Subdomain Enumeration: Doing it a Bit Smarter

My last post about subdomain enumeration received great feedback. In the meantime, I thought of some other improvements I could make to increase the chances of finding new assets. This post presents a new tool that resulted in several critical reports during the past weeks.

Current state

When I use altdns, I use it solely to generate possibilities. Even though it contains its own DNS resolver, it is much wiser to use a faster approach such as massdns for the actual resolution.

Firstly, let's explain what altdns does and why it works. Imagine having a list of active domain names that you found for the target:

app1.example.com
customer.example.com
...

Developers usually test the application before going into production. In practice, they use domain prefixes/suffixes such as staging or test to distinguish between the testing and production environments. Thus, the sibling domains for the above examples might look like:

app1-staging.example.com
test-customer.example.com
...

Altdns does exactly this: it generates the possible combinations of the original domain with the words from the wordlist (example). To make altdns generate possibilities, you simply run:

$ python altdns.py -i input_domains.txt -o ./output/path -w altdns/words.txt

This command generates a huge list of possible domain names for the target. I say possible, because most of them do not exist. To verify that a domain actually exists, you need to resolve it via DNS.

When I looked under the hood of altdns, I noticed that it is missing one crucial thing: targets may use custom words in their domain names. That's why you see many people in the community recommending that you "look for patterns" during the recon phase. Unfortunately, this is a pretty vague statement, and there is no automated way to do it.

By custom words, I mean words that are not included in your fundamental wordlist. These words are usually unique to the target environment, such as the name of the company, the name of the application, and so on. The domain names might look like:

pkjapp-testing.example.com
customers-indiadatacenter.example.com
...

You see, pkjapp and indiadatacenter are not words that you would think of including in your wordlist.

YOU CANNOT INCLUDE ALL THESE WORDS IN YOUR WORDLIST. It is much wiser to extend your wordlist smartly, per target.

Alternations

I created a tool that pretty much replaces the altdns functionality and adds several extra layers. It uses a generic wordlist that is automatically extended when needed.

You can find the source code here!

Let's look into the techniques that happen behind the scenes:

(For demo purposes, let's say that the wordlist contains just one word: stage)

  • Insert word on every index — Creates new subdomain levels by inserting the words between existing levels. foo.example.com -> stage.foo.example.com, foo.stage.example.com

  • Insert num on every index — Creates new subdomain levels by inserting numbers between existing levels. foo.bar.example.com -> 1.foo.bar.example.com, foo.1.bar.example.com, 01.foo.bar.example.com, ...

  • Increase/Decrease num found — If a number is found in an existing subdomain level, increase/decrease it without any other alteration. foo01.example.com -> foo02.example.com, foo03.example.com, ...

  • Prepend word on every index — On every subdomain level, prepend WORD and WORD- to the existing content. foo.example.com -> stagefoo.example.com, stage-foo.example.com

  • Append word on every index — On every subdomain level, append WORD and -WORD to the existing content. foo.example.com -> foostage.example.com, foo-stage.example.com

  • Replace the word with word — If a word longer than 3 characters is found in an existing subdomain level, replace it with the other words from the wordlist (if the wordlist contains more than one word). stage.foo.example.com -> otherword.foo.example.com, anotherword.foo.example.com, ...

  • Extract custom words — Extend the wordlist based on the target's domain naming conventions. Such words are either whole subdomain levels or the parts of a level split on -. For instance, mapp1-current.datastream.example.com yields the words mapp1, current and datastream. To prevent the wordlist from overflowing, a user-defined minimum word length is used for extraction. The default value is 6, which means that only words strictly longer than 5 characters are included (from the previous example, mapp1 does not satisfy this condition).
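As an added illustration (not dnsgen's own code), here is a compact Python implementation of the alterations listed above, including the custom-word extraction. It assumes the registered domain (example.com) is passed separately as base so that its labels are never treated as words, and the numbers parameter is a hypothetical knob for how far numbers are inserted and stepped.

```python
import re


def extract_custom_words(domains, base, min_len=6):
    """Extend the wordlist with target-specific words: each subdomain level
    is split on '-' and every part of at least min_len characters is kept
    (the default of 6 follows the post: mapp1 is dropped, current is kept)."""
    words = set()
    for d in domains:
        assert d.endswith("." + base), "base must be the registered domain"
        for level in d[: -len(base) - 1].split("."):
            words.update(p for p in level.split("-") if len(p) >= min_len)
    return words


def alterations(domain, base, words, numbers=range(1, 4)):
    """Generate candidate sibling names for one domain. Every candidate is
    only a possibility and still has to be resolved (e.g. with massdns)."""
    assert domain.endswith("." + base), "base must be the registered domain"
    words = set(words)
    levels = domain[: -len(base) - 1].split(".")
    n, out = len(levels), set()

    def rebuild(i, new):  # replace subdomain level i with new
        return ".".join(levels[:i] + [new] + levels[i + 1:])

    # Insert word / insert num on every index (creates new subdomain levels)
    for i in range(n + 1):
        for w in words:
            out.add(".".join(levels[:i] + [w] + levels[i:]))
        for k in numbers:
            for s in (str(k), "%02d" % k):
                out.add(".".join(levels[:i] + [s] + levels[i:]))
    for i, lvl in enumerate(levels):
        # Prepend / append word on every level, with and without '-'
        for w in words:
            for new in (w + lvl, w + "-" + lvl, lvl + w, lvl + "-" + w):
                out.add(rebuild(i, new))
        # Increase / decrease a number found in the level, keeping its width
        for m in re.finditer(r"\d+", lvl):
            val, width = int(m.group()), len(m.group())
            for k in numbers:
                for v in (val - k, val + k):
                    if v >= 0:
                        out.add(rebuild(i, lvl[:m.start()] + str(v).zfill(width) + lvl[m.end():]))
        # Replace a wordlist word (longer than 3 chars) found in the level
        for w in words:
            if len(w) > 3 and w in lvl:
                for other in words - {w}:
                    out.add(rebuild(i, lvl.replace(w, other)))
    return {s + "." + base for s in out}
```

Feeding the words returned by extract_custom_words back into alterations for every known domain is what turns a generic wordlist into a target-specific one.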

dnsgen

Refer to GitHub project's page to learn more about installation and usage.

Until next time!

Patrik