altdns
Generates permutations, alterations and mutations of subdomains and then resolves them
Top Related Projects
SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
Fast subdomains enumeration tool for penetration testers
Fast passive subdomain enumeration tool.
In-depth attack surface mapping and asset discovery
A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)
Find domains and subdomains related to a given domain
Quick Overview
AltDNS is a subdomain discovery tool that generates permutations, alterations, and mutations of subdomains and then resolves them. It's designed to assist security researchers and penetration testers in finding hidden or non-obvious subdomains that might be vulnerable to attacks.
Pros
- Generates a wide variety of subdomain permutations, increasing the chances of discovering hidden subdomains
- Supports input from multiple sources, including files and stdin
- Can be easily integrated into existing security workflows and automation scripts
- Offers customizable word lists for permutations
Cons
- May generate a large number of false positives, requiring manual verification
- Can be resource-intensive for large-scale scans or when using extensive word lists
- Lacks advanced filtering options to reduce noise in results
- Might be considered aggressive and potentially trigger security alerts on target systems
Code Examples
- Basic usage:
from altdns import AltDNS
altdns = AltDNS()
results = altdns.run(["example.com"], ["word1", "word2"], 10)
for subdomain in results:
print(subdomain)
- Using custom word list file:
from altdns import AltDNS
altdns = AltDNS()
with open("custom_wordlist.txt", "r") as f:
words = f.read().splitlines()
results = altdns.run(["example.com"], words, 10)
for subdomain in results:
print(subdomain)
- Resolving discovered subdomains:
from altdns import AltDNS
import dns.resolver
altdns = AltDNS()
results = altdns.run(["example.com"], ["word1", "word2"], 10)
resolver = dns.resolver.Resolver()
for subdomain in results:
try:
answers = resolver.resolve(subdomain, "A")
for rdata in answers:
print(f"{subdomain}: {rdata.address}")
except dns.resolver.NXDOMAIN:
pass
Getting Started
To get started with AltDNS, follow these steps:
-
Install AltDNS:
pip install py-altdns
-
Create a Python script (e.g.,
subdomain_discovery.py
):from altdns import AltDNS altdns = AltDNS() domains = ["example.com"] wordlist = ["dev", "test", "staging", "prod"] results = altdns.run(domains, wordlist, 10) for subdomain in results: print(subdomain)
-
Run the script:
python subdomain_discovery.py
This will perform a basic subdomain discovery for "example.com" using the provided word list.
Competitor Comparisons
SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
Pros of SecLists
- Comprehensive collection of multiple types of lists for various security testing scenarios
- Regularly updated with community contributions
- Well-organized directory structure for easy navigation
Cons of SecLists
- Large repository size may be overwhelming for specific use cases
- Requires manual filtering to find relevant lists for subdomain enumeration
- Not specifically optimized for DNS-based operations
Code Comparison
SecLists (example of a wordlist entry):
admin
administrator
webadmin
sysadmin
altdns (example of permutation generation):
for word in words:
for perm in permutations:
yield apply_permutation(word, perm)
Summary
SecLists is a comprehensive security testing resource with a wide range of wordlists, while altdns focuses specifically on subdomain permutation and generation. SecLists offers broader applicability but may require more manual filtering, whereas altdns provides a more targeted approach to DNS enumeration with built-in permutation capabilities.
Fast subdomains enumeration tool for penetration testers
Pros of Sublist3r
- Supports multiple search engines and APIs for subdomain enumeration
- Includes a built-in DNS resolver for validating discovered subdomains
- Offers threading for faster subdomain discovery
Cons of Sublist3r
- Limited to subdomain discovery without permutation capabilities
- May miss some subdomains that require more advanced techniques
- Less customizable compared to Altdns
Code Comparison
Sublist3r (Python):
def main(domain, threads, savefile, ports, silent, verbose, enable_bruteforce, engines):
bruteforce_list = []
subdomains = []
search_list = []
Altdns (Python):
def generate_altered_domains(domain):
with open(args.input, "r") as fp:
for line in fp:
subdomain = line.strip()
Both tools are written in Python, but they serve different purposes. Sublist3r focuses on subdomain enumeration using various sources, while Altdns specializes in generating permutations of existing subdomains. Sublist3r's code snippet shows its main function with multiple parameters for customization, whereas Altdns' code demonstrates its core functionality of generating altered domain names.
Fast passive subdomain enumeration tool.
Pros of Subfinder
- Actively maintained with regular updates and improvements
- Supports multiple data sources for subdomain enumeration
- Offers concurrent execution for faster results
Cons of Subfinder
- Focuses solely on subdomain enumeration, lacking DNS alteration capabilities
- May require additional configuration for optimal results
Code Comparison
AltDNS (Python):
def insert_all_indexes(domain):
words = domain.split('.')
for word in words[:-1]:
for i in range(1, len(word)):
yield domain[:domain.index(word) + i] + '.' + domain[domain.index(word) + i:]
Subfinder (Go):
func (s *Source) Run(ctx context.Context, domain string, session *subscraping.Session) <-chan subscraping.Result {
results := make(chan subscraping.Result)
go func() {
defer close(results)
// Implementation details
}()
return results
}
AltDNS focuses on DNS alteration techniques, generating permutations of existing subdomains. It's written in Python and provides a simple approach to discovering new subdomains through manipulation.
Subfinder, on the other hand, is a more comprehensive subdomain enumeration tool written in Go. It leverages multiple data sources and offers concurrent execution for efficient subdomain discovery. While it doesn't perform DNS alterations like AltDNS, it provides a broader range of subdomain enumeration capabilities.
Both tools serve different purposes in the subdomain discovery process and can be complementary when used together in a comprehensive reconnaissance workflow.
