Dictionary-based enumeration is another technique for finding sub-domains that carry generic names. You discover sub-domains by testing common words as sub-domain labels, and sometimes by brute-forcing the whole space of alphanumeric strings. If a sub-domain with a non-guessable name exists, brute-forcing can occasionally turn it up, and if you recursively brute-force each sub-domain you find, you are well placed to uncover assets that may have been forgotten.
Dictionary-based enumeration
- Subbrute: a DNS meta-query spider that enumerates DNS records and sub-domains.
- The tool can run a brute-force or dictionary-based enumeration against a domain.
DNSRecon is a powerful DNS enumeration tool; one of its features is dictionary-based sub-domain enumeration using a pre-defined wordlist.
$ python dnsrecon.py -n ns1.insecuredns.com -d insecuredns.com -D subdomains-top1mil-5000.txt -t brt
Permutation scanning is another useful technique for identifying sub-domains. Here, new sub-domain candidates are derived from permutations, alterations and mutations of the domains and sub-domains that are already known.
Altdns is a tool that discovers sub-domains conforming to such patterns.
$ python altdns.py -i icann.domains -o data_output -w icann.words -r -s results_output.txt
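The following is an added example, not Altdns's own code nor part of the original page: it generates Altdns-style permutations of known sub-domains entirely offline (prefix, suffix, hyphen-joined and extra-label variants), so an asset-inventory team can produce a candidate list to resolve against zones it owns. The names `example.com`, `api`, `dev` and `staging` are constructed sample input.

```python
# Added example (not Altdns or the original page's code): build
# permutation candidates for known sub-domains without touching the network.
from typing import Iterable, List


def permute_subdomain(fqdn: str, words: Iterable[str], root: str) -> List[str]:
    """Return candidate names built by mutating one known sub-domain.

    Mutations mirror the permutation-scanning idea: prepend/append a word
    to the host label, join it with a hyphen, and insert it as an extra
    label at every position between the host labels and the root domain.
    Names outside `root` yield no candidates.
    """
    if not fqdn.endswith("." + root):
        return []
    labels = fqdn[: -len(root) - 1].split(".")  # host labels only, e.g. ["dev", "api"]
    out: List[str] = []
    for w in words:
        host = labels[0]
        for variant in (f"{w}{host}", f"{host}{w}", f"{w}-{host}", f"{host}-{w}"):
            out.append(".".join([variant] + labels[1:] + [root]))
        # insert the word as its own label at each possible depth
        for i in range(len(labels) + 1):
            out.append(".".join(labels[:i] + [w] + labels[i:] + [root]))
    return out


def permute_all(known: Iterable[str], words: Iterable[str], root: str) -> List[str]:
    """Permute every known name; drop duplicates and names already known."""
    known_set = set(known)
    word_list = list(words)
    seen = set()
    for fqdn in sorted(known_set):
        for cand in permute_subdomain(fqdn, word_list, root):
            if cand not in known_set:
                seen.add(cand)
    return sorted(seen)


if __name__ == "__main__":
    # constructed sample input, not real hosts
    KNOWN = ["api.example.com", "dev.api.example.com"]
    WORDS = ["dev", "staging"]
    for candidate in permute_all(KNOWN, WORDS, "example.com"):
        print(candidate)
```

Feed the printed candidates to a resolver you are authorised to query against your own zones; anything that resolves but is missing from the inventory is a forgotten asset to review.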