Everyone has their list of hostnames they brute force domains with. In my last post I even mentioned a few ways to use one with XARGS or PARALLEL. But one fact about wordlist brute forcing is that there is no “one list to rule them all”. But over the years of doing DNS record collection I have noticed one thing, most domains have a large number of short hostnames that are easy to remember, usually 4 characters or less.
I’m sure you already know where I’m going with this, I wanted to brute force all possible hostnames up to 4 characters. For a long time I struggled with coding this, but couldn’t wrap my head around it. I would come back to it every so often, finally a few days ago I happened upon a script on gist: https://gist.github.com/petehamilton/4755855 that suited my needs perfectly.
I modified it to suite my needs (just use the yield method) and here is what I ended up with (remember DNS is case insensitive):
Notice: This script doesn’t end, it will keep doing lookups on longer and longer hostnames until you hit CTRL-C
c.microsoft.com. 2 IN CNAME c.microsoft.akadns.net.
c.microsoft.akadns.net. 499 IN A 184.108.40.206
e.microsoft.com. 3599 IN A 220.127.116.11
g.microsoft.com. 2798 IN CNAME g.msn.com.
g.msn.com. 99 IN CNAME g.msn.com.nsatc.net.
g.msn.com.nsatc.net. 148 IN A 18.104.22.168
i.microsoft.com. 779 IN CNAME i.toggle.www.ms.akadns.net.
i.toggle.www.ms.akadns.net. 44 IN CNAME i.g.www.ms.akadns.net.
i.g.www.ms.akadns.net. 225 IN CNAME i.microsoft.com.edgesuite.net.
i.microsoft.com.edgesuite.net. 116 IN CNAME a1475.g.akamai.net.
a1475.g.akamai.net. 16 IN A 22.214.171.124
a1475.g.akamai.net. 16 IN A 126.96.36.199
m.microsoft.com. 3599 IN CNAME origin.mobile.ms.akadns.net.
origin.mobile.ms.akadns.net. 299 IN A 188.8.131.52
s.microsoft.com. 3599 IN CNAME reroute.microsoft.com.
reroute.microsoft.com. 3599 IN A 184.108.40.206
reroute.microsoft.com. 3599 IN A 220.127.116.11
cs.microsoft.com. 81 IN CNAME wedcs.trafficmanager.net.
wedcs.trafficmanager.net. 7 IN CNAME wedcseus.cloudapp.net.
wedcseus.cloudapp.net. 8 IN A 18.104.22.168
Happy bruting. Both scripts can be found on my gists page: