Bruteforce subdomains

Knowing the domain of a site and its DNS server IP, we could bruteforce the subdomains to get access to other exposed sites

Bruteforce using a dictionary of well-known names

for sub in $(cat /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.<Domain> @<DNSip> | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done

We have to set the Domain and DNSip values and the result will be saved in subdomains.txt

Use the dnsenum tool to brute force the subdomains

dnsenum --dnsserver $DNSip --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt $domain

PreviousMount accesible NFS Shares NextTools and Utilities

Last updated 2 months ago

Was this helpful?

Bruteforce subdomains

Knowing the domain of a site and its DNS server IP, we could bruteforce the subdomains to get access to other exposed sites

Bruteforce using a dictionary of well-known names

for sub in $(cat /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.<Domain> @<DNSip> | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done

We have to set the Domain and DNSip values and the result will be saved in subdomains.txt

Use the dnsenum tool to brute force the subdomains

dnsenum --dnsserver $DNSip --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt $domain

PreviousMount accesible NFS Shares NextTools and Utilities

Last updated 2 months ago

Was this helpful?