In-depth attack surface mapping and asset discovery
Pros of Amass
- More comprehensive subdomain enumeration, including active and passive techniques
- Supports multiple data sources and APIs for gathering information
- Offers advanced features like DNS zone transfers and certificate transparency logs
Cons of Amass
- Steeper learning curve due to more complex configuration options
- May be overkill for simple subdomain enumeration tasks
- Requires more system resources and time to run compared to AltDNS
Code Comparison
AltDNS:
def insert_all_indexes(domain):
words = domain.split('.')
for word in words[:-1]:
for index, char in enumerate(word):
yield domain[:domain.index(word) + index] + '-' + domain[domain.index(word) + index:]
Amass:
func (e *Enumeration) submitKnownNames() {
for _, src := range e.Sys.DataSources() {
for _, name := range src.GetAllSourceNames() {
e.Bus.Publish(requests.NewNameTopic, &requests.DNSRequest{
Name: name,
Domain: e.Config.Domain(),
Tag: src.String(),
Source: src.String(),
})
}
}
}
The code snippets show that AltDNS focuses on permutation-based subdomain generation, while Amass handles more complex enumeration tasks and data source management.
A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)
Pros of massdns
- Significantly faster DNS resolution due to its C implementation
- Supports multiple DNS record types (A, AAAA, ANY, etc.)
- Can handle large-scale DNS enumeration tasks efficiently
Cons of massdns
- Requires more setup and configuration compared to altdns
- Less focused on subdomain permutation and alteration
- May require additional post-processing for specific use cases
Code comparison
massdns:
int main(int argc, char **argv) {
// Initialize massdns
// Parse command-line arguments
// Perform DNS resolution
// Output results
}
altdns:
def main():
# Parse command-line arguments
# Generate altered subdomains
# Resolve subdomains
# Output results
Key differences
- massdns is written in C, while altdns is written in Python
- massdns focuses on high-speed DNS resolution, while altdns specializes in subdomain permutation
- massdns offers more flexibility in DNS record types, but altdns provides built-in subdomain alteration techniques
Use cases
massdns is ideal for:
- Large-scale DNS enumeration projects
- Performance-critical DNS resolution tasks
altdns is better suited for:
- Targeted subdomain discovery
- Penetration testing and bug bounty hunting
Both tools can be complementary in a comprehensive subdomain enumeration workflow.
Find domains and subdomains related to a given domain
Pros of assetfinder
- Written in Go, offering faster execution and easier cross-platform compatibility
- Utilizes multiple data sources for subdomain discovery, including web archives and certificate transparency logs
- Lightweight and easy to integrate into existing workflows or scripts
Cons of assetfinder
- Focuses solely on subdomain enumeration, lacking the permutation capabilities of altdns
- May require additional tools for comprehensive subdomain analysis and validation
- Less customizable in terms of output formatting compared to altdns
Code Comparison
altdns:
def generate_altered_domains(domain):
with open(args.input_file, 'r') as f:
for line in f:
parts = line.strip().split('.')
for i in range(0, len(parts)):
for word in words:
altered = parts[:]
altered.insert(i, word)
yield '.'.join(altered)
assetfinder:
func enumerate(domain string) chan string {
out := make(chan string)
go func() {
defer close(out)
for _, source := range sources {
for result := range source(domain) {
out <- result
}
}
}()
return out
}
The code snippets highlight the different approaches: altdns focuses on permutation-based subdomain generation, while assetfinder emphasizes efficient enumeration from multiple sources.
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual CopilotREADME
Altdns - Subdomain discovery through alterations and permutations
Altdns is a DNS recon tool that allows for the discovery of subdomains that conform to patterns. Altdns takes in words that could be present in subdomains under a domain (such as test, dev, staging) as well as takes in a list of subdomains that you know of.
From these two lists that are provided as input to altdns, the tool then generates a massive output of "altered" or "mutated" potential subdomains that could be present. It saves this output so that it can then be used by your favourite DNS bruteforcing tool.
Alternatively, the -r
flag can be passed to altdns so that once this output is generated, the tool can then resolve these subdomains (multi-threaded) and save the results to a file.
Altdns works best with large datasets. Having an initial dataset of 200 or more subdomains should churn out some valid subdomains via the alterations generated.
Further information on attack methodology and this tool release can be found here: https://docs.google.com/presentation/d/1PCnjzCeklOeGMoWiE2IUzlRGOBxNp8K5hLQuvBNzrFY/
Installation
Python 2:
pip install py-altdns==1.0.0
Python 3:
pip3 install py-altdns==1.0.2
Usage
# altdns -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt
subdomains.txt
contains the known subdomains for an organizationdata_output
is a file that will contain the massive list of altered and permuted subdomainswords.txt
is your list of words that you'd like to permute your current subdomains with (i.e.admin
,staging
,dev
,qa
) - one word per line- the
-r
command resolves each generated, permuted subdomain - the
-s
command tells altdns where to save the results of the resolved permuted subdomains.results_output.txt
will contain the final list of permuted subdomains found that are valid and have a DNS record. - the
-t
command limits how many threads the resolver will use simultaneously -d 1.2.3.4
overrides the system default DNS resolver and will use the specified IP address as the resolving server. Setting this to the authoritative DNS server of the target domain may increase resolution performance
Screenshots
Show some love
If this tool was useful at all to you during DNS recon stages - we'd love to know. Any suggestions or ideas for this tool are welcome - just tweet @infosec_au or @nnwakelam and we'll work on it.
Top Related Projects
SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
Fast subdomains enumeration tool for penetration testers
Fast passive subdomain enumeration tool.
In-depth attack surface mapping and asset discovery
A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)
Find domains and subdomains related to a given domain
Convert designs to code with AI
Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.
Try Visual Copilot