Subdomain Bruteforcing

Subdomain Bruteforcing – Active Enumeration Technique

Subdomain brute-force enumeration is a methodical approach to uncovering hidden or lesser-known subdomains by appending potential names from a wordlist to a target domain and checking if they resolve via DNS.

Key Steps in the Bruteforce Process

  1. Wordlist Selection

    Choose the right wordlist for your target:

    • General-Purpose: Covers common names like admin, dev, test, mail.
    • Targeted: Tailored to specific industries or known patterns.
    • Custom: Crafted from recon intel, breach data, etc.

  2. Iteration & Querying

    Tools systematically generate combinations like:

    dev.example.com
    staging.example.com
    test.example.com

  3. DNS Lookup

    Each subdomain is checked to see if it resolves (usually via A/AAAA records).

  4. Filtering & Validation

    Valid entries (resolving subdomains) are collected. Optional steps:

    • Web request probing
    • Port scanning
    • Screenshotting (with tools like Aquatone or EyeWitness)

Tools for Subdomain Brute-Forcing

| Tool | Description |
|------|-------------|
| dnsenum | Perl-based tool with brute-forcing, zone transfer, Google scraping, WHOIS, and reverse lookups. |
| fierce | Recursive subdomain discovery with wildcard detection. |
| dnsrecon | Multi-technique DNS recon with customizable output. |
| amass | Powerful recon platform with passive/active modes and data source integration. |
| assetfinder | Lightweight subdomain finder for quick scans. |
| puredns | High-speed brute-forcing tool with mass resolver support and wildcard filtering. |

Tool in Action: Using dnsenum

We’ll perform enumeration on the domain inlanefreight.com using a top 5000 wordlist:

dnsenum --enum inlanefreight.com -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

Optional recursive brute-force:

dnsenum --enum inlanefreight.com -f /path/to/wordlist.txt -r

Sample Output

----- inlanefreight.com -----
Host's addresses:
inlanefreight.com. 300 IN A 134.209.24.248

Brute forcing with subdomains-top1million-5000.txt:
www.inlanefreight.com. 300 IN A 134.209.24.248
support.inlanefreight.com. 300 IN A 134.209.24.248

Tips for Better Results

  • Always check for wildcard DNS responses to avoid false positives.
  • Use tools like massdns, puredns, or dnsx for high-performance enumeration.
  • Combine passive subdomain enumeration (e.g., crt.sh, VirusTotal) with brute-force for full coverage.
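
The wildcard check from the first tip, as an added example that is not part of the original post: it resolves a few random labels to learn what a wildcard record returns, then drops brute-force hits that only match that baseline. The example.test zone, the make_fake_resolver helper and every address are constructed so the block runs offline.

```python
import secrets
import socket

def system_resolve(name):
    """Addresses the OS resolver returns for name (empty set if it does not resolve)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def wildcard_addresses(domain, resolve, probes=3):
    """Resolve random labels that cannot exist; any answer reveals a wildcard record."""
    seen = set()
    for _ in range(probes):
        seen |= resolve(f"{secrets.token_hex(8)}.{domain}")
    return seen

def enumerate_subdomains(domain, words, resolve=system_resolve):
    """Return {fqdn: addresses} for candidates not explained by the wildcard baseline."""
    wildcard = wildcard_addresses(domain, resolve)
    found = {}
    for word in words:
        fqdn = f"{word.strip().lower()}.{domain}"
        addrs = resolve(fqdn)
        # Keep a name only if it resolves to something the wildcard did not return.
        # Limitation: a real host sharing the wildcard address is dropped as well.
        if addrs and not addrs <= wildcard:
            found[fqdn] = addrs
    return found

def make_fake_resolver(records, wildcard_ip=None):
    """Constructed stand-in for DNS so the demo runs offline (hypothetical helper)."""
    def resolve(name):
        if name in records:
            return set(records[name])
        return {wildcard_ip} if wildcard_ip else set()
    return resolve

# Constructed sample zone using documentation address ranges (RFC 5737).
SAMPLE_RECORDS = {"www.example.test": ["192.0.2.10"], "dev.example.test": ["192.0.2.20"]}

if __name__ == "__main__":
    resolver = make_fake_resolver(SAMPLE_RECORDS, wildcard_ip="203.0.113.5")
    hits = enumerate_subdomains("example.test", ["www", "dev", "staging"], resolver)
    print(sorted(hits))
```

Without the baseline, every word in the list would "resolve" in the wildcard zone and staging.example.test would be reported as a live host.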

Subdomain Bruteforcing
https://fuwari.vercel.app/posts/subdomain-bruteforcing/
Author: Ranjung Yeshi Norbu
Published at: 2025-04-21