usage -c 20

Exception in thread Thread-10:
Traceback (most recent call last):
File "c:\python\32-bit\3.4\lib\threading.py", line 921, in _bootstrap_inner
File "subbrute.py", line 333, in run
File "subbrute.py", line 298, in check
File "subbrute.py", line 226, in check
File "C:\Python34\lib\site-packages\dns\resolver.py", line 774, in query
File "C:\Python34\lib\site-packages\dns\name.py", line 613, in from_text
dns.name.EmptyLabel

just picked my own site(that has only one subdomain) and this tool finds 10+ subdomains, none of them have an IP assigned, how did these subdomain exist in the first place, or is it a false warning from subbrute?

What it says on the tin, you can repro by running python subbrute.py stackexchange.com and comparing its output to commit caf3cb5.

Not sure what the cause is, but a clue might be that self.wildcards is empty here even though it's populated correctly in find_wildcards().

Each time i try to run the latest version, it gives an import error:
"subbrute.py", line 10, in
import dnslib
ImportError: No module named dnslib
I already tried several time installing dnspython and still receiving the same error. I tried using a previous version of subbrute.py (v1.2) and it works okay.

Traceback (most recent call last):
  File "subbrute.py", line 700, in run
    killproc(pid = verify_nameservers_proc.pid)
AttributeError: 'verify_nameservers' object has no attribute 'pid'

During handling of the above exception, another exception occurred

Traceback (most recent call last):
  File "subbrute.py", line 834, in <module>
    print_target(target, record_type, options.subs, options.resolv
output)
  File "subbrute.py", line 513, in print_target
    for result in run(target, query_type, subdomains, resolve_list
  File "subbrute.py", line 703, in run
    verify_nameservers_proc.end()
AttributeError: 'verify_nameservers' object has no attribute 'end'

I'm getting this on python 3.7.2 while running python subbrute.py -t x.txt > out on carnegiescience.edu or when it was transitioning to www.tesla.com. Script was ran on Win 7 Ultimate SP1 and it was his 1st or 2nd line.

A piece of junk.

If you want, I've written a small code that dumps many useful records from various open source collections.
I think it would be a great add to your fantastic program.

subutil.zip

Hello,

I can't get any result in windows and kali linux using TOR VPN

Example:

C:\Users\Users\Desktop\subbrute-master\windows>subbrute.exe google.com -v
_

root@kali:~/Desktop/subbrute-master# ./subbrute.py google.com
_

Freezing without final result

Hey Mike,

I noticed that the latest version of subbrute hangs after finishing the enumeration and it doesn't kill or ends the process.

It hangs at this step:

About to kill nameserver process... 
End

I hope you can fix this issue!
Thanks

Hi there,

first of all, thanks for this cool tool.

If I set the thread-count too high (-c 250), I sometimes get the following Exception and subbrute seems to hang.

Exception in thread Thread-199:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 552, in __bootstrap_inner
    self.run()
  File "./subbrute.py", line 97, in run
    addr = self.check(test)
  File "./subbrute.py", line 84, in check
    raise e
NoNameservers

Any ideas?

Thanks in advance,
gehaxelt

Hi Rook,
Take a look at, https://github.com/skepticfx/subquest

We have used the dictionary from subbrute. Hope thats okay with you. We have properly credited you.

While running some tests using a small number of internal resolvers, I ran into this exception.

(a slightly sanitized traceback)

Process lookup-4:
Traceback (most recent call last):
  File "/opt/xxx/python/2.7.8_2/Frameworks/Python.framework/Versions/2.7/lib/python2.7/multiprocessing/process.py", line 258, in _bootstrap
    self.run()
  File "subbrute.py", line 278, in run
    addrs = self.check(test_domain)
  File "subbrute.py", line 247, in check
    raise e
TypeError: coercing to Unicode: need string or buffer, bool found

This patch seemed to make it go away, not sure it's the correct fix though.

diff --git a/subbrute.py b/subbrute.py
index 2faba8c..feee3bd 100644
--- a/subbrute.py
+++ b/subbrute.py
@@ -241,6 +241,10 @@ class lookup(multiprocessing.Process):
                     #Some old versions of dnspython throw this error,
                     #doesn't seem to affect the results,  and it was fixed in later versions.
                     pass
+                elif type(e) == TypeError:
+                    # We'll get here if the number procs > number of resolvers.
+                    self.in_q.put(host)
+                    return False
                 else:
                     trace("Problem processing host:", host)
                     #dnspython threw some strange exception...

is there a way to make it bypass the cloudflare protection?

