bruteforce subdomain finder

The first step in a cyber attacker's kill chain, or in a penetration test, is reconnaissance. Preferably, this step includes as much passive analysis as possible to avoid detection. If you know nothing about a target, you typically start with web-based reconnaissance, including mapping out their web-accessible network and infrastructure. Obtaining a list of active subdomains is really handy (think vpn, ftp, smtp, etc.) but not always easy. There are a few dictionary-based and search-engine-based tools that can help spot the most commonly used subdomains (pentest-tools, dnsmap, gxfr, subdomain-bruteforcer, fierce2), but what if you have lots of time on your hands and want to run a true brute-force, rainbow-table-style analysis? I couldn't find anything, so I put together a quick script called brutesub based on Matteo Redaelli's wg.pl script. It takes a ridiculously long time to run for anything beyond 4- or 5-character subdomains, but fortunately netops staff and end users are lazy and like short, memorable domain names (and short aliases for longer ones). The script is also handy for large organizations (such as higher education or government) that haven't documented how many subdomains they have.

USAGE: perl brutesub.pl [options]

options are:
-c number: max consecutive letters (how many consecutive 'a' do you want?)
-d string: root domain
-f : optimized fast scan, but fewer results than the medium or full scan
-h : help
-i : optimized medium scan, but fewer results than the full scan
-l number: min length of the subdomain
-o number: max number of occurrences of a letter
-m string: custom nameserver
-n number: max number of n-ples (runs of one letter such as AA, BBB, CCC, DDDD)
-r number: max number of repetitions (ABCABABBCDBCD has 5 repetitions: 3 reps of AB and 2 of BCD)
-s string: filename to save results
-t : trace on
-u number: max length of the subdomain

Examples:
# usage
perl brutesub.pl -h

# optimized fast scan, but fewer results than the medium or full scan  -->  ~1.2 minutes, 157 domains found
perl brutesub.pl -f -d facebook.com -s /tmp/brute_facebook_f.txt -u 3

# optimized medium scan, but fewer results than the full scan  -->  ~34 minutes, 681 domains found
perl brutesub.pl -i -d facebook.com -s /tmp/brute_facebook_i.txt -u 3

# full scan (slowest, but rainbow-table precise)  -->  ~34 minutes, 805 domains found
perl brutesub.pl -d facebook.com -s /tmp/brute_facebook_full.txt -u 3


Note: the scan-time difference between the medium and full scans becomes more apparent at -u > 4.
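Every scan above asks the nameserver for each short label in turn, so nearly all of its queries come back NXDOMAIN, and that is the footprint a defender can look for in authoritative or resolver query logs. The following is an added example, not part of the original post or the brutesub script, and written in Python rather than Perl: it parses a constructed log line format (not BIND's or any real resolver's), uses constructed sample entries, and flags any client that collects NXDOMAIN answers for many distinct short labels under one zone inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format (not BIND's or any real resolver's): "<ISO time> <client> <qname> <qtype> <rcode>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) \S+ (\S+)$")

def label_under(qname, zone):
    """Label directly below `zone` ('vpn' for vpn.example.com), or None if not in zone."""
    suffix = "." + zone
    qname = qname.rstrip(".").lower()
    return qname[:-len(suffix)].split(".")[-1] if qname.endswith(suffix) else None

def detect_sweep(lines, zone, window=timedelta(minutes=5), min_distinct=20, max_label_len=5):
    """Return {client: count} for clients that, inside one sliding `window`, received
    NXDOMAIN for >= min_distinct distinct labels of <= max_label_len chars under `zone`,
    which is the footprint of a short-label character-space sweep."""
    per_client = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group(4) != "NXDOMAIN":
            continue
        label = label_under(m.group(3), zone)
        if label and len(label) <= max_label_len:
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            per_client[m.group(2)].append((ts, label))
    alerts = {}
    for client, events in per_client.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window start forward
                start += 1
            best = max(best, len({lbl for _, lbl in events[start:end + 1]}))
        if best >= min_distinct:
            alerts[client] = best
    return alerts

def sample_log():
    """Constructed sample: 203.0.113.5 sweeps 25 three-letter labels in 25 s; 198.51.100.9 is normal traffic with one typo."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    sweep = [f"{(t0 + timedelta(seconds=i)).isoformat()}Z 203.0.113.5 a{chr(97 + i)}b.example.com A NXDOMAIN"
             for i in range(25)]
    normal = [f"{t0.isoformat()}Z 198.51.100.9 www.example.com A NOERROR",
              f"{(t0 + timedelta(seconds=3)).isoformat()}Z 198.51.100.9 wwww.example.com A NXDOMAIN"]
    return sweep + normal
```

Tune `min_distinct` and `window` against a baseline of your own zone's normal NXDOMAIN rate, since typos and stale references also produce NXDOMAIN, just not many distinct short labels from one client in a few minutes.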

