Advanced Recon Automation (Subdomains) case 1

Th3Law
Feb 25, 2019 · 3 min read

Advanced recon made simple!

For bug hunters, pentesters, OSINTers, hackers =))))

Why not automate reconnaissance in a complex world? If used fully and correctly, it saves a lot of time!

E.g. CORS scanning, etc.

You can also get some nice vulnerabilities for which you have done nothing! WTF =)))

We have to automate everything we can so that nothing is missed. Below I give a simple workflow idea for sequencing the tasks.

1. Subdomain gathering

- Tools used:

+ Massdns

+ Altdns

+ Subfinder

We will use a custom subdomain wordlist and write a script for the task.

  • Brute-force subdomains with massdns + the subdomain wordlist.
  • Then run subfinder to gather subdomains from many internet sources.
  • Then run altdns to generate permuted versions of the subdomains.
  • Finally, we can recurse to go levels deeper when gathering subdomains.

One more:

- Use massdns to resolve the list of generated subdomains.

#!/usr/bin/env bash
# Usage: bash subdomains.sh <subdomain-wordlist> <domain> <output-file>
# Prepends every word in the wordlist to the domain and appends the
# candidates to the output file, ready for massdns to resolve.
wordlist=$1
domain=$2
output=$3
if [[ -z "${domain// }" || -z "$wordlist" || -z "$output" ]]; then
    echo "* Error. Use: bash subdomains.sh wordlist.txt example.com output.txt"
    echo "* Exit!"
    exit 1
fi
while read -r line; do
    echo "$line.$domain" >> "$output"
done < "$wordlist"
  • Arguments:

+ Subdomain wordlist

+ Domain to generate subdomains for

+ Output file

Subdomain wordlists:

+ https://github.com/danielmiessler/SecLists

+ https://github.com/Tim1512/subdomain_scanner/tree/master/wordlist

+ https://gist.github.com/jhaddix/86a06c5dc309d08580a018c66354a056

+ https://github.com/assetnote/commonspeak2-wordlists/blob/master/subdomains/subdomains.txt

+ https://github.com/pentester-io/commonspeak/blob/master/stackoverflow/output/compiled/stackoverflow_2017_10_22.urls_subdomains.txt

+ https://github.com/rbsec/dnscan

Example shell:

bash subdomains.sh subdomains-wordlist.txt $domain "wordlist.txt"

Resolve which candidates are online:

massdns -r resolvers.txt -q -t A -o S -w "result-online.txt" "wordlist.txt"

Filter the massdns output to keep only the hostnames and drop everything else.

awk -F ". " '{print $1}' "result-online.txt" > "result-filtered.txt" && mv "result-filtered.txt" "result-online.txt"

- Gather subdomains from many internet sources using Subfinder:

subfinder -d $domain -nW -o "gather-online.txt" -rL resolvers.txt > /dev/null 2>&1

resolvers.txt is a file containing the DNS resolvers to use.

  • After the internet gathering finishes, we unify the results:
cat result-online.txt gather-online.txt > subdomains.txt
sort -u "subdomains.txt" -o "subdomains.txt"
  • Altdns permutes the subdomains using a list of given words.
  • Using this technique, we can discover subdomains others wouldn't have found.
./altdns.py -i "subdomains.txt" -o "altdns-word.txt" -w words.txt
  • Once we have the list of all generated subdomains that exist, we recurse on them. E.g. demo.staging.dev.xnxx.com
  • You can repeat the brute-forcing step above on these, and think about what else to try.

Finally, some things to remember:

+ There might be a wildcard DNS record for subdomains, so there may be many false positives => we can insert a code snippet to detect wildcards.

# Resolve three random labels; if they get answers, a wildcard record is likely.
if [[ "$(dig @1.1.1.1 +short {testxnxx123,testingforwildcard,xnxxxthinking}.$domain | wc -l)" -gt "1" ]]; then
    echo "* Possible wildcard. You should check."
fi

+ Giving your own resolver list to your tools may increase their speed.
+ Clean your *-online.txt files if the output grows too big.
+ You can use the --verbose option for massdns.
+ https://opendata.rapid7.com/sonar.fdns_v2/
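On the wildcard point above: detecting the wildcard is only half the job, the wildcard answers also have to be removed from the massdns results or every brute-forced name looks alive. The following is an added example, not code from the original post. It reads massdns simple output (-o S, the "name. TYPE answer" format the awk filter above relies on) plus a file of answers that the random probe labels resolved to, and drops hosts whose every record is a wildcard answer; the sample lines and the helper names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Constructed sample of massdns "-o S" output (not real data).
sample_massdns_output() {
    cat <<'EOF'
www.example.com. A 203.0.113.10
mail.example.com. A 203.0.113.20
randomjunk.example.com. A 203.0.113.99
other.example.com. CNAME wildcard-lb.example.net.
api.example.com. A 203.0.113.30
api.example.com. A 203.0.113.31
EOF
}

# Constructed wildcard answer set: what the random probe labels
# (e.g. testxnxx123.$domain) resolved to, one answer per line.
sample_wildcard_answers() {
    printf '%s\n' '203.0.113.99' 'wildcard-lb.example.net.'
}

# filter_wildcards <massdns-output-file> <wildcard-answers-file>
# Prints unique hostnames (trailing dot stripped), sorted, keeping a host
# only if at least one of its records is NOT a wildcard answer. A host with
# one real and one wildcard answer therefore survives; a host whose only
# answers are the wildcard's IP or CNAME target is dropped.
filter_wildcards() {
    awk -v wcfile="$2" '
        BEGIN { while ((getline a < wcfile) > 0) wc[a] = 1 }
        NF >= 3 {
            host = $1; sub(/\.$/, "", host)
            seen[host] = 1
            if (!($3 in wc)) real[host] = 1
        }
        END { for (h in seen) if (h in real) print h }
    ' "$1" | sort
}

# Stand-alone demo: writes the constructed samples to temp files and filters.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    tmp=$(mktemp -d)
    sample_massdns_output > "$tmp/result-online.txt"
    sample_wildcard_answers > "$tmp/wildcard-answers.txt"
    filter_wildcards "$tmp/result-online.txt" "$tmp/wildcard-answers.txt"
    rm -rf "$tmp"
fi
```

Feed it the real result-online.txt and the answers from the dig probe instead of the samples; anything left after filtering is worth a manual check, anything removed was almost certainly the wildcard talking.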

Good luck. To be continued!

SoulSecTeam
