Ready to automate your way to better recon?.

7/ Total: £25,400 in nameserver takeover bounties.ROI: 22 hours development = £127/hour 📈.

6/ The first time I ran tracr on a real target:. 4 minutes to process what would take Derek 6 hours.Clean output, clear vulnerabilities.Still had sanity left to explain to family why I was cackling. First vulnerable domain found: £3,200 💰.

5/ Enter tracr 🚀. What took 6 hours of manual digging now takes 4 minutes. assetfinder -subs-only | tracr -c 50. Concurrent DNS tracing + vulnerability detection = profit.

4/ My eureka moment came somewhere around subdomain #247. "This repetitive nonsense is exactly what computers were invented for!". *Opens IDE at 3 AM while family sleeps*. Gerald the coffee mug: *remains supportive but silent*.

3/ Meet Derek Traceman (not his real name). Derek finds nameserver takeovers the hard way:. - Copy subdomain to terminal.- Run dig +trace manually .- Squint at output for NS records.- Test each nameserver individually.- Repeat 2,846 more times.- Slowly lose will to live.

2/ Picture this: You're manually running `dig +trace` on 2,847 subdomains, one by one, looking for dangling nameservers. Your eyes are bleeding. Your sanity is gone. There has to be a better way. Spoiler: There was.

🧵 How I earned £25k in bug bounties by automating something I was doing manually at 2:47 AM. A thread about building tracr, dangling nameservers, and why my coffee mug Gerald is my most reliable debugging partner 👇.

🚀 Just released tracr - a fast DNS tracer for finding dangling nameserver vulnerabilities .✅ Concurrent DNS tracing .✅ Detects REFUSED/SERVFAIL responses .✅ Pipes perfectly with subfinder/amass .✅ Clean output for tool chaining .

New blog post where I have some fun building Obsidian templates to support armchair investigations.

ChatGPT hitting me with home truths.

This looks to be the flight path of the military Sikorsky H-60 helicopter (PAT25/AE313D) as it collides with the passenger jet CRJ-700 (JIA5432/A97753) on its approach to DCA. Praying for those involved and wishing rescuers the strength they need.

7/ Let me know if you've tried similar approaches or tools in your recon workflows! Always looking to improve these projects. Happy hunting! 🛠️✨.

6/ These tools are designed to help researchers and security teams scale their efforts in securing DNS records and domains. DNS hygiene isn't just a best practice - it's a necessity in today's threat landscape.

5/ 3. tldvariant:.Generate lists of domains with valid TLD's that could be typo'd variations of your own. 🛡️ Great for spotting typo'd DNS records or proactively registering these domains to protect your brand. GitHub:

4/ 2. assetFinder (fork):.Find subdomains of a target domain, with extra sources added to enhance @TomNomNom's original. 🔗 Use it to map attack surfaces and then inspect DNS records for misconfigurations with nsfckup. GitHub:

3/ 1. nsfckup:.Identifies NameServer takeover opportunities by analyzing NameServer domains that return NXDOMAIN responses. 🔍 Spot the issues before attackers do. GitHub:

2/ As a security researcher, I've seen how DNS misconfigurations like this can create massive attack surfaces. To help others identify and prevent similar issues, I've built 2 open-source tools and forked another which you can use today to level up your DNS hygiene. 🧵👇.