Hello Subhackers. Today I'm going to share a little bit of code with you all.
I'd assume most people are familiar with the concept of subdomain bruteforcing, but before I continue I feel I should overview it here quickly. Essentially, subdomain bruteforcing is a simple way to enumerate an organization's network. What you are doing is taking a domain name such as 'subhacker.net,' and prepending DNS prefixes from a list to the front of the domain name. If it resolves, then you've most likely discovered a valid FQDN. In the end you should have a list of servers belonging to the organization and their FQDNs, which give you a better idea of the structure and purpose of the organization. For example:
If those are the hosts you've found then you know that subhacker.net is running a webserver, a VPN, and some other particularly interesting server worth checking out. So that's the idea behind subdomain bruteforcing.
I used to bounce around between recon-ng, small, limited bash scripts, and various other methods to carry out my DNS enumeration tasks, but I am sick of the alternatives. So, I decided to code my own and be done with it.
Submap is a multithreaded subdomain bruteforcer which checks for the existence of DNS wildcards. Yes, I did go overboard with the banner. But hey, what's life if you can't have fun? By default it spawns 36 threads and uses OpenDNS's servers for name resolution. Its basic usage is simple:
submap -d example.com
This will test 5000 DNS prefixes against example.com. I've found most scans complete in around thirty seconds or so. For more advanced usage:
submap -v -d example.com -l fierce.txt -s 220.127.116.11, 18.104.22.168 -t 16 -o results.txt
This will run a bruteforce against example.com verbosely, using a custom wordlist, Google's DNS servers, bringing the thread count down to 16 (I wouldn't recommend going much higher than the default), and outputting the results to 'results.txt'. Here's what the output can look like:
In this example, the target only has a webserver running, but you get the idea. Feel free to check out or fork the code.
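Why the wildcard check mentioned above matters when you audit your own zone: on a wildcard domain every prefix in the list resolves, so the raw results are all noise. This is an added sketch, not Submap's code; the function names are hypothetical and the resolver is a stub over constructed records so it runs offline.

```python
import secrets

# Constructed records for the demo: *.example.com is a wildcard.
WILDCARD_IPS = {"203.0.113.10"}
ZONE = {
    "www.example.com": {"203.0.113.10"},  # same address as the wildcard
    "vpn.example.com": {"198.51.100.7"},  # distinct, explicitly defined host
}

def fake_resolver(name):
    """Stand-in for a DNS A lookup; an empty set means NXDOMAIN."""
    if name in ZONE:
        return ZONE[name]
    return WILDCARD_IPS if name.endswith(".example.com") else set()

def detect_wildcard(domain, resolve, probes=3):
    """Resolve random labels that should not exist and collect any answers."""
    answers = set()
    for _ in range(probes):
        answers |= resolve(f"{secrets.token_hex(8)}.{domain}")
    return answers

def naive_hits(domain, prefixes, resolve):
    """What a scan without a wildcard check reports: anything that resolves."""
    return [f"{p}.{domain}" for p in prefixes if resolve(f"{p}.{domain}")]

def enumerate_hosts(domain, prefixes, resolve):
    """Report only names whose answers differ from the wildcard's answers."""
    wildcard = detect_wildcard(domain, resolve)
    found = {}
    for prefix in prefixes:
        fqdn = f"{prefix}.{domain}"
        ips = resolve(fqdn)
        # Answers fully covered by the wildcard set cannot be told apart from
        # noise, so they are dropped. Limitation: a real host that shares the
        # wildcard address (www here) is dropped as well.
        if ips and not (wildcard and ips <= wildcard):
            found[fqdn] = ips
    return wildcard, found

if __name__ == "__main__":
    prefixes = ["www", "vpn", "mail", "dev"]
    print("naive:", naive_hits("example.com", prefixes, fake_resolver))
    print("filtered:", enumerate_hosts("example.com", prefixes, fake_resolver))
```

For zone owners the takeaway runs the other way too: a wildcard record does not hide hosts whose records point somewhere other than the wildcard target.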