AlterX
Features • Installation • Usage • Running AlterX • Join Discord
Fast and customizable subdomain wordlist generator using DSL.
Features
- Fast and Customizable
- Automatic word enrichment
- Pre-defined variables
- Configurable Patterns
- STDIN / List input
Installation
To install alterx, you need to have Golang 1.19 installed on your system. You can download Golang from here. After installing Golang, you can use the following command to install alterx:
go install github.com/projectdiscovery/alterx/cmd/alterx@latestHelp Menu
You can use the following command to see the available flags and options:
Fast and customizable subdomain wordlist generator using DSL.
Usage:
./alterx [flags]
Flags:
INPUT:
-l, -list string[] subdomains to use when creating permutations (stdin, comma-separated, file)
-p, -pattern string[] custom permutation patterns input to generate (comma-seperated, file)
-pp, -payload value custom payload pattern input to replace/use in key=value format (-pp 'word=words.txt')
OUTPUT:
-es, -estimate estimate permutation count without generating payloads
-o, -output string output file to write altered subdomain list
-ms, -max-size int Max export data size (kb, mb, gb, tb) (default mb)
-v, -verbose display verbose output
-silent display results only
-version display alterx version
CONFIG:
-config string alterx cli config file (default '$HOME/.config/alterx/config.yaml')
-en, -enrich enrich wordlist by extracting words from input
-ac string alterx permutation config file (default '$HOME/.config/alterx/permutation_v0.0.1.yaml')
-limit int limit the number of results to return (default 0)
UPDATE:
-up, -update update alterx to latest version
-duc, -disable-update-check disable automatic alterx update checkWhy alterx ??
what makes alterx different from any other subdomain permutation tools like goaltdns is its scripting feature . alterx takes patterns as input and generates subdomain permutation wordlist based on that pattern similar to what nuclei does with fuzzing-templates .
What makes Active Subdomain Enumeration difficult is the probability of finding a domain that actually exists. If finding possible subdomains is represented on a scale it should look something like
Using Wordlist < generate permutations with subdomains (goaltdns) < alterxAlmost all popular subdomain permutation tools have hardcoded patterns and when such tools are run they create wordlist which contain subdomains in Millions and this decreases the feasibility of bruteforcing them with tools like dnsx . There is no actual convention to name subdomains and usually depends on person registering the subdomain. with alterx it is possible to create patterns based on results from passive subdomain enumeration results which increases probability of finding a subdomain and feasibility to bruteforce them.
Variables
alterx uses variable-like syntax similar to nuclei-templates. One can write their own patterns using these variables . when domains are passed as input alterx evaluates input and extracts variables from it .
Basic / Common Variables
{{sub}} : subdomain prefix or left most part of a subdomain
{{suffix}} : everything except {{sub}} in subdomain name is suffix
{{tld}} : top level domain name (ex com,uk,in etc)
{{etld}} : also know as public suffix (ex co.uk , gov.in etc)| Variable | api.scanme.sh | admin.dev.scanme.sh | cloud.scanme.co.uk |
|---|---|---|---|
{{sub}} |
api |
admin |
cloud |
{{suffix}} |
scanme.sh |
dev.scanme.sh |
scanme.co.uk |
{{tld}} |
sh |
sh |
uk |
{{etld}} |
- |
- |
co.uk |
Advanced Variables
{{root}} : also known as eTLD+1 i.e only root domain (ex for api.scanme.sh => {{root}} is scanme.sh)
{{subN}} : here N is an integer (ex {{sub1}} , {{sub2}} etc) .
// {{subN}} is advanced variable which exists depending on input
// lets say there is a multi level domain cloud.nuclei.scanme.sh
// in this case {{sub}} = cloud and {{sub1}} = nuclei`| Variable | api.scanme.sh | admin.dev.scanme.sh | cloud.scanme.co.uk |
|---|---|---|---|
{{root}} |
scanme.sh |
scanme.sh |
scanme.co.uk |
{{sub1}} |
- |
dev |
- |
{{sub2}} |
- |
- |
- |
Patterns
pattern in simple terms can be considered as template that describes what type of patterns should alterx generate.
