Domain Discovery
Check the following locations for additional domains:
Certificate Transparency Reports
Google Cache
Wordlists in DNS
Discovery
Imagine that a DNS CNAME points to a record on a separate subdomain of a cloud service; we can search for that record (and the customer-specific label in it) as well. This may give us additional information about new assets.
// Below gives us a new potential set of hostnames, m4lwhereNotes
CNAME notes.m4lwhere.org -> m4lwhereNotes.gitbook.com
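As an added example (not part of these notes, and not any of the listed tools' own code), the script below combines the two ideas above: it parses "CNAME src -> target" lines, pulls the tenant label out of any target hosted outside our apex (m4lwhereNotes from m4lwhereNotes.gitbook.com), and merges the result with hostnames taken from Certificate Transparency SAN lists. The sample records are constructed, and the function names (parse_cname, tenant_label, names_from_ct, inventory) are my own; in practice the inputs would be dnsrecon or shuffledns output and a CT log search.

```python
import re

APEX = "m4lwhere.org"  # the domain being inventoried (taken from the notes)

# Constructed sample resolver output in the "CNAME src -> target" form the
# notes use; in practice this would come from dnsrecon / shuffledns.
SAMPLE_CNAMES = [
    "CNAME notes.m4lwhere.org -> m4lwhereNotes.gitbook.com",
    "CNAME www.m4lwhere.org -> m4lwhere.github.io",
    "CNAME blog.m4lwhere.org -> www.m4lwhere.org",  # internal alias, no tenant label
    "CNAME cdn.m4lwhere.org -> d111111abcdef8.cloudfront.net",
]

# Constructed sample of certificate SAN lists as a CT log search would return them.
SAMPLE_CT_SANS = [
    "*.m4lwhere.org, m4lwhere.org",
    "dev.m4lwhere.org, staging-api.m4lwhere.org",
    "m4lwhere.org, mail.m4lwhere.org, unrelated.example",
]

CNAME_RE = re.compile(r"^CNAME\s+(\S+)\s+->\s+(\S+)$")


def in_scope(name, apex):
    """True if name is the apex itself or a subdomain of it."""
    return name == apex or name.endswith("." + apex)


def parse_cname(line):
    """Parse one 'CNAME src -> target' line into (src, target), or None."""
    m = CNAME_RE.match(line.strip())
    if not m:
        return None
    # DNS names are case-insensitive, so normalise to lowercase without a trailing dot.
    return m.group(1).rstrip(".").lower(), m.group(2).rstrip(".").lower()


def tenant_label(target, apex):
    """Leftmost label of a CNAME target hosted outside the apex, e.g.
    'm4lwherenotes' for m4lwhereNotes.gitbook.com; None if the target is our own."""
    if in_scope(target, apex):
        return None
    return target.split(".")[0]


def labels_from_cnames(lines, apex):
    """Map each in-scope name aliased to a third party to the provider and the
    tenant label used there. The label is a naming convention worth searching
    for on other providers and in CT logs."""
    result = {}
    for line in lines:
        parsed = parse_cname(line)
        if parsed is None:
            continue
        src, target = parsed
        label = tenant_label(target, apex)
        if label is None or not in_scope(src, apex):
            continue
        result[src] = {"provider": ".".join(target.split(".")[1:]), "label": label}
    return result


def names_from_ct(san_entries, apex):
    """Split CT SAN lists into concrete in-scope hostnames and wildcard entries.
    A wildcard SAN proves nothing about individual hosts, so it is kept apart
    rather than counted as a discovered asset."""
    names, wildcards = set(), set()
    for entry in san_entries:
        for san in entry.split(","):
            san = san.strip().lower().rstrip(".")
            bare = san[2:] if san.startswith("*.") else san
            if not in_scope(bare, apex):
                continue
            (wildcards if san.startswith("*.") else names).add(san)
    return names, wildcards


def inventory(cname_lines, san_entries, apex):
    """Combine both sources into a sorted hostname list plus the tenant labels
    that were learned from third-party CNAME targets."""
    names, _ = names_from_ct(san_entries, apex)
    aliases = labels_from_cnames(cname_lines, apex)
    names.update(aliases)  # the aliased in-scope names themselves
    labels = sorted({a["label"] for a in aliases.values()})
    return sorted(names), labels


if __name__ == "__main__":
    hosts, labels = inventory(SAMPLE_CNAMES, SAMPLE_CT_SANS, APEX)
    print("hostnames to verify:", hosts)
    print("tenant labels to search for:", labels)
```

The labels list is the piece the notes are after: each one is a name the organisation chose on a cloud provider, so it is a reasonable seed for the next wordlist and CT search, while the blog.m4lwhere.org alias is ignored because it only points back inside the apex.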
Tools
inetdata - https://github.com/hdm/inetdata
DNSRecon.py - https://github.com/darkoperator/dnsrecon
./dnsrecon.py -t brt,crt -d m4lwhere.org -D hosts.txt --iw --threads 10
# Brute Force, Cert Transparency Logs (brt,crt)
# Target domain of m4lwhere.org
# -D is custom dictionary of hosts.txt
# --iw is to ignore the wildcard
ShuffleDNS
Uses massdns to shuffle DNS requests across many different providers, very quick!
shuffledns -d m4lwhere.org -w ./subdomains-5k.txt -r ./resolvers.txt --massdns /opt/bin/massdns -o ./out.txt
gobuster