Nmap can brute-force DNS subdomains using its scripting engine, and the real magic is how it leverages the DNS protocol’s inherent discoverability to map out your attack surface without needing special access or elevated privileges.
Let’s see it in action. Imagine you have a target domain, example.com, and you want to find its subdomains. You’d typically use tools like dnsrecon or subfinder. Nmap, however, can do this directly. We’ll use the dns-brute script.
nmap --script dns-brute --script-args dns-brute.domain=example.com -p 53
Here’s what’s happening:
--script dns-brute: tells Nmap to load and run the dns-brute script.
--script-args dns-brute.domain=example.com: passes an argument to the script, specifying the target domain. The dns-brute script is designed to perform brute-force subdomain enumeration.
-p 53: explicitly targets port 53, the standard DNS port, on the name servers associated with example.com. Nmap, by default, will try to discover the authoritative name servers for the domain and then attempt to query them.
Nmap’s dns-brute script works by using a dictionary of common subdomain names (like www, mail, ftp, dev, staging, api, etc.) and attempting to resolve each one against the authoritative DNS servers for the target domain. If a subdomain resolves to an IP address, the script reports it as found.
The power here comes from Nmap’s ability to first discover the authoritative name servers for a domain. It does this by querying the root DNS servers for the NS (Name Server) records of your target domain. Once it has the list of authoritative servers, it then proceeds with the brute-force dictionary attack against those specific servers, making the process more targeted and efficient than simply querying a public DNS resolver with a massive list of potential subdomains.
The dns-brute script isn’t just a simple dictionary lookup; it intelligently queries the authoritative servers. If a server responds with an NXDOMAIN (Non-Existent Domain) error, the script knows that subdomain isn’t there. If it gets an IP address, it knows it’s found something. This interaction with the DNS protocol itself is key.
The dictionary used by dns-brute is typically found within the Nmap installation directory, often in a scripts/script_data subdirectory, and it contains thousands of common subdomain names. You can even provide your own custom wordlist to the script for more targeted enumeration if you have specific suspicions or a more specialized dictionary.
nmap --script dns-brute --script-args dns-brute.domain=example.com,dns-brute.hostlist=/path/to/my/custom/wordlist.txt -p 53
This command replaces the default dictionary with your custom list (dns-brute.hostlist is the script's argument for the wordlist file). There is no separate script argument for appending a list to the default one, so if you want both, concatenate the default file and your own list into one file and pass that. For most practical purposes, a single combined list is sufficient.
The script also has options to control the number of concurrent requests and the delay between them, helping to avoid overwhelming the DNS servers or triggering rate-limiting.
nmap --script dns-brute --script-args dns-brute.domain=example.com,dns-brute.threads=20 -p 53
Here, dns-brute.threads=20 increases the parallelism. Be cautious with this; too many threads can lead to detection or instability.
It’s important to remember that this script relies on the DNS servers being configured to respond to queries for non-existent subdomains in a predictable way. Some DNS servers might be configured to return a generic response or even refuse queries from unknown sources, which could impact the effectiveness of the brute-force. Also, this method only finds subdomains that have an A, AAAA, or CNAME record. Other record types (like MX for mail servers) would require different Nmap scripts.
The most surprising thing about using Nmap for DNS enumeration is how it integrates this capability as just another script in its vast arsenal, treating it with the same procedural rigor as a port scan or vulnerability check, rather than being a standalone, dedicated DNS enumeration tool. It leverages the underlying DNS protocol’s query mechanisms and response patterns to infer the existence of subdomains, essentially treating DNS lookups as a form of network service interaction.
The dns-brute script’s efficiency is further enhanced by its ability to cache results. If it queries a name server and receives a specific response, it stores that information. This means that if it later encounters the same subdomain query (which can happen if multiple authoritative servers are queried or if the script retries), it can immediately provide the cached result without re-querying the DNS server. This caching mechanism is crucial for performance, especially when dealing with domains that have a large number of authoritative name servers or when the script needs to retry queries due to network latency.
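Added example, not Nmap's own NSE code: a Python sketch of the loop described above (dictionary of labels, one query per candidate, NXDOMAIN means absent, any A/AAAA/CNAME answer means found), with the per-name cache from the previous paragraph and a check for the "generic response" case noted earlier. The authoritative server is replaced by a constructed in-memory zone so the script runs offline; SAMPLE_ZONE and fake_authoritative_lookup are assumptions for the demo.

```python
import random
import string
from typing import Callable, Dict, Optional, Tuple

Record = Optional[Tuple[str, str]]          # (type, value) or None for NXDOMAIN
Resolver = Callable[[str], Record]

# Constructed sample zone for example.com (not real data); a missing label
# stands in for an NXDOMAIN answer from the authoritative server.
SAMPLE_ZONE: Dict[str, Tuple[str, str]] = {
    "www": ("A", "192.0.2.10"),
    "mail": ("A", "192.0.2.25"),
    "api": ("CNAME", "www.example.com"),
    "ipv6": ("AAAA", "2001:db8::1"),
}


def fake_authoritative_lookup(name: str) -> Record:
    """Stand-in for a query to example.com's authoritative name server."""
    return SAMPLE_ZONE.get(name.removesuffix(".example.com"))


def has_catch_all(domain: str, resolve: Resolver) -> bool:
    """Detect the generic-response case: if a random label resolves, the
    zone answers for everything and every brute-force hit is suspect."""
    junk = "".join(random.choices(string.ascii_lowercase, k=24))
    return resolve(f"{junk}.{domain}") is not None


def brute_force(domain: str, wordlist, resolve: Resolver,
                cache: Optional[Dict[str, Record]] = None) -> Dict[str, Tuple[str, str]]:
    """Try each label under domain; return {fqdn: (type, value)} for those that
    resolve. Names already in cache are not queried again (duplicates, retries)."""
    cache = {} if cache is None else cache
    found: Dict[str, Tuple[str, str]] = {}
    for word in wordlist:
        fqdn = f"{word}.{domain}"
        if fqdn not in cache:               # only hit the server once per name
            cache[fqdn] = resolve(fqdn)
        if cache[fqdn] is not None:          # NXDOMAIN -> None -> skip
            found[fqdn] = cache[fqdn]
    return found


if __name__ == "__main__":
    words = ["www", "mail", "ftp", "dev", "api", "ipv6", "www"]
    if has_catch_all("example.com", fake_authoritative_lookup):
        print("catch-all zone: treat every hit as unverified")
    for host, (rtype, value) in brute_force("example.com", words, fake_authoritative_lookup).items():
        print(f"{host}\t{rtype}\t{value}")
```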
The next logical step after discovering subdomains is to probe them for open ports and running services.