Brute-force

Where the dnsenum command really shines is brute-forcing, which it can also do recursively. In recursive mode, once it identifies subdomain.domain.com, it starts brute-forcing subdomain.subdomain.domain.com with the same list. This can take a while even though the script is multithreaded.

In the next example, we will use the dnsenum command to brute-force subdomains, but first, we need a list of subdomains for dnsenum to use. There is a very interesting project called dnspop that identifies top subdomains.

The project can be found here at https://github.com/bitquark/dnspop. We do not need to download and install the Python script, as the results are also published at https://github.com/bitquark/dnspop/tree/master/results. I have downloaded the list with the top 1,000 most popular subdomains and placed it in the /usr/share/wordlists/subdomains/ directory.

I created the subdomains directory myself and saved the list in it under the name subdomains_popular_1000.

Now we have a list of names dnsenum can use to brute-force with. The command to brute-force subdomains uses the file (-f) flag followed by the file path/name and, if you want, the recursive (-r) flag to enumerate the subdomains recursively. The command looks like this:

dnsenum -f /usr/share/wordlists/subdomains/subdomains_popular_1000 -r google.com

The command does the following:

  1. First, dnsenum performs the default lookups.
  2. Next, dnsenum begins brute-forcing subdomains from the wordlist.
  3. Once it has completed brute-forcing the subdomains, it begins brute-forcing recursively under each subdomain it found.
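To show what steps 2 and 3 actually do, here is an added example in Python that is not part of the book and not dnsenum's own code. It implements the wordlist brute-force and the recursive pass (each hit becomes a new base domain once the current level is finished) on top of a pluggable resolver. The SAMPLE_ZONE, WORDLIST, and the two fake resolvers are constructed so the script runs offline; system_resolver uses the OS resolver for live use. It also adds a wildcard check that the text above does not mention: without it, a zone that answers every name would make every word a hit and the recursion would never finish.

```python
"""Recursive subdomain brute-force in the style of `dnsenum -f <wordlist> -r`.

Added example, not dnsenum's code.  The zone data and fake resolvers below
are constructed for illustration; system_resolver needs a working network.
"""
import random
import socket
import string
from typing import Callable, Dict, List, Set

# A resolver maps a hostname to the addresses it resolves to ([] if none).
Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Resolve through the OS resolver; returns [] on NXDOMAIN or error."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def wildcard_ips(domain: str, resolve: Resolver, probes: int = 2) -> Set[str]:
    """Resolve random labels under `domain`; any answer means wildcard DNS."""
    hits: Set[str] = set()
    alphabet = string.ascii_lowercase + string.digits
    for _ in range(probes):
        label = "".join(random.choices(alphabet, k=24))  # not in any wordlist
        hits.update(resolve(f"{label}.{domain}"))
    return hits


def brute_force(domain: str, wordlist: List[str], resolve: Resolver,
                recursive: bool = False, max_depth: int = 3) -> Dict[str, List[str]]:
    """Return {hostname: [addresses]} for every wordlist entry under `domain`.

    With recursive=True, each hit becomes a new base domain after the current
    level is finished, mirroring `dnsenum -r`.  max_depth bounds how many
    label levels are added below `domain`.
    """
    found: Dict[str, List[str]] = {}
    wild = wildcard_ips(domain, resolve)
    level_hits: List[str] = []
    for word in wordlist:
        name = f"{word}.{domain}"
        ips = resolve(name)
        if not ips:
            continue
        # An answer carrying only the wildcard address is not a real host.
        if wild and set(ips) <= wild:
            continue
        found[name] = ips
        level_hits.append(name)
    if recursive and max_depth > 1:
        for sub in level_hits:
            found.update(brute_force(sub, wordlist, resolve, True, max_depth - 1))
    return found


# Constructed sample zone standing in for real DNS answers (TEST-NET addresses).
SAMPLE_ZONE: Dict[str, List[str]] = {
    "www.example.com": ["192.0.2.10"],
    "mail.example.com": ["192.0.2.20"],
    "dev.example.com": ["192.0.2.30"],
    "www.dev.example.com": ["192.0.2.31"],
    "api.dev.example.com": ["192.0.2.32"],
}


def zone_resolver(name: str) -> List[str]:
    """Fake resolver answering only from SAMPLE_ZONE."""
    return list(SAMPLE_ZONE.get(name, []))


def wildcard_zone_resolver(name: str) -> List[str]:
    """Constructed zone where *.wild.example answers with one catch-all IP."""
    if name == "real.wild.example":
        return ["198.51.100.7"]
    if name.endswith(".wild.example"):
        return ["203.0.113.1"]
    return []


WORDLIST = ["www", "mail", "dev", "api", "ftp"]  # constructed stand-in for the 1,000 list

if __name__ == "__main__":
    import sys
    # Live use: python brute.py <domain> <wordlist-file>; otherwise run offline.
    if len(sys.argv) == 3:
        with open(sys.argv[2]) as fh:
            words = [w.strip() for w in fh if w.strip()]
        hits = brute_force(sys.argv[1], words, system_resolver, recursive=True)
    else:
        hits = brute_force("example.com", WORDLIST, zone_resolver, recursive=True)
    for host, ips in sorted(hits.items()):
        print(host, ", ".join(ips))
```

The wildcard filter is a heuristic: a genuine host that happens to share the catch-all address is dropped along with the wildcard noise, so on a wildcard zone it is worth checking the survivors by hand. The recursion is also where run time explodes, since every hit costs another full pass over the wordlist; max_depth keeps that bounded.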