// Below are some of example patterns which can be used to generate permutations
// assuming api.scanme.sh was given as input and variable {{word}} was given as input with only one value prod
// alterx generates subdomains for below patterns
"{{sub}}-{{word}}.{{suffix}}" // ex: api-prod.scanme.sh
"{{word}}-{{sub}}.{{suffix}}" // ex: prod-api.scanme.sh
"{{word}}.{{sub}}.{{suffix}}" // ex: prod.api.scanme.sh
"{{sub}}.{{word}}.{{suffix}}" // ex: api.prod.scanme.shHere is an example pattern config file - https://github.com/projectdiscovery/alterx/blob/main/permutations.yaml that can be easily customizable as per need.
This configuration file generates subdomain permutations for security assessments or penetration tests using customizable patterns and dynamic payloads. Patterns include dash-based, dot-based, and others. Users can create custom payload sections, such as words, region identifiers, or numbers, to suit their specific needs.
For example, a user could define a new payload section env with values like prod and dev, then use it in patterns like {{env}}-{{word}}.{{suffix}} to generate subdomains like prod-app.example.com and dev-api.example.com. This flexibility allows tailored subdomain list for unique testing scenarios and target environments.
Default pattern config file used for generation is stored in $HOME/.config/alterx/ directory, and custom config file can be also used using -ac option.
Examples
An example of running alterx on existing list of passive subdomains of tesla.com yield us 10 additional NEW and valid subdomains resolved using dnsx.
$ chaos -d tesla.com | alterx | dnsx
___ ____ _ __
/ _ | / / /____ ____| |/_/
/ __ |/ / __/ -_) __/> <
/_/ |_/_/\__/\__/_/ /_/|_|
projectdiscovery.io
[INF] Generated 8312 permutations in 0.0740s
auth-global-stage.tesla.com
auth-stage.tesla.com
digitalassets-stage.tesla.com
errlog-stage.tesla.com
kronos-dev.tesla.com
mfa-stage.tesla.com
paymentrecon-stage.tesla.com
sso-dev.tesla.com
shop-stage.tesla.com
www-uat-dev.tesla.comSimilarly -enrich option can be used to populate known subdomains as world input to generate target aware permutations.
$ chaos -d tesla.com | alterx -enrich
___ ____ _ __
/ _ | / / /____ ____| |/_/
/ __ |/ / __/ -_) __/> <
/_/ |_/_/\__/\__/_/ /_/|_|
projectdiscovery.io
[INF] Generated 662010 permutations in 3.9989sYou can alter the default patterns at run time using -pattern CLI option.
$ chaos -d tesla.com | alterx -enrich -p '{{word}}-{{suffix}}'
___ ____ _ __
/ _ | / / /____ ____| |/_/
/ __ |/ / __/ -_) __/> <
/_/ |_/_/\__/\__/_/ /_/|_|
projectdiscovery.io
[INF] Generated 21523 permutations in 0.7984sIt is also possible to overwrite existing variables value using -payload CLI options.
$ alterx -list tesla.txt -enrich -p '{{word}}-{{year}}.{{suffix}}' -pp word=keywords.txt -pp year=2023
___ ____ _ __
/ _ | / / /____ ____| |/_/
/ __ |/ / __/ -_) __/> <
/_/ |_/_/\__/\__/_/ /_/|_|
projectdiscovery.io
[INF] Generated 21419 permutations in 1.1699sFor more information, please checkout the release blog - https://blog.projectdiscovery.io/introducing-alterx-simplifying-active-subdomain-enumeration-with-patterns/
Do also check out the below similar open-source projects that may fit in your workflow:
altdns, goaltdns, gotator, ripgen, dnsgen, dmut, permdns, str-replace, dnscewl, regulator
alterx is made with ❤️ by the projectdiscovery team and distributed under MIT License.
