top of page

Recon Village Blog

Search


The Recon Aacharya Contest at ReconVillage - DefCon 31: A Deep Dive into the Ultimate Subdomain Hunting Challenge


So, you want to be a master of subdomain enumeration? Then let's talk about a contest that was a highlight at ReconVillage during DefCon 31. Stick around as we delve into the Recon Aacharya Contest, a 36-hour challenge where participants had the Herculean task of uncovering subdomains from a pool of 14,917 seed domains. Whether you're a cybersecurity buff or just getting started, this is the tale of how the participating teams pushed the boundaries of what's possible in subdomain hunting.


Why You Should Read This:

You'll get a behind-the-scenes look into this contest, gaining insights that can shape your future hacking endeavors. By the end, you'll know how DomainTools emerged victorious among 67 skilled teams and what it takes to succeed in such high-stakes competitions.


Participation:

The Recon Aacharya Contest was a 36-hour marathon running from August 11th, 10 AM PDT to August 12th, 11:59 PM PDT. A colossal pool of 25 million + subdomains was submitted, all enumerated from the given seed domains. The contest garnered attention far and wide, with 67 teams registering to flex their recon muscles.


The Challenge:

Participants had their hands full with a list of 14,917 seed domains, provided in a file named "domains.txt." The rules were stringent but straightforward. Only valid subdomains could be submitted, and the guidelines were disseminated via email and the ReconVillage GitHub repo.


The Rules:

  • Each valid subdomain will score +1 and each invalid subdomain will score -1.

  • Domain resolution should be done using the DNS Server 8.8.8.8 to maintain consistency in results and scoring.


Results:

Many teams participated and played with a lot of determination and hard work. Here is the final scoreboard.


Notable Insights:

  • DomainTools Team won the challenge. We all would love to learn from their journey. Write up coming in shortly.

  • Voidstar submitted the highest number of valid subdomains. This team messed up in the invalid count and hence lost the competition. We are also interested to learn from their mistakes. Write up coming in shortly.

  • Quite a few file submissions did have a lot of binary bits in them and gave us a very hard time :D.

  • The DNS resolution at such a large scale was a challenge. We had all the systems stress tested, but the submissions were overwhelming for our systems too :D (We learnt from this year and next year we will be more prepared too).

Winner:

The winning crown went to DomainTools. With an unparalleled knack for identifying subdomains, this team showed us how it's done.

As winners, they received the following as prizes:

Takeaways:

  1. Volume vs. Precision: The contest was not just about who could submit the most subdomains but who could provide accurate, valid entries. Quality always trumps quantity.

  2. Time Management: In a 36-hour window, strategic planning and effective use of time were just as critical as technical skills.

  3. Teamwork: Cybersecurity is often romanticized as a lone wolf's playground, but the Recon Aacharya Contest emphasized the importance of collaborative problem-solving.

  4. Scaling Abilities: Collecting and validating subdomains at such a large scale is not only about finding subdomains strategically but also about scaling the enumeration operations.

Datasets Release

As promised, we are releasing all the datasets to the community so that we all can learn and enhance our recon and subdomain enumeration process.

Here is the leaderboard/dashboard:


All the data is available on the GitHub Repository.


Subdomain Lists

Keyword-Based Datasets

Top Keywords

Feel free to explore these datasets for your research or operational needs.


Conclusion:

Reconnaissance is an ever-evolving field that rewards the curious and the relentless. The Recon Aacharya Contest was a showcase of what’s achievable when brilliant minds come together to solve complex problems. If you're feeling inspired to try your hand at the next one, stay tuned. Because who knows? The next winner could very well be you.

bottom of page