
Hi geeks, it4chis3c (Twitter) came up with another bounty-earning write-up in the Bug Bounty Hunting Series:


Advanced Wordlists for Subdomain Bruteforcing

There are multiple high-quality wordlists available for subdomain enumeration. Below are some of the best:

GitHub Repositories

1. SecLists (by Daniel Miessler) URL: https://github.com/danielmiessler/SecLists
  • Discovery/DNS/subdomains-top1million-5000.txt
  • Discovery/DNS/fierce-hostlist.txt
  • Discovery/DNS/dns-Jhaddix.txt

2. Assetnote Wordlists URL: https://wordlists.assetnote.io/
  • Regularly updated with real-world data
  • Includes DNS subdomain lists

3. Project Discovery (Nuclei & Subfinder Lists) URL: https://github.com/projectdiscovery
  • Includes DNS wordlists
  • Compatible with Subfinder, Nuclei, and other tools

4. Commonspeak2 (by Assetnote) URL: https://github.com/assetnote/commonspeak2
  • Machine-learning-based wordlist generation
  • Extracts DNS subdomains dynamically

Performing Advanced Subdomain Bruteforcing

Now, let's dive into practical techniques to enumerate subdomains effectively.

Bruteforce Subdomains Using Multiple Tools

1. MassDNS — Fast DNS Resolution (resolves a list of candidate FQDNs against your resolver list; -o S selects the simple output format)

massdns -r resolvers.txt -t A -o S -w live_subs.txt all_subs.txt

2. Subfinder — Passive + Bruteforce

subfinder -d target.com -b -w ~/SecLists/Discovery/DNS/dns-Jhaddix.txt -o subdomains.txt

Note: the -b and -w bruteforce flags belong to Subfinder v1; v2 removed built-in bruteforcing, so on current releases run Subfinder passively and hand the bruteforce step to puredns (below) or shuffledns.

3. puredns (the first argument is the wordlist, the second the apex domain; resolvers are passed with -r)

puredns bruteforce ~/SecLists/Discovery/DNS/dns-Jhaddix.txt target.com -r resolvers.txt -w resolved.txt

To resolve an already-expanded list of full hostnames instead, use the resolve subcommand: puredns resolve all_subs.txt -r resolvers.txt -w resolved.txt

4. dnsx (re-resolves the list and prints only the answer records)

dnsx -l resolved.txt -silent -resp-only

Enhancing Subdomain Enumeration with Smart Mutations

Using altdns or custom scripts, you can generate new subdomains using patterns like:

  • dev., staging., uat., test.
  • api., payments., vault., sso.

altdns -i subdomains.txt -o mutated_subs.txt -w ~/altdns-words.txt

Example Output:

dev.api.target.com
staging.dashboard.target.com
test.internal.target.com

Now, pass the new list through MassDNS, Subfinder, or puredns to check for valid subdomains.

Pro Tips for Maximum Results

Use Fresh Resolvers: populate resolvers.txt with trusted public resolvers (Cloudflare, Google, Quad9, OpenDNS) and re-validate the list before each run; stale or misbehaving resolvers are the usual source of false positives and missed records.

Combine Passive + Active: always run passive sources first, then bruteforce to fill the gaps they leave.

Monitor for Dynamic Updates: keep your wordlists current by scripting a periodic pull of the GitHub repositories listed above.

Extract Subdomains from Public JS Files:

This step is just a glance; I'll discuss it in detail in the upcoming Recon Series.

grep -Eo "[a-zA-Z0-9.-]+\.target\.com" target.js | sort -u
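The script below is an added example, not code from the original post or from any of the tools it names. It ties the two steps above together: it generates altdns-style mutations (the dev./staging./api. patterns) from a seed list and pulls hostnames out of a JS file with the grep shown, tightened with a right-hand boundary so a lookalike host that merely contains target.com is rejected. It assumes target.com as the apex domain; the seed list and JS fragment are constructed inline so it runs offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: build one candidate list from
# (a) altdns-style mutations of known subdomains and (b) hostnames leaked in
# a JS bundle, ready to pipe into massdns/puredns. All inputs are constructed.
set -eu; export LC_ALL=C   # strict mode, byte-order sort

APEX="target.com"   # assumed apex; "target.com" is the post's placeholder domain

# Constructed seed list standing in for subfinder output.
SEEDS="api.target.com
dashboard.target.com
internal.target.com"

# Prefixes taken from the post's mutation patterns.
PREFIXES="dev staging uat test api payments vault sso"

# mutate_subs: for each seed on stdin emit prefix.host, prefix-label.rest and
# label-prefix.rest (the usual altdns permutations), deduplicated.
mutate_subs() {
  while IFS= read -r host; do
    [ -n "$host" ] || continue
    label="${host%%.*}"   # left-most label, e.g. "api"
    rest="${host#*.}"     # remainder, e.g. "target.com"
    for p in $PREFIXES; do
      printf '%s\n' "$p.$host" "$p-$label.$rest" "$label-$p.$rest"
    done
  done | sort -u
}

# Constructed JS fragment: two app hosts, one CDN host and one lookalike that
# merely contains "target.com" and must not be accepted.
JS_SAMPLE='var cfg={api:"https://api.target.com/v2",cdn:"//static-assets.target.com/x.js",
bad:"https://evil.target.com.attacker.example/"};fetch("https://sso.target.com/login");'

# extract_js_hosts: the post's grep with a right-hand boundary added, so the
# match must end exactly at the apex (rejects evil.target.com.attacker.example).
extract_js_hosts() {
  apex_re=$(printf '%s' "$APEX" | sed 's/\./\\./g')
  grep -Eo "[a-zA-Z0-9.-]+\.${apex_re}([^a-zA-Z0-9.-]|$)" \
    | sed -E 's/[^a-zA-Z0-9.-]$//' | sort -u
}

# build_candidates: merged, deduplicated list for the resolver stage.
build_candidates() {
  { printf '%s\n' "$SEEDS" | mutate_subs
    printf '%s\n' "$JS_SAMPLE" | extract_js_hosts; } | sort -u
}

build_candidates   # e.g. build_candidates > all_subs.txt, then the massdns line above
```

The 71 mutations plus the 3 hostnames recovered from the JS give 74 candidates; the lookalike host never appears in the output.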