Description
AltDNS generates permutations, alterations, and mutations of subdomains and then resolves them. It takes existing subdomains and creates variations (e.g., dev-api, api-dev, staging-api) to discover subdomains that traditional enumeration misses. A must-have for thorough recon.
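Seen from the zone owner's side, the technique described above shows up as a run of NXDOMAIN answers for names that are mutations of real hosts. The added example below is not AltDNS code and not part of the original page: it models only the dash and label-insert variations named in the description and counts such misses per client. The log format (`client qname rcode`), the host names, addresses and the threshold are constructed assumptions.

```python
from collections import Counter

def permutations(subdomains, words, zone):
    """Simplified model: names derived from known hosts in `zone` plus a wordlist."""
    out = set()
    suffix = "." + zone
    for fqdn in subdomains:
        if not fqdn.endswith(suffix):
            continue
        labels = fqdn[: -len(suffix)].split(".")
        for w in words:
            # word inserted as its own label at every position (dev.api, api.dev)
            for i in range(len(labels) + 1):
                out.add(".".join(labels[:i] + [w] + labels[i:]) + suffix)
            # word joined to each label with a dash, both orders (dev-api, api-dev)
            for i, lab in enumerate(labels):
                for new in (f"{w}-{lab}", f"{lab}-{w}"):
                    out.add(".".join(labels[:i] + [new] + labels[i + 1:]) + suffix)
    return out - set(subdomains)

def flag_scanners(log_lines, candidates, threshold=3):
    """Return {client: count} for clients with >= threshold NXDOMAIN candidate lookups."""
    misses = Counter()
    for line in log_lines:
        client, qname, rcode = line.split()
        if rcode == "NXDOMAIN" and qname.rstrip(".").lower() in candidates:
            misses[client] += 1
    return {c: n for c, n in misses.items() if n >= threshold}

# Constructed sample data (hypothetical zone, clients and resolver log lines)
KNOWN = ["api.example.com", "www.example.com"]
WORDS = ["dev", "staging"]
LOG = [
    "198.51.100.7 dev-api.example.com. NXDOMAIN",
    "198.51.100.7 api-dev.example.com. NXDOMAIN",
    "198.51.100.7 staging.api.example.com. NXDOMAIN",
    "198.51.100.7 api.staging.example.com. NXDOMAIN",
    "203.0.113.20 www.example.com. NOERROR",
    "203.0.113.20 wwww.example.com. NXDOMAIN",  # ordinary typo, not a permutation
]

if __name__ == "__main__":
    cands = permutations(KNOWN, WORDS, "example.com")
    print(len(cands), "candidate names;", "flagged:", flag_scanners(LOG, cands))
```

Any candidate name that does resolve in your own zone is worth reviewing as well, since it is exactly what this kind of enumeration would surface.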
Installation
BASH
pip3 install py-altdns
# From source
git clone https://github.com/infosec-au/altdns.git
cd altdns && pip3 install .
Basic Usage
BASH
# Generate permutations and resolve
altdns -i subdomains.txt -o permutations.txt -w words.txt -r -s resolved.txt
# Just generate permutations (no resolution)
altdns -i subdomains.txt -o permutations.txt -w words.txt
Advanced Usage
BASH
# Custom wordlist for mutations
# custom_words.txt holds one word per line, e.g.: dev, staging, test, uat, qa, api, admin, internal, corp, vpn
altdns -i subs.txt -o data_output -w custom_words.txt -r -s results.txt
# Use custom resolver
altdns -i subs.txt -o data_output -w words.txt -r -s results.txt -d 8.8.8.8
# High-performance with threads
altdns -i subs.txt -o data_output -w words.txt -r -s results.txt -t 100
Common Workflows
BASH
# Step 1: Collect subdomains
subfinder -d target.com -silent > subs.txt
# Step 2: Generate mutations
echo -e "dev\nstaging\ntest\nqa\nuat\nprod\nadmin\ninternal\ncorp\nvpn\napi\napp" > words.txt
altdns -i subs.txt -o permutations.txt -w words.txt
# Step 3: Resolve permutations
cat permutations.txt | massdns -r resolvers.txt -t A -o S | grep -v NXDOMAIN > alive.txt
# Step 4: Probe for web services
cat alive.txt | awk '{print $1}' | httpx -silent