DNS

Domain & Subdomain Enumeration

httprobe: Take a list of domains and probe for working http and https servers.
go get -u github.com/tomnomnom/httprobe

▶ cat recon/example/domains.txt
example.com
example.edu
example.net
▶ cat recon/example/domains.txt | httprobe
http://example.com
http://example.net
http://example.edu
https://example.com
https://example.edu
https://example.net
domain-check-2: A simple shell script to display or notify the user via email about domain status and expiry date.
domain-check-2 -d google.com
domain-check-2 -f domain-list.txt

Output:

Domain         Registrar                    Status  Expires      Days Left
-------------  ---------------------------  ------  -----------  ---------
nixcraft.com   GoDaddy.com, LLC             Valid   10-may-2023  2022
google.org     MarkMonitor Inc.             Valid   20-oct-2018  359
google.net     MarkMonitor Inc.             Valid   15-mar-2018  140
google.info    MarkMonitor Inc.             Valid   31-jul-2018  278
cyberciti.biz  GoDaddy.com, Inc.            Valid   30-jun-2024  2439
google.in      MarkMonitor Inc. (R84-AFIN)  Valid   14-Feb-2018  111
google.co.in   MarkMonitor Inc. (R84-AFIN)  Valid   23-Jun-2018  240
google.us      MarkMonitor, Inc.            Valid   18-apr-2018  174
google.uk      Markmonitor Inc.             Valid   11-Jun-2018  228
letItGo: Enumerate and check domains for Azure tenants.
altdns: Altdns is a DNS recon tool that allows for the discovery of subdomains that conform to patterns.
altdns -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt
Sublist3r: Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT.
aquatone: Aquatone is a tool for visual inspection of websites across a large number of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface. To use it on Windows, you should download this version of Chromium. Once downloaded, aquatone must be executed with full paths so that it can take the screenshots:

PS C:\Users\IEUser\Desktop > cat .\ips.txt | .\aquatone.exe -chrome-path "C:\Users\IEUser\Desktop\chrome-win\chrome.exe" -out "C:\Users\IEUser\Desktop\output\"
amass: The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.
amass enum -d domain.org
amass intel -active -addr 192.168.x.x -p 80,443,8080
VHostScan: A virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages. First presented at SecTalks BNE in September 2017 (slidedeck).
VHostScan -t example.com --ssl
echo -e 'a.example.com\nb.example.com' | VHostScan -t localhost -w ./wordlists/wordlist.txt
cat bank.htb | VHostScan -t 10.10.10.29
virtual-host-discovery: This is a basic HTTP scanner that'll enumerate virtual hosts on a given IP address.
ruby scan.rb --ip=127.0.0.1 --host=domain
gobuster: Gobuster is a tool used to brute-force: URIs, DNS subdomains, Virtual Host names and Open AWS S3 buckets.
gobuster dns -d google.com -w ~/wordlists/subdomains.txt
aiodnsbrute: A Python 3.5+ tool that uses asyncio to brute force domain names asynchronously.
resolver.txt:
8.8.8.8
8.8.4.4
1.1.1.1

sudo pip3 install aiodnsbrute
aiodnsbrute yahoo.com -w /tmp/11m_sub_wordlist.txt -o csv -t 100000 -r resolver.txt
Sudomy: A subdomain enumeration tool (framework) that collects subdomains and analyzes domains by performing advanced automated reconnaissance. It can also be used for OSINT (open-source intelligence) activities.

./sudomy -d localhost -dP -eP -rS -cF -pS -tO -gW --httpx --dnsprobe -aI webanalyze -sS
./sudomy -d localhost --bruteforce
Legion: Legion is an open source, easy-to-use, super-extensible and semi-automated network penetration testing tool that aids in discovery, reconnaissance and exploitation of information systems.
GitHub: GoVanguard/legion
red_hawk: All-in-one tool for information gathering, vulnerability scanning and crawling. A must-have tool for all penetration testers.
GitHub: Tuhinshubhra/RED_HAWK

Subdomain Takeover

subjack: A Subdomain Takeover tool written in Go designed to scan a list of subdomains concurrently and identify ones that are able to be hijacked.
subjack -w ~/tmp/subdomains.txt -c fingerprints.json -t 100 -timeout 30 -o results.txt -ssl
subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl
SubOver: Subover is a Hostile Subdomain Takeover tool originally written in python but rewritten from scratch in Golang.
go get github.com/Ice3man543/SubOver
./SubOver -l subdomains.txt
go run subover.go -l ~/Downloads/subdomains -v
tko-subs: Takeover by CNAME entry.
tko-subs -domains ~/Downloads/subdomains.txt
massdns: MassDNS is a simple high-performance DNS stub resolver targeting those who seek to resolve a massive amount of domain names in the order of millions or even billions. Without special configuration, MassDNS is capable of resolving over 350,000 names per second using publicly available resolvers.
massdns -r lists/resolvers.txt -t MX /home/kali/Downloads/all_domains_from_sublister_amass.txt > /home/kali/Downloads/results_MX.txt
massdns -r lists/resolvers.txt -t CNAME /home/kali/Downloads/all_domains_from_sublister_amass.txt > /home/kali/Downloads/results_CNAME.txt

Record types for -t: A, AAAA, PTR, CNAME, MX
autoSubTakeover: A tool used to check if a CNAME resolves to the scope address. If the CNAME resolves to a non-scope address it might be worth checking out if subdomain takeover is possible. Also checks if the domain that a subdomain points to is expired.
puredns: puredns is a bash and python application that uses massdns to accurately perform DNS bruteforcing and mass resolving.
NtHiM: Now, the Host is Mine! - Super Fast Sub-domain Takeover Detection!
NtHiM -t https://example.example.com
NtHiM -f hostnames.txt
Interact.sh - an alternative to burp collaborator ;)
https://interact.projectdiscovery.io/#/
shredos.x86_64: Shredos 64 bit for all Intel 64 bit processors as well as processors from AMD and other vendors which make compatible 64 bit chips. ShredOS - Secure disk erasure.
GitHub: PartialVolume/shredos.x86_64