Recon-NG and Altdns

Miguel Sampaio da Veiga
Published in Hacker Toolbelt
2 min read · Apr 17, 2019

Jason Haddix has a fantastic script that runs Recon-NG combined with AltDNS and a subdomain wordlist. If you like it, star his repo.

Configure Recon-NG google API

If not done already, you can follow the instructions here:

Install altdns

Clone the repo from here

$ git clone https://github.com/infosec-au/altdns.git

$ cd altdns

$ pip install -r requirements.txt

It should be ready to use.

Download brute force list

Download it from here.

$ curl -O https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/shubs-subdomains.txt

Clone domain script

$ git clone https://github.com/jhaddix/domain.git

Use script

Simple usage

$ cd ./domain

$ ./enumall.py your-target-domain.com

Advanced usage

Configure config.py

$ cp config_sample.py config.py

$ nano config.py

reconPath = "/usr/share/recon-ng/"
altDnsPath = "/path-to-altdns/altdns-master/"

$ ./enumall.py your-target-domain.com -a -w ../shubs-subdomains.txt
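A preflight check for the setup above, added here as an example (it is not part of Jason Haddix's script or the original post). The function names `config_value` and `preflight` are hypothetical, and it assumes config.py uses the `name = "value"` form shown above.

```shell
#!/bin/sh
# Added example: verify config.py and the wordlist before running enumall.py.
# Usage (from the domain directory): sh preflight.sh config.py ../shubs-subdomains.txt

# Print the value assigned to key $2 in config file $1.
# Only plain ASCII quotes are accepted, so curly quotes pasted from a
# web page (which would break the Python config) are reported as unset.
config_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*[\"']\\(.*\\)[\"'][[:space:]]*\$/\\1/p" "$1" |
        head -n 1
}

# Return 0 when the setup looks usable, 1 otherwise; problems go to stderr.
preflight() {
    cfg=$1
    wordlist=$2
    rc=0
    if [ ! -f "$cfg" ]; then
        echo "missing $cfg (copy config_sample.py to config.py)" >&2
        return 1
    fi
    for key in reconPath altDnsPath; do
        val=$(config_value "$cfg" "$key")
        if [ -z "$val" ]; then
            echo "$key: not set as a plain-quoted string in $cfg" >&2
            rc=1
        elif [ ! -d "$val" ]; then
            echo "$key: directory not found: $val" >&2
            rc=1
        fi
    done
    # A failed or unsaved download leaves no file, an empty file,
    # or an HTML error page instead of a list of names.
    if [ ! -s "$wordlist" ]; then
        echo "wordlist missing or empty: $wordlist" >&2
        rc=1
    elif head -n 1 "$wordlist" | grep -q '<'; then
        echo "wordlist looks like HTML, not hostnames: $wordlist" >&2
        rc=1
    fi
    return $rc
}

if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```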
