yogeshojha / rengine

reNgine is an automated reconnaissance framework for web applications with a focus on a highly configurable, streamlined recon process via Engines, recon data correlation and organization, continuous monitoring, a database backend, and a simple yet intuitive user interface. reNgine makes it easy for penetration testers to gather reconnaissance with minimal configuration, and with the help of reNgine's correlation it makes recon effortless.
https://yogeshojha.github.io/rengine/
GNU General Public License v3.0
7.25k stars, 1.1k forks

Feature - Implement the tool 'Gotator' to permutate subdomains #545

Open alph4byt3 opened 2 years ago

alph4byt3 commented 2 years ago

Subdomain permutation is another way to find uncommon subdomains. Implementing the tool Gotator (https://github.com/Josue87/gotator) will allow us to permutate domains/subdomains.

The pipeline can look something like this:

1) Use tools already implemented to gather all subdomains (Amass, Subfinder etc.).
2) Use the tool Puredns (I created a feature request to add this tool) to bruteforce subdomains from a custom wordlist (hopefully reNgine would manage to work with my 42mil line, 800MB wordlist).
3) Store a copy of all the subdomains found.
4) Use Gotator with a custom/default permutations wordlist to then start permutating the root domain.
5) Append all permutated subdomains found to the first file saved in step 3.
6) Then use Puredns again to resolve all the gathered subdomains (the tool can resolve and bruteforce).

Then reNgine can cleanup unnecessary files left over and have the single main large subdomain file.

Note: Allow users to add their own resolvers for the Puredns tool. A custom list of working resolvers will cut time in half (e.g. my 42mil list takes ~40 minutes on default Puredns settings) and it will prevent false negatives.

Hopefully this is understandable; this is my subdomain recon methodology that brings me success. I usually do steps 2 and 5 on my own and then add the results I find to reNgine before starting the scan (add custom subdomains), so having it all implemented in the framework will be a big benefit not only to me but to all.

github-actions[bot] commented 2 years ago

👋 Hi @alph4byt3, Issues is only for reporting a bug/feature request. Please read the documentation before raising an issue: https://rengine.wiki
For very limited support, questions, and discussions, please join the reNgine Discord channel: https://discord.gg/azv6fzhNCE
Please include all the requested and relevant information when opening a bug report. Improper reports will be closed without any response.

alph4byt3 commented 2 years ago

I forgot to mention that obviously between 5 and 6 you would sort and uniq all the subdomains before resolving them.
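The steps 3 to 5 of the pipeline above, together with the sort/uniq pass from the follow-up comment, are shown below as an added example. This is not reNgine's code and not Gotator's algorithm: it is a simplified permutation generator (word prefixed, hyphen-joined, concatenated, or inserted as a label, to a configurable depth) plus the normalisation and deduplication a practitioner wants before handing the list to a resolver. The sample subdomains, permutation words, and the root `example.com` are constructed; the `puredns resolve ... -r resolvers.txt` command in the final comment is the step the issue describes and runs outside this script.

```python
"""Subdomain permutation + merge step (added example; not reNgine or Gotator code)."""
from __future__ import annotations

import re
from typing import Iterable

# Constructed stand-in for what steps 1-2 (Amass, Subfinder, Puredns bruteforce) return.
KNOWN_SUBDOMAINS = [
    "www.example.com",
    "Dev.Example.com.",      # mixed case + trailing dot: must be normalised before sort|uniq
    "api.dev.example.com",
    "www.example.com",       # duplicate
    "mail.other.org",        # not under the target root: dropped by the scope filter
]

# Constructed permutation wordlist (Gotator takes a user-supplied one in the real pipeline).
PERMUTATION_WORDS = ["api", "dev", "stage", "01"]

# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise(host: str) -> str:
    """Lowercase and strip whitespace / trailing dot so duplicates collapse."""
    return host.strip().lower().rstrip(".")


def in_scope(host: str, root: str) -> bool:
    return host == root or host.endswith("." + root)


def valid_hostname(host: str) -> bool:
    """Reject candidates a resolver would never accept (saves queries, avoids noise)."""
    return len(host) <= 253 and all(LABEL_RE.match(label) for label in host.split("."))


def permute_one(host: str, root: str, words: Iterable[str]) -> set[str]:
    """Permutations of a single in-scope host: word.host, and word combined with each label."""
    labels = [] if host == root else host[: -(len(root) + 1)].split(".")
    out: set[str] = set()
    for w in words:
        out.add(f"{w}.{host}")
        for i, lab in enumerate(labels):
            for variant in (f"{w}-{lab}", f"{lab}-{w}", f"{w}{lab}", f"{lab}{w}", f"{w}.{lab}", f"{lab}.{w}"):
                out.add(".".join(labels[:i] + [variant] + labels[i + 1:]) + "." + root)
    return out


def permute(seeds: set[str], root: str, words: Iterable[str], depth: int = 1) -> set[str]:
    """Feed each round's new candidates back in; output size grows roughly as (len(words)*7)^depth."""
    words = list(words)
    frontier, found = set(seeds), set()
    for _ in range(depth):
        new: set[str] = set()
        for h in frontier:
            new |= permute_one(h, root, words)
        new -= found | set(seeds)
        found |= new
        frontier = new
    return found


def build_candidate_list(known: Iterable[str], words: Iterable[str], root: str, depth: int = 1) -> list[str]:
    """Steps 3-5 plus sort|uniq: normalise known hosts, permute (root included), merge, dedupe, scope-filter."""
    clean = {h for h in map(normalise, known) if in_scope(h, root) and valid_hostname(h)}
    seeds = clean | {root}                      # step 4: permute the root domain as well
    candidates = (clean | permute(seeds, root, words, depth)) - {root}
    return sorted(h for h in candidates if valid_hostname(h))


if __name__ == "__main__":
    cands = build_candidate_list(KNOWN_SUBDOMAINS, PERMUTATION_WORDS, "example.com")
    with open("candidates.txt", "w") as fh:
        fh.write("\n".join(cands) + "\n")
    print(f"{len(cands)} unique candidates written to candidates.txt")
    # Step 6 (outside this script): puredns resolve candidates.txt -r resolvers.txt
```

Depth is the knob to watch: every extra level multiplies the candidate count by the wordlist size times the number of variants, so a large permutation list at depth 2 or more produces far more names than the 42-million-line bruteforce wordlist mentioned above, and all of them still have to be resolved.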