Learn about running AlterX with details on variables and examples
alterx
from other subdomain permutation tools like goaltdns
is its scripting feature. AlterX accepts patterns as input and generates subdomain permutation wordlists based on these patterns—similar to how Nuclei works with fuzzing-templates.
Active Subdomain Enumeration is challenging due to the probability of finding actual existing domains. On a scale, this process can be visualized as:
dnsx
infeasible. With alterx
, you can create patterns based on results from passive subdomain enumeration, significantly increasing the chances of finding valid subdomains and making brute-forcing more efficient.
alterx
uses variable-like syntax similar to nuclei-templates. You can create custom patterns using these variables . when domains are passed as input alterx
evaluates input and extracts variables from it .
Variable | api.scanme.sh | admin.dev.scanme.sh | cloud.scanme.co.uk |
---|---|---|---|
{{sub}} | api | admin | cloud |
{{suffix}} | scanme.sh | dev.scanme.sh | scanme.co.uk |
{{tld}} | sh | sh | uk |
{{etld}} | - | - | co.uk |
Variable | api.scanme.sh | admin.dev.scanme.sh | cloud.scanme.co.uk |
---|---|---|---|
{{root}} | scanme.sh | scanme.sh | scanme.co.uk |
{{sub1}} | - | dev | - |
{{sub2}} | - | - | - |
template
that describes what type of permutations AlterX should generate.
env
with values like prod
and dev
, then use it in patterns like {{env}}-{{word}}.{{suffix}}
to generate subdomains like prod-app.example.com
and dev-api.example.com
. This flexibility allows tailored subdomain list for unique testing scenarios and target environments.
Default pattern config file used for generation is stored in $HOME/.config/alterx/
directory, and custom config file can be also used using -ac
option.
tesla.com
yield us 10 additional NEW and valid subdomains resolved using dnsx.
-enrich
option can be used to populate known subdomains as world input to generate target aware permutations.
-pattern
CLI option.
-payload
CLI options.