
Feature - Implement the tool 'Gotator' to permutate subdomains

Open alph4byt3 opened this issue 3 years ago • 2 comments

Subdomain permutation is another way to find uncommon subdomains. Implementing the tool Gotator - https://github.com/Josue87/gotator will allow us to permutate domains/subdomains.

The pipeline can look something like this:

  1. Use tools already implemented to gather all subdomains (Amass, Subfinder etc)
  2. Use the tool Puredns (I created a feature request to add this tool) to bruteforce subdomains from a custom wordlist (hopefully reNgine would manage to work with my 42mil line, 800MB wordlist).
  3. Store a copy of all the subdomains found.
  4. Use Gotator with a custom/ default permutations wordlist to then start permutating the root domain.
  5. Append all permutated subdomains found to the first file saved in step 3.
  6. Then use Puredns again to resolve all the gathered subdomains (the tool can resolve and bruteforce).

Then reNgine can cleanup unnecessary files left over and have the single main large subdomain file.

Note: Allow users to add their own resolvers for the Puredns tool; a custom list of working resolvers will cut time in half (e.g. my 42mil list takes ~40 minutes on default Puredns settings) and it will prevent false negatives.

Hopefully this is understandable; this is my subdomain recon methodology that brings me success. I usually do steps 2 and 5 on my own and then add the results I find to reNgine before starting the scan (add custom subdomains), so having it all implemented into the framework will be a big benefit not only to me but to all.

alph4byt3 · Dec 05 '21 13:12

👋 Hi @alph4byt3, Issues is only for reporting a bug/feature request. Please read documentation before raising an issue https://rengine.wiki For very limited support, questions, and discussions, please join reNgine Discord channel: https://discord.gg/azv6fzhNCE Please include all the requested and relevant information when opening a bug report. Improper reports will be closed without any response.

github-actions[bot] · Dec 05 '21 13:12

I forgot to mention that obviously between 5 and 6 you would sort and uniq all the subdomains before resolving them.

alph4byt3 · Dec 05 '21 18:12
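The six-step pipeline from the issue body, plus the sort/uniq step from the follow-up comment, written out as one POSIX shell script. This is an added example, not reNgine's code and not the issue author's script; it is meant for building an inventory of the subdomains of domains you operate. The file handling (steps 3 and 5 and the dedupe) is plain shell and runs on its own; the enumerators are only invoked when installed, and the flag names used for subfinder, puredns and gotator are assumed from each tool's usage text and should be checked against the installed versions. The `merge_candidates` filter also drops entries that are not actually under the root domain, so the resolver in step 6 is not fed junk from a noisy wordlist.

```shell
#!/bin/sh
# Added example: orchestrate passive enumeration -> bruteforce -> permutation
# -> resolve, keeping a single deduplicated list at the end.

# Steps 3 and 5 plus the follow-up "sort and uniq": merge any number of
# candidate files into one normalised, deduplicated list scoped to ROOT.
# Prints the number of candidates kept. Pure shell, no external recon tool.
merge_candidates() {
  root="$1"; out="$2"; shift 2
  cat "$@" \
    | tr 'A-Z' 'a-z' \
    | tr -d ' \r' \
    | sed 's/^\*\.//; s/^\.*//; s/\.*$//' \
    | awk -v root="$root" '
        length($0) > 0 &&
        substr($0, length($0) - length(root) + 1) == root &&
        ($0 == root || substr($0, length($0) - length(root), 1) == ".")' \
    | sort -u > "$out"
  wc -l < "$out" | tr -d ' '
}

# Steps 1-6 end to end. Arguments: root domain, bruteforce wordlist,
# gotator permutation wordlist, resolver list. Tool flags below are assumed
# from each tool's own help output (subfinder -d/-silent; puredns
# bruteforce|resolve with -r resolvers -w output; gotator -sub/-perm/-depth).
run_pipeline() {
  root="$1"; wordlist="$2"; perms="$3"; resolvers="$4"
  work=$(mktemp -d)

  # Step 1: subdomains from the enumerators reNgine already runs.
  : > "$work/passive.txt"
  if command -v subfinder >/dev/null 2>&1; then
    subfinder -d "$root" -silent > "$work/passive.txt"
  fi

  # Step 2: wordlist bruteforce with the user's own resolvers.
  : > "$work/brute.txt"
  if command -v puredns >/dev/null 2>&1; then
    puredns bruteforce "$wordlist" "$root" -r "$resolvers" -w "$work/brute.txt" -q
  fi

  # Step 3: one stored copy of everything found so far.
  merge_candidates "$root" "$work/all.txt" "$work/passive.txt" "$work/brute.txt" >/dev/null

  # Step 4: permutations of the known names.
  : > "$work/perms.txt"
  if command -v gotator >/dev/null 2>&1; then
    gotator -sub "$work/all.txt" -perm "$perms" -depth 1 -silent > "$work/perms.txt"
  fi

  # Step 5 + sort/uniq: append permutations to the stored list and dedupe.
  merge_candidates "$root" "$work/candidates.txt" "$work/all.txt" "$work/perms.txt"

  # Step 6: resolve the full candidate set.
  if command -v puredns >/dev/null 2>&1; then
    puredns resolve "$work/candidates.txt" -r "$resolvers" -w "$work/resolved.txt" -q
  else
    cp "$work/candidates.txt" "$work/resolved.txt"
  fi

  # Cleanup: keep only the single final list, drop the intermediate files.
  cp "$work/resolved.txt" "./${root}.subdomains.txt"
  rm -rf "$work"
}

# Usage: sh pipeline.sh example.com words.txt perms.txt resolvers.txt
if [ $# -ge 4 ]; then
  run_pipeline "$@"
fi
```

Running `merge_candidates` between every stage, rather than only once before resolving, is what keeps the intermediate files from ballooning when the bruteforce wordlist and the permutation output overlap heavily.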