Brute Forcing

Overview

DNS records hold a surprising amount of host information, and by brute forcing them we can reveal additional targets. DNS entries also often give away a host's role: for example, “mail” indicates that we are obviously dealing with the mail server, and Cloudflare’s default DNS entry “direct” most of the time points to the origin IP that the owner is trying to protect.

Technique used

Most of these tools rely on a dictionary of common server names and issue a DNS request for each entry as a sub-domain of the domain you are testing.

Types of brute forcing

Popular open-source tools for each of these types of attack are given below.

Domain name

It is possible to enumerate all records for a given domain name.

Tools

Name           Description                                            Language
DNSRecon       Subdomain enumeration tool                             Python

Sub-domain

Tools will normally attempt to enumerate DNS hostnames by brute-force guessing common sub-domains from a dictionary.
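As an added illustration of the dictionary technique described under “Technique used” and in this section (example code, not taken from the page or from any of the tools listed below): each word is tried as a label under the target domain, and random probe labels are resolved first so that a wildcard record, which answers for every name, does not turn the whole dictionary into false positives. The resolver is injectable; the constructed example.com zone with TEST-NET-3 addresses stands in for live DNS so the example runs offline, and system_resolver is a hypothetical default for auditing a zone you administer.

```python
import secrets
import socket
from typing import Callable, Dict, List, Optional, Set

Resolver = Callable[[str], Optional[str]]

# Constructed sample dictionary; real tools ship wordlists of thousands of names.
WORDLIST = ["www", "mail", "ftp", "dev", "direct", "vpn", "staging"]

def system_resolver(name: str) -> Optional[str]:
    """Ask the OS stub resolver for an A record; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def detect_wildcard(domain: str, resolve: Resolver, probes: int = 2) -> Set[str]:
    """Resolve random labels no zone should contain; any answer is a wildcard (*.domain) address."""
    hits: Set[str] = set()
    for _ in range(probes):
        ip = resolve(f"wc-{secrets.token_hex(8)}.{domain}")
        if ip is not None:
            hits.add(ip)
    return hits

def brute_force(domain: str, wordlist: List[str],
                resolve: Resolver = system_resolver) -> Dict[str, str]:
    """Try each word as a label under `domain`; return {fqdn: ip} for names
    that resolve to something other than the wildcard address."""
    wildcard_ips = detect_wildcard(domain, resolve)
    found: Dict[str, str] = {}
    for word in wordlist:
        fqdn = f"{word}.{domain}"
        ip = resolve(fqdn)
        if ip is not None and ip not in wildcard_ips:
            found[fqdn] = ip
    return found

# Constructed fake zone so the example runs offline (example.com is reserved;
# 203.0.113.0/24 is the TEST-NET-3 documentation range).
FAKE_ZONE = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.25",
    "direct.example.com": "203.0.113.99",  # the kind of record that exposes an origin
}
FAKE_WILDCARD_IP = "203.0.113.200"

def fake_resolver(name: str) -> Optional[str]:
    """Stand-in for DNS: explicit records first, then a *.example.com wildcard."""
    return FAKE_ZONE.get(name) or (FAKE_WILDCARD_IP if name.endswith(".example.com") else None)
```

Running brute_force("example.com", WORDLIST, fake_resolver) returns only the three explicit records; ftp, dev, vpn and staging are dropped because they resolve to the wildcard address.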

Tools

Name           Description                                            Language
SubBrute       Subdomain enumeration tool                             Python
Sublist3r      Enumerate subdomains of websites using OSINT           Python
DNS-Discovery  A multithreaded subdomain bruteforcer                  C
dns-brute      Attempts to enumerate DNS hostnames                    Nmap script
Knockpy        Enumerate subdomains on a target domain                Python
Anubis         A subdomain enumerator and information gathering tool  Python

Real case abuse

Research

Mitigation

References

https://www.foo.be/papers/sdbf.pdf