Date: 2015-08-14

SubBrute is an open source Python-based subdomain enumeration tool that uses open resolvers as a kind of proxy to circumvent DNS rate-limiting. This design also provides a layer of anonymity, as SubBrute does not send traffic directly to the target's name servers. The tool can also detect subdomains whose resolution is intentionally blocked, which sometimes happens when a subdomain is intended for an internal network.

subbrute.exe google.com

sudo apt-get install python-dnspython

Usage:

subbrute [options] target

Options:
  -h, --help            show this help message and exit
  -s SUBS, --subs=SUBS  (optional) list of subdomains, default = 'names.txt'
  -r RESOLVERS, --resolvers=RESOLVERS
                        (optional) A list of DNS resolvers, if this list is empty it will OS's internal resolver default = 'resolvers.txt'
  -f FILTER, --filter_subs=FILTER
                        (optional) A file containing unorganized domain names which will be filtered into a list of subdomains sorted by frequency. This was used to build names.txt.
  -t TARGETS, --targets_file=TARGETS
                        (optional) A file containing a newline delimited list of domains to brute force.
  -o OUTPUT, --output=OUTPUT
                        (optional) Output to file
  -a, -A                (optional) Print all IPv4 addresses for sub domains (default = off).
  --type=TYPE           (optional) Print all reponses for an arbitrary DNS record type (CNAME, AAAA, TXT, SOA, MX...)
  -c PROCESS_COUNT, --process_count=PROCESS_COUNT
                        (optional) Number of lookup theads to run. default = 16
  -v, --verbose         (optional) Print debug information.

./subbrute.py google.com -o google.names
...162 subdomains found...

./subbrute.py -s google.names google.com --type TXT
google.com,"v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"
adwords.google.com,"v=spf1 redirect=google.com"
...

./subbrute.py -s google.names google.com --type CNAME
blog.google.com,www.blogger.com,blogger.l.google.com
groups.google.com,groups.l.google.com
...
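The --type output above is comma-separated: a hostname followed by one or more record values, with TXT values quoted. The following is an added example, not part of SubBrute, that parses that format and lists CNAME targets outside a zone you operate; the function names are hypothetical and the sample text is copied from the output shown above.

```python
import csv
from collections import defaultdict

# Sample input copied from the example output on this page.
TXT_SAMPLE = '''google.com,"v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"
adwords.google.com,"v=spf1 redirect=google.com"
...
'''
CNAME_SAMPLE = '''blog.google.com,www.blogger.com,blogger.l.google.com
groups.google.com,groups.l.google.com
...
'''

def parse_results(text):
    """Map each hostname to the list of record values printed after it."""
    records = defaultdict(list)
    # csv handles the double-quoted TXT values, including embedded commas.
    for row in csv.reader(text.splitlines()):
        # Skip blank lines and the "..." elision marker (no record value).
        if len(row) < 2:
            continue
        host = row[0].strip().lower().rstrip(".")
        records[host].extend(v.strip() for v in row[1:] if v.strip())
    return dict(records)

def in_zone(name, zone):
    """True when name is the zone apex or sits below it on a label boundary."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)

def external_targets(cname_records, zone):
    """Hosts whose CNAME chain includes names outside the zone."""
    out = {}
    for host, targets in cname_records.items():
        outside = [t for t in targets if not in_zone(t, zone)]
        if outside:
            out[host] = outside
    return out

if __name__ == "__main__":
    for host, values in parse_results(TXT_SAMPLE).items():
        print("TXT  ", host, values)
    cnames = parse_results(CNAME_SAMPLE)
    for host, targets in external_targets(cnames, "google.com").items():
        print("CNAME", host, "->", ", ".join(targets))
```
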

Examples:

Tests multiple domains:

./subbrute.py google.com gmail.com blogger.com

List of domains:

./subbrute.py -t list.txt

Subdomains can have subdomains (example: _xmpp-server._tcp.gmail.com):

./subbrute.py gmail.com > gmail.out

./subbrute.py -t gmail.out

On other operating systems you may have to install dnspython manually.

The subdomains enumerated from previous scans can be used as input to enumerate other DNS records. The following commands demonstrate this new functionality: