# DNS

## Domain & Subdomain Enumeration

[**httprobe**](https://github.com/tomnomnom/httprobe): Take a list of domains and probe for working HTTP and HTTPS servers.

```
go get -u github.com/tomnomnom/httprobe

▶ cat recon/example/domains.txt
example.com
example.edu
example.net
▶ cat recon/example/domains.txt | httprobe
http://example.com
http://example.net
http://example.edu
https://example.com
https://example.edu
https://example.net
```

[**domain-check-2**](https://github.com/nixcraft/domain-check-2)**:** A simple shell script to display or notify the user via email about domain status and expiry date.

```
domain-check-2 -d google.com
domain-check-2 -f domain-list.txt
```

Output:

```
Domain                              Registrar                                      Status   Expires     Days Left
----------------------------------- ---------------------------------------------- -------- ----------- ---------
nixcraft.com                        GoDaddy.com, LLC                               Valid    10-may-2023   2022 
google.org                          MarkMonitor Inc.                               Valid    20-oct-2018   359  
google.net                          MarkMonitor Inc.                               Valid    15-mar-2018   140  
google.info                         MarkMonitor Inc.                               Valid    31-jul-2018   278  
cyberciti.biz                       GoDaddy.com, Inc.                              Valid    30-jun-2024   2439 
google.in                           MarkMonitor Inc. (R84-AFIN)                    Valid    14-Feb-2018   111  
google.co.in                        MarkMonitor Inc. (R84-AFIN)                    Valid    23-Jun-2018   240  
google.us                           MarkMonitor, Inc.                              Valid    18-apr-2018   174  
google.uk                           Markmonitor Inc.                               Valid    11-Jun-2018   228  
```

[**letItGo**](https://github.com/SecurityRiskAdvisors/letItGo): Enumerate and check domains for Azure tenants.


[**altdns**](https://github.com/infosec-au/altdns): Altdns is a DNS recon tool that allows for the discovery of subdomains that conform to patterns.

```
altdns -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt
```

[**Sublist3r**](https://github.com/aboul3la/Sublist3r)**:** Sublist3r is a Python tool designed to enumerate subdomains of websites using OSINT.

[**aquatone**](https://github.com/michenriksen/aquatone)**:** Aquatone is a tool for visual inspection of websites across a large number of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.

To use it on Windows, download this build of [**chromium**](https://www.chromium.org/getting-involved/download-chromium)**.** Once downloaded, aquatone must be executed with full paths so that it can take the screenshots:

```
PS C:\Users\IEUser\Desktop > cat .\ips.txt | .\aquatone.exe -chrome-path "C:\Users\IEUser\Desktop\chrome-win\chrome.exe" -out "C:\Users\IEUser\Desktop\output\"
```

[**amass**](https://github.com/OWASP/Amass): The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.

```
amass enum -d domain.org
amass intel -active -addr 192.168.x.x -p 80,443,8080
```

Importing Amass results into Maltego**:**

```
amass viz -maltego
```

Import the CSV file with the correct Connectivity Table settings:


[**VHostScan**](https://github.com/codingo/VHostScan): A virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages. First presented at SecTalks BNE in September 2017 ([slidedeck](https://docs.google.com/presentation/d/1KDY7bnCpCGabJn8UpmHGSb6z_hi_WGf3ETxzykTNjWY)).

```
VHostScan -t example.com --ssl
echo -e 'a.example.com\nb.example.com' | VHostScan -t localhost -w ./wordlists/wordlist.txt
cat bank.htb | VHostScan -t 10.10.10.29
```

[**virtual-host-discovery**](https://github.com/jobertabma/virtual-host-discovery)**:** This is a basic HTTP scanner that'll enumerate virtual hosts on a given IP address.

```
ruby scan.rb --ip=127.0.0.1 --host=domain
```

[**gobuster**](https://github.com/OJ/gobuster)**:** Gobuster is a tool used to brute-force: URIs, DNS subdomains, Virtual Host names and Open AWS S3 buckets.

```
gobuster dns -d google.com -w ~/wordlists/subdomains.txt
```

