SubBrute - A Subdomain Brute Forcer

SubBrute is an open source Python-based subdomain enumeration tool that uses open resolvers as a kind of proxy to circumvent DNS rate-limiting. This design also provides a layer of anonymity, as SubBrute does not send traffic directly to the target's name servers.

The tool can also detect subdomains whose resolution is intentionally blocked, which sometimes happens when a subdomain is intended for an internal network.

Requirements:

No install required for Windows, just cd into the 'windows' folder:
subbrute.exe google.com

Under Ubuntu/Debian all you need is:
sudo apt-get install python-dnspython

On other operating systems you may have to install dnspython manually.

Usage:

subbrute [options] target

Options:
  -h, --help            show this help message and exit
  -s SUBS, --subs=SUBS  (optional) list of subdomains,  default = 'names.txt'
  -r RESOLVERS, --resolvers=RESOLVERS
                        (optional) A list of DNS resolvers, if this list is
                        empty it will OS's internal resolver default =
                        'resolvers.txt'
  -f FILTER, --filter_subs=FILTER
                        (optional) A file containing unorganized domain names
                        which will be filtered into a list of subdomains
                        sorted by frequency.  This was used to build
                        names.txt.
  -t TARGETS, --targets_file=TARGETS
                        (optional) A file containing a newline delimited list
                        of domains to brute force.
  -o OUTPUT, --output=OUTPUT
                        (optional) Output to file
  -a, -A                (optional) Print all IPv4 addresses for sub domains
                        (default = off).
  --type=TYPE           (optional) Print all reponses for an arbitrary DNS
                        record type (CNAME, AAAA, TXT, SOA, MX...)
  -c PROCESS_COUNT, --process_count=PROCESS_COUNT
                        (optional) Number of lookup theads to run. default =
                        16
  -v, --verbose         (optional) Print debug information.

The subdomains enumerated from previous scans can be used as input to enumerate other DNS records. The following commands demonstrate this new functionality:
./subbrute.py google.com -o google.names
...162 subdomains found...

./subbrute.py -s google.names google.com --type TXT
google.com,"v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"
adwords.google.com,"v=spf1 redirect=google.com"
...

./subbrute.py -s google.names google.com --type CNAME
blog.google.com,www.blogger.com,blogger.l.google.com
groups.google.com,groups.l.google.com
...

Examples:

  • Tests multiple domains:
./subbrute.py google.com gmail.com blogger.com
  • List of domains:
./subbrute.py -t list.txt
  • Subdomains can have subdomains (example: _xmpp-server._tcp.gmail.com):
./subbrute.py gmail.com > gmail.out
./subbrute.py -t gmail.out
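
Seen from the target's authoritative name servers, the open-resolver design described above spreads the guesses over many source addresses, so a per-source rate limit sees only a few queries from each. The detection logic below counts per zone instead; it is an added example, not part of SubBrute or the original post, and the log format, thresholds and example.test names are assumptions.

```python
from collections import defaultdict

WINDOW = 60         # bucket size in seconds
MIN_NAMES = 8       # distinct nonexistent names per zone per bucket
MIN_NX_RATIO = 0.8  # share of the bucket's queries answered NXDOMAIN

def zone_of(qname, zones):
    """Return the monitored zone that qname belongs to, or None."""
    for zone in zones:
        if qname == zone or qname.endswith("." + zone):
            return zone
    return None

def detect(lines, zones):
    """Return one alert per (zone, bucket) that looks like name guessing.

    Counts are kept per zone rather than per source address: lookups relayed
    through open resolvers arrive from many sources, each sending only a few.
    """
    buckets = defaultdict(lambda: {"total": 0, "nx": 0, "names": set(), "srcs": set()})
    for line in lines:
        # Assumed log format: epoch_seconds source_ip qname qtype rcode
        ts, src, qname, _qtype, rcode = line.split()
        qname = qname.lower().rstrip(".")
        zone = zone_of(qname, zones)
        if zone is None:
            continue
        b = buckets[(zone, int(ts) - int(ts) % WINDOW)]
        b["total"] += 1
        b["srcs"].add(src)
        if rcode == "NXDOMAIN":
            b["nx"] += 1
            b["names"].add(qname)
    alerts = []
    for (zone, start), b in sorted(buckets.items()):
        if len(b["names"]) >= MIN_NAMES and b["nx"] / b["total"] >= MIN_NX_RATIO:
            alerts.append({"zone": zone, "window_start": start,
                           "distinct_nx": len(b["names"]), "sources": len(b["srcs"])})
    return alerts

# Constructed sample (not real traffic): 12 guessed names relayed by 6 resolvers,
# 2 queries each, followed by ordinary lookups of an existing host.
LABELS = ["admin", "dev", "ftp", "mail", "vpn", "test", "stage", "api", "git", "intranet", "www", "ns1"]
SAMPLE = [f"{1200 + i} 198.51.100.{i % 6 + 1} {name}.example.test A "
          f"{'NOERROR' if name in ('www', 'mail') else 'NXDOMAIN'}" for i, name in enumerate(LABELS)]
SAMPLE += [f"{1500 + i} 192.0.2.{i + 10} www.example.test A NOERROR" for i in range(5)]

if __name__ == "__main__":
    for alert in detect(SAMPLE, ["example.test"]):
        print(alert)
```

In the sample no single source sends more than two queries, yet the zone-wide bucket shows ten distinct nonexistent names in one minute.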


