Learn about running AlterX with details om variables and examples
alterx
different from any other subdomain permutation tools like goaltdns
is its scripting
feature . alterx takes patterns as input and generates subdomain permutation wordlist based on that pattern similar to what nuclei does with fuzzing-templates .
What makes Active Subdomain Enumeration
difficult is the probability of finding a domain that actually exists. If finding possible subdomains is represented on a scale it should look something like
alterx
it is possible to create patterns based on results from passive subdomain enumeration
results which increases probability of finding a subdomain and feasibility to bruteforce them.
alterx
uses variable-like syntax similar to nuclei-templates. One can write their own patterns using these variables . when domains are passed as input alterx
evaluates input and extracts variables from it .
Variable | api.scanme.sh | admin.dev.scanme.sh | cloud.scanme.co.uk |
---|---|---|---|
{{sub}} | api | admin | cloud |
{{suffix}} | scanme.sh | dev.scanme.sh | scanme.co.uk |
{{tld}} | sh | sh | uk |
{{etld}} | - | - | co.uk |
Variable | api.scanme.sh | admin.dev.scanme.sh | cloud.scanme.co.uk |
---|---|---|---|
{{root}} | scanme.sh | scanme.sh | scanme.co.uk |
{{sub1}} | - | dev | - |
{{sub2}} | - | - | - |
template
that describes what type of patterns should alterx generate.
env
with values like prod
and dev
, then use it in patterns like {{env}}-{{word}}.{{suffix}}
to generate subdomains like prod-app.example.com
and dev-api.example.com
. This flexibility allows tailored subdomain list for unique testing scenarios and target environments.
Default pattern config file used for generation is stored in $HOME/.config/alterx/
directory, and custom config file can be also used using -ac
option.
tesla.com
yield us 10 additional NEW and valid subdomains resolved using dnsx.
-enrich
option can be used to populate known subdomains as world input to generate target aware permutations.
-pattern
CLI option.
-payload
CLI options.