Advanced Recon Automation (Subdomains) case 1

Th3Law (SoulSecTeam)
Feb 25, 2019

Advanced recon, done the simple way!

For bug hunters, pentesters, OSINTers, hackers =))))

Why not automate reconnaissance in a complex world? If it is used fully and properly, it saves a lot of time!

E.g. a CORS scan, etc.

You can also pick up some nice vulnerabilities without doing anything extra for them! WTF =)))

We should automate everything we can so that nothing is missed. Below is a simple workflow idea for putting the tasks in order.

1. Go to subdomain gathering

- Tools used:

+ Massdns

+ Altdns

+ Subfinder

We will use a custom subdomain wordlist and write a script for the task.

  • Bruteforce subdomains with massdns + the subdomain wordlist
  • Then run subfinder to get subdomains from many internet sources.
  • After that, run altdns to get permuted versions of the subdomains.
  • Finally, we can recurse to go deeper in levels when collecting subdomains.

One more thing:

- Use massdns to resolve the generated list of subdomains.

#!/usr/bin/env bash
# Usage: subdomains.sh <subdomain-wordlist> <domain> <output-file>
wordlist=$1
domain=$2
output=$3
if [[ -z "${domain// }" || ! -f "$wordlist" || -z "$output" ]];
then
echo "* Error. Use: subdomains.sh wordlist.txt example.com output.txt"
echo "* Exit!"
exit 1
fi
# Append every word from the wordlist to the domain, one candidate per line
while read -r line
do
echo "$line.$domain" >> "$output"
done < "$wordlist"
  • Arguments (positional, in this order):

+ Subdomain wordlist

+ Domain to generate subdomains for

+ Output file

Subdomains wordlist:

+ https://github.com/danielmiessler/SecLists

+ https://github.com/Tim1512/subdomain_scanner/tree/master/wordlist

+ https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056

+ https://github.com/assetnote/commonspeak2-wordlists/blob/master/subdomains/subdomains.txt

+ https://github.com/pentester-io/commonspeak/blob/master/stackoverflow/output/compiled/stackoverflow_2017_10_22.urls_subdomains.txt

+ https://github.com/rbsec/dnscan

Example shell:

bash subdomains.sh subdomains-wordlist.txt $domain "wordlist.txt"

Resolve to online:

massdns -r resolvers.txt -q -t A -o S -w "result-online.txt" "wordlist.txt"

Filter the subdomain output to eliminate the extra fields (massdns prints "name. TYPE value"; we keep only the name).

awk -F ". " '{print $1}' "result-online.txt" > "result-filtered.txt" && mv "result-filtered.txt" "result-online.txt"

- Gather subdomains from many internet sources using Subfinder

subfinder -d $domain -nW -o "gather-online.txt" -rL resolvers.txt > /dev/null 2>&1

resolvers.txt is a file containing the DNS resolvers to use.

  • After gathering from internet sources is finished, we unify the results.
cat result-online.txt gather-online.txt > subdomains.txt
sort -u "subdomains.txt" -o "subdomains.txt"
  • Altdns permutes the subdomains using a list of given words.
  • Using this technique, we can discover subdomains others wouldn’t have found.
./altdns.py -i "subdomains.txt" -o "altdns-word.txt" -w words.txt
  • Once we have the list of all existing generated subdomains, we recurse over them. E.g. demo.staging.dev.xnxx.com
  • You can repeat the earlier bruteforcing steps on the new results and think about what else to try.
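As an added example (not code from the original post), here is one way to put the filter, unify and recursion steps together: it cleans the massdns "-o S" output, merges it with the subfinder list, and builds the next level of bruteforce candidates from the confirmed names. example.com, the file names, the depth cap and every sample line are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: clean up the massdns
# "-o S" output, merge it with the subfinder list, and build the next level
# of bruteforce candidates for the recursion step. All sample data below is
# constructed; example.com, the file names and the depth cap are assumptions.

# Keep only the queried name from each massdns line ("name. TYPE value"),
# strip the trailing dot, lowercase it, and drop names outside the target
# domain (for instance CNAME targets on a CDN that massdns also resolved).
normalize_massdns() {
  local domain=$1
  awk -v d=".$domain" '
    NF >= 3 {
      name = tolower($1)
      sub(/\.$/, "", name)
      if (length(name) > length(d) &&
          substr(name, length(name) - length(d) + 1) == d) print name
    }'
}

# Merge any number of subdomain lists: lowercase, strip trailing dots,
# drop blank lines, dedupe. Sorted output gives stable diffs between runs.
merge_sources() {
  cat "$@" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//' | grep -v '^$' | sort -u
}

# How many labels a name has below the apex domain (0 if not under it).
depth_below() {
  local name=$1 domain=$2
  local prefix=${name%".$domain"}
  if [ "$prefix" = "$name" ]; then echo 0; return; fi
  echo "$prefix" | awk -F. '{print NF}'
}

# Emit "word.<found>" for every confirmed name shallower than the depth cap,
# skipping candidates that are already known. Args: domain found.txt words.txt [cap]
next_level_candidates() {
  local domain=$1 found=$2 words=$3 cap=${4:-2} name w
  while read -r name; do
    [ -z "$name" ] && continue
    [ "$(depth_below "$name" "$domain")" -ge "$cap" ] && continue
    while read -r w; do
      [ -n "$w" ] && echo "$w.$name"
    done < "$words"
  done < "$found" | grep -vxF -f "$found" | sort -u
}

# Constructed massdns output: a duplicate, mixed case, and an out-of-scope CNAME target.
SAMPLE_MASSDNS='www.example.com. A 203.0.113.10
API.example.com. A 203.0.113.11
cdn.example.com. CNAME edge.cdnprovider.net.
edge.cdnprovider.net. A 198.51.100.5
www.example.com. A 203.0.113.10'

# Constructed subfinder output, as the tool might write it.
SAMPLE_SUBFINDER='blog.example.com
Www.example.com
staging.dev.example.com
dev.example.com.'

# Run the whole step: normalize, merge, then generate level-2 candidates
# from a tiny constructed wordlist.
demo_pipeline() {
  local tmp
  tmp=$(mktemp -d)
  printf '%s\n' "$SAMPLE_MASSDNS" | normalize_massdns example.com > "$tmp/result-online.txt"
  printf '%s\n' "$SAMPLE_SUBFINDER" > "$tmp/gather-online.txt"
  merge_sources "$tmp/result-online.txt" "$tmp/gather-online.txt" > "$tmp/subdomains.txt"
  printf '%s\n' www staging admin > "$tmp/words.txt"
  next_level_candidates example.com "$tmp/subdomains.txt" "$tmp/words.txt" 2
  rm -rf "$tmp"
}

demo_pipeline
```

The candidates it prints are what you feed back into massdns for the next round; the depth cap stops the recursion from growing without bound, and the known-name filter keeps you from re-resolving names you already have (staging.dev.example.com is skipped in the demo for that reason).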

Finally, some things to remember:

+ There might be a wildcard record for subdomains, so there may be many false positives => insert a code snippet to detect wildcards.

if [[ "$(dig @1.1.1.1 +short {testxnxx123,testingforwildcard,xnxxxthinking}.$domain A | wc -l)" -gt "1" ]]; then
echo "* Possible wildcard. Check it manually"
fi
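An added, more robust version of that check (not the post's own code): it probes several random labels, keeps only the IPs that every probe returned, and uses that set to strip wildcard hits out of the massdns result lines. 1.1.1.1 is the resolver the post uses; the fake_resolve_a lookup table and the wild.example.test zone are constructed so the demo runs offline.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: detect a wildcard record by
# resolving several random labels, collect the IPs every probe returns, and
# drop massdns results that only point at those IPs. resolve_a wraps dig;
# fake_resolve_a is a constructed lookup table so the demo runs offline.
# 1.1.1.1 is the resolver the post uses; everything else here is an assumption.

# A answers for a name, one IPv4 per line (needs dig and network access).
resolve_a() {
  dig @1.1.1.1 +short "$1" A | grep -E '^[0-9]+(\.[0-9]+){3}$' || true
}

# Constructed wildcard zone: every label under wild.example.test answers
# 203.0.113.99, except one real host; nothing else resolves.
fake_resolve_a() {
  case "$1" in
    real.wild.example.test) echo 203.0.113.7 ;;
    *.wild.example.test)    echo 203.0.113.99 ;;
  esac
}

RESOLVER=${RESOLVER:-resolve_a}

# A random label that is very unlikely to exist in any real zone.
random_label() {
  LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c 12
}

# Print the IPs that came back for all N random probes (the wildcard answer
# set). One probe is not enough: a lucky hit on a real name would look like
# a wildcard, so an IP only counts if every probe returned it.
wildcard_ips() {
  local domain=$1 probes=${2:-3} i
  for i in $(seq "$probes"); do
    "$RESOLVER" "$(random_label).$domain" | sort -u
  done | grep -v '^$' | sort | uniq -c | awk -v n="$probes" '$1 == n {print $2}'
}

# Read massdns "-o S" lines on stdin and drop A records whose IP is in the
# wildcard set; other record types and real IPs pass through untouched.
filter_wildcard() {
  local ips=$1   # newline-separated wildcard IPs, possibly empty
  awk -v w="$ips" '
    BEGIN { n = split(w, a, "\n"); for (i = 1; i <= n; i++) if (a[i] != "") bad[a[i]] = 1 }
    $2 == "A" && ($3 in bad) { next }
    { print }'
}

# Offline run against the constructed zone and three constructed result lines.
demo_wildcard() {
  RESOLVER=fake_resolve_a
  local ips
  ips=$(wildcard_ips wild.example.test 3)
  printf '%s\n' 'real.wild.example.test. A 203.0.113.7' \
                'junk.wild.example.test. A 203.0.113.99' \
                'mail.wild.example.test. MX 10 mx.example.test.' \
    | filter_wildcard "$ips"
}

demo_wildcard
```

In a real run you would leave RESOLVER at its default and pipe result-online.txt through filter_wildcard "$(wildcard_ips "$domain")". A name that resolves to the wildcard IP is only dropped, never the real host that happens to live in the same zone, which is the false-positive case the note above is warning about.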

+ Giving your own resolvers list to the tools can increase their speed.
+ Clean up your -online.txt files if the output grows into a big file.
+ You can use the --verbose option for massdns
+ https://opendata.rapid7.com/sonar.fdns_v2/

Good luck. To be continued!


I hack things, write things and break things. No system is safe! I'm Security Researcher. LawSoul from SentinelX