Convert Figma logo to code with AI

infosec-au logoaltdns

Generates permutations, alterations and mutations of subdomains and then resolves them

2,314
447
2,314
18

Top Related Projects

57,590

SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.

Fast subdomains enumeration tool for penetration testers

10,098

Fast passive subdomain enumeration tool.

11,936

In-depth attack surface mapping and asset discovery

3,103

A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)

Find domains and subdomains related to a given domain

Quick Overview

AltDNS is a subdomain discovery tool that generates permutations, alterations, and mutations of subdomains and then resolves them. It's designed to assist security researchers and penetration testers in finding hidden or non-obvious subdomains that might be vulnerable to attacks.

Pros

  • Generates a wide variety of subdomain permutations, increasing the chances of discovering hidden subdomains
  • Supports input from multiple sources, including files and stdin
  • Can be easily integrated into existing security workflows and automation scripts
  • Offers customizable word lists for permutations

Cons

  • May generate a large number of false positives, requiring manual verification
  • Can be resource-intensive for large-scale scans or when using extensive word lists
  • Lacks advanced filtering options to reduce noise in results
  • Might be considered aggressive and potentially trigger security alerts on target systems

Code Examples

  1. Basic usage:
from altdns import AltDNS

altdns = AltDNS()
results = altdns.run(["example.com"], ["word1", "word2"], 10)
for subdomain in results:
    print(subdomain)
  1. Using custom word list file:
from altdns import AltDNS

altdns = AltDNS()
with open("custom_wordlist.txt", "r") as f:
    words = f.read().splitlines()

results = altdns.run(["example.com"], words, 10)
for subdomain in results:
    print(subdomain)
  1. Resolving discovered subdomains:
from altdns import AltDNS
import dns.resolver

altdns = AltDNS()
results = altdns.run(["example.com"], ["word1", "word2"], 10)

resolver = dns.resolver.Resolver()
for subdomain in results:
    try:
        answers = resolver.resolve(subdomain, "A")
        for rdata in answers:
            print(f"{subdomain}: {rdata.address}")
    except dns.resolver.NXDOMAIN:
        pass

Getting Started

To get started with AltDNS, follow these steps:

  1. Install AltDNS:

    pip install py-altdns
    
  2. Create a Python script (e.g., subdomain_discovery.py):

    from altdns import AltDNS
    
    altdns = AltDNS()
    domains = ["example.com"]
    wordlist = ["dev", "test", "staging", "prod"]
    results = altdns.run(domains, wordlist, 10)
    
    for subdomain in results:
        print(subdomain)
    
  3. Run the script:

    python subdomain_discovery.py
    

This will perform a basic subdomain discovery for "example.com" using the provided word list.

Competitor Comparisons

57,590

SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.

Pros of SecLists

  • Comprehensive collection of multiple types of lists for various security testing scenarios
  • Regularly updated with community contributions
  • Well-organized directory structure for easy navigation

Cons of SecLists

  • Large repository size may be overwhelming for specific use cases
  • Requires manual filtering to find relevant lists for subdomain enumeration
  • Not specifically optimized for DNS-based operations

Code Comparison

SecLists (example of a wordlist entry):

admin
administrator
webadmin
sysadmin

altdns (example of permutation generation):

for word in words:
    for perm in permutations:
        yield apply_permutation(word, perm)

Summary

SecLists is a comprehensive security testing resource with a wide range of wordlists, while altdns focuses specifically on subdomain permutation and generation. SecLists offers broader applicability but may require more manual filtering, whereas altdns provides a more targeted approach to DNS enumeration with built-in permutation capabilities.

