AlterX Subdomain Wordlist Generator Cheat Sheet

Overview

AlterX is a fast and customizable subdomain wordlist generator developed by Project Discovery. It uses patterns and domain-specific language (DSL) to generate permutations and alterations of subdomains, making it a powerful tool for active subdomain enumeration. AlterX fits into the active subdomain enumeration pipeline, complementing passive subdomain discovery tools like Subfinder.

What sets AlterX apart from other wordlist generators is its pattern-based approach and its ability to generate targeted, context-aware wordlists. Instead of using generic wordlists, AlterX can create permutations based on known subdomains, allowing for more effective discovery of related subdomains. This approach significantly increases the chances of finding valid subdomains during security assessments and bug bounty hunting.

AlterX is designed to be used in combination with tools like ShuffleDNS or other DNS brute-forcing tools to discover new subdomains that might not be found through passive enumeration methods. Its customizable patterns and efficient generation algorithm make it an essential tool for comprehensive subdomain enumeration.

Installation

Using Go

bash

# Install using Go (requires Go 1.20 or later)
go install -v github.com/projectdiscovery/alterx/cmd/alterx@latest

# Verify installation
alterx -version

Using Docker

bash

# Pull the latest Docker image
docker pull projectdiscovery/alterx:latest

# Run AlterX using Docker
docker run -it projectdiscovery/alterx:latest -h

Using Homebrew (macOS)

bash

# Install using Homebrew
brew install alterx

# Verify installation
alterx -version

Using PDTM (Project Discovery Tools Manager)

