Bruteforce subdomains

Knowing the domain of a site and the IP of its DNS server, we can brute-force the subdomains to get access to other exposed sites.

  • Bruteforce using a dictionary of well-known names

for sub in $(cat /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt); do dig "$sub.<Domain>" "@<DNSip>" | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep "$sub" | tee -a subdomains.txt; done

Set the Domain and DNSip values before running the loop; the results are saved in subdomains.txt.


  • Use the dnsenum tool to brute force the subdomains

dnsenum --dnsserver $DNSip --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt $domain
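
From the DNS operator's side, either command above appears as one client requesting many distinct names under the zone, most of which do not exist. The following is an added example, not part of the original page, that flags this pattern in a query log. The log format (`epoch client_ip qname rcode`), the `example.test` zone, the thresholds and the sample lines are all assumptions constructed for the illustration.

```bash
# Flag clients whose lookups look like dictionary enumeration of one zone:
# many distinct names under the zone, most of them answered NXDOMAIN.
# Assumed input format: "epoch client_ip qname rcode", one query per line.
# The whole input is treated as a single time window.

# Constructed sample log: 10.0.0.5 walks a wordlist, 10.0.0.9 is a normal client.
sample_log() {
  t=1700000000
  for w in www mail ftp dev test admin vpn api stage beta; do
    case "$w" in
      www|mail) echo "$t 10.0.0.5 $w.example.test NOERROR" ;;
      *)        echo "$t 10.0.0.5 $w.example.test NXDOMAIN" ;;
    esac
    t=$((t + 1))
  done
  echo "$t 10.0.0.9 www.example.test NOERROR"
  echo "$((t + 1)) 10.0.0.9 mail.example.test NOERROR"
  echo "$((t + 2)) 10.0.0.9 typo.example.test NXDOMAIN"
}

# detect_enum ZONE MIN_NAMES MIN_NX_PERCENT   (reads the log on stdin)
# Prints "client distinct_names nxdomain_percent" for each flagged client.
detect_enum() {
  awk -v zone="$1" -v min_names="$2" -v min_pct="$3" '
    {
      qname = tolower($3)
      sub(/\.$/, "", qname)                  # drop a trailing root dot
      suffix = "." tolower(zone)
      # keep only names strictly below the zone
      if (length(qname) <= length(suffix)) next
      if (substr(qname, length(qname) - length(suffix) + 1) != suffix) next
      key = $2 SUBSEP qname
      if (!(key in seen)) { seen[key] = 1; names[$2]++ }  # distinct names per client
      total[$2]++
      if ($4 == "NXDOMAIN") nx[$2]++
    }
    END {
      for (c in names) {
        pct = int(100 * nx[c] / total[c])
        if (names[c] >= min_names && pct >= min_pct)
          printf "%s %d %d\n", c, names[c], pct
      }
    }'
}

sample_log | detect_enum example.test 8 70
```

On the sample data only 10.0.0.5 is reported; the single mistyped lookup from 10.0.0.9 stays under both thresholds.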
