Mastering DNS Brute Force Attacks with DNSmap

Exploit and shellcode Course

Brute Force on a domain name for the subdomain

Brute force attacks on DNS name to find out subdomains or domain suggestions, and it checks domain status and DNS records. Before start learning about dnsmap you should know what is domain name server and subdomain? Domain name system is a server which resolves dns name query into Ip Address and vice versa IP address to domain name. Most DNS servers have two-part primary DNS and secondary DNS. A subdomain is a domain related to a domain like is a subdomain of

dnsmap Overview

dnsmap was originally released back in 2006 and was inspired by the fictional story “The Thief No One Saw” by Paul Craig, which can be found in the book “Stealing the Network – How to 0wn the Box”.

dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target company’s IP netblocks, domain names, phone numbers, etc …

Subdomain brute-forcing is another technique that should be used in the enumeration stage, as it’s especially useful when other domain enumeration techniques such as zone transfers don’t work (I rarely see zone transfers being publicly allowed these days by the way).


Key features of DNSMAP Tool

  • Obtain all A records (i.e. IP addresses) associated with each successfully brute-forced subdomain, rather than just one IP address per subdomain.
  • Abort the brute-forcing process in case the target domain uses wildcards.
  • Ability to be able to run the tool without providing a word list by using a built-in list of keywords.
  • Brute forcing by using a user-supplied word list (as opposed to the built-in word list).
  • Saving the results in human-readable and CSV format for easy processing.
  • Improved built-in subdomains wordlist.
  • New bash script ( included which allows running Dnsmap against a list of domains from a user-supplied file. i.e.: brute-forcing several domains in a bulk fashion.
  • Bypassing of signature-based Dnsmap detection by generating a proper pseudo-random sub domain when checking for wildcards (Unique Feature).

What finds after using dnsmap?

 1. Finding interesting remote access servers. 2. Finding badly configured and/or unpatched servers. 3. Finding new domain names which will allow you to map non-obvious/hard-to-find net blocks. 4. Sometimes you find that some brute forced sub domains resolve to internal IP addresses (RFC 1918). This is great as sometimes they are real up-to-date “A” records which means that it *is* possible to enumerate internal servers of a target organization from the Internet by only using standard DNS resolving (as opposed to zone transfers for instance). 5. Discover embedded devices configured using Dynamic DNS services.

Dnsmap Usage Example

See included packages in dnsmap by run following command


scan domain name ( for sub domain and see the result by executing following command

Scan using a wordlist (-w /usr/share/wordlists/dnsmap.txt)

#dnsmap -w /usr/share/wordlists/dnsmap.txt

MODULE 4:- Information Gathering

  1. How to use dnsenum for dns enumeration – Kali
  2. How to use dig command in Kali Linux
  3. whois Kali Linux commands with example
  4. Enumerating DNS Records through dnsenum tool in Kali Linux
  5. Email Harvesting by theharvester tool in Kali Linux
  6. Google Hacking | Open Web Information Gathering
  7. dnsmap | DNS Domain name system brute force attacks
  8. Zone Transfer using dnswalk tool
  9. Website information Gathering through Nikto tool
  10. Search Senstive Data through Metagoofil Kali Linux 2.0
  11. 8 Steps to run Maltego Kali Linux – beginner guide

If you like our content, please consider buying us a coffee.
Thank you for your support!

Leave a Reply

Your email address will not be published. Required fields are marked *