bash

# Install PDTM first if not already installed
go install -v github.com/projectdiscovery/pdtm/cmd/pdtm@latest

# Install AlterX using PDTM
pdtm -i alterx

# Verify installation
alterx -version

On Kali Linux

bash

# Install using apt
sudo apt install alterx

# Verify installation
alterx -version

Basic Usage

Generating Wordlists

bash

# Generate wordlist using default patterns
alterx -l subdomains.txt

# Generate wordlist with specific pattern
alterx -l subdomains.txt -p "{{word}}-dev"

# Generate wordlist from a single domain
alterx -d example.com -p "{{word}}-{{number}}"

# Generate wordlist from multiple domains
alterx -d example.com,hackerone.com -p "{{word}}-{{number}}"

Output Options

bash

# Save results to a file
alterx -l subdomains.txt -o wordlist.txt

# Output in JSON format
alterx -l subdomains.txt -json -o wordlist.json

# Silent mode (only wordlist entries)
alterx -l subdomains.txt -silent

Pattern Usage

Basic Patterns

bash

# Use word pattern (extracts words from input)
alterx -l subdomains.txt -p "{{word}}"

# Use number pattern (extracts numbers from input)
alterx -l subdomains.txt -p "{{number}}"

# Use character pattern (extracts characters from input)
alterx -l subdomains.txt -p "{{char}}"

# Combine multiple patterns
alterx -l subdomains.txt -p "{{word}}-{{number}}"

Advanced Patterns

bash

# Use prefix pattern
alterx -l subdomains.txt -p "dev-{{word}}"

# Use suffix pattern
alterx -l subdomains.txt -p "{{word}}-prod"

# Use multiple patterns
alterx -l subdomains.txt -p "{{word}}-dev,{{word}}-prod,{{word}}-stage"

# Use patterns from a file
alterx -l subdomains.txt -pf patterns.txt

Pattern Modifiers

bash

# Use uppercase modifier
alterx -l subdomains.txt -p "{{word:uppercase}}"

# Use lowercase modifier
alterx -l subdomains.txt -p "{{word:lowercase}}"

# Use capitalize modifier
alterx -l subdomains.txt -p "{{word:capitalize}}"

# Use multiple modifiers
alterx -l subdomains.txt -p "{{word:lowercase:capitalize}}"

Advanced Usage

Word Extraction

bash

# Extract words from input
alterx -l subdomains.txt -p "{{word}}" -extract-words

# Set minimum word length
alterx -l subdomains.txt -p "{{word}}" -min-word-length 3

# Set maximum word length
alterx -l subdomains.txt -p "{{word}}" -max-word-length 10

Number Extraction

bash

# Extract numbers from input
alterx -l subdomains.txt -p "{{number}}" -extract-numbers

# Set minimum number length
alterx -l subdomains.txt -p "{{number}}" -min-number-length 1

# Set maximum number length
alterx -l subdomains.txt -p "{{number}}" -max-number-length 5

Character Extraction

bash

# Extract characters from input
alterx -l subdomains.txt -p "{{char}}" -extract-chars

# Set minimum character length
alterx -l subdomains.txt -p "{{char}}" -min-char-length 1

# Set maximum character length
alterx -l subdomains.txt -p "{{char}}" -max-char-length 3

Pattern Examples

Common Subdomain Patterns

bash

# Development environments
alterx -l subdomains.txt -p "{{word}}-dev,dev-{{word}},{{word}}.dev"

# Staging environments
alterx -l subdomains.txt -p "{{word}}-stage,stage-{{word}},{{word}}.stage"

# Production environments
alterx -l subdomains.txt -p "{{word}}-prod,prod-{{word}},{{word}}.prod"

# API endpoints
alterx -l subdomains.txt -p "api-{{word}},{{word}}-api,api.{{word}}"

# Admin panels
alterx -l subdomains.txt -p "admin-{{word}},{{word}}-admin,admin.{{word}}"

Numeric Patterns

bash

# Append numbers
alterx -l subdomains.txt -p "{{word}}{{number}}"

# Prepend numbers
alterx -l subdomains.txt -p "{{number}}{{word}}"

# Separate with hyphen
alterx -l subdomains.txt -p "{{word}}-{{number}}"

# Separate with dot
alterx -l subdomains.txt -p "{{word}}.{{number}}"

Regional Patterns

bash

# Geographic regions
alterx -l subdomains.txt -p "{{word}}-us,{{word}}-eu,{{word}}-asia"

# Countries
alterx -l subdomains.txt -p "{{word}}-uk,{{word}}-ca,{{word}}-au"

# Cities
alterx -l subdomains.txt -p "{{word}}-nyc,{{word}}-lon,{{word}}-sfo"

Integration with Other Tools

Pipeline with ShuffleDNS

bash

# Generate wordlist and use it for DNS brute-forcing
alterx -l subdomains.txt -silent | shuffledns -d example.com -w /dev/stdin -r resolvers.txt

# Generate wordlist, filter, and use for DNS brute-forcing
alterx -l subdomains.txt -silent | grep -v "test" | shuffledns -d example.com -w /dev/stdin -r resolvers.txt

Pipeline with Subfinder

bash

# Find subdomains passively and use them to generate wordlist
subfinder -d example.com -silent | alterx -p "{{word}}-dev,{{word}}-stage" -silent

# Find subdomains, generate wordlist, and use for DNS brute-forcing
subfinder -d example.com -silent | alterx -p "{{word}}-dev" -silent | shuffledns -d example.com -w /dev/stdin -r resolvers.txt

Pipeline with HTTPX

bash

# Generate wordlist, resolve domains, and probe for HTTP services
alterx -l subdomains.txt -silent | dnsx -a -resp-only | httpx -silent

# Generate wordlist for specific domain and probe for HTTP services
alterx -l subdomains.txt -p "{{word}}-api" -silent | dnsx -a -resp-only -d example.com | httpx -silent

Output Customization

Custom Output Format

bash

# Output only wordlist entries
alterx -l subdomains.txt -silent

# Count generated entries
alterx -l subdomains.txt -silent | wc -l

# Sort output alphabetically
alterx -l subdomains.txt -silent | sort

# Remove duplicates
alterx -l subdomains.txt -silent | sort -u

Filtering Output

bash

# Filter by pattern
alterx -l subdomains.txt -silent | grep "dev"

# Filter out pattern
alterx -l subdomains.txt -silent | grep -v "test"

# Filter by length
alterx -l subdomains.txt -silent | awk 'length($0) < 20'

Advanced Filtering

bash

# Filter by word count
alterx -l subdomains.txt -silent | awk 'NF==1'  # Single word
alterx -l subdomains.txt -silent | awk 'NF==2'  # Two words

# Filter by character type
alterx -l subdomains.txt -silent | grep -E '^[a-z]+$'  # Only lowercase
alterx -l subdomains.txt -silent | grep -E '[0-9]'     # Contains numbers

# Filter by domain pattern
alterx -l subdomains.txt -silent | grep -E '^api-'     # Starts with "api-"
alterx -l subdomains.txt -silent | grep -E '-dev$'     # Ends with "-dev"

Performance Optimization

Concurrency and Rate Limiting

bash

# Set concurrency (default: 10)
alterx -l subdomains.txt -c 20

# Set rate limit
alterx -l subdomains.txt -rate-limit 100

Optimization for Large Inputs

bash

# Use stream mode for large inputs
alterx -l large-subdomains.txt -stream

# Limit maximum entries
alterx -l subdomains.txt -max-entries 1000

Troubleshooting

Common Issues

Memory Issues

bash

# Use stream mode for large inputs
alterx -l large-subdomains.txt -stream

# Limit maximum entries
alterx -l subdomains.txt -max-entries 1000

Pattern Issues

bash

# Check pattern syntax
alterx -l subdomains.txt -p "{{word}}-dev" -debug

# Use simple patterns first
alterx -l subdomains.txt -p "{{word}}"

No Output

bash

# Check input file
cat subdomains.txt

# Use verbose mode
alterx -l subdomains.txt -v

Duplicate Entries

bash

# Remove duplicates
alterx -l subdomains.txt -silent | sort -u

Debugging

bash

# Enable verbose mode
alterx -l subdomains.txt -v

# Show debug information
alterx -l subdomains.txt -debug

# Show statistics
alterx -l subdomains.txt -stats

Configuration

Configuration File

AlterX uses a configuration file located at $HOME/.config/alterx/config.yaml. You can customize various settings in this file:

yaml

# Example configuration file
concurrency: 10
rate-limit: 100
patterns:
  - "{{word}}-dev"
  - "{{word}}-stage"
  - "{{word}}-prod"