[**aiodnsbrute**](https://github.com/blark/aiodnsbrute)**:** A Python 3.5+ tool that uses asyncio to brute force domain names asynchronously.

```
# resolver.txt (one resolver per line)
8.8.8.8
8.8.4.4
1.1.1.1
```

```
sudo pip3 install aiodnsbrute
aiodnsbrute yahoo.com -w /tmp/11m_sub_wordlist.txt -o csv -t 100000 -r resolver.txt
```


[**Sudomy**](https://github.com/Screetsec/Sudomy)**:** A subdomain enumeration tool that collects subdomains and analyzes domains, performing advanced automated reconnaissance (framework). This tool can also be used for OSINT (Open-source intelligence) activities.

```
./sudomy -d localhost -dP -eP -rS -cF -pS -tO -gW --httpx --dnsprobe -aI webanalyze -sS
./sudomy -d localhost --bruteforce
```


[**Legion**](https://github.com/GoVanguard/legion): Legion is an open source, easy-to-use, super-extensible and semi-automated network penetration testing tool that aids in discovery, reconnaissance and exploitation of information systems.



[**red\_hawk**](https://github.com/tuhinshubhra/red_hawk)**:** All in one tool for Information Gathering, Vulnerability Scanning and Crawling. A must-have tool for all penetration testers.


Video: <https://www.youtube.com/watch?ab_channel=r3d&v=Jt9kBFiJDrE>

## Subdomain Takeover

[**subjack**](https://github.com/haccer/subjack)**:** A Subdomain Takeover tool written in Go designed to scan a list of subdomains concurrently and identify ones that are able to be hijacked.

```
subjack -w ~/tmp/subdomains.txt -c fingerprints.json -t 100 -timeout 30 -o results.txt -ssl
subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl
```

[**SubOver**](https://github.com/Ice3man543/SubOver)**:** SubOver is a Hostile Subdomain Takeover tool originally written in Python but rewritten from scratch in Golang.

```
go get github.com/Ice3man543/SubOver
./SubOver -l subdomains.txt
go run subover.go -l ~/Downloads/subdomains -v
```

[**tko-subs**](https://github.com/anshumanbh/tko-subs)**:** Takeover by CNAME entry.

```
tko-subs -domains ~/Downloads/subdomains.txt
```

[**massdns**](https://github.com/blechschmidt/massdns)**:** MassDNS is a simple high-performance DNS stub resolver targeting those who seek to resolve a massive amount of domain names in the order of millions or even billions. Without special configuration, MassDNS is capable of resolving over 350,000 names per second using publicly available resolvers.

```
massdns -r lists/resolvers.txt -t MX /home/kali/Downloads/all_domains_from_sublister_amass.txt > /home/kali/Downloads/results_MX.txt
massdns -r lists/resolvers.txt -t CNAME /home/kali/Downloads/all_domains_from_sublister_amass.txt > /home/kali/Downloads/results_CNAME.txt

# Record types accepted by -t: A, AAAA, PTR, CNAME, MX
```

[**autoSubTakeover**](https://github.com/JordyZomer/autoSubTakeover)**:** A tool used to check if a CNAME resolves to the scope address. If the CNAME resolves to a non-scope address it might be worth checking out if subdomain takeover is possible. Also checks if the domain that a subdomain points to is expired.

[**puredns**](https://github.com/d3mondev/puredns): puredns is a bash and python application that uses massdns to *accurately* perform DNS bruteforcing and mass resolving.


[**NtHiM**](https://github.com/TheBinitGhimire/NtHiM)**:** Now, the Host is Mine! - Super Fast Sub-domain Takeover Detection!

```
NtHiM -t https://example.example.com
NtHiM -f hostnames.txt
```


[**Interact.sh**](https://interact.projectdiscovery.io/#/): an alternative to Burp Collaborator ;)

[**shredos.x86\_64**](https://github.com/PartialVolume/shredos.x86_64)**:** ShredOS 64-bit for all Intel 64-bit processors as well as processors from AMD and other vendors that make compatible 64-bit chips. ShredOS: secure disk erasure.
