What is your go-to DNS enumeration methodology? [Discussion]

pry0cc · March 31, 2020, 7:28pm

Hey 0x00ers!

I have been doing a lot of research lately around getting the best coverage when it comes to DNS enumeration. If you’re on a red team and doing asset discovery, or if you’re a bug bounty hunter and you get given scope with *.example.com, DNS enumeration is usually massively important to get right but also not miss anything in the process.

Personally, my DNS enumeration looks a lot like the following:

I run subfinder:

subfinder -d uber.com >>

Then I’ll use amass, Amass is great because it pulls from a LOT of different sources and perms a lot of enumeration techniques to get really great coverage, this includes certificate transparency, DNS dumpster, Rapid7 Sonar, Google and loads of other sources.

amass enum -d uber.com

Then, just to make sure I didn’t miss anything, I’ll do a full on DNS bruteforce using MassDNS or ZDNS.

I’ve recently taken to using my new tool subgen, which just takes a wordlist as STDIN, concates your domain with the wordlist, and doesn’t allow the same subdomain string to be printed more than once (unique).

From this, you can pipe into whatever resolver tool you like best.

As far as wordlists go, I am a big fan of a sorted Jason Haddix’s all.txt, https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056

cat ~/lists/sorted-all.txt | subgen -d uber.com | zdns A | jq -r "select(.data.answers[0].name) | .name"

This is truly one of the fastest ways to all out bruteforce right now, a full bruteforce using that 25MB list takes a total of 20 minutes with Cloudflare DNS on a Digital Ocean SFO2 droplet, if you use MassDNS you can get it down to 10 minutes, just make sure you use the right resolvers with MassDNS.

cat ~/lists/jhaddix-all.txt | subgen -d uber.com |  massdns -r dns.txt -t A -o S -w results.txt

And use this for DNS (my best list right now, credit to @R3D_Z3R0 on Twitter.)

1.1.1.1
1.0.0.1
8.8.8.8
8.8.4.4
8.26.56.26
8.20.247.20
9.9.9.9
149.112.112.112
64.6.64.6
64.6.65.6
208.67.222.222
208.67.220.220
185.228.168.9
185.228.169.9
198.101.242.72
23.253.163.53
176.103.130.130
176.103.130.131

So - this brings me onto you, what do you use for your DNS enumeration methodology? Share with everybody so that we have a big resource here!

vict0ni · April 1, 2020, 5:23pm

I almost do the same steps:

subfinder -d domain.com | tee -a domains
assetfinder -subs-only domain.com | tee -a domains
crobat-client -s domain.com | tee -a domains

Then of course sort -u to remove duplicates. I have to add the bruteforce solution at the end to find things I missed, like you said. For that I use subEnum.

When it comes to bug hunting, recon and DNS enumeration is probably half of the job. The more assets you find, the bigger the attack surface, thus the more the chances of finding something!

pry0cc · April 1, 2020, 5:39pm

Absolutely!

Finding the path less travelled, and finding more assets, gives you a place to actually start looking. Half-assing recon will only cause you headaches down the road.

pry0cc · April 4, 2020, 12:39am

Hey - just reading this again, can you run these three commands at the same time? Will tee allow you to write from multiple processes at once?

DamaneDz · April 4, 2020, 2:06pm

Maybe you’ll find this tool useful.

vict0ni · April 4, 2020, 4:06pm

Just tested it, turns out you can. Did subfinder -d domain.com | tee -a domains in one terminal and assetfinder -subs-only anotherdomain.com | tee -a domains in another terminal and all results were saved in domains

pry0cc · April 4, 2020, 8:37pm

In PHP?

There’s no way that can be performant?

DamaneDz · April 4, 2020, 9:56pm

the tool isn’t that bad give it a try at least !

pry0cc · July 31, 2020, 11:28am

This topic was automatically closed after 121 days. New replies are no longer allowed.