Subdomain Enumeration Guide
Searchโ€ฆ
Home ๐Ÿ 
Introduction
What's the need ?๐Ÿค”
Prerequisites
Types
Horizontal Enumeration
Vertical Enumeration
Passive Techniques
Passive Sources
Certificate Logs
Recursive Enumeration
Active Techniques
DNS Bruteforcing
Permutation/Alterations
Scraping(JS/Source code)
Google analytics
TLS, CSP, CNAME Probing
VHOST probing
Web probing
Automation ๐Ÿค–
Powered By GitBook
Permutation/Alterations
It is almost similar to the previous DNS wordlist bruteforcing but instead of simply performing a dictionary attack we generate combinations/permutations of the already known subdomains.
One more thing to be noted here is, we also need a small wordlist with us in this method, which would contain common words like mail , internal, dev, demo, accounts, ftp, admin(similar to DNS bruteforcing but smaller)
For instance, let's consider a subdomain dev.example.com . Now we will generate different variations/permutations of this domain.
Isn't it good that we can generate such great combinations? This is the power of permutation bruteforcing. Now that we have generated these combinations, we further need to DNS resolve them and check if we get any valid subdomains. If so it would be a WIN ! WIN ! ๐Ÿ situation for us.

Tools:

โ€‹Gotatorโ€‹

Gotator is DNS wordlist generator tool. It is used to generate various combinations or permutations of a root domain with the user-supplied wordlist. Capable of generating 1M combinations in almost 2 secs.

Features:

  • Permute numbers up and down (dev2 --> dev0, dev1, dev2, dev3,dev4)
  • 3 levels of depth (dev.demo.admin.example.com)
  • Controls generation of duplicate permutations
  • Option to add external permutation list
  • Option to permute amongst the subdomains

Installation:

1
go install -v github.com/Josue87/[email protected]
Copied!

Running:

  • First, we need to make a combined list of all the subdomains(valid/invalid) we collected from all the above steps whose permutations we will create.
  • To generate combinations you need to provide a small wordlist that contains common domain names like admin, demo, backup, api, ftp, email, etc.
  • โ€‹This is a good wordlist of 1K permutation words that we will need.
  • The below command generates a huge list of non-resolved subdomains.
1
gotator -sub subdomains.txt -perm permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md > gotator1.txt
Copied!

Flags:

  • sub - Specify subdomain list
  • perm - Specify permutation/append list
  • depth - Configure the depth
  • numbers - Configure the number of iterations to the numbers found in the permutations (up and down)
  • mindup - Set this flag to minimize duplicates. (For heavy workloads, it is recommended to activate this flag).
  • md - Extract 'previous' domains and subdomains from subdomains found in the list 'sub'.
  • adv - Advanced option. Generate permutations words with subdomains and words with -. And joins permutation word in the back

Resolution:

  • Now that we have made a huge list of all the possible subdomains that could exist, now it's time to DNS resolve them and check for valid ones.
  • For this, we will again use Puredns.
  • It's always better to generate fresh public DNS resolvers every time we use them.
1
puredns resolve permutations.txt -r resolvers.txt
Copied!
Flags:
  • resolve - Use resolution mode
  • r - public DNS resolvers list
In such a way, we have got those strange name subdomains and increased our attack surface.

โ€‹

Active Techniques - Previous
DNS Bruteforcing
Next - Active Techniques
Scraping(JS/Source code)
Last modified 1mo ago
Copy link
Contents
Tools:
Gotator
Features:
Installation:
Running:
Resolution: