loading
Loading content
loading
Learn how to generate subdomain permutations from an initial list of subdomains and brute force them to discover more subdomains.

Carlos Polop · Cloud Pentesting Team Leader
In the previous post about subdomain discovery, we explained what subdomain discovery is and the best techniques to start finding subdomains from a domain. We also created a workflow to search for subdomains given a domain name. We show we could find several subdomains from trickest.com and concluded the post by suggesting some improvements, so let's implement them now!
Currently, if we want to use the previous workflow to search for subdomains of different domains, we would need to launch it several times, modifying the domain used as input.
To avoid this, the first improvement we will develop is to allow the workflow to search for subdomains of several domains running it just once.
To do this, the main change we have to make is to change the initial input string for an input file pointing to
https://gist.githubusercontent.com/carlospolop/5422bdc87a8bdb440b73b4b2e5bef794/raw/f38220dcf987875a36bdf6266405f34326d534c9/trickest_domains.txtThis is a .txt file with the domains:
trickest.com
trickest.ioTherefore, instead of using a "STRING-TO-FILE" to connect the initial subdomains to oneforall, for example, we can directly connect our file input:
But what happened with the tools that expect a domain string as input? We can use the special node "FILE-SPLITTER" to call the tools once per line in the input file:
This way, we can control the domains we will enumerate in a gist and enumerate all of them in just 1 run of the workflow.
This is how the workflow looks like after these changes:
Having names of the already discovered subdomains, you could create permutations of those names and brute-force them to discover even more subdomains. For this technique, you need:
These are the permutation wordlists I will combine into one to use in the workflow:
In this workflow, I will be using the following tools to generate permutations of the discovered subdomains' names:
These are the nodes we will be adding to our workflow to generate permutations of the discovered subdomains and then brute-force them with Puredns (using the same parameters as before):
Finally, we will be combining the found subdomains from the first part of our workflow with the discovered brute forcing name permutations into one list.
Let's give this workflow a try and see what it finds!
For the sake of brevity, I'm not going to list here all the discovered subdomains, but it discovered 63 subdomains:
We improved our previous subdomain's discovery workflow to try to find hidden subdomains with uncommon names. This will help us find those potentially forgotten subdomains exposing outdated webs.
However, could we improve even more this workflow? Yes, we can. You could dedicate tens of hours to improve this kind of workflow, and you will always find new ways to tune them better.
Here are some suggestions:
Furthermore, note that different tools will use the same OSINT platforms to find information and won't find new subdomains. Keep this in mind to optimize your workflow!
All these possibilities allow you to find new subdomains that other hunters or pentesters couldn't find.
Sign up on Trickest and have fun creating your unique workflow!
Get a personalized demo
A 30-minute walkthrough. We map the platform to your stack and answer pricing and deployment questions for your environment.