First time using this tool however i can't seem to get it working both in windows 8 and kali 2.0. Gives me the same error nomatter what domain i try:

Unable to find authoritative resolvers for:cnn.com

I've tried the windows exe but it just freezes forever.

Hello,

Awesome tool! I'm working on getting this into the ports tree for OpenBSD and would really appreciate it if you could cut a 2.0 tag with the latest and greatest from source control so that I can integrate it into the system. OpenBSD's ports tree dynamically downloads the source from upstream for a specific version and I've found that this is the easiest way to do that.

Thanks!

I just started subbrute on ubuntu 12.04:
./subbrute.py -v -s names_small.txt sony.com

and get just tons of
---8<---
wildcard exception: ['216.52.65.1'] <class 'dns.resolver.NoAnswer'>
Rejected nameserver - wildcard: 216.52.65.1
wildcard exception: ['72.37.141.91'] <class 'dns.resolver.NoNameservers'>
Rejected nameserver - wildcard: 72.37.141.91
wildcard exception: ['216.52.97.33'] <class 'dns.resolver.NoAnswer'>
Rejected nameserver - wildcard: 216.52.97.33
wildcard exception: ['106.51.255.133'] <class 'dns.resolver.NoAnswer'>
Rejected nameserver - wildcard: 106.51.255.133
wildcard exception: ['164.2.255.241'] <class 'dns.resolver.NoAnswer'>
Rejected nameserver - wildcard: 164.2.255.241
wildcard exception: ['91.203.188.1'] <class 'dns.resolver.NoAnswer'>
Rejected nameserver - wildcard: 91.203.188.1
wildcard exception: ['203.253.64.1'] <class 'dns.resolver.NoAnswer'>
Rejected nameserver - wildcard: 203.253.64.1
wildcard exception: ['186.107.119.118'] <class 'dns.exception.Timeout'>
Rejected nameserver - wildcard: 186.107.119.118
wildcard exception: ['206.126.32.101'] <class 'dns.resolver.NoAnswer'>
Rejected nameserver - wildcard: 206.126.32.101
wildcard exception: ['217.149.155.180'] <class 'dns.resolver.NoAnswer'>
Rejected nameserver - wildcard: 217.149.155.180
wildcard exception: ['205.172.19.193'] <class 'dns.resolver.NoAnswer'>
Rejected nameserver - wildcard: 205.172.19.193
...
---8<---
Why is that?
It seams the DNS-Servers don't answer to these enumerations.

Thanks,
Chris

Hi,

recognised "ftps" as a sub-domain, which might not be quite as seldom. Therefore it could be added to names.txt.

Thanks,
Chris

Can I give this one TLD and get all hits?

chmod 644 LICENSE README.md *.txt

So, how does subbrute work, exactly?
Does it just check every value in the wordlist?
How does it deal with wildcards?
I seem to be getting a lot of false positives.

hello,guy

python subbrute.py -c 30 -p snda.com
mail1.mail.snda.com,NXDOMAIN,
mail2.mail.snda.com,NXDOMAIN,
mail3.mail.snda.com,NXDOMAIN,
mail4.mail.snda.com,NXDOMAIN,
mail5.mail.snda.com,NXDOMAIN,
mail6.mail.snda.com,NXDOMAIN,
mail7.mail.snda.com,NXDOMAIN,
dig snda.com
; <<>> DiG 9.8.3-P1 <<>> mail3.mail.snda.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47267
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;mail3.mail.snda.com. IN A

;; AUTHORITY SECTION:
snda.com. 56 IN SOA snda.com. root.ns.snda.com. 20051118 72 36 72 36

;; Query time: 12 msec
;; SERVER: 180.76.76.76#53(180.76.76.76)
;; WHEN: Sat Sep 19 02:24:27 2015
;; MSG SIZE rcvd: 81

Hi there

Great tool; question. Is it possible/planned/how would i, filter out responses that I know are false positives? The domain I'm testing against has a * record set up, and all domains (fsdkfjsdfsd.domain.com) responds with "This domain is not associated with an application.". The response is a HTTP 400 (bad request) header, and not a 200 OK, so that would be a way to test it, and/or regex matching contents but that might take a bit longer to process.