Environment Variables

bash

# Set AlterX configuration via environment variables
export ALTERX_CONCURRENCY=10
export ALTERX_RATE_LIMIT=100
export ALTERX_PATTERNS="{{word}}-dev,{{word}}-stage,{{word}}-prod"

Reference

Command Line Options

Flag	Description
`-d, -domain`	Target domain(s) to use for wordlist generation
`-l, -list`	File containing list of domains to use for wordlist generation
`-p, -pattern`	Pattern(s) to use for wordlist generation
`-pf, -pattern-file`	File containing patterns to use for wordlist generation
`-o, -output`	File to write output to
`-json`	Write output in JSON format
`-silent`	Show only wordlist entries in output
`-v, -verbose`	Show verbose output
`-extract-words`	Extract words from input
`-extract-numbers`	Extract numbers from input
`-extract-chars`	Extract characters from input
`-min-word-length`	Minimum word length
`-max-word-length`	Maximum word length
`-min-number-length`	Minimum number length
`-max-number-length`	Maximum number length
`-min-char-length`	Minimum character length
`-max-char-length`	Maximum character length
`-c, -concurrency`	Number of concurrent workers
`-rate-limit`	Maximum number of entries per second
`-stream`	Stream mode for large inputs
`-max-entries`	Maximum number of entries to generate
`-stats`	Show statistics
`-debug`	Show debug information
`-version`	Show AlterX version

Pattern Variables

Variable	Description
	Extracts words from input
	Extracts numbers from input
	Extracts characters from input

Pattern Modifiers

Modifier	Description
`:uppercase`	Converts to uppercase
`:lowercase`	Converts to lowercase
`:capitalize`	Capitalizes first letter

Resources

This cheat sheet provides a comprehensive reference for using AlterX, from basic wordlist generation to advanced pattern usage and integration with other tools. For the most up-to-date information, always refer to the official documentation.

AlterX Subdomain Wordlist Generator Cheat Sheet ​

Overview ​

Installation ​

Using Go ​

Using Docker ​

Using Homebrew (macOS) ​

Using PDTM (Project Discovery Tools Manager) ​

On Kali Linux ​

Basic Usage ​

Generating Wordlists ​

Output Options ​

Pattern Usage ​

Basic Patterns ​

Advanced Patterns ​

Pattern Modifiers ​

Advanced Usage ​

Word Extraction ​

Number Extraction ​

Character Extraction ​

Pattern Examples ​

Common Subdomain Patterns ​

Numeric Patterns ​

Regional Patterns ​

Integration with Other Tools ​

Pipeline with ShuffleDNS ​

Pipeline with Subfinder ​

Pipeline with HTTPX ​

Output Customization ​

Custom Output Format ​

Filtering Output ​

Advanced Filtering ​

Performance Optimization ​

Concurrency and Rate Limiting ​

Optimization for Large Inputs ​

Troubleshooting ​

Common Issues ​

Debugging ​

Configuration ​

Configuration File ​

Environment Variables ​

Reference ​

Command Line Options ​

Pattern Variables ​

Pattern Modifiers ​

Resources ​

AlterX Subdomain Wordlist Generator Cheat Sheet

Overview

Installation

Using Go

Using Docker

Using Homebrew (macOS)

Using PDTM (Project Discovery Tools Manager)

On Kali Linux

Basic Usage

Generating Wordlists

Output Options

Pattern Usage

Basic Patterns

Advanced Patterns

Pattern Modifiers

Advanced Usage

Word Extraction

Number Extraction

Character Extraction

Pattern Examples

Common Subdomain Patterns

Numeric Patterns

Regional Patterns

Integration with Other Tools

Pipeline with ShuffleDNS

Pipeline with Subfinder

Pipeline with HTTPX

Output Customization

Custom Output Format

Filtering Output

Advanced Filtering

Performance Optimization

Concurrency and Rate Limiting

Optimization for Large Inputs

Troubleshooting

Common Issues

Debugging

Configuration

Configuration File

Environment Variables

Reference

Command Line Options

Pattern Variables

Pattern Modifiers

Resources