dnsrecon -t brt -d [microsoft.com](<http://microsoft.com/>) -D /usr/share/dnsrecon/namelist.txt

• "-t brt" specifies the type of scan to perform. "brt" stands for "brute force," which means the tool will attempt to enumerate all possible subdomains of the target domain.
• "-d microsoft.com" specifies the target domain to scan. In this case, it is Microsoft's domain.
• "-D /usr/share/dnsrecon/namelist.txt" specifies the path to a file containing a list of subdomains to use during the scan. This option is used to supplement the brute force scan with a list of known subdomains.

now we trying to bruteforce subdomains

Doing the samething with Recon-ng

firstly run the tool then,

• load modules /recon/domain-hosts/brute_host
• options set source microsoft.com
• run

now go to show hosts in recon-ng and see the results

and there’s more and more

كل اللي كنا شغالين عليه الفترة اللي فاتت دي في الكورس لحد دلوقتي كان عشان نجمع subdomians دلوقتي عايزين نحول ال subdomains دول ل IP’s

عشان نعمل كدة عندنا module في recon-ng بتعمل كدة وهي

/recon/hosts-hosts/resolve

like before load module and hit run [ not required to set source because it’s default is hosts file ]