Subdomain brute forcing using negative matching with grep

While doing some subdomain brute forcing/enumeration on a target today, the target domain in question had wildcard DNS resolution enabled. So, when a query was made to determine if the subdomain example.domain.com was in existence, the response provided was "yes". This is not ideal: with a wildcard record, the resolver answers every name under the domain with the same address, so the brute-force tool reports every entry in the wordlist as a hit whether or not that subdomain actually exists. Our goal with DNS subdomain enumeration is to identify potential entry points into a network and then identify running services that might be exploitable, so the wildcard answers are noise that hides the real hosts.

To work around the issue with DNS wildcard resolution, consider using negative matching with grep in order to filter out all of the wildcard resolution responses, which are basically junk to us. First find the wildcard address by resolving a random label that cannot exist (for example a long random string under domain.com); whatever IP comes back is the one to exclude. The following command provides an example of subdomain enumeration combined with negative matching with grep, where 12.34.56.78 stands in for that wildcard address. Two caveats: grep treats the pattern as a regular expression and matches substrings, so an unescaped address such as 12.34.56.7 also drops lines containing 12.34.56.78 (use grep -vwF, or anchor the pattern), and any real host that happens to sit on the wildcard IP is discarded along with the noise.

dnsrecon -d domain.com -D /wordlists/deepmagic.com_top50kprefixes.txt -t brt -f -n 8.8.8.8 --iw | grep -v 12.34.56.78
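The pipeline above works, but a bare `grep -v 12.34.56.78` matches substrings of a regex rather than the exact address. The script below is an added example (not from the original post, and not part of dnsrecon) that does the same negative match as an exact comparison on the last field of each result line, and shows how to generate the random probe label used to discover the wildcard address. The result lines and the wildcard address are constructed sample data; the "type name address" line layout is an assumption rather than dnsrecon's exact output format, although the exact-field comparison also works on dnsrecon's brute-force lines because the address is the last field there too.

```shell
#!/bin/sh
# Added example: exact-match filtering of wildcard DNS answers.
# Not the original post's command and not part of dnsrecon.

# Sample brute-force results, constructed for this example.
# Layout "<type> <name> <address>" is an assumption about the tool output.
SAMPLE_RESULTS='A www.domain.com 203.0.113.10
A mail.domain.com 198.51.100.5
A zzqxvjqpl.domain.com 203.0.113.7
A dev.domain.com 203.0.113.7
A vpn.domain.com 203.0.113.77
A api.domain.com 203.0.113.7
CNAME cdn.domain.com cdn.example.net'

# Wildcard address(es), whitespace separated. Constructed here; in real use
# they come from resolving random_label output against the same resolver.
WILDCARD_IPS='203.0.113.7'

# random_label: a 16-hex-character label that will not exist in any zone,
# so "$(random_label).domain.com" resolving at all proves a wildcard record.
random_label() {
    head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# filter_wildcard WILDCARD_IPS: read result lines on stdin and drop any line
# whose last field is exactly one of the wildcard addresses. Exact comparison
# avoids the two grep pitfalls: an unescaped "." matches any character, and
# an unanchored "203.0.113.7" also removes the real host on 203.0.113.77.
filter_wildcard() {
    awk -v ips="$1" '
        BEGIN {
            n = split(ips, a, " ")          # " " splits on runs of whitespace
            for (i = 1; i <= n; i++) wild[a[i]] = 1
        }
        !($NF in wild)                       # print only non-wildcard lines
    '
}

# naive_filter WILDCARD_IPS: the substring/regex match from the original
# command, kept for comparison so the difference is visible.
naive_filter() {
    grep -v "$1"
}

# count_lines: number of lines on stdin, without wc's platform padding.
count_lines() {
    awk 'END { print NR }'
}

# Real-world use (needs network, so not run here):
#   dig +short "$(random_label).domain.com" @8.8.8.8 | tr '\n' ' ' > wild.txt
#   dnsrecon -d domain.com -D wordlist.txt -t brt -n 8.8.8.8 --iw \
#       | filter_wildcard "$(cat wild.txt)"
if [ "${1:-}" = "demo" ]; then
    echo "probe label: $(random_label).domain.com"
    echo "exact filter keeps:"
    printf '%s\n' "$SAMPLE_RESULTS" | filter_wildcard "$WILDCARD_IPS"
    echo "naive grep -v keeps:"
    printf '%s\n' "$SAMPLE_RESULTS" | naive_filter "$WILDCARD_IPS"
fi
```

Run it with `sh filter.sh demo`: the exact filter keeps www, mail, vpn and cdn (four lines), while the naive `grep -v 203.0.113.7` also throws away vpn.domain.com on 203.0.113.77, which is exactly the kind of host you are brute forcing to find. If a wildcard returns several addresses, list them all in the argument; a random label that resolves to a CNAME should be followed to its final address before it goes on the list.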
