I have been doing a lot of research lately around getting the best coverage when it comes to DNS enumeration. If you're on a red team and doing asset discovery, or if you're a bug bounty hunter and you get given scope with *.example.com, it is usually massively important to get DNS enumeration right and not miss anything in the process.
Personally, my DNS enumeration looks a lot like the following:
I run subfinder:
subfinder -d uber.com >>
Then I'll use amass. Amass is great because it pulls from a LOT of different sources and performs a lot of enumeration techniques to get really great coverage; this includes certificate transparency, DNS dumpster, Rapid7 Sonar, Google and loads of other sources.
amass enum -d uber.com
Then, just to make sure I didn’t miss anything, I’ll do a full on DNS bruteforce using MassDNS or ZDNS.
I've recently taken to using my new tool subgen, which just takes a wordlist as STDIN, concatenates your domain with the wordlist, and doesn't allow the same subdomain string to be printed more than once (unique).
From this, you can pipe into whatever resolver tool you like best.
As far as wordlists go, I am a big fan of a sorted version of Jason Haddix's all.txt: https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056
cat ~/lists/sorted-all.txt | subgen -d uber.com | zdns A | jq -r "select(.data.answers[0].name) | .name"
This is truly one of the fastest ways to all-out bruteforce right now. A full bruteforce using that 25MB list takes a total of 20 minutes with Cloudflare DNS on a Digital Ocean SFO2 droplet. If you use MassDNS you can get it down to 10 minutes; just make sure you use the right resolvers with MassDNS.
cat ~/lists/jhaddix-all.txt | subgen -d uber.com | massdns -r dns.txt -t A -o S -w results.txt
And use this for DNS (my best list right now, credit to @R3D_Z3R0 on Twitter.)
So - this brings me on to you: what do you use for your DNS enumeration methodology? Share with everybody so that we have a big resource here!
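
Seen from the DNS server side, the wordlist bruteforce described in this post is one client asking for many distinct labels under one zone in a short time, with almost every answer NXDOMAIN. The sketch below is an added example and not part of the original post; the log format, the 60-second window and the thresholds are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_log():
    """Constructed log lines: '<ISO time> <client> <qname> <qtype> <rcode>' (assumed format)."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    for i in range(40):  # one client walking a wordlist, 50 ms apart
        rcode = "NOERROR" if i % 20 == 0 else "NXDOMAIN"
        t = base + timedelta(milliseconds=50 * i)
        lines.append(f"{t.isoformat()} 198.51.100.7 w{i}.example.com. A {rcode}")
    for i in range(40):  # ordinary client: one name, always resolves
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 203.0.113.9 www.example.com. A NOERROR")
    for i, label in enumerate(["wwww", "mial", "www"]):  # a few typos only
        t = base + timedelta(seconds=5 * i)
        rcode = "NOERROR" if label == "www" else "NXDOMAIN"
        lines.append(f"{t.isoformat()} 192.0.2.44 {label}.example.com. A {rcode}")
    lines.append("truncated line")  # malformed input must not break parsing
    return lines

def find_bruteforce(lines, zone, window=timedelta(seconds=60),
                    min_names=25, min_nx_ratio=0.8):
    """Return {client: (distinct_names, nx_ratio)} for clients that look like a bruteforce."""
    suffix = "." + zone.lower().rstrip(".")
    per_client = defaultdict(list)  # client -> [(time, qname, rcode)]
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        ts, client, qname, _qtype, rcode = parts
        qname = qname.lower().rstrip(".")
        if qname.endswith(suffix):  # only subdomains of the watched zone
            per_client[client].append((datetime.fromisoformat(ts), qname, rcode))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward so the span stays within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            names = {q for _, q, _ in chunk}
            nx_ratio = sum(r == "NXDOMAIN" for _, _, r in chunk) / len(chunk)
            if len(names) >= min_names and nx_ratio >= min_nx_ratio:
                flagged[client] = (len(names), round(nx_ratio, 2))
                break  # first window that trips the rule is enough
    return flagged

if __name__ == "__main__":
    print(find_bruteforce(sample_log(), "example.com"))
```

Counting distinct names rather than raw query volume keeps a busy client that repeats the same lookups from being flagged.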