Domain Discovery

Check the following locations for additional domains:

  • Certificate Transparency Reports

  • Google Cache

  • Wordlists in DNS

Discovery

Imagine that a DNS CNAME points at a record that is itself a separate subdomain on a cloud service; we can search for that record as well. This may give us additional information about new assets.

// Below gives us a new potential set of hostnames, m4lwhereNotes
CNAME notes.m4lwhere.org -> m4lwhereNotes.gitbook.com
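One way to pull those tenant-style labels out of a set of CNAME records for asset inventory, as an added example that is not part of the original notes. The CNAME records below are constructed for illustration (only the gitbook one comes from the note above), and `registrable_parent` is a deliberately crude stand-in for a Public Suffix List lookup.

```python
# Added example (not from the original notes): given CNAME records gathered for
# a domain, collect the external service domains they point at and the tenant
# labels exposed there, so the same label can be checked on other services when
# inventorying assets. Sample records are constructed for illustration.
from collections import defaultdict

# Constructed sample CNAME records: (source name, CNAME target)
SAMPLE_CNAMES = [
    ("notes.m4lwhere.org", "m4lwhereNotes.gitbook.com"),
    ("docs.m4lwhere.org", "m4lwhereNotes.gitbook.com"),
    ("shop.m4lwhere.org", "m4lwhere-store.myshopify.com"),
    ("www.m4lwhere.org", "m4lwhere.org"),  # stays in our own zone: no tenant label
]


def registrable_parent(host, depth=2):
    """Return the last `depth` labels of a hostname (crude eTLD+1 without a PSL)."""
    labels = host.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])


def tenant_labels(cnames, own_domain):
    """Map each external service domain to the tenant labels CNAMEs reveal there.

    notes.m4lwhere.org -> m4lwhereNotes.gitbook.com tells us that 'm4lwhereNotes'
    is an account identifier on gitbook.com; that label is a candidate to look
    for on other SaaS providers when building the asset list.
    """
    own = own_domain.lower()
    found = defaultdict(set)
    for _src, target in cnames:
        target = target.rstrip(".")
        parent = registrable_parent(target)
        if parent == own or target.lower().endswith("." + own):
            continue  # internal alias, no third-party tenant exposed
        label = target.split(".")[0]  # leftmost label is the tenant identifier
        found[parent].add(label)
    return {svc: sorted(labels) for svc, labels in found.items()}


if __name__ == "__main__":
    for service, labels in tenant_labels(SAMPLE_CNAMES, "m4lwhere.org").items():
        print(f"{service}: {', '.join(labels)}")
```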

Tools

inetdata - https://github.com/hdm/inetdata

DNSRecon.py - https://github.com/darkoperator/dnsrecon

./dnsrecon.py -t brt,crt -d m4lwhere.org -D hosts.txt --iw --threads 10
# -t brt,crt: brute force and Certificate Transparency logs
# -d: target domain (m4lwhere.org)
# -D: custom dictionary of hostnames (hosts.txt)
# --iw: ignore wildcard DNS responses

ShuffleDNS

Uses massdns to spread DNS requests across many different resolvers; very quick!

shuffledns -d m4lwhere.org -w ./subdomains-5k.txt -r ./resolvers.txt --massdns /opt/bin/massdns -o ./out.txt

gobuster
