There is a difference, between enumerating sub-domains of a website and brute-forcing sub-domain names. Netcraft does a great job of listing us the DNS entries of sub-domains, but this is not always complete. For example, cisco.com might have a web server cluster (multiple web servers) to handle the high traffic of their site.

Below is what we see if we search for all the sub-domains for cisco.com on Netcraft’s website:

What I have not told you yet is that this list above is missing at least a few sub-domains, such as www2 and www3.

In order to brute-force these missing DNS sub-domains, we are going to need to write a Bash script to handle this quickly.  The Bash script will leverage the Linux host command to lookup our sub-domain’s from a pre-defined list.  We can make this list up, or utilize other’s that can be found online.

The one I will be using for this example is sublist.txt, and it can be downloaded here.

sublist.txt = www ftp forum mail app api owa server server1 server01 proxy router cdn git admin www2 www3 firewall ms …etc.

Next, we will need a simple Bash script to utilize the host command with each sub-domain entry in sublist.txt.

subsearch.sh

for sub in $(cat $1);do
host $sub.$2|grep "has address" |cut -d" " -f1,4
done

The subsearch.sh script takes two command parameters.  The first is our list of sub-domains, and the second is the parent domain name we wish to test.  In this case, cisco.com.

As we can see from the results above, we have discovered the www2 and www3 sub-domains, along with some others as well.