SubBrute - A Subdomain Brute Forcer
SubBrute is an open source Python-based subdomain enumeration tool that uses open resolvers as a kind of proxy to circumvent DNS rate-limiting. This design also provides a layer of anonymity, as SubBrute does not send traffic directly to the target's name servers.
The tool can also detect subdomains whose resolution is intentionally blocked, which sometimes happens when a subdomain is intended for an internal network.
Requirements:
No install required for Windows, just cd into the 'windows' folder:
subbrute.exe google.com
Under Ubuntu/Debian all you need is:
sudo apt-get install python-dnspython
On other operating systems you may have to install dnspython manually.
Usage:
subbrute [options] target
Options:
  -h, --help            show this help message and exit
  -s SUBS, --subs=SUBS  (optional) list of subdomains, default = 'names.txt'
  -r RESOLVERS, --resolvers=RESOLVERS
                        (optional) A list of DNS resolvers, if this list is
                        empty it will OS's internal resolver default =
                        'resolvers.txt'
  -f FILTER, --filter_subs=FILTER
                        (optional) A file containing unorganized domain names
                        which will be filtered into a list of subdomains
                        sorted by frequency. This was used to build
                        names.txt.
  -t TARGETS, --targets_file=TARGETS
                        (optional) A file containing a newline delimited list
                        of domains to brute force.
  -o OUTPUT, --output=OUTPUT
                        (optional) Output to file
  -a, -A                (optional) Print all IPv4 addresses for sub domains
                        (default = off).
  --type=TYPE           (optional) Print all reponses for an arbitrary DNS
                        record type (CNAME, AAAA, TXT, SOA, MX...)
  -c PROCESS_COUNT, --process_count=PROCESS_COUNT
                        (optional) Number of lookup theads to run. default =
                        16
  -v, --verbose         (optional) Print debug information.
The subdomains enumerated from previous scans can be used as input to enumerate other DNS records. The following commands demonstrate this new functionality:
./subbrute.py google.com -o google.names
...162 subdomains found...
./subbrute.py -s google.names google.com --type TXT
google.com,"v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"
adwords.google.com,"v=spf1 redirect=google.com"
...
./subbrute.py -s google.names google.com --type CNAME
blog.google.com,http://ift.tt/1OJdlCu
groups.google.com,groups.l.google.com
...
Examples:
- Tests multiple domains:
./subbrute.py google.com gmail.com blogger.com
- List of domains:
./subbrute.py -t list.txt
- Subdomains can have subdomains (example: _xmpp-server._tcp.gmail.com):
./subbrute.py gmail.com > gmail.out
./subbrute.py -t gmail.out
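Because SubBrute spreads its lookups across open resolvers to get around rate limiting, the zone's authoritative servers see each query arrive from a different source. The following added example (not part of SubBrute or the original article) shows detection logic that aggregates per zone and time window instead of per source IP; the log format, thresholds and sample lines are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed query log, not real traffic: "<epoch> <source_ip> <qname> <rcode>"
SAMPLE_LOG = """\
1000 192.0.2.10 www.example.com NOERROR
1004 192.0.2.10 mail.example.com NOERROR
1200 198.51.100.1 admin.example.com NXDOMAIN
1201 198.51.100.2 vpn.example.com NOERROR
1201 203.0.113.3 dev.example.com NXDOMAIN
1202 198.51.100.4 test.example.com NXDOMAIN
1203 203.0.113.5 staging.example.com NXDOMAIN
1203 198.51.100.6 ftp.example.com NXDOMAIN
1204 203.0.113.7 intranet.example.com NXDOMAIN
""".splitlines()

def detect_enumeration(lines, zone, window=60, min_names=5, min_nx_ratio=0.8):
    """Return windows where `zone` saw many distinct, mostly nonexistent
    subdomains, counted across all sources rather than per source IP."""
    suffix = "." + zone.lower().rstrip(".")
    buckets = defaultdict(lambda: {"names": set(), "per_source": Counter(), "nx": 0})
    for line in lines:
        fields = line.split()
        if len(fields) != 4 or not fields[0].isdigit():
            continue  # skip malformed lines
        ts, source, qname, rcode = fields
        qname = qname.lower().rstrip(".")
        if not qname.endswith(suffix):
            continue  # other zones and the apex itself are out of scope
        bucket = buckets[int(ts) // window]
        bucket["names"].add(qname)
        bucket["per_source"][source] += 1
        bucket["nx"] += rcode == "NXDOMAIN"
    alerts = []
    for index, bucket in sorted(buckets.items()):
        total = sum(bucket["per_source"].values())
        if len(bucket["names"]) >= min_names and bucket["nx"] / total >= min_nx_ratio:
            alerts.append({
                "window_start": index * window,
                "distinct_names": len(bucket["names"]),
                "nxdomain": bucket["nx"],
                "queries": total,
                "sources": len(bucket["per_source"]),
                "max_per_source": max(bucket["per_source"].values()),
            })
    return alerts

if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG, "example.com"):
        print(alert)
```

In the sample, the flagged window has max_per_source equal to 1, which is all a per-IP rate limit would ever see, while the per-zone view shows seven distinct names with six NXDOMAIN answers.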
Source: Effect Hacking