Enumeration

## Google Dorks

{% content-ref url="/pages/yJvJ17kdWiGpCtDCxAZF" %}
[Google Dorks](/0xss0rz/pentest/recon/google-dorks.md)
{% endcontent-ref %}

## Online

{% embed url="<https://recox.hackerz.space/>" %}

{% embed url="<https://subdomainfinder.c99.nl/>" %}

{% embed url="<https://pentest-tools.com/information-gathering/find-subdomains-of-domain>" %}

{% embed url="<https://dnsdumpster.com/>" %}

## Wordlist

### Subdomain megalist

{% embed url="<https://github.com/netsecurity-as/subfuz/blob/master/subdomain_megalist.txt>" %}

### Exegol

* `/opt/seclists/Discovery/DNS/fierce-hostlist.txt`
* `/usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt`

## Generate subdomains wordlist

{% embed url="<https://github.com/AlephNullSK/dnsgen>" %}

Get only resolved domains with massdns:

```
$ dnsgen hosts.txt >> dnsgen_wordlist.txt
# -o S gives "name. A ip" lines; keep the A answers, strip the trailing dot, dedupe
$ massdns -r ~/tools/massdns/lists/resolvers.txt -t A -o S dnsgen_wordlist.txt | awk '$2 == "A" { sub(/\.$/, "", $1); print $1 }' | sort -u > dnsgen_massdns_resolved
```

{% embed url="<https://github.com/trickest/mksub?tab=readme-ov-file>" %}

Using an LLM to generate candidate names from the naming style of hosts already found:

{% embed url="<https://github.com/jthack/cewlai>" %}

## GoBuster

Get a wordlist (SecLists), either by cloning it or from the Kali package:

```
# clone (HTB machines keep it under /usr/share/SecLists) ...
git clone https://github.com/danielmiessler/SecLists
# ... or install the package (lands in /usr/share/seclists)
sudo apt install seclists -y
```

`gobuster dns` resolves through the system resolver by default: add a nameserver such as 1.1.1.1 to `/etc/resolv.conf`, or pass one explicitly with `-r <ip>` (useful when the target's own authoritative server should answer).

```
gobuster dns -d inlanefreight.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt
```

### Pattern found

When hosts already discovered share a naming scheme, put the fixed parts in a pattern file and mark the variable part with `{GOBUSTER}`; gobuster substitutes each wordlist entry (here a list of numbers) at that position.

Example: `lert-api-shv-{NUMBER}-sin6.facebook.com`

patterns.txt:

```
lert-api-shv-{GOBUSTER}-sin6
atlas-pp-shv-{GOBUSTER}-sin6
```

```shell-session
$ export TARGET="facebook.com"
$ export NS="d.ns.facebook.com"
$ export WORDLIST="numbers.txt"
$ gobuster dns -q -r "${NS}" -d "${TARGET}" -w "${WORDLIST}" -p ./patterns.txt -o "gobuster_${TARGET}.txt"
```
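
mksub (above) and gobuster's `-p` both perform this expansion on the fly. The script below is an added example, not code from either tool or from this page: it does the same expansion offline in plain sh so the resulting FQDNs can be handed to any resolver (massdns, puredns, dnsx). The `{GOBUSTER}` token, the function names and the file layout are assumptions of this example.

```shell
#!/bin/sh
# Added example: offline pattern expansion for subdomain candidates.
# Not code from mksub, dnsgen or gobuster; the {GOBUSTER} token and the
# helper names are assumptions.

# number_range FIRST LAST [WIDTH]: print FIRST..LAST, zero-padded to WIDTH
# (hosts like lert-api-shv-01-sin6 need "01", not "1").
number_range() {
    awk -v a="$1" -v b="$2" -v w="${3:-0}" 'BEGIN {
        fmt = (w > 0) ? "%0" w "d\n" : "%d\n"
        for (i = a; i <= b; i++) printf fmt, i
    }'
}

# expand_patterns PATTERN_FILE WORD_FILE DOMAIN: for every pattern line that
# contains {GOBUSTER}, emit one FQDN per word. Blank lines and pattern lines
# without the token are skipped instead of producing a constant hostname.
# Substitution is done with index/substr, so words containing "&" or regex
# metacharacters are inserted literally.
expand_patterns() {
    awk -v domain="$3" '
        FILENAME == ARGV[1] { if ($0 != "") words[n++] = $0; next }   # word file
        $0 == "" || index($0, "{GOBUSTER}") == 0 { next }             # pattern file
        {
            for (i = 0; i < n; i++) {
                name = $0
                while ((p = index(name, "{GOBUSTER}")) > 0)
                    name = substr(name, 1, p - 1) words[i] substr(name, p + 10)
                print tolower(name) "." domain
            }
        }' "$2" "$1"
}

# clean_names: lower-case, strip trailing dots and drop anything that is not a
# syntactically valid hostname before it reaches a resolver; duplicates removed.
clean_names() {
    tr 'A-Z' 'a-z' | sed 's/\.$//' \
      | grep -E '^([a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z0-9-]+$' | sort -u
}

# Usage: sh expand.sh patterns.txt numbers.txt facebook.com \
#          | massdns -r resolvers.txt -t A -o S -w resolved.txt
if [ $# -eq 3 ]; then
    expand_patterns "$1" "$2" "$3" | clean_names
fi
```

Generate the number list with `number_range 1 200 2 > numbers.txt` and feed the output straight to massdns or puredns; dnsgen covers the other case (permutations of hosts already found) rather than fixed patterns.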

## Dig

```shell-session
$ for sub in $(cat /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.inlanefreight.htb @10.129.14.128 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done

ns.inlanefreight.htb.   604800  IN      A       10.129.34.136
mail1.inlanefreight.htb. 604800 IN      A       10.129.18.201
app.inlanefreight.htb.  604800  IN      A       10.129.18.15
```

```
for sub in $(cat /opt/seclists/Discovery/DNS/fierce-hostlist.txt);do dig $sub.inlanefreight.htb @10.129.104.34 | grep -v ';\|MX' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done
```
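
The loops above trust every answer. If the zone has a wildcard record (`*.inlanefreight.htb A ...`), every word in the list "resolves" and the output is useless. The script below is an added example, not code from this page or from dig: it probes two random labels first, records the wildcard address(es), and drops answers that are only the catch-all. The nameserver, the helper names and the stub data used to exercise it are assumptions of this example.

```shell
#!/bin/sh
# Added example: dig-based brute force with wildcard detection.
# Not from the original page; NS and the helper names are assumptions.

NS=${NS:-10.129.14.128}   # assumed authoritative server, as in the dig loop above

# resolve_a NAME: print the A records of NAME, one per line; nothing if unresolved.
# The regex drops CNAME targets that +short prints before the address.
resolve_a() {
    dig +short +time=2 +tries=1 A "$1" "@$NS" \
      | grep -E '^[0-9]+(\.[0-9]+){3}$' || true   # "|| true": no match is not an error
}

# random_label: a label that will not be in any wordlist, for wildcard probing.
random_label() {
    head -c 6 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# wildcard_ips DOMAIN: probe two random labels; print the addresses they map to,
# or nothing when the zone has no wildcard. Two probes avoid being fooled by a
# single coincidental answer.
wildcard_ips() {
    r1=$(resolve_a "$(random_label).$1")
    r2=$(resolve_a "$(random_label).$1")
    [ -n "$r1" ] && [ -n "$r2" ] || return 0
    printf '%s\n%s\n' "$r1" "$r2" | sort -u
}

# brute_resolve DOMAIN < labels: print "fqdn ip" for every label whose answer
# is not one of the wildcard addresses.
brute_resolve() {
    domain=$1
    wild=$(wildcard_ips "$domain")
    if [ -n "$wild" ]; then
        printf '[!] wildcard on %s -> %s\n' "$domain" "$(printf '%s' "$wild" | tr '\n' ' ')" >&2
    fi
    while IFS= read -r label; do
        [ -z "$label" ] && continue
        name="$label.$domain"
        resolve_a "$name" | while IFS= read -r ip; do
            if printf '%s\n' "$wild" | grep -qFx "$ip"; then
                continue      # catch-all answer, not a real host
            fi
            printf '%s %s\n' "$name" "$ip"
        done
    done
}

# Usage: NS=10.129.14.128 sh brute.sh inlanefreight.htb \
#          < /opt/seclists/Discovery/DNS/fierce-hostlist.txt | tee subdomains.txt
if [ $# -eq 1 ]; then
    brute_resolve "$1"
fi
```

A host that shares the wildcard address but is a real, distinct vhost is still hidden by this filter; that is exactly what the virtual-host brute force further down is for.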

## DNSenum

```shell-session
dnsenum --dnsserver 10.129.14.128 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb
```

## Skanuvaty

{% embed url="<https://github.com/Esc4iCEscEsc/skanuvaty>" %}

## Other tools

### Frogy

{% embed url="<https://github.com/iamthefrogy/frogy>" %}

### Subdominator

{% embed url="<https://github.com/RevoltSecurities/Subdominator>" %}

### Amass

```
amass enum -d target.com
```

{% embed url="<https://blog.intigriti.com/hacking-tools/hacker-tools-amass-hunting-for-subdomains>" %}

### Knock

{% embed url="<https://github.com/guelfoweb/knock>" %}

### Sublister

{% embed url="<https://github.com/aboul3la/Sublist3r>" %}

### Subfinder

{% embed url="<https://github.com/projectdiscovery/subfinder>" %}

```shell-session
./subfinder -d inlanefreight.com -v   
```

```
subfinder -d canva.com -silent | shuffledns -d canva.com -r resolvers.txt -mode resolve
```

### Assetfinder

{% embed url="<https://github.com/tomnomnom/assetfinder>" %}

```
assetfinder githubapp.com
```

### Subbrute

```shell-session
$ git clone https://github.com/TheRook/subbrute.git > /dev/null 2>&1
$ cd subbrute
$ echo "ns1.inlanefreight.com" > ./resolvers.txt
$ ./subbrute inlanefreight.com -s ./names.txt -r ./resolvers.txt

Warning: Fewer than 16 resolvers per process, consider adding more nameservers to resolvers.txt.
inlanefreight.com
ns2.inlanefreight.com
www.inlanefreight.com
ms1.inlanefreight.com
support.inlanefreight.com

<SNIP>
```

### DNSRecon

{% embed url="<https://github.com/darkoperator/dnsrecon>" %}

{% embed url="<https://www.hackercoolmagazine.com/complete-guide-to-dnsrecon/>" %}

### PureDNS

{% embed url="<https://github.com/d3mondev/puredns>" %}

puredns validates every hit against trusted resolvers and filters wildcard answers on its own, so its output needs no post-processing:

```
puredns bruteforce wordlist.txt target.com -r dnsresolve.txt -w resolved.txt
```

### Dnsx

{% embed url="<https://github.com/projectdiscovery/dnsx>" %}

## Takeover

{% hint style="success" %}
Subdomain takeover (CNAME or NS records left pointing at a service nobody claims any more) is covered on the DNS page:
{% endhint %}

{% content-ref url="/pages/ZAb8rsXaiN0YOqEZMyCb" %}
[DNS (53)](/0xss0rz/pentest/protocols/dns-53.md)
{% endcontent-ref %}

## Virtual Host

{% content-ref url="/pages/ll4ySN9pOr2xc7Gdun0S" %}
[Virtual Host](/0xss0rz/pentest/recon/virtual-host.md)
{% endcontent-ref %}

## Ffuf

```shell-session
ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.inlanefreight.com/
```

## Online Hosts

```
$ httpx -probe -list targets.subdomains -tech-detect -status-code -fr -o targets.httpx
# match the bracketed status: a bare "200" would also hit IPs, paths and tech versions
$ grep SUCCESS targets.httpx | grep '\[200\]' | awk '{print $1}' > targets.200.httpx
```


## Resources

{% embed url="<https://www.yeswehack.com/learn-bug-bounty/subdomain-enumeration-expand-attack-surface?utm_campaign=blog-subdomain-enumeration&utm_medium=social&utm_source=linkedin>" %}

{% embed url="<https://www.thehacker.recipes/web/recon/domains-enumeration>" %}

{% embed url="<https://blog.projectdiscovery.io/recon-series-2/>" %}
