Sudomy - Subdomain Enumeration & Analysis
Sudomy is a subdomain enumeration tool, written as a bash script, that analyzes a domain and collects its subdomains in a fast and comprehensive way.
Features
Sudomy currently has these nine features:
- Easy, light, fast and powerful. Bash is available by default in almost all Linux distributions, and by using bash's multiprocessing (background jobs) the script keeps all processors busy.
- Subdomain enumeration can be done with an active method or a passive method:
  - Active Method
    - Sudomy uses Gobuster because of its high-speed performance in DNS subdomain brute-forcing (with wildcard support). The wordlist is built from the combined SecLists (Discovery/DNS) lists, which contain around three million entries.
  - Passive Method
    - By selecting third-party sites, the enumeration process can be optimized: more results with less time required. Sudomy can collect data from these 16 curated third-party sites:
      - https://dnsdumpster.com
      - https://web.archive.org
      - https://shodan.io
      - https://virustotal.com
      - https://crt.sh
      - https://www.binaryedge.io
      - https://securitytrails.com
      - https://sslmate.com/certspotter
      - https://censys.io
      - https://threatminer.org
      - http://dns.bufferover.run
      - https://hackertarget.com
      - https://www.entrust.com/ct-search/
      - https://www.threatcrowd.org
      - https://riddler.io
      - https://findsubdomains.com
- Test the list of collected subdomains and probe for working http or https servers. This feature uses a third-party tool, httprobe.
- Subdomain availability test based on a ping sweep and/or by fetching the HTTP status code.
- The ability to discover virtual hosts (several subdomains that resolve to a single IP address). Sudomy resolves the collected subdomains to IP addresses and groups them where several subdomains resolve to one address. This is very useful for the next step of a penetration test or bug bounty: in port scanning, for example, a single IP address is not scanned repeatedly.
- Port scanning of the IP addresses collected from subdomains/virtual hosts
- Testing for subdomain takeover
- Taking screenshots of subdomains
- Report output in HTML or CSV format
How Sudomy Works
Sudomy uses cURL to fetch the HTTP response body from each third-party site and then runs regular expressions over it to extract subdomains. The per-source requests run in parallel, so the process fully uses multiple processors and more subdomains are collected in less time.
Comparison
The following are the results of passive DNS enumeration tests with Sublist3r, Subfinder and Sudomy. The domain used in the comparison is bugcrowd.com.
[Result screenshots: Sudomy | Subfinder | Sublist3r; asciinema recording]
Installation
Sudomy is currently extended with the following tools. Instructions on how to install and use each application are linked below.
Tools | License | Info |
---|---|---|
Gobuster | Apache License 2.0 | not mandatory |
httprobe | - (Tom Hudson) | mandatory |
nmap | GNU General Public License v2.0 | not mandatory |
Dependencies
```shell
$ pip install -r requirements.txt
```
Sudomy requires jq to run and to parse JSON. See the jq project page for download and install instructions.
```shell
# Linux
apt-get install jq nmap phantomjs
# Mac
brew cask install phantomjs
brew install jq nmap
```
(Current Homebrew has dropped the `brew cask install` form; use `brew install --cask phantomjs`.)
httprobe (mandatory) and gobuster (optional) are Go tools:
```shell
export GOPATH=$HOME/go
export PATH=$PATH:$GOROOT/bin:$GOPATH/bin
go get -u github.com/tomnomnom/httprobe
go get -u github.com/OJ/gobuster
```
On Go 1.17 and later `go get` no longer builds and installs binaries; use `go install github.com/tomnomnom/httprobe@latest` (and, for gobuster, its published module path `github.com/OJ/gobuster/v3@latest`) instead.
```shell
# Clone this repository
git clone --recursive https://github.com/screetsec/Sudomy.git
# Go into the repository
cd Sudomy
./sudomy --help
```
Running inwards a Docker Container
```shell
# Pull the image from DockerHub
docker pull screetsec/sudomy:v1.1.0
# Run the image. You can run it from any directory, but you must copy/download the config file sudomy.api into the current directory first
docker run -v "${PWD}/output:/usr/lib/sudomy/output" -v "${PWD}/sudomy.api:/usr/lib/sudomy/sudomy.api" -it --rm screetsec/sudomy:v1.1.0 [argument]
```
Post Installation
API keys are needed before querying some third-party sites: Shodan, Censys, SecurityTrails, VirusTotal and BinaryEdge. The API keys are set in the sudomy.api file. Since that file then holds live credentials, keep it out of version control and readable only by your own user (for example `chmod 600 sudomy.api`).
```shell
# Shodan
# URL : http://developer.shodan.io
# Example :
# - SHODAN_API="VGhpc1M0bXBsZWwKVGhmcGxlbAo"
SHODAN_API=""
# Censys
# URL : https://censys.io/register
CENSYS_API=""
CENSYS_SECRET=""
# Virustotal
# URL : https://www.virustotal.com/gui/
VIRUSTOTAL=""
# Binaryedge
# URL : https://app.binaryedge.io/login
BINARYEDGE=""
# SecurityTrails
# URL : https://securitytrails.com/
SECURITY_TRAILS=""
```
Usage
```
Sudomy - Fast Subdomain Enumeration and Analyzer, v{1.1.0#dev} by @screetsec
http://github.com/screetsec/sudomy

Usage: sudomy.sh [-h [--help]] [-s[--source]] [-d[--domain=]]

Example:
sudomy.sh -d example.com
sudomy.sh -s Shodan,VirusTotal -d example.com
sudomy.sh -pS -rS -sC -nT -sS -d example.com

Optional Arguments:
-a, --all           Run all enumeration, without nmap & gobuster
-b, --bruteforce    Brute-force subdomains using Gobuster (wordlist: all top SecLists DNS)
-d, --domain        Domain of the website to scan
-h, --help          Show this help message
-o, --html          Write the report as HTML
-s, --source        Sources to use for subdomain enumeration
-tO, --takeover     Subdomain takeover vulnerability scanner
-pS, --ping-sweep   Check live hosts using a ping sweep
-rS, --resolver     Convert the domain list to a resolved IP list without duplicates
-sC, --status-code  Get HTTP status codes/responses for the domain list
-nT, --nmap-top     Port-scan top ports with nmap from the domain list
-sS, --screenshot   Screenshot the list of websites
-nP, --no-passive   Do not perform passive subdomain enumeration
--no-probe          Do not run httprobe
```
To use all 16 sources and probe for working http or https servers:
```shell
$ sudomy -d hackerone.com
```
To use one or more sources:
```shell
$ sudomy -s shodan,dnsdumpster,webarchive -d hackerone.com
```
To use one or more plugins (here: host status, http/https status code and screenshots):
```shell
$ sudomy -pS -sC -sS -d hackerone.com
```
To use all plugins (host status, http/https status code, subdomain takeover and screenshots):
```shell
$ sudomy --all -d hackerone.com
```
To write the report in HTML format, add --html (-o):
```shell
$ sudomy --all -d hackerone.com --html
```
HTML Report Sample: [screenshots: Dashboard | Reports]
Tools Overview
- YouTube videos
Translations
Changelog
All notable changes to this project are documented in the project's changelog file.
Credits & Thanks
- Tom Hudson - tomnomnom (httprobe)
- OJ Reeves - Gobuster
- Thomas D Maaaaz - Webscreenshot
- Daniel Miessler - SecList
- EdOverflow - can-i-take-over-xyz
- jerukitumanis - Docker Maintainer
- NgeSEC Community
- Gauli(dot)Net
- Bugcrowd & Hackerone