Category

Attack Surface Management

Inputs

hostnames (file, required): List of hostnames

Outputs

hostnames, hostname-details

Enumerate Hostnames via Permutation DNS Brute Force

Description

Enumerate hostnames by checking for permutations of known hostnames. This module finds different environments, regions, and associated software. It has an effective built-in wordlist but you can also use a custom wordlist tailored to your organization’s naming conventions.

Features

  • Discovers different environments, regions, and associated software based on the input hostnames.
  • Built-in wordlists with the option to use custom ones tailored to your target.
  • A daily validated list of resolvers to ensure accuracy.
  • Result verification using manually curated trusted resolvers.
  • A wildcard filter takes care of false positives.
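
The sketch below is an added example, not the module's own code. It shows how permutation candidates and a wildcard filter fit together, using the sample hostnames this page lists under Inputs and Outputs. The wordlist, the three permutation shapes (inferred from the sample output), the zone data and the `fake_resolve` helper are all constructed assumptions so that it runs offline.

```python
import secrets

# Constructed wordlist and zone data; the module's own wordlist and
# permutation rules are not published on this page.
WORDS = ["dev", "log", "us-east-1"]
ZONE = {
    "dev-dashboard.example.com": {"192.0.2.10"},
    "shop.us-east-1.example.com": {"192.0.2.12"},
    "payments-log.example.com": {"192.0.2.11"},
    "*.dev.example.com": {"192.0.2.99"},  # wildcard: source of false positives
}

def fake_resolve(name):
    """Offline stand-in for a DNS A lookup against ZONE (hypothetical helper)."""
    if name in ZONE:
        return ZONE[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        answers = ZONE.get("*." + ".".join(labels[i:]))
        if answers:
            return answers
    return set()

def permutations(hostname, domain, words=WORDS):
    """Candidates in the three shapes seen in the page's sample output."""
    sub = hostname[: -len(domain) - 1]  # "shop" from "shop.example.com"
    shapes = ("{w}-{s}.{d}", "{s}-{w}.{d}", "{s}.{w}.{d}")
    return sorted({p.format(w=w, s=sub, d=domain) for w in words for p in shapes})

def wildcard_answers(parent, resolve, probes=3):
    """Answers for random labels under parent; non-empty means a wildcard."""
    seen = set()
    for _ in range(probes):
        seen |= resolve(f"{secrets.token_hex(8)}.{parent}")
    return seen

def enumerate_hosts(hostnames, domain, resolve):
    found, wild = [], {}
    for host in hostnames:
        for cand in permutations(host, domain):
            answers = resolve(cand)
            parent = cand.split(".", 1)[1]
            if answers and parent not in wild:
                wild[parent] = wildcard_answers(parent, resolve)
            # Keep a hit only if it returns something the wildcard does not.
            if answers and not answers <= wild[parent]:
                found.append(cand)
    return found

if __name__ == "__main__":
    print(enumerate_hosts(["dashboard.example.com", "shop.example.com",
                           "payments.example.com"], "example.com", fake_resolve))
```

In this sketch a real host that answers with exactly the same addresses as its parent's wildcard is also dropped, which is the usual trade-off of answer-based wildcard filtering.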

Inputs

Required

  • hostnames: a list of hostnames
    dashboard.example.com
    shop.example.com
    payments.example.com

Outputs

  • subdomains: a list of found subdomains
    dev-dashboard.example.com
    shop.us-east-1.example.com
    payments-log.example.com
  • subdomain-details: JSONLines records of subdomain discovery details.
    {"hostname": "dev-dashboard.example.com", "domain_name": "example.com", "data_source": "dns brute force", "context": "permutation brute force"}
    {"hostname": "shop.us-east-1.example.com", "domain_name": "example.com", "data_source": "dns brute force", "context": "permutation brute force"}
    {"hostname": "payments-log.example.com", "domain_name": "example.com", "data_source": "dns brute force", "context": "permutation brute force"}

Changelog

  • v1.0.0
    • Initial release
  • v1.0.1
    • Improve coverage by increasing the number of tested permutations
  • v1.0.2
    • Improve wildcard filtering