# DNS

## Domain & Subdomain Enumeration

[**httprobe**](https://github.com/tomnomnom/httprobe)**:** Take a list of domains and probe for working HTTP and HTTPS servers.

```
go get -u github.com/tomnomnom/httprobe

▶ cat recon/example/domains.txt
example.com
example.edu
example.net
▶ cat recon/example/domains.txt | httprobe
http://example.com
http://example.net
http://example.edu
https://example.com
https://example.edu
https://example.net
```

[**domain-check-2**](https://github.com/nixcraft/domain-check-2)**:** A simple shell script to display, or notify the user via email about, domain status and expiry date.

```
domain-check-2 -d google.com
domain-check-2 -f domain-list.txt
```

Output:

```
Domain                              Registrar                                      Status   Expires     Days Left
----------------------------------- ---------------------------------------------- -------- ----------- ---------
nixcraft.com                        GoDaddy.com, LLC                               Valid    10-may-2023   2022 
google.org                          MarkMonitor Inc.                               Valid    20-oct-2018   359  
google.net                          MarkMonitor Inc.                               Valid    15-mar-2018   140  
google.info                         MarkMonitor Inc.                               Valid    31-jul-2018   278  
cyberciti.biz                       GoDaddy.com, Inc.                              Valid    30-jun-2024   2439 
google.in                           MarkMonitor Inc. (R84-AFIN)                    Valid    14-Feb-2018   111  
google.co.in                        MarkMonitor Inc. (R84-AFIN)                    Valid    23-Jun-2018   240  
google.us                           MarkMonitor, Inc.                              Valid    18-apr-2018   174  
google.uk                           Markmonitor Inc.                               Valid    11-Jun-2018   228  
```

[**letItGo**](https://github.com/SecurityRiskAdvisors/letItGo): Enumerate and check domains for Azure tenants.

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWd-VcvRHVgUtkahm85%2Fuploads%2FYgzsNFToqoIQIiybjJY4%2Fimage.png?alt=media\&token=65a13698-2d2c-4f09-a34d-a9d40dfe00cc)

[**altdns**](https://github.com/infosec-au/altdns): Altdns is a DNS recon tool that allows for the discovery of subdomains that conform to patterns.

```
altdns -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt
```

[**Sublist3r**](https://github.com/aboul3la/Sublist3r)**:** Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT.

[**aquatone**](https://github.com/michenriksen/aquatone)**:** Aquatone is a tool for visual inspection of websites across a large number of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.

To use it on Windows, download this build of [**chromium**](https://www.chromium.org/getting-involved/download-chromium)**.** Once downloaded, aquatone must be executed with full paths to take the screenshots:

```
PS C:\Users\IEUser\Desktop > cat .\ips.txt | .\aquatone.exe -chrome-path "C:\Users\IEUser\Desktop\chrome-win\chrome.exe" -out "C:\Users\IEUser\Desktop\output\"
```

[**amass**](https://github.com/OWASP/Amass): The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.

```
amass enum -d domain.org
amass intel -active -addr 192.168.x.x -p 80,443,8080
```

Importing Amass results into Maltego**:**

```
amass viz -maltego
```

Import the CSV file with the correct Connectivity Table settings:

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWd-VcvRHVgUtkahm85%2Fuploads%2FdRXRUkvZOvPlWN38cvpT%2Fimage.png?alt=media\&token=07494878-a796-4790-bf23-5ec8e9e729cd)

[**VHostScan**](https://github.com/codingo/VHostScan)**:** A virtual host scanner that can be used with pivot tools and that detects catch-all scenarios, aliases and dynamic default pages. First presented at SecTalks BNE in September 2017 ([slidedeck](https://docs.google.com/presentation/d/1KDY7bnCpCGabJn8UpmHGSb6z_hi_WGf3ETxzykTNjWY)).

```
VHostScan -t example.com --ssl
# one hostname per line on stdin (\n, not \b)
echo -e 'a.example.com\nb.example.com' | VHostScan -t localhost -w ./wordlists/wordlist.txt
cat bank.htb | VHostScan -t 10.10.10.29
```

[**virtual-host-discovery**](https://github.com/jobertabma/virtual-host-discovery)**:** A basic HTTP scanner that enumerates virtual hosts on a given IP address.

```
ruby scan.rb --ip=127.0.0.1 --host=domain
```

[**gobuster**](https://github.com/OJ/gobuster)**:** Gobuster is a tool used to brute-force URIs, DNS subdomains, virtual host names and open AWS S3 buckets.

```
gobuster dns -d google.com -w ~/wordlists/subdomains.txt
```

[**aiodnsbrute**](https://github.com/blark/aiodnsbrute)**:** A Python 3.5+ tool that uses asyncio to brute-force domain names asynchronously.

```
# resolver.txt: one upstream resolver per line
cat resolver.txt
8.8.8.8
8.8.4.4
1.1.1.1

sudo pip3 install aiodnsbrute
aiodnsbrute yahoo.com -w /tmp/11m_sub_wordlist.txt -o csv -t 100000 -r resolver.txt
```

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MWz_kMCeecLWhl-JQVA%2F-MWzaKykUelQeE7Rbz62%2Fimage.png?alt=media\&token=e8c95a45-3a02-4c08-94b3-57e42ce1cbe6)

