DNS Hunting
massdns : DNS brute-force. It's very fast, but prone to false positives (wildcard DNS and lying resolvers), so always filter and re-verify its output.
sed 's/$/.domain.com/' subdomains.txt > bf-subdomains.txt
./massdns -r resolvers.txt -w /tmp/results.txt bf-subdomains.txt
grep -E "domain.com. [0-9]+ IN A .+" /tmp/results.txt
gobuster : uses a single resolver, so it is slower but gives fewer resolver-related false positives.
gobuster dns -d mysite.com -t 50 -w subdomains.txt
shuffledns : wrapper around massdns
shuffledns -d example.com -list example-subdomains.txt -r resolvers.txt
puredns : also uses massdns under the hood.
puredns bruteforce all.txt domain.com
aiodnsbrute : uses asyncio to brute force domain names asynchronously.
aiodnsbrute -r resolvers -w wordlist.txt -vv -t 1024 domain.com
Second Round DNS Brute-Force
dnsgen : given the domains and subdomains already found, generates permutations (e.g. dev-, -staging, numeric suffixes) to feed into a second brute-force round.
cat subdomains.txt | dnsgen -
VHOST
ffuf -c -w /path/to/wordlist -u http://victim.com -H "Host: FUZZ.victim.com"
gobuster vhost -u https://mysite.com -t 50 -w subdomains.txt
wfuzz -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt --hc 400,404,403 -H "Host: FUZZ.example.com" -u http://example.com -t 100
#From https://github.com/allyshka/vhostbrute
vhostbrute.py --url="example.com" --remoteip="10.1.1.15" --base="www.example.com" --vhosts="vhosts_full.list"
#https://github.com/codingo/VHostScan
VHostScan -t example.com
CORS Brute Force
Sometimes you will find pages that only return the header Access-Control-Allow-Origin when a valid domain/subdomain is set in the Origin header. In these scenarios, you can abuse this behaviour to discover new subdomains.
ffuf -w subdomains-top1million-5000.txt -u http://10.10.10.208 -H 'Origin: http://FUZZ.crossfit.htb' -mr "Access-Control-Allow-Origin" -ignore-body
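On the defensive side, both the VHOST and the CORS brute-force above leave a distinctive trace: one client sending many distinct Host or Origin values in a short span, usually with a run of 404s. The following is an added example (not part of the original page) that parses constructed access-log lines in an assumed nginx-style custom log_format and flags clients exceeding a threshold of distinct Host or Origin values.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed nginx-style custom log_format:
#   $remote_addr $host "$http_origin" "$request" $status
SAMPLE_LOG = """\
203.0.113.7 admin.example.com "-" "GET / HTTP/1.1" 404
203.0.113.7 dev.example.com "-" "GET / HTTP/1.1" 404
203.0.113.7 staging.example.com "-" "GET / HTTP/1.1" 404
203.0.113.7 mail.example.com "-" "GET / HTTP/1.1" 404
198.51.100.9 www.example.com "-" "GET /index.html HTTP/1.1" 200
198.51.100.9 www.example.com "https://app.example.com" "GET /api HTTP/1.1" 200
192.0.2.44 api.example.com "http://a.example.com" "GET /api/user HTTP/1.1" 200
192.0.2.44 api.example.com "http://b.example.com" "GET /api/user HTTP/1.1" 200
192.0.2.44 api.example.com "http://c.example.com" "GET /api/user HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" "([^"]*)" (\d{3})$')

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, host, origin, _request, status = m.groups()
    return {"ip": ip, "host": host, "origin": origin, "status": int(status)}

def find_enumeration(log_text, host_threshold=4, origin_threshold=3):
    """Flag clients that present many distinct Host or Origin values.
    Returns {ip: {"hosts": n, "origins": n, "404s": n}} for flagged clients."""
    hosts, origins, not_found = defaultdict(set), defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue          # skip lines that do not match the format
        hosts[rec["ip"]].add(rec["host"])
        if rec["origin"] != "-":   # nginx logs "-" for an absent header
            origins[rec["ip"]].add(rec["origin"])
        if rec["status"] == 404:   # unknown vhosts typically 404 or hit the default site
            not_found[rec["ip"]] += 1
    flagged = {}
    for ip in hosts:
        h, o = len(hosts[ip]), len(origins[ip])
        if h >= host_threshold or o >= origin_threshold:
            flagged[ip] = {"hosts": h, "origins": o, "404s": not_found[ip]}
    return flagged

if __name__ == "__main__":
    for ip, stats in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {stats}")
```

Thresholds are placeholders; tune them per site, and add a time window before using this on production logs, since a legitimate multi-tenant client can also touch several hosts.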
Wordlists
https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056