Guide to Permutations Subdomain Enumeration
- What is a subdomain name?
- What is permutation subdomain discovery?
- Permutations Wordlist Generation
- Tools for permutations
- DNS Resolution
- Tips and Conclusion
Subdomain 101
In layman's terms, a subdomain name is a prefix before domain name that highlights a specific service.
For example, google.com is a domain name. mail.google.com, admin.google.com, us-east2.dev.vik.google.com, git.prod.google.com are subdomain names. All these subdomains are providing specific services. prod highlights it's in production, dev is for development, mail is for email services, etc.
Hackers get an idea of what that host serves there by looking at the subdomain.
What is permutation subdomain discovery?
Let's try to understand how permutation subdomain enumeration by a flowchart.
First step, is to do passive subdomain enumeration and find all the subdomain names that are used today or maybe used earlier but are dead now.
Second step, is to use these subdomain names (dev, prod, jenkins, us-east, etc.) to make all possible combinations by adding dashes and dots in between. Keep note of this that we are generating a list of all possible subdomain names. Due to so many for loops and depending on the depth of the generation, the file size may get very huge.
Third step, is to pipe the list of generated subdomain names into a DNS resolver that will resolve the subdomain name to an IP address in order to verify if the subdomain name is actually up or down.
Flow of using tools:
- Subfinder + Amass + other passive subdomain enumeration tools to get the list of subdomain names that exist now or could be up earlier.
- Permutations generation tools like dnsgen, regulator, gotator, goaltdns, etc. to generate the wordlist of possible subdomain names.
- DNS resolution tools like massdns, puredns, shuffledns, etc. to find valid subdomain names.
Permutations Wordlist Generation
There are two parts when talking about wordlists in case of permutations.
- Using a basic wordlist that contains all the possible permutation words that most of the companies are using.
- Contextual wordlist generation: Generate a wordlist from the words that are specific to that particular organization's assets.
For case 1, below are few links of wordlists that contains most of the words that many organizations use.
https://gist.githubusercontent.com/six2dez/ffc2b14d283e8f8eff6ac83e20a3c4b4/raw
https://raw.githubusercontent.com/cujanovic/goaltdns/master/words.txt
https://raw.githubusercontent.com/infosec-au/altdns/master/words.txt
For case 2, you can use these bash command to generate a wordlist. This is inspired by Hussein Daher @Hussein98d
$ subfinder -d domain.com -rL resolvers.txt -all -o subdomains.txt
$ cat subdomains.txt | tr '.' '\n' | sort -u > perms.txt
$ cat subdomains.txt | tr '-.' '\n' | sort -u > perms2.txt
perms.txt contains words in this format only web-gcp, api-prod, api, prod, dev, etc.
perms2.txt contains words with no dashes like web, prod, gcp, api, dev, etc.
Tools for Permutations
You can use various tools to do permutations. All these tools are open source. You can download them from there github repositories. The installation and usage instructions are also listed there. Some of the popular ones are listed below with the usage commands:
- dnsgen
$ cat subdomains.txt | dnsgen - > output.txt
$ dnsgen --wordlist perms.txt subdomains.txt > output-dnsgen.txt
- goaltdns
$ goaltdns -w perms.txt -l subdomains.txt -o output-goaltdns.txt
- gotator
$ gotator -sub subdomains.txt -perm perms.txt > output-gotator.txt
$ gotator --help
- ripgen
cat subdomains.txt | ripgen > output-ripgen.txt
- regulator
$ python3 main.py domain.com subdomains.txt domain.rules
$ bash make_brute_list.sh domain.rules output-regulator.txt
- Combine all output.txt files
$ cat output*.txt | sort -u > output.txt
DNS Resolution
After getting all possible subdomain names using all these permutation tools. Now, it is the time to do DNS resolution. DNS resolution is the process of resolving a domain name to an IP address. We would be able to verify if the subdomain actually exists or not with DNS resolution.
- Update your resolvers file first
- https://github.com/trickest/resolvers/blob/main/resolvers.txt
- Download this file using wget or curl command as
resolvers.txt
- Install massdns before running puredns or shuffledns
- Puredns
$ cat output.txt | puredns resolve --resolvers resolvers.txt --write subdomains-perm.txt
- Shuffledns
$ shuffledns -r resolvers.txt -l output.txt -d domain.com -o subdomains-perm.txt
Final sweet: subdomains-perm.txt contains all the valid subdomain names that are found after DNS resolution of list of permutated possible subdomain names.
Tips and Conclusion
- Use all the tools present on Internet because the core principle via which these permutations are generated is different for every tool.
- One tool's output will vary from other tools's output.
- Even, one word in perms.txt file matters.
- Always keep your resolvers.txt updated.
- Do your passive subdomain enumeration every week.
- Keep your subdomains and output files managed.
You can find me at https://twitter.com/3nc0d3dGuY
Thank You for reading this post.
Hack the World