Advanced Recon Automation (Subdomains) case 1
Advanced tricks in simple recon!
For bug hunters, pentesters, OSINTers, hackers =))))
Why not automate reconnaissance in such a complex world? Used properly, it saves a lot of time!
E.g. a CORS scan, etc.
You can also pick up some nice vulnerabilities without having done anything by hand! WTF =)))
We have to automate everything we can so nothing is missed. Below is a simple workflow idea that puts the steps in order.
1. Subdomain gathering
- Tools used:
+ Massdns
+ Altdns
We will use a custom subdomain wordlist and write a script for the task.
- Brute-force subdomains with massdns + the subdomain wordlist.
- Then run subfinder to get subdomains from many internet sources.
- After that, run altdns to get permuted versions of the subdomains.
- Finally, we can recurse to get subdomains several levels deep.
One more:
- Use massdns to resolve the generated list of subdomains.
#!/usr/bin/env bash
# subdomains.sh: prepend every word of a wordlist to the target domain.
# Usage: bash subdomains.sh <subdomain wordlist> <domain> <output file>
wordlist=$1
domain=$2
output=$3

if [[ -z "${domain// }" || -z "$wordlist" || -z "$output" ]]; then
    echo "* Error. Use: bash subdomains.sh wordlist.txt example.com output.txt"
    echo "* Exit!"
    exit 1
fi

while read -r line; do
    echo "$line.$domain"
done < "$wordlist" > "$output"
- Arguments:
+ Subdomain wordlist
+ Domain to generate subdomains for
+ Output file
Subdomain wordlists:
+ https://github.com/danielmiessler/SecLists
+ https://github.com/Tim1512/subdomain_scanner/tree/master/wordlist
+ https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056
+ https://github.com/assetnote/commonspeak2-wordlists/blob/master/subdomains/subdomains.txt
+ https://github.com/rbsec/dnscan
Example shell:
bash subdomains.sh subdomains-wordlist.txt $domain "wordlist.txt"
Resolve which ones are online:
massdns -r resolvers.txt -q -t A -o S -w "result-online.txt" "wordlist.txt"
Filter the subdomain output: massdns -o S prints "name. TYPE rdata" per line, so keep only the name.
awk -F ". " '{print $1}' "result-online.txt" > "result-filtered.txt" && mv "result-filtered.txt" "result-online.txt"
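As an added example (not code from the original post), the two steps described above, filtering massdns output and recursing into deeper levels, as reusable bash functions. The massdns -o S sample lines and the domain example.com are constructed for the demonstration; the function names massdns_names and next_bases are my own.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post.

# massdns_names: read massdns "-o S" output on stdin, keep only A/AAAA/CNAME
# records whose owner name lies under the target domain, strip the trailing
# dot and print a sorted, unique list. Usage: massdns_names example.com < result-online.txt
massdns_names() {
    local domain=$1
    # massdns -o S format, one record per line:  <name>. <TYPE> <rdata>
    awk -v dom=".$domain." '
        NF >= 3 && ($2 == "A" || $2 == "AAAA" || $2 == "CNAME") {
            n = $1
            # keep only names that end in ".<domain>." (so lb.example.net is dropped)
            if (substr(n, length(n) - length(dom) + 1) == dom) {
                sub(/\.$/, "", n)
                print n
            }
        }' | sort -u
}

# next_bases: given the root domain and a list of discovered subdomains on
# stdin, print every intermediate parent so the wordlist can be brute-forced
# again under each one. demo.staging.dev.example.com yields
# staging.dev.example.com and dev.example.com; the root and the leaves are
# not printed. Usage: next_bases example.com < subdomains.txt
next_bases() {
    local root=$1
    awk -v root="$root" '
        {
            name = $1
            suffix = "." root
            # ignore names that are not under the root at all
            if (substr(name, length(name) - length(suffix) + 1) != suffix) next
            # drop the leftmost label repeatedly until only the root remains
            while (name != root && index(name, ".") > 0) {
                name = substr(name, index(name, ".") + 1)
                if (name != root) print name
            }
        }' | sort -u
}

# Constructed sample of massdns -o S output (not real data).
SAMPLE_MASSDNS='www.example.com. A 192.0.2.10
api.example.com. CNAME lb.example.net.
lb.example.net. A 192.0.2.20
demo.staging.dev.example.com. A 192.0.2.30
example.com. SOA ns1.example.com. hostmaster.example.com. 1 2 3 4 5'

printf '%s\n' "$SAMPLE_MASSDNS" | massdns_names example.com
printf '%s\n' "$SAMPLE_MASSDNS" | massdns_names example.com | next_bases example.com
```

In the real workflow the first pipeline replaces the awk/mv pair above (massdns_names example.com < result-online.txt > result-filtered.txt), and the output of next_bases is the list of domains to feed back into subdomains.sh for the next round.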
- Gather subdomains from many internet sources using Subfinder.
subfinder -d $domain -nW -o "gather-online.txt" -rL resolvers.txt > /dev/null 2>&1
resolvers.txt is a file with DNS resolvers, one per line.
- After the internet gathering finishes, we merge the results.
cat result-online.txt gather-online.txt > subdomains.txt
sort -u "subdomains.txt" -o "subdomains.txt"
- Altdns permutes the subdomains with a list of given words.
- Using this technique, we can discover subdomains others wouldn't have found.
./altdns.py -i "subdomains.txt" -o "altdns-word.txt" -w words.txt
- Once we have the list of all existing generated subdomains, we recurse into them. E.g. demo.staging.dev.xnxx.com
- You can repeat the earlier brute-forcing step on each new level, and think about what else to try.
Finally, a few things to remember:
+ There might be a wildcard DNS record for subdomains, so there may be many false positives => insert a code snippet to detect wildcards.
# query three labels that should not exist; more than one answer suggests a wildcard
if [[ "$(dig @1.1.1.1 +short -t A {testxnxx123,testingforwildcard,xnxxxthinking}.$domain | wc -l)" -gt "1" ]]; then
    echo "* Possible wildcard. You should check."
fi
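As an added example (not code from the original post), a fuller version of the wildcard check above: it probes random labels through a pluggable resolver, requires every probe to answer before calling it a wildcard, and then uses the wildcard's answers to drop brute-force hits that only match because of the wildcard. The function names wildcard_answers, drop_wildcard_hits and the RESOLVER variable are my own; the resolver 1.1.1.1 is the one used on the page.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post.

# resolve_a: default resolver backend, prints the A records of $1 via dig.
# The RESOLVER variable lets you swap in another command (or a test stub).
resolve_a() {
    dig @1.1.1.1 +short -t A "$1"
}
RESOLVER=${RESOLVER:-resolve_a}

# wildcard_answers: query three random labels under the domain. Only when
# all three get an answer is a wildcard assumed; the answers are then
# printed sorted and unique. Prints nothing and returns 1 otherwise.
wildcard_answers() {
    local domain=$1 hits=0 ans all=""
    for _ in 1 2 3; do
        # a label no real host is likely to use
        ans=$("$RESOLVER" "wild$RANDOM$RANDOM.$domain")
        [ -n "$ans" ] || continue
        hits=$((hits + 1))
        all="$all$ans
"
    done
    [ "$hits" -eq 3 ] || return 1
    printf '%s' "$all" | sort -u
}

# drop_wildcard_hits: read "name address" pairs on stdin and print only the
# names whose address is not one of the wildcard answers passed as
# arguments. A name that resolves elsewhere is kept, since it is likely a
# real host living under the wildcard zone.
drop_wildcard_hits() {
    awk -v wild="$*" '
        BEGIN { n = split(wild, w, " "); for (i = 1; i <= n; i++) seen[w[i]] = 1 }
        NF >= 2 && !($2 in seen) { print $1 }' | sort -u
}
```

Typical use after the massdns run: if wild=$(wildcard_answers "$domain"); then awk '$2 == "A" {sub(/\.$/, "", $1); print $1, $3}' result-online.txt | drop_wildcard_hits $wild > result-filtered.txt; fi. The three-probe rule avoids flagging a zone as wildcard because of a single stray record, while the address comparison keeps hosts that point somewhere other than the catch-all.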
+ Giving your own resolver list to your tools may increase speed.
+ Clean up your *-online.txt files if the output grows too big.
+ You can use the --verbose option for massdns.
+ https://opendata.rapid7.com/sonar.fdns_v2/
Good luck. To be continued!