[**Sudomy**](https://github.com/Screetsec/Sudomy)**:** A subdomain enumeration framework that collects subdomains and analyzes domains by performing advanced automated reconnaissance. It can also be used for OSINT (open-source intelligence) activities.

```
./sudomy -d localhost -dP -eP -rS -cF -pS -tO -gW --httpx --dnsprobe -aI webanalyze -sS
./sudomy -d localhost --bruteforce
```

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MWzbeJIEmrAq1jh9xt8%2F-MWzbjoz2YqykNJN6YfU%2Fimage.png?alt=media\&token=e35ed397-8a8a-4302-b65a-ea8151d49f70)

[**Legion**](https://github.com/GoVanguard/legion): Legion is an open source, easy-to-use, super-extensible and semi-automated network penetration testing tool that aids in discovery, reconnaissance and exploitation of information systems.

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MWd-VcvRHVgUtkahm85%2Fuploads%2FyZhe7obkFJp6ZRPDWRst%2F68747470733a2f2f676f76616e67756172642e636f6d2f77702d636f6e74656e742f75706c6f6164732f323031392f30322f4c6567696f6e44656d6f2e676966.gif?alt=media\&token=07496231-6be0-4b22-82c0-1bb710910d51)

{% embed url="<https://github.com/GoVanguard/legion>" %}

[**red\_hawk**](https://github.com/tuhinshubhra/red_hawk)**:** All-in-one tool for information gathering, vulnerability scanning and crawling. A must-have tool for penetration testers.

{% embed url="<https://github.com/tuhinshubhra/red_hawk>" %}

{% embed url="<https://www.youtube.com/watch?ab_channel=r3d&v=Jt9kBFiJDrE>" %}

## Subdomain Takeover

[**subjack**](https://github.com/haccer/subjack)**:** A subdomain takeover tool written in Go, designed to scan a list of subdomains concurrently and identify those that can be hijacked.

```
subjack -w ~/tmp/subdomains.txt -c fingerprints.json -t 100 -timeout 30 -o results.txt -ssl
subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl
```

[**SubOver**](https://github.com/Ice3man543/SubOver)**:** SubOver is a hostile subdomain takeover tool, originally written in Python but rewritten from scratch in Go.

```
go get github.com/Ice3man543/SubOver
./SubOver -l subdomains.txt
go run subover.go -l ~/Downloads/subdomains -v
```

[**tko-subs**](https://github.com/anshumanbh/tko-subs)**:** Subdomain takeover detection by CNAME entry.

```
tko-subs -domains ~/Downloads/subdomains.txt
```

[**massdns**](https://github.com/blechschmidt/massdns)**:** MassDNS is a simple high-performance DNS stub resolver targeting those who seek to resolve a massive amount of domain names, in the order of millions or even billions. Without special configuration, MassDNS is capable of resolving over 350,000 names per second using publicly available resolvers.

```
massdns -r lists/resolvers.txt -t MX /home/kali/Downloads/all_domains_from_sublister_amass.txt > /home/kali/Downloads/results_MX.txt
massdns -r lists/resolvers.txt -t CNAME /home/kali/Downloads/all_domains_from_sublister_amass.txt > /home/kali/Downloads/results_CNAME.txt

# record types for -t include: A, AAAA, PTR, CNAME, MX
```

[**autoSubTakeover**](https://github.com/JordyZomer/autoSubTakeover)**:** A tool that checks whether a CNAME resolves to an in-scope address. If the CNAME resolves to an out-of-scope address, it may be worth checking whether subdomain takeover is possible. It also checks whether the domain a subdomain points to has expired.

[**puredns**](https://github.com/d3mondev/puredns)**:** puredns is a bash and Python application that uses massdns to *accurately* perform DNS brute-forcing and mass resolving.

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MX1lrISeO0iH_PsSjrv%2F-MX2-Uq1olHl7_OD36ea%2F88879682-ee665580-d1f8-11ea-9239-eb895790aa63.gif?alt=media\&token=43d789dc-f8ff-4cc2-8115-56dbf58cb1f8)

[**NtHiM**](https://github.com/TheBinitGhimire/NtHiM)**:** Now, the Host is Mine! - Super Fast Sub-domain Takeover Detection!

```
NtHiM -t https://example.example.com
NtHiM -f hostnames.txt
```

![](https://4052868066-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWd-VcvRHVgUtkahm85%2F-MXqrJaoMp1Z-SM0lyEC%2F-MXqsPUty5JY1NOHr7Zs%2Fdemonstration.gif?alt=media\&token=c0476a0f-cd95-4b39-8ace-2bb7db52c0f0)

**Interact.sh** - an alternative to Burp Collaborator ;)

{% embed url="<https://interact.projectdiscovery.io/#/>" %}

[**shredos.x86\_64**](https://github.com/PartialVolume/shredos.x86_64)**:** ShredOS 64-bit for all Intel 64-bit processors, as well as processors from AMD and other vendors that make compatible 64-bit chips. ShredOS - secure disk erasure.

{% embed url="<https://github.com/PartialVolume/shredos.x86_64>" %}
