DNS Hunting

massdns : DNS brute-force. It's very fast however it's prone to false positives.

sed 's/$/.domain.com/' subdomains.txt > bf-subdomains.txt
./massdns -r resolvers.txt -w /tmp/results.txt bf-subdomains.txt
grep -E "tesla.com. [0-9]+ IN A .+" /tmp/results.txt

gobuster : 1 resolver/layer

gobuster dns -d mysite.com -t 50 -w subdomains.txt

shuffledns : wrapper around massdns

shuffledns -d example.com -list example-subdomains.txt -r resolvers.txt

puredns : It also uses massdns.

puredns bruteforce all.txt domain.com

aiodnsbrute : uses asyncio to brute force domain names asynchronously.

aiodnsbrute -r resolvers -w wordlist.txt -vv -t 1024 domain.com

Second Round DNS Brute-Force

dnsgen : Given the domains and subdomains generate permutations.

cat subdomains.txt | dnsgen -

VHOST

ffuf -c -w /path/to/wordlist -u http://victim.com -H "Host: FUZZ.victim.com"

gobuster vhost -u https://mysite.com -t 50 -w subdomains.txt

wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt --hc 400,404,403 -H "Host: FUZZ.example.com" -u http://example.com -t 100

#From https://github.com/allyshka/vhostbrute
vhostbrute.py --url="example.com" --remoteip="10.1.1.15" --base="www.example.com" --vhosts="vhosts_full.list"

#https://github.com/codingo/VHostScan
VHostScan -t example.com

CORS Brute Force

Sometimes you will find pages that only return the header Access-Control-Allow-Origin when a valid domain/subdomain is set in the Origin header. In these scenarios, you can abuse this behaviour to discover new subdomains.

ffuf -w subdomains-top1million-5000.txt -u http://10.10.10.208 -H 'Origin: http://FUZZ.crossfit.htb' -mr "Access-Control-Allow-Origin" -ignore-body

Wordlists

PreviousReconNextWeb Tech Hunting

Last updated