Monday, December 26, 2016

subdomain discovery with nmap and custom subdomain files


how to discover (brute-force) subdomains of a domain with nmap's dns-brute script and custom subdomain word lists.


nmap's dns-brute script only knows 127 common subdomains, so i use it with these custom subdomain files: the most common 1,000, 10,000, 100,000 and 1,000,000 subdomains.

sometimes in bug bounties some domains are excluded, but the wildcard *. is included. i use this to discover domains which are in scope, but which the bounty owner did not realize are in scope :)


nmap --script dns-brute --script-args dns-brute.domain=amazon.com,dns-brute.threads=6,dns-brute.hostlist=./sub1000.lst

nmap --script dns-brute --script-args dns-brute.domain=amazon.com,dns-brute.threads=6,dns-brute.hostlist=./sub10000.lst

nmap --script dns-brute --script-args dns-brute.domain=amazon.com,dns-brute.threads=6,dns-brute.hostlist=./sub100000.lst

nmap --script dns-brute --script-args dns-brute.domain=amazon.com,dns-brute.threads=6,dns-brute.hostlist=./sub1000000.lst
nmap --script dns-brute --script-args dns-brute.domain=amazon.com,dns-brute.threads=6,dns-brute.hostlist=./sub1000000.txt
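as an added example (not code from this post or from nmap), here is the same procedure the dns-brute commands above perform, written out in python: merge and normalize the word lists, prepend each label to the domain, resolve with a small thread pool (the equivalent of dns-brute.threads=6), and first probe for a wildcard DNS record, a caveat worth checking before trusting any brute-force output, because with a wildcard every candidate name "resolves". the resolver is a callback so the code runs offline; the zone tables, word lists and 203.0.113.x addresses are constructed, and `system_resolver` (socket.gethostbyname) is the one to pass in for a real run.

```python
"""Subdomain brute force in the style of nmap's dns-brute, plus wildcard detection.

Added example: not code from the original post or from nmap. Resolution goes
through a callback so the logic runs offline against a constructed zone;
`system_resolver` is the socket-based resolver to pass in for a real run.
"""
import secrets
import socket
import string
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# Resolver contract: hostname -> IPv4 string, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]


def system_resolver(host: str) -> Optional[str]:
    """Live resolver (not exercised offline): NXDOMAIN/lookup failure becomes None."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def make_zone_resolver(zone: Dict[str, str], wildcard_ip: Optional[str] = None,
                       domain: str = "") -> Resolver:
    """Resolver over a constructed zone table; if wildcard_ip is set, any unknown
    name under `domain` resolves to it, mimicking a '*.domain' A record."""
    def resolve(host: str) -> Optional[str]:
        if host in zone:
            return zone[host]
        if wildcard_ip and domain and host.endswith("." + domain):
            return wildcard_ip
        return None
    return resolve


def load_wordlist(*lists: Iterable[str]) -> List[str]:
    """Merge several host lists (e.g. sub1000 + sub10000): lower-case, strip
    trailing dots/whitespace, skip blanks and '#' comments, dedupe keeping order.
    Larger lists usually contain the smaller ones, so merging avoids resolving
    the same label again in each successive run."""
    seen: Set[str] = set()
    labels: List[str] = []
    for lst in lists:
        for raw in lst:
            label = raw.strip().lower().rstrip(".")
            if not label or label.startswith("#") or label in seen:
                continue
            seen.add(label)
            labels.append(label)
    return labels


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve random labels that should not exist. Any answer means the zone has
    a wildcard record, and every brute-forced name would otherwise look 'found'."""
    ips: Set[str] = set()
    for _ in range(probes):
        label = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        ip = resolve(f"{label}.{domain}")
        if ip is not None:
            ips.add(ip)
    return ips


def brute_force(domain: str, labels: Iterable[str], resolve: Resolver,
                threads: int = 6) -> Tuple[List[Tuple[str, str]], Set[str]]:
    """Try label.domain for every label; drop answers matching the wildcard IPs.
    Returns (hits, wildcard_ips). Limitation: a real host that shares the
    wildcard IP is dropped too, so report wildcard_ips next to the hits."""
    wildcard_ips = detect_wildcard(domain, resolve)

    def probe(label: str) -> Optional[Tuple[str, str]]:
        host = f"{label}.{domain}"
        ip = resolve(host)
        if ip is None or ip in wildcard_ips:
            return None
        return (host, ip)

    with ThreadPoolExecutor(max_workers=threads) as pool:  # like dns-brute.threads
        hits = [hit for hit in pool.map(probe, labels) if hit is not None]
    return hits, wildcard_ips


# Constructed sample zones (203.0.113.0/24 is the documentation range, not real hosts).
PLAIN_ZONE = {
    "www.example.test": "203.0.113.10",
    "mail.example.test": "203.0.113.20",
    "dev.example.test": "203.0.113.30",
}
WILDCARD_ZONE = {"www.wild.test": "203.0.113.11"}  # plus *.wild.test -> WILDCARD_IP
WILDCARD_IP = "203.0.113.99"

# Constructed word lists standing in for sub1000.lst and sub10000.lst.
SUB_SMALL = ["www", "mail", "ftp", "", "# comment", "WWW", "Mail."]
SUB_LARGE = ["www", "dev", "api"]


def demo() -> Tuple[List[Tuple[str, str]], Set[str], List[Tuple[str, str]], Set[str]]:
    labels = load_wordlist(SUB_SMALL, SUB_LARGE)  # -> www mail ftp dev api
    plain = brute_force("example.test", labels, make_zone_resolver(PLAIN_ZONE))
    wild = brute_force("wild.test", labels,
                       make_zone_resolver(WILDCARD_ZONE, WILDCARD_IP, "wild.test"))
    return plain[0], plain[1], wild[0], wild[1]


if __name__ == "__main__":
    plain_hits, plain_wc, wild_hits, wild_wc = demo()
    for host, ip in plain_hits:
        print(f"{host} - {ip}")
    print("wildcard IPs on wild.test:", wild_wc, "remaining hits:", wild_hits)
```

against the plain zone the three real names come back; against the wildcard zone the random probes all answer 203.0.113.99, so only www.wild.test survives the filter. the same check is cheap to run by hand before a large list: resolve a nonsense label under the target domain, and if it answers, treat every "found" name with that IP as noise.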


source of the subdomain files

nmap dns-brute documentation