A tool written in golang to perform permutations, mutations and alteration of subdomains and brute force the result.
I'm doing some work on automatization for bug bounty, and I found myself needing something to brute force for new subdomains using these techniques.
Doing some research I found altdns, a tool that does what I need but written in python.
Speed is everything in bug bounty, usually, you have many subdomains to scan so I put myself in the task of writing a new tool that did the same as altdns but focused on speed and adding some improvements to the complete process.
The main subdomain is a.b.com from a word list, where you have for example the word stage, dmut will generate and try for a positive response:
- stagea.b.com
- astage.b.com
- stage.a.b.com
- a.stage.b.com
- stage-a.b.com
- a-stage.b.com
To get the best from dmut, you need a DNS server list.
Using dnsFaster, I have created a github action to run this tool again a public list generated from (https://public-dns.info/nameserver/us.txt).
this action runs one time a day and update the repo automatically.
You can download this list from the repo dmut-resolvers or running dmut with the flag --update-dnslist to update your local copy.
dmut --update-dnslist
and the new list would be saved to /~/.dmut/resolvers.txt
it's really important to have your list in the best shape possible. The resolution times varied from one DNS server to another, you have some server doing DNS hijacking for some domains or responding with errors after several connections. Be careful and take your time to test your list.
dmut is significantly much faster than his python brother.
I did some tests to compare his speed using the same options and an accurate DNS server list.
root@dnsMaster# time python3 altdns.py -i list.txt -o data_output -r -w words.txt -t 100 -f /root/.dmut/resolvers.txt -s results.txt
...
real 9m44.712s
user 7m7.741s
sys 1m6.288s
root@dnsMaster# wc -l results.txt
55
root@dnsMaster# time cat list.txt | dmut -w 100 -d words.txt --dns-retries 3 -o results.txt -s /root/.dmut/resolvers.txt --dns-errorLimit 50 --dns-timeout 350 --show-stats
...
real 5m31.318s
user 1m4.024s
sys 0m41.876s
root@dnsMaster# wc -l results.txt
55
If you run the same test but using a default DNS server list downloaded from public-dns.info, the difference is just too much. Here is where the anti-hijacking, found confirmations, DNS timeout and extra checks come to play in favor of dmut.
root@dnsMaster# time python3 altdns.py -i list.txt -o data_output -r -w words.txt -t 100 -f dnsinfo-list.txt -s results.txt
...
real 112m6.295s
user 8m17.104s
sys 1m14.583s
cat list.txt | ./dmut-binary -w 100 -d words.txt --dns-retries 3 -o results.txt -s dnsinfo-list.txt --dns-errorLimit 10 --dns-timeout 300 --show-stats
real 8m21.627s
user 1m14.191s
sys 0m48.982s
just wow!
Install is quick and clean
go get -u github.com/bp0lr/dmut
You need a mutations list to make dmut works.
You can use my list downloading the file from here
dmut -u "test.example.com" -d mutations.txt -w 100 --dns-timeout 300 --dns-retries 5 --dns-errorLimit 25 --show-stats -o results.txt
this will run dmut again test.example.com, using the word list mutations.txt, using 100 workers, having a DNS timeout of 300ms and 5 retries for each error. If a DNS server reaches 25 errors, this server is blacklisted and not used again.
Show stats add some verbose to the process.
If we found something would be saved to results.txt
cat subdomainList.txt | dmut -d mutations.txt -w 100 --dns-timeout 300 --dns-retries 5 --dns-errorLimit 25 --show-stats -o results.txt
the same but using a subdomain list.
Usage of dmut:
-d, --dictionary string Dictionary file containing mutation list
--dns-errorLimit int How many errors until we the DNS is disabled (default 25)
--dns-retries int Amount of retries for failed dns queries (default 3)
--dns-timeout int Dns Server timeOut in millisecond (default 500)
-s, --dnsFile string Use DNS servers from this file
-l, --dnsServers string Use DNS servers from a list separated by ,
-o, --output string Output file to save the results to
--save-gen save generated permutations to a file and exit
--save-to save generated permutations to this location
--show-ip Display info for valid results
--show-stats Display stats about the current job
--update-dnslist Download a list of periodically validated public DNS resolvers
--update-files Download all the default files to work with dmut. (default mutation list, resolvers, etc)
-u, --url string Target URL
--use-pb use a progress bar
-v, --verbose Add verboicity to the process
-w, --workers int Number of workers (default 25)
--disable-addnumbers Disable add numbers generation
--disable-addseparator Disable add separator generation
--disable-permutations Disable permutations generation
dmut will test each subdomain for wildcards, requesting a not supposed to exist subdomain.
If we get a positive response the job will be ignored.
Everyone is encouraged to contribute to dmut by forking the Github repository and making a pull request or opening an issue.
altdns was originaly created by infosec-au and can be found here (https://github.com/infosec-au/altdns)
Looks like the project was abandoned at some point, so I had forked and did my own version with some improvements. (https://github.com/bp0lr/altdns)
I want to thank infosec-au because his work was my inspiration for dmut.