Altdns is a DNS recon tool that allows for the discovery of subdomains that conform to patterns. Altdns takes in words that could be present in subdomains under a domain (such as test, dev, staging), as well as a list of subdomains that you already know of.
From these two lists that are provided as input to altdns, the tool then generates a _massive_ output of "altered" or "mutated" potential subdomains that could be present. It saves this output so that it can then be used by your favourite DNS bruteforcing tool.
The `-r` flag can be passed to altdns so that, once this output is generated, the tool resolves these subdomains (multi-threaded) and saves the results to a file.
Altdns works best with large datasets. Having an initial dataset of 200 or more subdomains should churn out some valid subdomains via the alterations generated.
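To make the generation step concrete, here is an added example (it is not altdns's own code and its mutation rules are an assumption, not a description of what altdns actually does) that combines a list of known subdomains with a wordlist the way the paragraphs above describe. Function names (`permute`, `_labels`) and the small constructed inputs in the `__main__` block are assumptions; a defender can run it against their own domain inventory to see how large the candidate space becomes before any resolution happens.

```python
"""Subdomain permutation generator in the spirit of altdns.

Added example, not altdns's own code: given known subdomains and a wordlist,
emit candidate hostnames by inserting or gluing each word onto each existing
label. The set of mutations used here is an assumption for illustration.
"""
import sys
from typing import Iterable, List, Optional, Set


def _labels(hostname: str, domain: str) -> Optional[List[str]]:
    """Return the labels of `hostname` that sit below `domain`, or None.

    'api.staging.example.com' under 'example.com' -> ['api', 'staging'].
    The bare apex ('example.com') and hosts outside the domain yield None.
    """
    suffix = "." + domain
    if not hostname.endswith(suffix):
        return None
    return hostname[: -len(suffix)].split(".")


def permute(subdomains: Iterable[str], words: Iterable[str], domain: str) -> Set[str]:
    """Generate altered candidate hostnames under `domain`.

    For every known subdomain and every word, the word is emitted:
      * as its own label at every position   (dev.api.example.com, api.dev.example.com)
      * glued to each existing label         (devapi.example.com, apidev.example.com)
      * joined to each label with a hyphen   (dev-api.example.com, api-dev.example.com)
    Input is normalised to lowercase; the original hostnames are excluded
    from the result and the result is deduplicated.
    """
    known = {s.strip().lower().rstrip(".") for s in subdomains if s.strip()}
    wordlist = {w.strip().lower() for w in words if w.strip()}
    out: Set[str] = set()
    for host in known:
        labels = _labels(host, domain)
        if not labels:
            continue  # skip the apex itself and anything outside the domain
        for word in wordlist:
            # Insert the word as an extra label at every position (0 = leftmost).
            for pos in range(len(labels) + 1):
                new = labels[:pos] + [word] + labels[pos:]
                out.add(".".join(new) + "." + domain)
            # Glue the word onto each existing label, with and without a hyphen.
            for idx, label in enumerate(labels):
                for variant in (word + label, label + word, f"{word}-{label}", f"{label}-{word}"):
                    new = labels[:idx] + [variant] + labels[idx + 1:]
                    out.add(".".join(new) + "." + domain)
    out.difference_update(known)
    return out


def load_lines(path: str) -> List[str]:
    """Read a newline-separated list, ignoring blank lines."""
    with open(path, encoding="utf-8") as fh:
        return [line for line in fh.read().splitlines() if line.strip()]


if __name__ == "__main__":
    # Usage: python permute.py subdomains.txt words.txt example.com > data_output
    # With no arguments, a small constructed input is used for demonstration.
    if len(sys.argv) == 4:
        subs, wl, dom = load_lines(sys.argv[1]), load_lines(sys.argv[2]), sys.argv[3]
    else:
        subs = ["api.example.com", "mail.staging.example.com"]  # constructed sample
        wl = ["dev", "qa"]                                       # constructed sample
        dom = "example.com"
    for candidate in sorted(permute(subs, wl, dom)):
        print(candidate)
```

Piped into a resolver (or a file that a bruteforcing tool reads), the output plays the role of `data_output` above; note how quickly the set grows with the number of labels per hostname, which is why the README recommends large input datasets and a multi-threaded resolver.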
```shell
pip install -r requirements.txt
./altdns.py -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt
```
- `subdomains.txt` contains the known subdomains for an organization
- `data_output` is a file that will contain the _massive_ list of altered and permuted subdomains
- `words.txt` is your list of words that you'd like to permute your current subdomains with (e.g. qa) - one word per line
- `-r` resolves each generated, permuted subdomain
- `-s` tells altdns where to save the results of the resolved permuted subdomains
- `results_output.txt` will contain the final list of permuted subdomains found that are valid and have a DNS record
- `-t` limits how many threads the resolver will use simultaneously
- `-d 188.8.131.52` overrides the system default DNS resolver and will use the specified IP address as the resolving server. Setting this to the authoritative DNS server of the target domain _may_ increase resolution performance