> For the complete documentation index, see [llms.txt](https://jackmeister.gitbook.io/jackmeister-playbook/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://jackmeister.gitbook.io/jackmeister-playbook/web-pentest/recon/dns-hunting.md).

# DNS Hunting

#### massdns : DNS brute-force. It's very fast however it's prone to false positives.

```bash
sed 's/$/.domain.com/' subdomains.txt > bf-subdomains.txt
./massdns -r resolvers.txt -w /tmp/results.txt bf-subdomains.txt
grep -E "tesla.com. [0-9]+ IN A .+" /tmp/results.txt
```

#### gobuster : 1 resolver/layer

```bash
gobuster dns -d mysite.com -t 50 -w subdomains.txt
```

#### shuffledns : wrapper around `massdns`

```
shuffledns -d example.com -list example-subdomains.txt -r resolvers.txt
```

#### puredns : It also uses `massdns`.

```
puredns bruteforce all.txt domain.com
```

#### aiodnsbrute : uses asyncio to brute force domain names asynchronously.

```
aiodnsbrute -r resolvers -w wordlist.txt -vv -t 1024 domain.com
```

### Second Round DNS Brute-Force

#### dnsgen : Given the domains and subdomains generate permutations.

```
cat subdomains.txt | dnsgen -
```

### VHOST

```bash
ffuf -c -w /path/to/wordlist -u http://victim.com -H "Host: FUZZ.victim.com"

gobuster vhost -u https://mysite.com -t 50 -w subdomains.txt

wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt --hc 400,404,403 -H "Host: FUZZ.example.com" -u http://example.com -t 100

#From https://github.com/allyshka/vhostbrute
vhostbrute.py --url="example.com" --remoteip="10.1.1.15" --base="www.example.com" --vhosts="vhosts_full.list"

#https://github.com/codingo/VHostScan
VHostScan -t example.com
```

### CORS Brute Force

Sometimes you will find pages that only return the header ***Access-Control-Allow-Origin*** when a valid domain/subdomain is set in the ***Origin*** header. In these scenarios, you can abuse this behaviour to **discover** new **subdomains**.

```bash
ffuf -w subdomains-top1million-5000.txt -u http://10.10.10.208 -H 'Origin: http://FUZZ.crossfit.htb' -mr "Access-Control-Allow-Origin" -ignore-body
```

#### Wordlists

* <https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056>
* <https://wordlists-cdn.assetnote.io/data/manual/best-dns-wordlist.txt>
* <https://localdomain.pw/subdomain-bruteforce-list/all.txt.zip>
* <https://github.com/pentester-io/commonspeak>
* <https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS>
