New improved subdomain discovery with 3x wordlist
Alexander MatssonProduct Manager
Description:
We have improved how we run active subdomain discovery, including brute-forcing. We are now running it recursively on existing subdomains to find nested domains (such as subdomains below subdomains below subdomains), and we have extended the wordlist with more than three times the number of words. To easily cope with this new, increased number of words, we run these in an explorative manner over time. This means we can find more uncommon subdomains over days, weeks, and months, allowing more obscure assets to be found the longer Surface Monitoring runs.
To run correctly, active subdomain discovery now also requires enabling passive subdomain discovery, which includes sources such as search engines, certificate transparency logs, DNS databases, etc.
Key improvements:
- 3x the amount of words in the brute-forcing wordlist to find even more uncommon subdomains. These are explored over time to ensure low impact, allowing us to find more obscure assets the longer Surface Monitoring runs
- Recursive brute-forcing allows us to identify subdomains under subdomains more effectively.
- Active subdomain discovery (incl. brute-forcing) now requires passive subdomain discovery (incl. scraping) to run.
