Using dnsmap command to scan for subdomains (with examples)
- Linux
- November 5, 2023
Scan for subdomains using the internal wordlist
Code:
dnsmap example.com
Motivation: This is the quickest way to enumerate common subdomains of a target, such as smtp.example.com or mail.example.com, using the wordlist compiled into dnsmap. Keep in mind that dnsmap brute-forces names by issuing a DNS query for every candidate, so the attempts are visible to the domain's authoritative name servers and to whichever resolver the scanning host uses; this is not a passive technique.
Explanation:
Running dnsmap example.com instructs dnsmap to look up each entry of its built-in wordlist as a label under example.com and to report every name that resolves, together with its IP address(es). Names that do not resolve are silently skipped.
Example Output:
dnsmap 0.36 - DNS Network Mapper by pagvac (gnucitizen.org)

[+] searching (sub)domains for example.com using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests

[+] 0 (sub)domains and 0 IP address(es) found
[+] completion time: 48 second(s)
Specify a list of subdomains to check for
Code:
dnsmap example.com -w path/to/wordlist.txt
Motivation: The built-in wordlist is small and generic. A custom wordlist (one label per line, without the domain suffix) lets us target naming conventions observed for the organisation, for example names harvested from certificate transparency logs, previous engagements, or environment prefixes such as dev-, staging- and uat-, and can surface hosts the default list never tries.
Explanation:
Running dnsmap example.com -w path/to/wordlist.txt makes dnsmap read candidate labels from the given file instead of its built-in list; each line is prepended to example.com and queried. This is the option to use when the scan should be driven by a curated or engagement-specific list rather than the default one.
Example Output:
dnsmap 0.36 - DNS Network Mapper by pagvac (gnucitizen.org)

[+] searching (sub)domains for example.com using path/to/wordlist.txt
[+] using maximum random delay of 10 millisecond(s) between requests

mail.example.com
IP address #1: 192.0.2.25

ftp.example.com
IP address #1: 192.0.2.21

[+] 2 (sub)domains and 2 IP address(es) found
[+] completion time: 113 second(s)
Store results to a CSV file
Code:
dnsmap example.com -c path/to/file.csv
Motivation: When performing subdomain enumeration, it can be useful to store the results in a structured format that can be easily analyzed or shared with others. Saving the results to a CSV file allows us to organize and manipulate the data using spreadsheet software or other data analysis tools.
Explanation:
Running dnsmap example.com -c path/to/file.csv makes dnsmap write each discovered hostname and its resolved IP address(es) as a row in the CSV file at the given path, in addition to printing them on the terminal. If a plain-text results file is preferred, the -r option writes the same findings in regular format instead.
Example Output:
dnsmap 0.36 - DNS Network Mapper by pagvac (gnucitizen.org)

[+] searching (sub)domains for example.com using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests
[+] saving results in CSV format to path/to/file.csv

mail.example.com
IP address #1: 192.0.2.25

ftp.example.com
IP address #1: 192.0.2.21

[+] 2 (sub)domains and 2 IP address(es) found
[+] completion time: 109 second(s)
Ignore false-positive IPs
Code:
dnsmap example.com -i 123.45.67.89,98.76.54.32
Motivation: The usual source of false positives in subdomain brute-forcing is wildcard DNS: when the zone contains a wildcard record (*.example.com), every candidate name resolves to the same address(es), so practically every wordlist entry is reported as a hit. Some captive resolvers and ISP "search assist" services produce the same effect by answering NXDOMAIN with a fixed IP. Excluding the address(es) behind those answers keeps the results limited to hosts that really exist.
Explanation:
Running dnsmap example.com -i 123.45.67.89,98.76.54.32 tells dnsmap not to report any name that resolves to one of the listed IP addresses (comma-separated, no spaces). A practical way to find the addresses to ignore is to resolve a random label that cannot exist, for example a 20-character random string under example.com: whatever IP that returns is the wildcard answer, and it belongs in the -i list.
Example Output:
dnsmap 0.36 - DNS Network Mapper by pagvac (gnucitizen.org)

[+] searching (sub)domains for example.com using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests

mail.example.com
IP address #1: 192.0.2.25

ftp.example.com
IP address #1: 192.0.2.21

[+] 2 (sub)domains and 2 IP address(es) found
[+] completion time: 51 second(s)
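The wildcard check described above, automated so it feeds the -i and -c options from the previous sections, as an added example that is not part of the original page or of the dnsmap project. It assumes dig (from dnsutils/bind-utils) and dnsmap are on PATH; the function names, the results.csv default and the sample resolver lines in the usage note are assumptions for the illustration.

```shell
#!/bin/sh
# Added example (not from the dnsmap project): detect wildcard DNS before a
# dnsmap run and pass the wildcard address(es) to -i so they are excluded.
# Assumes `dig` (dnsutils/bind-utils) and `dnsmap` are installed.

# join_ips: read resolver answers on stdin (one per line, as `dig +short`
# prints them), keep only IPv4 addresses (drops CNAME targets and empty
# lines), de-duplicate them and join them with commas, the format -i expects.
join_ips() {
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | sort -u | paste -sd, -
}

# wildcard_ips DOMAIN: resolve a random 20-character label that cannot be in
# any wordlist. Any address that comes back is a wildcard answer, not a host.
wildcard_ips() {
    _domain=$1
    _label=$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 20)
    dig +short A "${_label}.${_domain}" | join_ips
}

# run_dnsmap DOMAIN CSVFILE: run dnsmap against DOMAIN, writing results to
# CSVFILE and excluding wildcard IPs when the zone has them.
run_dnsmap() {
    _domain=$1
    _csv=$2
    _ignore=$(wildcard_ips "$_domain")
    if [ -n "$_ignore" ]; then
        echo "[*] wildcard DNS on $_domain answers with $_ignore; passing to -i" >&2
        dnsmap "$_domain" -i "$_ignore" -c "$_csv"
    else
        dnsmap "$_domain" -c "$_csv"
    fi
}

# Usage: sh wildcard_dnsmap.sh example.com results.csv
# Nothing runs when the script is sourced or called without arguments.
if [ -n "${1:-}" ]; then
    run_dnsmap "$1" "${2:-results.csv}"
fi
```

Fed constructed resolver output of 192.0.2.10, a CNAME target, 192.0.2.11 and a repeated 192.0.2.10, join_ips yields 192.0.2.10,192.0.2.11, which is exactly what -i accepts. The random label is generated per run so that a cached answer for a fixed "nonexistent" name cannot skew the check. If the target's name servers rate-limit or the engagement requires a quieter scan, add -d with a larger delay in milliseconds to the dnsmap invocation.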
By understanding and using the above examples of the dnsmap command, users can effectively scan domains for subdomains, customize the wordlist, store results in a CSV file, and avoid false-positive IPs. These commands and options give users flexibility and control over the subdomain enumeration process, helping them gain better insights into their target domains.