Using Certificate Transparency for DNS Enumeration

During the pentesting class I recently took as I’m working towards my master’s degree, we were tasked with running DNS enumeration on website domains and reporting the results. I used a few of the popular brute-force tools which took a little while to run. Since I work primarily on websites for work, I’ve used certificate transparency to audit certificates being issued for our domains.

Combining both of these, I wrote a small tool which uses the python dns library and attempts to enumerate all dns records for domains in a wordlist and domains pulled directly from certificate transparency logs. I figured that domains from CT logs would have a much higher rate of being accurate and yield results much quicker.

It works in a fairly standard manner. You give it a domain (and optionally a wordlist), and it enumerates all record types that it can. For example, running it altoromutual (a site vulnerable that’s by design for use with testing security tools). This tool doesn’t connect to the target site in any way.

python3 dn-recon.py -d altoromutual.com --discover

 ______  __   _      ______ _______ _______  _____  __   _
 |     \ | \  | ___ |_____/ |______ |       |     | | \  |
 |_____/ |  \_|     |    \_ |______ |_____  |_____| |  \_|

initial target: altoromutual.com
loaded 2 from certificate transparency
got 1 domains to explore
altoromutual.com A: 65.61.137.117
altoromutual.com NS: eur5.akam.net.
altoromutual.com NS: ns1-206.akam.net.
altoromutual.com NS: eur2.akam.net.
altoromutual.com NS: usc3.akam.net.
altoromutual.com NS: usw2.akam.net.
altoromutual.com NS: ns1-99.akam.net.
altoromutual.com NS: asia3.akam.net.
altoromutual.com NS: usc2.akam.net.
altoromutual.com SOA: asia3.akam.net. hostmaster.akamai.com. 1368446078 43200 7200 604800 86400
altoromutual.com TXT: "v=spf1 mx/24 -all"
111

Visit the project on Github

Change Log

  • 2022-10-25 - Initial Revision

Found a typo or technical problem? file an issue!