It's a technique where the person takes a long list of common subdomain names and append their target to them and based on the response determines whether they are valid or not. This is similar to the dictionary attack.
Below we can what happens in bruteforcing:
- admin ----> admin.target.com
- internal.dev ----> internal.dev.target.com
- secret ----> secret.target.com
- backup01 ----> backup01.target.com
Now that we have a list of probable domain names we need to check whether any of these predicted subdomains exist or not. For that, we need to do a mass DNS resolution. After this process, if any of these subdomains is found valid, it's a win-win situation for us.
At times passive DNS data doesn't give all the hosts/subdomains associated with our target. Also, there would some newer subdomains that still wouldn't have been crawled by the internet crawlers. In such a case subdomain bruteforcing proves beneficial.
Earlier DNS zone transfer vulnerabilities were the key to get the whole DNS infrastructure of a particular organization. But lately, the DNS servers have been secured and zone transfers are found very rarely.
A wildcard DNS record is a record that matches requests for non-existent domain names. Wildcards are denoted by specifying a
*of the left part of a domain name such as *.target.com. That means even if a subdomain doesn't exist it will return a valid response. See the example below:-
doesntexists.target.com ----> valid
Strange right? So in short, if a domain is a wildcard domain we will get all valid responses(false positives) while bruteforcing and wouldn't be able to differentiate which are valid and which aren't. To avoid this various wildcard filtering techniques are used by subdomain bruteforcing tools.
2) Open Public resolvers
While bruteforcing we tend to use a long wordlist of common subdomain names to get those hidden domains, hence the domains to be resolved will also be large. Such large resolutions cannot be performed by your system's DNS resolver, hence we depend on freely available public resolvers. Also, using public resolvers eliminates the changes of DNS rate limits.
Table of execution time and false positives.Using an 11 million wordlist on ibm.com
Puredns outperforms the work of DNS bruteforcing & resolving millions of domains at once.
1) Sanitize the input wordlist
The input wordlist is first sanitized to include only valid characters(
[a-z0-9.-]) and sets all words to lowercase.
2) Mass resolve using the public resolvers
To perform mass resolution of millions of domains at a high speed Massdns is used. Massdns using the public DNS resolvers provided; checks whether the probable subdomains generated by us are valid or not by querying those public resolvers. This is generally performed at an unlimited rate and generates a huge amount of traffic.
3) Wildcard detection
As discussed earlier wildcards should be properly detected to eliminate false positives. Puredns then uses its wildcard detection algorithm to detect and extract all the wildcard subdomain roots from the previous massdns output file.
4) Validating results with trusted resolvers
Now the issue with using public DNS resolvers is that they can be DNS cache poisoned. This issue arrives because DNSSEC(a secure way of querying authoritative name servers) is not widely adopted. To avoid DNS poisoning we verify our final results once again with trusted resolvers like Goggle DNS resolvers (
18.104.22.168). We can trust the results from trusted resolvers because they use DNSSEC.To avoid over abuse of trusted public DNS resolvers puredns has set a query limit of 500/qps(queries per second).
Since this tool is written in Go, your Go environment should be configured properly.
GO111MODULE=on go get github.com/d3mondev/puredns/v2
git clone https://github.com/vortexau/dnsvalidator.git
python3 setup.py install
Generating list of open public resolvers
It's very important to note that even if one of your public resolver is failing/not working you have a greater chance of missing an important subdomain. Hence, it's always advised that you generate a fresh public DNS resolvers list before execution.
dnsvalidator -tL https://public-dns.info/nameservers.txt -threads 100 -o resolvers.txt
Now that we have generated our public DNS resolver we are good to move ahead and perform subdomain bruteforcing using puredns.
puredns bruteforce wordlist.txt example.com -r resolvers.txt -w output.txt
- bruteforce - use the bruteforcing mode
- r - Specify your public resolvers
- w - Output filename
The whole idea DNS bruteforcing is of no use if you don't use a great wordlist. Selection of the wordlist is the most important aspect of bruteforcing. Let's look at what best wordlist:- 1) Assetnote best-dns-wordlist.txt (9 Million) ⭐ Assetnote wordlists are the best. No doubt this is the best subdomain bruteforcing wordlist. But highly recommended that you run this in your VPS. Running on a home system will take hours also the results wouldn't be accurate. This wordlist will definitely give you those hidden subdomains.
Usually, if you provide a very large wordlist(50M) and your target contains significant wildcards then sometimes puredns crashes out due to less memory while filtering wildcards. To overcome this issue you can use
--wildcard-batch 1000000flag. By default, puredns puts all the domains in a single batch to save on the number of DNS queries and execution time. Using this flag takes in a batch of only 1million subdomains at a time for wildcard filtering and after completion of the task takes in the next batch for wildcard filtering.
2) Puredns kills my home router
Massdns is the one to be blamed for. Massdns tries to perform DNS resolution using public resolvers at an unlimited rate. This generates large traffic and makes your home router unable to use for that specific period of time. To overcome this you can use the
-lflag. This flag throttles the massdns threads to your specified amount. It's advisable that you set the value anywhere between