bruteforce subdomain finder

The first step in a cyber attacker's kill chain, and in a penetration test, is reconnaissance.  Preferably this step is as passive as possible, so the target sees nothing.  If you know nothing about a target, you typically start with web-based reconnaissance, including mapping out their web-accessible network and infrastructure.  A list of live subdomains is really handy (think vpn, ftp, smtp, mail, etc.) but not always easy to obtain.  There are a few dictionary-based and search-engine-based tools that will spot the most commonly used subdomains (pentest-tools, dnsmap, gxfr, subdomain-bruteforcer, fierce2), but what if you have lots of time on your hands and want to run a true, exhaustive bruteforce over every possible label instead of a wordlist?  I couldn't find anything so I put together a quick script called brutesub based on Matteo Redaelli's script.  This takes a ridiculously long time to run for anything beyond 4 or 5 character subdomains (the label space grows exponentially with length, which is why the options below prune it), but fortunately netops and end users are lazy and like short domains (and short aliases to longer domains) that are easy to remember.  The script is also handy for large organizations (such as higher education or government) that haven't documented how many subdomains they have.  Two caveats worth keeping in mind: unlike search-engine reconnaissance, DNS bruteforcing is active, because every query for a name that is not already cached ends up at the target's authoritative nameservers, so expect it to show up in their query logs; and if the zone has a wildcard record, every candidate will resolve, so resolve a random label first and discard any hit that returns the same answer as the wildcard.

USAGE: perl options

options are:
-c number: max consecutive letters (how many consecutive 'a's do you want?)
-d string: root domain
-f : optimized fast scan, but fewer results than medium or full scan
-h : help
-i : optimized medium scan, but fewer results than full scan
-l number: min length of the subdomain
-o number: max number of occurrences of a letter
-m string: custom nameserver
-n number: max number of n-ples (AA, BBB, CCC, DDDD)
-r number: max number of repetitions (ABCABABBCDBCD has 5 repetitions: 3 reps of AB and 2 of BCD)
-s string: filename to save results
-t : trace on
-u number: max length of the subdomain


# usage
perl -h

# optimized fast scan, but fewer results than medium or full scan  -->  ~1.2 minutes, 157 domains found
perl -f -d -s /tmp/brute_facebook_f.txt -u 3

# optimized medium scan, but fewer results than full scan  -->  ~34 minutes, 681 domains found
perl -i -d -s /tmp/brute_facebook_i.txt -u 3

# full scan (slowest, but exhaustive: every label up to the -u length is tried)  -->  ~34 minutes, 805 domains found
perl -d -s /tmp/brute_facebook_full.txt -u 3

Note: the scan-time difference between medium and full scans becomes more apparent at u > 4.
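To make the pruning options concrete, here is a small Python implementation of the same idea: it generates every label of a given length range, applies the -c / -o / -n / -r style limits, checks for a wildcard zone before resolving, and drops hits that only echo the wildcard answer.  This is an added example written for this page, not brutesub or Matteo Redaelli's script; the repetition metric is a simplified interpretation of -r, and the example.test zone with its 203.0.113.x addresses is constructed so the code runs offline.

```python
"""Constrained brute-force subdomain enumeration with a wildcard check.

Added example for this page; it is not brutesub or Matteo Redaelli's script.
"""
import itertools
import random
import socket
import string
from typing import Callable, Dict, Iterable, Iterator, Set

# RFC 1123 labels allow letters, digits and '-'; the hyphen is left out here to
# keep the search space small (a label may not start or end with one anyway).
ALPHABET = string.ascii_lowercase + string.digits


def longest_run(label: str) -> int:
    """Longest run of one character ('aaab' -> 3); this is what -c limits."""
    best = cur = 1
    for prev, ch in zip(label, label[1:]):
        cur = cur + 1 if ch == prev else 1
        best = max(best, cur)
    return best


def count_nples(label: str) -> int:
    """Runs of identical characters of length >= 2 ('aabccc' -> 2); the -n limit."""
    return sum(1 for _, grp in itertools.groupby(label) if len(list(grp)) >= 2)


def count_repetitions(label: str) -> int:
    """Distinct substrings (length >= 2) that occur more than once ('abab' -> 1).

    Simplified interpretation of the script's -r metric, not its exact algorithm.
    """
    seen: Set[str] = set()
    for k in range(2, len(label) // 2 + 1):
        for i in range(len(label) - k + 1):
            sub = label[i:i + k]
            if sub not in seen and label.count(sub) > 1:
                seen.add(sub)
    return len(seen)


def passes(label: str, max_consecutive: int, max_occurrences: int,
           max_nples: int, max_repetitions: int) -> bool:
    """Apply the -c / -o / -n / -r pruning rules to one candidate label."""
    if not label or longest_run(label) > max_consecutive:
        return False
    if max(label.count(ch) for ch in set(label)) > max_occurrences:
        return False
    if count_nples(label) > max_nples:
        return False
    return count_repetitions(label) <= max_repetitions


def candidates(min_len: int, max_len: int, alphabet: str = ALPHABET,
               **limits: int) -> Iterator[str]:
    """Yield every label of length min_len..max_len (-l/-u) that survives the filters."""
    for n in range(min_len, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            label = "".join(chars)
            if passes(label, **limits):
                yield label


def system_resolve(name: str) -> Set[str]:
    """Resolve with the OS resolver; an empty set means no A record / NXDOMAIN."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return set()


def detect_wildcard(domain: str, resolve: Callable[[str], Set[str]]) -> Set[str]:
    """Resolve a random label nobody would register; an answer means a wildcard zone."""
    probe = "".join(random.choices(string.ascii_lowercase, k=24))
    return resolve(f"{probe}.{domain}")


def find_subdomains(domain: str, labels: Iterable[str],
                    resolve: Callable[[str], Set[str]] = system_resolve) -> Dict[str, Set[str]]:
    """Return {label: addresses} for labels whose answer differs from the wildcard's."""
    wildcard = detect_wildcard(domain, resolve)
    found: Dict[str, Set[str]] = {}
    for label in labels:
        ips = resolve(f"{label}.{domain}")
        # A wildcard answer carries no information: drop hits identical to it.
        if ips and ips != wildcard:
            found[label] = ips
    return found


# Constructed zone for offline use: two real hosts plus a wildcard catch-all.
FAKE_ZONE = {"www.example.test": {"203.0.113.10"}, "vpn.example.test": {"203.0.113.20"}}


def fake_resolve(name: str) -> Set[str]:
    """Stand-in resolver: every unknown name gets the wildcard address 203.0.113.9."""
    return FAKE_ZONE.get(name, {"203.0.113.9"})


if __name__ == "__main__":
    labels = candidates(1, 3, max_consecutive=3, max_occurrences=3, max_nples=1, max_repetitions=0)
    # Only 'www' and 'vpn' survive; every other label just echoes the wildcard.
    print(find_subdomains("example.test", labels, fake_resolve))
```

Against a real zone, swap `fake_resolve` for `system_resolve` (or a dnspython resolver if you want the script's -m behaviour of pointing at a specific nameserver) and add a short sleep between queries; an unthrottled run of tens of thousands of NXDOMAIN lookups is easy to spot and easy to rate-limit.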

Download script

