Unearthing Hidden Assets: The Power of Active DNS Brute Forcing in Subdomain Discovery
Hello everyone, this is my second write-up. I want to keep it small and simple. As we all know, while doing recon, there are two popular ways to find subdomains: passive and active. Passive enumeration means we collect subdomains that have already been recorded elsewhere, from sources like crt.sh or through tools like Subfinder or Amass. Active DNS brute forcing means we guess candidate subdomain names from a wordlist and resolve each one against DNS, keeping the names that actually exist, in order to find more subdomains.
My take on doing Active DNS Brute Forcing as a BB hunter
See, this is my personal take on this. Feel free to comment if you have other ideas or disagree with what I say. Over time, I’ve seen that many top bug bounty hunters have automation set up to constantly look for any changes in the production side, whether it be making a subdomain active for some time, a change in a feature, or an update in a JavaScript file. Hunting on an asset that is completely new can give you an edge.
However, you have to keep in mind that active DNS brute forcing is resource-intensive: every wordlist entry becomes a DNS query. If you plan to run it from your home connection, make sure you have a good internet plan, or the flood of queries might crash your router. A VPS is highly preferred.
I was once looking at a heavily tested target, so I started my recon process and began to enumerate subdomains. I usually don’t do active DNS brute forcing much, but this time I decided to try it. During my search for unique results, I found a unique subdomain. This led me to a subdomain where Laravel Debug Mode was enabled, leaking some environment variables containing very sensitive information. I reported it and got a bounty. It was in an out-of-scope asset, but the company awarded me a bonus since the severity was good.
What tool or command did I use?
I used puredns by d3mondev; make sure to give him a follow: https://x.com/d3mondev?lang=en
Command Used
puredns bruteforce 2m-subdomains.txt --resolvers resolvers.txt x.com --trusted-only --rate-limit-trusted 100
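The mechanics behind the passive/active distinction at the top and behind the command above, as an added example that is not part of the original write-up and not puredns's code: a small Python brute forcer that resolves each wordlist entry under the target domain, probes for a wildcard record first so that zones where "everything resolves" do not produce thousands of false positives, and caps the query rate (the problem the --rate-limit-trusted flag addresses). The resolver is injected: demo_resolve, the example.test zone and the 203.0.113.x addresses are constructed so the script runs offline, and system_resolve is a hypothetical helper that uses the OS resolver for a real run against a domain you operate.

```python
# Wordlist-driven DNS brute forcing with wildcard filtering and a rate cap.
# Added example, not code from the original post or from puredns. The resolver
# is injected so this runs offline against the constructed zone below; pass
# system_resolve for a real run against a domain you operate.
import random
import socket
import string
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, FrozenSet, Iterable

Resolver = Callable[[str], FrozenSet[str]]

def system_resolve(name: str) -> FrozenSet[str]:
    """Resolve with the OS resolver; an empty set means NXDOMAIN or no answer."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return frozenset()
    return frozenset(info[4][0] for info in infos)

def wildcard_answers(domain: str, resolve: Resolver, probes: int = 3) -> FrozenSet[str]:
    """Detect a *.domain record by resolving random labels that cannot exist.
    A non-empty result means every name "resolves"; a candidate is only a real
    find if its answer is not explained by this set (the kind of check a
    wildcard filter such as the one in puredns performs)."""
    seen = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=12))
        seen |= resolve(f"{label}.{domain}")
    return frozenset(seen)

class RateLimiter:
    """Cap resolver calls at per_second so a resolver or home router is not flooded."""
    def __init__(self, per_second: float) -> None:
        self.interval = 1.0 / per_second
        self.next_allowed = time.monotonic()
        self._lock = threading.Lock()

    def wait(self) -> None:
        with self._lock:
            now = time.monotonic()
            delay = self.next_allowed - now
            self.next_allowed = max(now, self.next_allowed) + self.interval
        if delay > 0:
            time.sleep(delay)

def brute_force(domain: str, words: Iterable[str], resolve: Resolver,
                per_second: float = 50.0, workers: int = 8) -> Dict[str, FrozenSet[str]]:
    """Resolve word.domain for every wordlist entry; return the names that exist."""
    wildcard = wildcard_answers(domain, resolve)
    limiter = RateLimiter(per_second)
    # normalise and de-duplicate the wordlist while keeping its order
    candidates = list(dict.fromkeys(w.strip().lower() for w in words if w.strip()))

    def probe(word: str):
        limiter.wait()
        name = f"{word}.{domain}"
        answers = resolve(name)
        # drop NXDOMAIN and answers explained by the wildcard; a real host that
        # shares the wildcard's address is indistinguishable and is dropped too
        if not answers or answers <= wildcard:
            return None
        return name, answers

    with ThreadPoolExecutor(max_workers=workers) as pool:
        hits = [hit for hit in pool.map(probe, candidates) if hit]
    return dict(sorted(hits))

def fake_resolver(zone: Dict[str, FrozenSet[str]], wildcards: Dict[str, FrozenSet[str]]) -> Resolver:
    """Constructed in-memory DNS: exact names first, then *.suffix wildcards."""
    def resolve(name: str) -> FrozenSet[str]:
        if name in zone:
            return zone[name]
        for suffix, addrs in wildcards.items():
            if name.endswith("." + suffix):
                return addrs
        return frozenset()
    return resolve

# Constructed sample zone (documentation addresses, reserved .test TLD).
DEMO_ZONE = {
    "www.example.test": frozenset({"203.0.113.10"}),
    "api.example.test": frozenset({"203.0.113.11"}),
    "dev.example.test": frozenset({"203.0.113.12"}),
    "real.wild.example.test": frozenset({"203.0.113.50"}),
}
DEMO_WILDCARDS = {"wild.example.test": frozenset({"203.0.113.99"})}
demo_resolve = fake_resolver(DEMO_ZONE, DEMO_WILDCARDS)

if __name__ == "__main__":
    words = ["www", "api", "mail", "dev", "admin", "real"]
    print(brute_force("example.test", words, demo_resolve, per_second=1000))
    print(brute_force("wild.example.test", words, demo_resolve, per_second=1000))
```

Running the script shows the two cases that matter in practice: under example.test only the three names that really exist come back, and under wild.example.test, where a wildcard answers every query, only real.wild.example.test survives because its address differs from the wildcard's. The per_second cap is the same idea as the rate limit in the puredns command; for a wordlist of millions of entries the total run time is roughly entries divided by that cap, which is why the write-up recommends a VPS.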
Thank you for reading :)
Follow me on X : https://x.com/bunny_0417
Follow me on LinkedIn: https://www.linkedin.com/in/bunny0417/