Running AlterX
Learn about running AlterX with details on variables and examples
Basic Usage
For a detailed overview of AlterX options, visit the Usage page.
Why AlterX?
What differentiates alterx
from other subdomain permutation tools like goaltdns
is its scripting feature. AlterX accepts patterns as input and generates subdomain permutation wordlists based on these patterns—similar to how Nuclei works with fuzzing-templates.
Active Subdomain Enumeration is challenging due to the probability of finding actual existing domains. On a scale, this process can be visualized as:
Most subdomain permutation tools rely on hardcoded patterns, generating massive wordlists that may contain millions of subdomains—making bruteforcing with tools like dnsx
infeasible. With alterx
, you can create patterns based on results from passive subdomain enumeration, significantly increasing the chances of finding valid subdomains and making brute-forcing more efficient.
Variables
alterx
uses variable-like syntax similar to nuclei-templates. You can create custom patterns using these variables . when domains are passed as input alterx
evaluates input and extracts variables from it .
Basic Variables
Variable | api.scanme.sh | admin.dev.scanme.sh | cloud.scanme.co.uk |
---|---|---|---|
{{sub}} | api | admin | cloud |
{{suffix}} | scanme.sh | dev.scanme.sh | scanme.co.uk |
{{tld}} | sh | sh | uk |
{{etld}} | - | - | co.uk |
Advanced Variables
Variable | api.scanme.sh | admin.dev.scanme.sh | cloud.scanme.co.uk |
---|---|---|---|
{{root}} | scanme.sh | scanme.sh | scanme.co.uk |
{{sub1}} | - | dev | - |
{{sub2}} | - | - | - |
Patterns
In simple terms, a pattern is a template
that describes what type of permutations AlterX should generate.
You can find an example of a pattern configuration file here. This file is customizable based on your security assessments or penetration test requirements.
This configuration file generates subdomain permutations for security assessments or penetration tests using customizable patterns and dynamic payloads. Patterns include dash-based, dot-based, and others. Users can create custom payload sections, such as words, region identifiers, or numbers, to suit their specific needs.
For example, a user could define a new payload section env
with values like prod
and dev
, then use it in patterns like {{env}}-{{word}}.{{suffix}}
to generate subdomains like prod-app.example.com
and dev-api.example.com
. This flexibility allows tailored subdomain list for unique testing scenarios and target environments.
Default pattern config file used for generation is stored in $HOME/.config/alterx/
directory, and custom config file can be also used using -ac
option.
Examples
An example of running alterx on existing list of passive subdomains of tesla.com
yield us 10 additional NEW and valid subdomains resolved using dnsx.
Similarly -enrich
option can be used to populate known subdomains as world input to generate target aware permutations.
You can alter the default patterns at run time using -pattern
CLI option.
You can also overwrite existing variable values using the -payload
CLI options.
Explore other subdomain permutation tools that might integrate well with your workflow: