Automation 🤖
It would be difficult for a person to perform all the above-mentioned techniques by hand. Hence, we need to rely on some kind of tool to automate such intensive steps. Wouldn't it be good if we just had to give our target name and BOOM !!💥 the tool performs subdomain enumeration via all these techniques?
Author: six2dez
Language: Bash
Yess, this tool does the work of subdomain enumeration via 6 unique techniques. Currently, if configured well, it returns the most subdomains of any other open-source tool 🚀 . Let's take a look at the enumeration techniques it performs:-
Passive Enumeration ( subfinder, assetfinder, amass, findomain, crobat, waybackurls, github-subdomains, Anubis, gauplus and mildew)
Certificate transparency (ctfr, tls.bufferover and dns.bufferover)
Bruteforce (puredns)
Permutations (DNScewl)
JS files & Source Code Scraping (gospider, analyticsRelationship)
DNS Records (dnsx)
The installer script installs all the dependencies and tools required.
ReconFTW has a -s flag that performs subdomain enumeration & web probing.
Out of all the 6 techniques, if we want to skip any step we can do it through its config file: just set the value of that particular function to false.
Also, you can provide your own wordlist for bruteforcing by specifying them in the reconftw config file.
It is highly recommended that you run this tool on a VPS.
Flags:
-d - target domain
-s - Perform subdomain enumeration
Tip: 🧙♂ Using --deep mode will run more time-taking steps but return more subdomains
The biggest fear while performing subdomain enumeration is that the public DNS resolvers we are using might ban or time out our queries, as we are querying them at a high rate for a prolonged period of time. Since we would be querying the public resolvers from our single VPS IP address, they might ban us. But what if we perform the same task by distributing the workload amongst several VPS instances? The chances of a ban would be less, right? Also, the execution time would be considerably less, right?
That's when Axiom comes to the rescue.
Author: pyrocc
Language: Bash
Supports: Digital Ocean, Linode, Azure, GCP, IBM
Axiom is a dynamic infrastructure that helps to distribute the workload of a single task equally among several cloud instances. A perfect tool while performing mass recon. You will first need to install Axiom on your VPS/system from where you will be able to spin up/down the cloud instances.
Let's say we want to perform DNS bruteforcing. For this, you will first need to initialize a fleet of instances. This can be any number of instances you want/are authorized to make. Within a matter of 4-5 minutes that many instances will be initialized and ready to accept your commands.
Divide the bruteforce wordlist into as many equal parts as there are instances
Transfer each part to the respective instances
Perform standalone execution in separate instances
Merge the output results from all instances
Create a single output
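The split / run-per-instance / merge workflow in the steps above, as an added example (not Axiom's or ReconFTW's own code): each cloud instance is simulated by a local background job, and the resolver is a stub that answers only from a constructed list of names, so the whole thing runs offline; the function names distribute_job and fake_resolve are assumptions.

```shell
#!/usr/bin/env bash
# Added example: simulates Axiom's split -> run on each instance -> merge model
# locally. Background jobs stand in for instances; fake_resolve stands in for
# the DNS bruteforce tool and never sends real queries.
set -eu

# Constructed sample "zone": the only names the stub resolver answers for.
KNOWN_HOSTS="www.example.com
mail.example.com
dev.example.com"

# Stub resolver for one instance: reads candidate names on stdin and prints
# those that "resolve" (i.e. appear in KNOWN_HOSTS).
fake_resolve() {
  while IFS= read -r name; do
    if printf '%s\n' "$KNOWN_HOSTS" | grep -qxF "$name"; then
      echo "$name"
    fi
  done
  return 0
}

# distribute_job WORDLIST DOMAIN N OUTFILE
#   1. split WORDLIST into N equal, line-aligned parts (one per instance)
#   2. run the worker on every part concurrently (the axiom-scan step)
#   3. merge and de-duplicate the per-instance results into OUTFILE
# Prints the number of unique resolved names.
distribute_job() {
  local wordlist=$1 domain=$2 n=$3 out=$4
  local work
  work=$(mktemp -d)
  split -n "l/$n" "$wordlist" "$work/part."       # GNU split: keeps lines whole
  for part in "$work"/part.*; do
    ( sed "s/\$/.$domain/" "$part" | fake_resolve >"$part.out" ) &
  done
  wait                                            # all "instances" finished
  cat "$work"/part.*.out | sort -u >"$out"        # merge into a single output
  rm -rf "$work"
  wc -l <"$out" | tr -d ' '
}
```

Swapping fake_resolve for a real resolver command is the only change needed to turn this into the per-instance step the text describes.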
Axiom has an interactive installer that will first ask for your cloud provider, API key, which provision to install, which region to choose, default instance size, etc.
Yes, it's possible to integrate Axiom in ReconFTW. Isn't that great? Do try this out !!😍
It's necessary to first install ReconFTW on your controller/main system and then install/set up Axiom.
Before running ReconFTW over Axiom it's recommended that you first initialize your fleet.
The thing to note here is that to run ReconFTW over Axiom you have to use a separate script called reconftw_axiom.sh
| Task | Axiom (15 instances) ✅ | Single VPS (4cpu/8gb) |
|---|---|---|
| DNS bruteforcing (11M wordlist) | 1m 16s | 10m 28s |
| Web probing (50k subdomains) | 1m 40s | 21m 22s |