When targeting an organization you want to know where their resources live. Apart from knowing where their assets are, these days there is usually a proxy in front of web applications that requires the correct vhost (DNS hostname) to access them.
SecLists has great wordlists for DNS bruteforce.
Try to find commonalities between domains and iterate names. Think about web01.domain.tld and web02.domain.tld; try web03, 04, 05, etc.
Looking at SPF/MX records can give you additional hostnames/IP addresses. Try to perform reverse lookups on these IPs.
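Seen from the resolver side, the wordlist bruteforce and name iteration described above show up as one client asking for many distinct names in a zone, most of them returning NXDOMAIN, often with numbered series such as web01 to web05. The following detection sketch is an added example, not part of the original notes; the log format, the zone `example.test`, the thresholds and the function name `flag_enumeration` are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed resolver log lines: "<time> <client> <qname> <rcode>" (format is an assumption).
SAMPLE_LOG = """\
10:00:01 203.0.113.7 web01.example.test NOERROR
10:00:01 203.0.113.7 web02.example.test NOERROR
10:00:02 203.0.113.7 web03.example.test NXDOMAIN
10:00:02 203.0.113.7 web04.example.test NXDOMAIN
10:00:02 203.0.113.7 web05.example.test NXDOMAIN
10:00:03 203.0.113.7 vpn.example.test NXDOMAIN
10:00:03 203.0.113.7 dev.example.test NXDOMAIN
10:00:03 203.0.113.7 staging.example.test NXDOMAIN
10:00:04 198.51.100.20 www.example.test NOERROR
10:00:09 198.51.100.20 mail.example.test NOERROR
10:00:15 198.51.100.20 wwww.example.test NXDOMAIN
"""

NUMBERED = re.compile(r"^([a-z-]+?)(\d+)$")  # e.g. "web03" -> ("web", "03")

def flag_enumeration(log_text, zone, min_names=5, min_nx_ratio=0.5):
    """Return {client: stats} for clients whose queries look like subdomain enumeration."""
    names = defaultdict(set)  # client -> distinct labels queried under the zone
    nx = defaultdict(set)     # client -> distinct labels that returned NXDOMAIN
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, client, qname, rcode = parts
        qname = qname.lower().rstrip(".")
        if not qname.endswith("." + zone):
            continue
        label = qname[: -len(zone) - 1]
        names[client].add(label)
        if rcode == "NXDOMAIN":
            nx[client].add(label)
    flagged = {}
    for client, labels in names.items():
        ratio = len(nx[client]) / len(labels)
        # Group labels such as web01..web05 by prefix to spot numeric iteration.
        series = defaultdict(set)
        for label in labels:
            m = NUMBERED.match(label)
            if m:
                series[m.group(1)].add(int(m.group(2)))
        iterated = sorted(p for p, nums in series.items() if len(nums) >= 3)
        if len(labels) >= min_names and ratio >= min_nx_ratio:
            flagged[client] = {"names": len(labels), "nx_ratio": round(ratio, 2), "iterated_prefixes": iterated}
    return flagged
```
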
Service | Info |
---|---|
dnsdumpster | DNS recon & research, find & look up DNS records |
threatcrowd | ThreatCrowd is a system for finding and researching artefacts relating to cyber threats. |
RIPE & ARIN whois | Search the registration database of RIPE and ARIN |

Name | Description |
---|---|
PSDNSDumpsterAPI | (Unofficial) PowerShell API for https://www.dnsdumpster.com. |
sublist3r | sublist3r description. |