It would be difficult for a person to perform all the above-mentioned techniques by hand. Hence, we need to rely on some kind of tool to automate such intensive steps. Wouldn't it be good if we just had to give our target name and BOOM !!💥 the tool performs subdomain enumeration via all these techniques?
Yes! This tool does the work of subdomain enumeration via 6 unique techniques. Currently, if configured well, it gives the largest number of subdomains compared to any other open-source tool 🚀. Let's take a look at the enumeration techniques it performs:-
The installer script installs all the dependencies and tools required.
git clone https://github.com/six2dez/reconftw
ReconFTW has a -s flag that performs subdomain enumeration & web probing.
Out of all the 6 techniques, if we want to skip any step we can do it through its config file. Just set the value of that particular function to false.
Also, you can provide your own wordlist for bruteforcing by specifying it in the reconftw config file.
It is highly recommended that you run this tool on a VPS.
./reconftw.sh -d example.com -s
d - target domain
s - Perform subdomain enumeration
Tip: 🧙‍♂️ Using --deep mode will run more time-consuming steps but return more subdomains.
Taking Subdomain Enumeration to next level 🚀 🚀
The biggest fear while performing subdomain enumeration is that the public DNS resolvers we are using will ban or time us out, since we are querying them at a high rate for a prolonged period of time. Because we would be querying the public resolvers from our single VPS IP address, they might ban us. But what if we perform the same task by distributing the workload amongst several VPS instances? The chances of a ban would be lower, right? Also, the execution time would be considerably less, right?
Axiom is a dynamic infrastructure framework that helps distribute the workload of a single task equally among several cloud instances. A perfect tool for mass recon. You will first need to install Axiom on your VPS/system, from where you will be able to spin the cloud instances up/down.
How does axiom work?
Let's say we want to perform DNS bruteforcing. For this, you will first need to initialize a fleet of instances. This can be any number of instances you want/are authorized to create. Within a matter of 4-5 minutes, that many instances will be initialized and ready to accept your commands.
Divide the bruteforce wordlist into an equal number of parts (one part per instance)
Transfer each part to the respective instances
Perform standalone execution in separate instances
Merge the output results from all instances
Create a single output
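The five steps above are the whole distribute-and-merge pipeline. The script below is an added illustration written for this article, not ReconFTW or Axiom code: it splits a wordlist into one part per "instance", runs each part as a separate local job, and merges the per-job outputs into a single de-duplicated result. It runs entirely offline on constructed data; instead of querying DNS, the per-instance job looks candidates up in a constructed answer file standing in for what a resolver would confirm. The names (split_wordlist, resolve_part, merge_results, run_pipeline) and the sample hosts are assumptions made for the example.

```shell
#!/bin/sh
# Added illustration of the split / run / merge workflow that Axiom automates.
# Not ReconFTW or Axiom code; all data below is constructed and nothing touches the network.

# Split $1 into $2 parts of (nearly) equal size, written as $3.part.1 .. $3.part.N.
split_wordlist() {
    wordlist=$1; n=$2; prefix=$3
    total=$(wc -l < "$wordlist")
    per=$(( (total + n - 1) / n ))      # ceil(total / n), so every line lands in some part
    i=1
    while [ "$i" -le "$n" ]; do
        sed -n "$(( (i - 1) * per + 1 )),$(( i * per ))p" "$wordlist" > "$prefix.part.$i"
        i=$(( i + 1 ))
    done
}

# Stand-in for the job each instance would run: keep only the candidates present in the
# constructed answer file ($2). grep exits 1 when nothing matches, which is not an error here.
resolve_part() {
    grep -Fxf "$2" "$1" > "$3" || true
}

# Concatenate every instance's output ($1.out.1 .. $1.out.N) and de-duplicate into $3.
merge_results() {
    prefix=$1; n=$2; out=$3
    i=1
    : > "$out"
    while [ "$i" -le "$n" ]; do
        cat "$prefix.out.$i" >> "$out"
        i=$(( i + 1 ))
    done
    sort -u -o "$out" "$out"
}

# Full pipeline: prints the number of confirmed names in the merged result.
run_pipeline() {
    wordlist=$1; answers=$2; n=$3; work=$4
    split_wordlist "$wordlist" "$n" "$work/w"
    i=1
    while [ "$i" -le "$n" ]; do
        # In Axiom each of these would run on its own instance; here they run as local background jobs.
        resolve_part "$work/w.part.$i" "$answers" "$work/w.out.$i" &
        i=$(( i + 1 ))
    done
    wait
    merge_results "$work/w" "$n" "$work/final.txt"
    wc -l < "$work/final.txt" | tr -d ' '
}

# Constructed sample data (not real hosts): a 10-word candidate list and the 3 names
# the stand-in "resolver" knows about.
WORK=$(mktemp -d)
printf '%s\n' www mail dev api staging test vpn admin blog cdn \
    | sed 's/$/.example.com/' > "$WORK/wordlist.txt"
printf '%s\n' www.example.com api.example.com blog.example.com > "$WORK/answers.txt"

# With 3 instances each one handles at most ceil(10/3) = 4 queries instead of all 10,
# which is exactly why the per-resolver query rate (and the ban risk) drops.
FOUND=$(run_pipeline "$WORK/wordlist.txt" "$WORK/answers.txt" 3 "$WORK")
echo "confirmed subdomains: $FOUND"   # → 3
```

Note that the per-part query count is the value to watch: distributing the list across N instances divides the rate each resolver sees from any single IP by roughly N, but the total number of queries sent to the public resolvers is unchanged, so a sensible per-instance rate limit still matters.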
Axiom has an interactive installer that will first ask for your cloud provider, API key, which provision to install, which region to choose, default instance size, etc.