Fast subdomains enumeration tool for penetration testers

Pros of Sublist3r

  • Supports multiple search engines and APIs for subdomain enumeration
  • Includes a built-in DNS resolver for validating discovered subdomains
  • Offers threading for faster subdomain discovery

Cons of Sublist3r

  • Limited to subdomain discovery without permutation capabilities
  • May miss some subdomains that require more advanced techniques
  • Less customizable compared to Altdns

Code Comparison

Sublist3r (Python):

def main(domain, threads, savefile, ports, silent, verbose, enable_bruteforce, engines):
    bruteforce_list = []
    subdomains = []
    search_list = []

Altdns (Python):

def generate_altered_domains(domain):
    with open(args.input, "r") as fp:
        for line in fp:
            subdomain = line.strip()

Both tools are written in Python, but they serve different purposes. Sublist3r focuses on subdomain enumeration using various sources, while Altdns specializes in generating permutations of existing subdomains. Sublist3r's code snippet shows its main function with multiple parameters for customization, whereas Altdns' code demonstrates its core functionality of generating altered domain names.

10,098

Fast passive subdomain enumeration tool.

Pros of Subfinder

  • Actively maintained with regular updates and improvements
  • Supports multiple data sources for subdomain enumeration
  • Offers concurrent execution for faster results

Cons of Subfinder

  • Focuses solely on subdomain enumeration, lacking DNS alteration capabilities
  • May require additional configuration for optimal results

Code Comparison

AltDNS (Python):

def insert_all_indexes(domain):
    words = domain.split('.')
    for word in words[:-1]:
        for i in range(1, len(word)):
            yield domain[:domain.index(word) + i] + '.' + domain[domain.index(word) + i:]

Subfinder (Go):

func (s *Source) Run(ctx context.Context, domain string, session *subscraping.Session) <-chan subscraping.Result {
    results := make(chan subscraping.Result)
    go func() {
        defer close(results)
        // Implementation details
    }()
    return results
}

AltDNS focuses on DNS alteration techniques, generating permutations of existing subdomains. It's written in Python and provides a simple approach to discovering new subdomains through manipulation.

Subfinder, on the other hand, is a more comprehensive subdomain enumeration tool written in Go. It leverages multiple data sources and offers concurrent execution for efficient subdomain discovery. While it doesn't perform DNS alterations like AltDNS, it provides a broader range of subdomain enumeration capabilities.

Both tools serve different purposes in the subdomain discovery process and can be complementary when used together in a comprehensive reconnaissance workflow.

11,936

In-depth attack surface mapping and asset discovery

Pros of Amass

  • More comprehensive subdomain enumeration, including active and passive techniques
  • Supports multiple data sources and APIs for gathering information
  • Offers advanced features like DNS zone transfers and certificate transparency logs

Cons of Amass

  • Steeper learning curve due to more complex configuration options
  • May be overkill for simple subdomain enumeration tasks
  • Requires more system resources and time to run compared to AltDNS

Code Comparison

AltDNS:

def insert_all_indexes(domain):
    words = domain.split('.')
    for word in words[:-1]:
        for index, char in enumerate(word):
            yield domain[:domain.index(word) + index] + '-' + domain[domain.index(word) + index:]

Amass:

func (e *Enumeration) submitKnownNames() {
    for _, src := range e.Sys.DataSources() {
        for _, name := range src.GetAllSourceNames() {
            e.Bus.Publish(requests.NewNameTopic, &requests.DNSRequest{
                Name:   name,
                Domain: e.Config.Domain(),
                Tag:    src.String(),
                Source: src.String(),
            })
        }
    }
}

The code snippets show that AltDNS focuses on permutation-based subdomain generation, while Amass handles more complex enumeration tasks and data source management.

