SubBrute - A Subdomain Brute Forcer

SubBrute - A Subdomain Brute Forcer

SubBrute is an open source Python-based subdomain enumeration tool that uses open resolvers as a kind of proxy to circumvent DNS rate-limiting. This design also provides a layer of anonymity, as SubBrute does not send traffic directly to the target's name servers.

The tool has a feature to detect subdomains where their resolution is intentionally blocked, which sometimes happens when a subdomain is intended for an internal network.


No install required for Windows, just cd into the 'windows' folder:
Under Ubuntu/Debian all you need is:
sudo apt-get install python-dnspython
On other operating systems you may have to install dnspython manually.


subbrute [options] target

  -h, --help            show this help message and exit
  -s SUBS, --subs=SUBS  (optional) list of subdomains,  default = 'names.txt'
  -r RESOLVERS, --resolvers=RESOLVERS
                        (optional) A list of DNS resolvers, if this list is
                        empty it will OS's internal resolver default =
  -f FILTER, --filter_subs=FILTER
                        (optional) A file containing unorganized domain names
                        which will be filtered into a list of subdomains
                        sorted by frequency.  This was used to build
  -t TARGETS, --targets_file=TARGETS
                        (optional) A file containing a newline delimited list
                        of domains to brute force.
  -o OUTPUT, --output=OUTPUT
                        (optional) Output to file
  -a, -A                (optional) Print all IPv4 addresses for sub domains
                        (default = off).
  --type=TYPE           (optional) Print all reponses for an arbitrary DNS
                        record type (CNAME, AAAA, TXT, SOA, MX...)
  -c PROCESS_COUNT, --process_count=PROCESS_COUNT
                        (optional) Number of lookup theads to run. default =
  -v, --verbose         (optional) Print debug information.
The subdomains enumerated from previous scans can be used as input to enumerate other DNS records. The following commands demonstrate this new functionality:
./ -o google.names
...162 subdomains found...

./ -s google.names --type TXT,"v=spf1 ip4: ip4: ~all","v=spf1"

./ -s google.names --type CNAME,,,


  • Tests multiple domains:
  • List of domains:
./ -t list.txt
  • Subdomains can have subdomains (example:
./ > gmail.out
./ -t gmail.out

No comments

Powered by Blogger.