Using the Bing Web hostname enumerator module, we will try to find additional subdomains on the https://www.facebook.com/ website:
- First you need to load the module using the load recon/domains-hosts/bing_domain_web command. Next, enter the show info command that will display the information describing the module.
- The next step is to set the target domain in the SOURCE option. We will set it to facebook.com, as shown in the screenshot:
- When you are ready, use the run command to kick-off the module. The tool first queries a few domains, then it uses the (-) directive to remove already queried domains. Then it searches for additional domains once again. The biggest advantage here is speed. In addition to speed, the output is also stored in a database in plaintext. This can be used as an input to other tools such as Nmap, Metasploit, and Nessus. The output is shown in the following screenshot:
The DNS public suffix brute force module can be used to identify Top-level Domains (TLDs) and Second-level Domains (SLDs). Many product-based and service-based businesses have separate websites for each geographical region; you can use this brute force module to identify them. It uses the wordlist file from /usr/share/recon-ng/data/suffixes.txt to enumerate additional domains.