3,103

A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)

Pros of massdns

  • Significantly faster DNS resolution due to its C implementation
  • Supports multiple DNS record types (A, AAAA, ANY, etc.)
  • Can handle large-scale DNS enumeration tasks efficiently

Cons of massdns

  • Requires more setup and configuration compared to altdns
  • Less focused on subdomain permutation and alteration
  • May require additional post-processing for specific use cases

Code comparison

massdns:

int main(int argc, char **argv) {
    // Initialize massdns
    // Parse command-line arguments
    // Perform DNS resolution
    // Output results
}

altdns:

def main():
    # Parse command-line arguments
    # Generate altered subdomains
    # Resolve subdomains
    # Output results

Key differences

  • massdns is written in C, while altdns is written in Python
  • massdns focuses on high-speed DNS resolution, while altdns specializes in subdomain permutation
  • massdns offers more flexibility in DNS record types, but altdns provides built-in subdomain alteration techniques

Use cases

massdns is ideal for:

  • Large-scale DNS enumeration projects
  • Performance-critical DNS resolution tasks

altdns is better suited for:

  • Targeted subdomain discovery
  • Penetration testing and bug bounty hunting

Both tools can be complementary in a comprehensive subdomain enumeration workflow.

Find domains and subdomains related to a given domain

Pros of assetfinder

  • Written in Go, offering faster execution and easier cross-platform compatibility
  • Utilizes multiple data sources for subdomain discovery, including web archives and certificate transparency logs
  • Lightweight and easy to integrate into existing workflows or scripts

Cons of assetfinder

  • Focuses solely on subdomain enumeration, lacking the permutation capabilities of altdns
  • May require additional tools for comprehensive subdomain analysis and validation
  • Less customizable in terms of output formatting compared to altdns

Code Comparison

altdns:

def generate_altered_domains(domain):
    with open(args.input_file, 'r') as f:
        for line in f:
            parts = line.strip().split('.')
            for i in range(0, len(parts)):
                for word in words:
                    altered = parts[:]
                    altered.insert(i, word)
                    yield '.'.join(altered)

assetfinder:

func enumerate(domain string) chan string {
    out := make(chan string)
    go func() {
        defer close(out)
        for _, source := range sources {
            for result := range source(domain) {
                out <- result
            }
        }
    }()
    return out
}

The code snippets highlight the different approaches: altdns focuses on permutation-based subdomain generation, while assetfinder emphasizes efficient enumeration from multiple sources.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Altdns - Subdomain discovery through alterations and permutations

Altdns is a DNS recon tool that allows for the discovery of subdomains that conform to patterns. Altdns takes in words that could be present in subdomains under a domain (such as test, dev, staging) as well as takes in a list of subdomains that you know of.

From these two lists that are provided as input to altdns, the tool then generates a massive output of "altered" or "mutated" potential subdomains that could be present. It saves this output so that it can then be used by your favourite DNS bruteforcing tool.

Alternatively, the -r flag can be passed to altdns so that once this output is generated, the tool can then resolve these subdomains (multi-threaded) and save the results to a file.

Altdns works best with large datasets. Having an initial dataset of 200 or more subdomains should churn out some valid subdomains via the alterations generated.

Further information on attack methodology and this tool release can be found here: https://docs.google.com/presentation/d/1PCnjzCeklOeGMoWiE2IUzlRGOBxNp8K5hLQuvBNzrFY/

Installation

Python 2:

pip install py-altdns==1.0.0

Python 3:

pip3 install py-altdns==1.0.2

Usage

# altdns -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt

  • subdomains.txt contains the known subdomains for an organization
  • data_output is a file that will contain the massive list of altered and permuted subdomains
  • words.txt is your list of words that you'd like to permute your current subdomains with (i.e. admin, staging, dev, qa) - one word per line
  • the -r command resolves each generated, permuted subdomain
  • the -s command tells altdns where to save the results of the resolved permuted subdomains. results_output.txt will contain the final list of permuted subdomains found that are valid and have a DNS record.
  • the -t command limits how many threads the resolver will use simultaneously
  • -d 1.2.3.4 overrides the system default DNS resolver and will use the specified IP address as the resolving server. Setting this to the authoritative DNS server of the target domain may increase resolution performance

Screenshots

Show some love

If this tool was useful at all to you during DNS recon stages - we'd love to know. Any suggestions or ideas for this tool are welcome - just tweet @infosec_au or @nnwakelam and we'll work on it.