Tools like subfinder or amass are excellent at enumerating known subdomains from public records (certificate transparency logs, passive DNS, search engines), but they can only return names that have already been observed somewhere public. They therefore often miss "hidden" environments such as development servers or internal staging areas that were never linked, certified, or indexed. This is where altdns becomes an essential part of the reconnaissance toolkit.
What is Altdns?
Altdns is an open-source DNS reconnaissance tool designed to discover subdomains that follow predictable naming patterns. Unlike tools that rely solely on existing lists or search-engine scraping, Altdns uses permutation scanning: it takes a list of subdomains you already know (e.g., dev.example.com, api.example.com) and systematically mutates them to predict others that are likely to exist, then checks whether they do.
How It Works: Permutations and Mutations
The core of Altdns is its ability to generate thousands of candidate subdomains from common organisational naming conventions. It operates through three primary mechanisms:
- Word Insertion: Given a wordlist containing terms like "test," "qa," or "staging," Altdns inserts each word into your known subdomains, either joined to an existing label with a hyphen or added as a new label. For instance, api.example.com might become api-test.example.com or test.api.example.com.
- Alterations: It swaps existing labels for words from your list. If the tool sees dev.example.com, it will also try prod.example.com and staging.example.com.
- Number Suffixing: Organisations often number their servers (e.g., web01, web02). With the -n flag, Altdns appends numeric suffixes to known labels to find these incremental assets.
From Generation to Resolution
Generating hundreds of thousands of candidate subdomains is only half the job; the tool must then verify which of them actually exist. Altdns includes a built-in multi-threaded resolver (activated with the -r flag, thread count set with -t, and an explicit DNS server with -d) that checks the generated list against DNS in bulk. If a guessed name returns an IP address, it is flagged as a discovery and written to the file named with -s. One caveat a practitioner should check first: if the target zone has a wildcard record, every guess will resolve to the same address. Resolve a random, obviously bogus label before trusting the results, and discard any hit that returns the wildcard IP.
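The following is an added example, not altdns's own code, that implements the three permutation mechanisms described above and the resolve step, with a wildcard-DNS check before hits are trusted. The hostnames, wordlist and the FAKE_ZONE records are constructed so the example runs offline; swap in `system_resolver` (the OS stub resolver) to run it against a real apex.

```python
"""Added example (not altdns's own code): an altdns-style permutation generator
plus a multi-threaded resolver with a wildcard-DNS check. The three mechanisms
mirror the text: word insertion, label alteration, number suffixing."""
import secrets
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, List, Optional, Set

ResolveFn = Callable[[str], Optional[str]]  # hostname -> IP, or None if it does not resolve


def _rejoin(labels: List[str], i: int, new: str, apex: str) -> str:
    """Replace labels[i] with `new` and rebuild the FQDN under apex."""
    return ".".join(labels[:i] + [new] + labels[i + 1:]) + "." + apex


def permute(known: Iterable[str], words: Iterable[str], apex: str, numbers: bool = True) -> Set[str]:
    """Generate candidate hostnames from known subdomains and a wordlist (the -i / -w / -n inputs)."""
    known = [h.strip().lower() for h in known if h.strip()]
    words = [w.strip().lower() for w in words if w.strip()]
    suffix = "." + apex
    out: Set[str] = set()
    for host in known:
        if not host.endswith(suffix):
            continue  # out of scope for this apex
        labels = host[: -len(suffix)].split(".")
        for word in words:
            # 1. Word insertion: as a brand-new label at every depth ...
            for i in range(len(labels) + 1):
                out.add(".".join(labels[:i] + [word] + labels[i:]) + suffix)
            # ... and glued onto each existing label (api -> api-test, test-api, apitest, testapi).
            for i, label in enumerate(labels):
                for new in (f"{word}-{label}", f"{label}-{word}", f"{word}{label}", f"{label}{word}"):
                    out.add(_rejoin(labels, i, new, apex))
            # 2. Alteration: swap an existing label for the word (dev -> staging).
            for i in range(len(labels)):
                out.add(_rejoin(labels, i, word, apex))
        # 3. Number suffixing: web01 -> web2, web02, web-2 ... (strip existing digits first).
        if numbers:
            for i, label in enumerate(labels):
                base = label.rstrip("0123456789")
                if not base:
                    continue
                for n in range(1, 10):
                    for new in (f"{base}{n}", f"{base}0{n}", f"{base}-{n}"):
                        out.add(_rejoin(labels, i, new, apex))
    out.difference_update(known)  # drop the names we started with; only new ones are interesting
    return out


def wildcard_ips(apex: str, resolve: ResolveFn, probes: int = 3) -> Set[str]:
    """If random labels resolve, the zone has a wildcard record: those IPs are noise, not finds."""
    return {ip for ip in (resolve(f"{secrets.token_hex(8)}.{apex}") for _ in range(probes)) if ip}


def resolve_candidates(candidates: Iterable[str], resolve: ResolveFn,
                       wildcard: Iterable[str] = (), workers: int = 32) -> Dict[str, str]:
    """Resolve candidates concurrently (the -r / -t step); return {host: ip} for non-wildcard hits."""
    noise = set(wildcard)
    cands = sorted(set(candidates))
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(resolve, cands))
    return {h: ip for h, ip in zip(cands, results) if ip and ip not in noise}


def system_resolver(host: str) -> Optional[str]:
    """Real resolver through the OS stub resolver; None on NXDOMAIN or lookup failure."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


# Constructed zone so the demo runs offline; use system_resolver for a real target.
FAKE_ZONE = {
    "dev.example.com": "10.0.0.5",
    "api.example.com": "10.0.0.6",
    "api-test.example.com": "10.0.0.7",
    "staging.example.com": "10.0.0.8",
    "web02.example.com": "10.0.0.9",
}


def fake_resolver(host: str) -> Optional[str]:
    return FAKE_ZONE.get(host)


def run(known: List[str], words: List[str], apex: str, resolve: ResolveFn = fake_resolver) -> Dict[str, str]:
    """Full pass: permute, probe for wildcard DNS, resolve, and report only newly found hosts."""
    candidates = permute(known, words, apex)
    return resolve_candidates(candidates, resolve, wildcard=wildcard_ips(apex, resolve))


if __name__ == "__main__":
    hits = run(["dev.example.com", "api.example.com", "web01.example.com"],
               ["test", "qa", "staging", "prod"], "example.com")
    for host, ip in sorted(hits.items()):
        print(f"{host} -> {ip}")
```

With the constructed zone, the run reports api-test.example.com (insertion), staging.example.com (alteration) and web02.example.com (number suffix), while dev.example.com and api.example.com are dropped because they were already known. Against a zone with a wildcard record, every candidate resolves to the same address, and the wildcard probe causes all of them to be discarded rather than reported as discoveries.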
Altdns represents a shift from passive discovery to active pattern-based guessing. Many of the most exposed assets in an organisation are those that were never intended to be public, such as a forgotten dev-backup.example.com that still runs an old build with default credentials. Altdns surfaces these low-hanging-fruit assets that passive enumeration never sees, so they can then be assessed like any other host in scope.
Quick Start Guide
To use Altdns effectively, you typically follow this workflow:
- Input: Provide a list of known subdomains (-i) and a wordlist of common terms (-w); add -n to also generate numbered variants.
- Execute: Run the tool to generate the permutations (written to the -o file) and, with -r, resolve them.
- Analyze: Review the resolved output file (-s) for new, valid subdomains that were previously unknown, and discard any that merely match a wildcard record.
Further Reading & Citations
- Official Repository: infosec-au. (2017). Altdns: Subdomain discovery through alterations and permutations. GitHub. https://github.com/infosec-au/altdns
- Documentation: Kali Linux Tools. (2024). altdns Usage and Documentation. https://www.kali.org/tools/altdns/
- Methodology: GeeksforGeeks. (2023). Altdns – Subdomain discovery through alterations and permutations. https://www.geeksforgeeks.org/linux-unix/altdns-subdomain-discovery-through-alterations-and-permutations/
- Industry Insight: Shell, S. (2021). Recon Rundown: Find More Subdomains using Permutations. https://www.sshell.co/finding-subdomain-permutations/
