Blog
-

6 min read

Introducing Alterx: Efficient Active Subdomain Enumeration with Patterns

Vulnerability Management
Introducing Alterx: Efficient Active Subdomain Enumeration with Patterns

Share

What is Alterx ?

Alterx is a Fast and Customizable subdomain wordlist generator using patterns. alterx fits in the active subdomain enumeration pipeline, which involves creating a wordlist using permutations of passive subdomain enumeration results. Instead of hardcoding patterns in the tool itself, alterx uses a set of patterns that users can customize. This makes alterx more efficient and effective than other existing tools. To understand alterx better, we need to know what active subdomain enumeration is and is it worth it ??

Active Subdomain Enumeration

Active Subdomain Enumeration is usually a second step in subdomain enumeration, where we find subdomains of a particular target/domain by actively interacting with target. Which usually involves brute-forcing a domain (ex: scanme.sh) with a wordlist containing subdomain prefixes (ex: blog, admin, dashboard, etc.). Tools like dnsx, puredns, etc., can be used for this purpose.

Is Active Subdomain Enumeration Worth it?

Many people (Including me in the past) are conflicted about including active subdomain enumeration in their recon pipeline. This is primarily due to the following reasons

  • It is too noisy
  • We hardly get results
  • It takes so much time to brute force, etc

While they are not entirely wrong, they miss out on some juicy/important subdomains which are less likely to be reflected in passive subdomain enumeration. And most prominent reason for this is wildcard SSL certificates. It is not widely known, but SSL Certificates (CT Logs) are one of the most important source used by passive subdomain enumeration sources. And this is the reason why active subdomain enumeration becomes essential. Let's understand this with an example.

Why Alterx ?

Since Active Subdomain Enumeration is essential, There are two ways to do it.

  1. Bruteforce Subdomains with a default Wordlist (ex: dns-Jhaddix.txt)
  2. Generate a wordlist specific to that target/organization by generating permutations of passive subdomain enum results.

And we can quickly tell that 2nd method has a higher probability than 1st one, but that doesn't mean 1st method is not needed. On the contrary, it is good practice to use both methods.

There are a lot of tools to generate subdomain permutations ex: gotator, altdns, goaltdns, regulator, and others, but what makes alterx different is its unique features.

Write Custom Patterns

Most of the existing tools have hardcoded patterns. i.e., the pattern/strategy of how permutations are generated is hard coded. If a target/Organization follows a specific convention, it is not possible to customize those tools unless one writes his script/logic.

cli

1
// Consider a target returns following results from passive sub enum
2
auth.scanme.sh
3
auth-private.scanme.sh
4
auth-secure.scanme.sh
5
auth-staging.scanme.sh

One can tell by looking at the above domains that it follows a specific pattern, and this can be represented in alterx DSL as {{sub}}-{{word}}.{{suffix}}.
Users can generate permutations following the above pattern using below bash one-liner for all passive subdomain enum results.

While this is a simple pattern that almost all tools utilize, users can find such patterns out there. Since there is no fixed method to name subdomains, It usually depends on the person registering/ hosting subdomains, but they, too, knowingly/unknowingly follow a pattern. This makes alterx powerful because now users can generate complex patterns with a simple syntax and obtain a finite wordlist that is more likely to return results effectively and efficiently.

alterx also provides a default but customizable set of patterns along with payloads based on widely known/used patterns that are updated regularly

yaml

1
patterns:
2
  # Dash based patterns ex: api-dev.scanme.sh
3
  - "{{word}}-{{sub}}.{{suffix}}" # dev-api
4
  - "{{sub}}-{{word}}.{{suffix}}" # api-dev
5
  # Dot based patterns ex: dev.api.scanme.sh
6
  - "{{word}}.{{sub}}.{{suffix}}"
7
  - "{{sub}}.{{word}}.{{suffix}}"
8
  # Iteration based
9
  - "{{sub}}{{number}}.{{suffix}}"
10
  # replace current subdomain name
11
  - "{{word}}.{{suffix}}"
12
  # No Seperator (ex: devtest.scanme.sh)
13
  - "{{sub}}{{word}}.{{suffix}}"
14
  # add region perfix
15
  - "{{region}}.{{sub}}.{{suffix}}"
16
  # clusterbomb words and numbers
17
  # - "{{word}}{{number}}.{{suffix}}"

Target aware permutations

Alterx has a flag -en , -enrich, which enriches payloads by extracting alphanumeric & numeric words and adding them to specific payloads. Ex: If the below subdomains are given as input to alterx, it extracts words like staging,qa, managed and adds them to {{word}} values
By doing this, alterx returns more contextual results which are likely to exist.

cli

1
qa.scanme.sh
2
managed.scanme.sh
3
qa-staging.scanme.sh

Active Filtering of duplicated payloads

When generating permutations it is likely that the user comes across a situation where the value of {{word}} is already present in the input.
Ex: If input is api.scanme.sh and wordlist mywords.txt contains word api. It may generate results like

cli

1
api-api.scanme.sh
2
api.api.scanme.sh
3
apiapi.scanme.sh

alterx detects such highly unlikely subdomains and avoids creating them by default.

Other Features of Alterx

  • Automatic Deduplication
  • Estimate results of a pattern without generating results
  • Limit output payloads with -limit flag
  • Support for Custom permutation config file with -ac
  • Override payloads of specific variable (ex: {{word}}) -pp "word=mywords.txt"
  • Update Check & Self Update flag

Installing Alterx

Primarily there are 4 ways to install alterx

  • Install from source using go

bash

1
$ go install -v github.com/projectdiscovery/alterx/cmd/alterx@latest

bash

1
$ pdtm -i alterx
  • Install using Docker

bash

1
$ docker pull projectdiscovery/alterx:latest

Navigating through Alterx

  • Getting Help

alterx -h command display alterx help page which contains all flags and description of each flag

Alterx Input

Alterx accepts any valid urls , hostnames , FQDN as input

Run Alterx with stdin input

  • Run Alterx with Input from File
  • Realtime Estimations with -es flag

How to write custom patterns?

Alterx DSL is almost similar to nuclei-template variables, where each part of a specific domain (input) is represented using a variable, and Users can use these variables to write their own patterns

Q: Suppose User wants to add suffix -2023 for each input given to alterx.
Ex: Input is api.scanme.sh and the user expects api-2023.scanme.sh

A: By referring to the above default variables table, we can represent the required output in the following DSL format (aka pattern) {{sub}}-{{year}}.{{suffix}}
And we can run it by passing pattern as input to -p flag as shown in below figure

Adding Alterx to pipeline

Since alterx supports stdin input like all other pd tools it can be chained with subfinder & dnsx as shown in below image

While testing above command we found 44 unique subdomains which were not present in passive subdomain enumeration results

Spoiler Alert:

While alterx is primarily developed for generating permutations due to DSL and variables, it can be used for other purposes Ex:

Horizontal Enumeration Using Crt.sh

PS: we are also working on adding some cool features to alterx check it out here

Conclusion

In conclusion, Alterx is a powerful tool for active subdomain enumeration that offers significant benefits over traditional brute-force methods due to customizable patterns and other features. alterx pattern-based approach returns minimal results without missing out on any potential subdomains, which makes it more efficient and effective than traditional blind permutations which return results in Millions and may not be that efficient to bruteforce them.

For More Information and queries checkout alterx github repository