Active Subdomain Enumeration

This process involves sending DNS queries or HTTP requests to candidate subdomains to identify which ones exist and are accessible. DNS brute forcing is probably one of the most effective ways of finding subdomains: a wordlist of commonly used subdomain names is resolved against the target domain, and every name that resolves is a hit.

Because brute forcing sends a large volume of queries, the key to success lies in the balance between stealth and speed.

Before starting subdomain enumeration it is important to verify that the DNS resolvers you plan to use are reachable and return correct answers; a dead or misbehaving resolver silently produces false negatives or false positives. DNSValidator can be used for this purpose.

We will feed DNSValidator a list of public resolvers from public-dns.info and keep only the ones that pass its checks:

dnsvalidator -tL https://public-dns.info/nameservers.txt -threads 100 -o resolvers.txt
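The kind of check a resolver-validation step performs, as an added example (this is not DNSValidator's code and not part of the original page): a resolver is kept only when it returns the expected A record for a name whose address you already know and NXDOMAIN for a name that cannot exist, which weeds out dead resolvers and ones that hijack NXDOMAIN responses. The hostnames and addresses are constructed placeholders, and the real UDP exchange is injectable so the logic can be exercised offline.

```python
import random
import socket
import struct

def build_query(name, qid):
    """DNS A query for `name`: header with RD set, one question, no EDNS."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(data, pos):
    """Advance past a (possibly compressed) domain name."""
    while data[pos] and data[pos] & 0xC0 != 0xC0:
        pos += data[pos] + 1
    return pos + (2 if data[pos] & 0xC0 == 0xC0 else 1)  # pointer is 2 bytes, root label 1

def parse_response(data, qid):
    """(rcode, [A-record IPs]) from a reply, or None if it is not a response to `qid`."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != qid or not flags & 0x8000:  # wrong ID or not a response: discard
        return None
    pos, ips = 12, []
    for _ in range(qd):  # skip the echoed question section
        pos = _skip_name(data, pos) + 4
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in data[pos:pos + 4]))
        pos += rdlen
    return flags & 0x000F, ips

def udp_exchange(resolver, query, timeout=2.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        try:
            return s.recv(4096)
        except socket.timeout:  # unreachable or slow resolver: treat as no answer
            return None

def resolver_is_sane(resolver, known, expected_ip, bogus, exchange=udp_exchange):
    """Keep a resolver only if it answers `known` correctly and returns NXDOMAIN for `bogus`."""
    for name, want in ((known, (0, [expected_ip])), (bogus, (3, []))):
        qid = random.randrange(1, 65536)  # fresh ID per query so stray replies are rejected
        reply = exchange(resolver, build_query(name, qid))
        parsed = parse_response(reply, qid) if reply else None
        if parsed != want:
            return False
    return True
```

A resolver that answers the bogus name with an address would turn every brute-forced name into a false positive, so it is rejected along with resolvers that time out or return the wrong address for the known name.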

Shuffledns is a fast subdomain enumeration tool that performs DNS resolution by combining wordlists with public or custom DNS resolvers. It primarily focuses on resolving subdomains by brute-forcing them from a list and quickly checking which ones are valid.

shuffledns -d $domain -mode bruteforce -w <wordlist> -r resolvers.txt

amass enum -d $domain -active -brute

# List saved scans in database
amass db -list