Possible?

Hi guys!
Thanks to share this tool, is really useful.
I kept my own list where i was updating (from fierce and others).
So, when i saw the "names.txt" i just merged (cat names.txt MyOwn.txt | sort | uniq > subdomains.txt)
with my own list and now i have a new subdomain list with 32611 lines.
Just take it (subdomains.txt) from my GitHub page, here:

https://github.com/8vw/s0nar (And yes, feel free to use s0nar ;)

best regards

@8vw

Hi Guys,

First of all, great work. A really useful piece of code. I wanted to ask if you guys would mind if i create a burp extension out of this script? I understand its GNU license, and i plan to keep the extension open source aswell, just want to get your guys consent.

Let me know.

get ip range,title,cms is better

It looks like the following two IP address generate spam responses that evade your detection mechanism.

207.69.188.189
207.69.188.184

Some cursory testing showed me the following:
Using your method:

$ nslookup 0f3698d0d478470a9ccbc2960324a21a.com. 207.69.188.184
*** rns0.earthlink.net can't find 0f3698d0d478470a9ccbc2960324a21a.com: Non-existent domain
Server:  rns0.earthlink.net
Address:  207.69.188.184

Using just a long domain name:

$ nslookup superlongfakedomainthatexceedsthelengthoftheuuid.com. 207.69.188.184
Non-authoritative answer:
Server:  rns0.earthlink.net
Address:  207.69.188.184

Name:    superlongfakedomainthatexceedsthelengthoftheuuid.com
Address:  92.242.140.1

Fake subdomain:

$ nslookup fake.example.com. 207.69.188.184
Non-authoritative answer:
Server:  rns0.earthlink.net
Address:  207.69.188.184

Name:    fake.example.com
Address:  92.242.140.1

It appears that they are somehow detecting that the uuid method and not returning anything for that, but returning the spam result for anything else.

Typically, the most common way to install Python Packages is through the Python Package Index.

To make installation easier, I would like to see subbrute mirrored on the Python Package Index. This would allow easy installation through a single command.

pip install subbrite

Is -a still supported? I have used this to list IPs and domain names, -p works a bit differently and gives more info , but I am wondering what's up with the -a option or how to use it properly.

Looks like there may be a read me type in the following statement.

python subroute.py -f full.html > my_subs.txt

Also the -f functionality does not seem to be a valid argument. https://github.com/TheRook/subbrute/blob/master/subbrute.py#L805-L823
it also doesnt appear to be documented in the Usage menu.

uname -a: Linux kali 3.18.0-kali3-amd64 #1 SMP Debian 3.18.6-1~kali2 (2015-03-02) x86_64 GNU/Linux

python -V : 2.7.3

python subbrute.py google.com: Traceback (most recent call last):

File "subbrute.py", line 10, in
import dnslib
ImportError: No module named dnslib

Thanks

Hey, I noticed that when I was testing through a tunnel that would go in/out about hourly that subbrute would lock up and stop sending requests even when connection is regained. Is it possible to differentiate between a lost connection and just not receiving responses? I'm thinking maybe if there's transmission failures for the last X, delay for Y and repeat them to see if they succeed. Not sure if this'd trigger false positives for rate-limiting servers though.

This is more or less linked to #31, as it is just another idea to get
more hostnames during the recon process :)

Google and Bing:
Scrape Google and Bing using the site: modifier. Example: "site:foo.com"
Parse the result set for individual subdomains.

Also:

AXFR: maybe a Zone transfer is possible, which would result in a comprehensive list of returns and therefore you can back off from brute force and safe time at that point :)

DNSSEC aware zones could be prone to zone walking, which is another great way to get a list of hosts in a considerable amount of time.

A rather "active" approach (which involves direct connections) could be to access each found host on port 80, retrieve the standard vhost and the vhost you found and look if you get a HTTP 302 Redirection - it may include further hints to other subdomains.

Hello,

please take a look to the project SDBF here:
https://github.com/jfrancois/SDBF

this could be an alternative.

wildcard domains not handled well -- should be removed from output list with some option

Example:
"""
$ dig +short bsB03SHuaeLPpYejea1uHExZSvEPbc.blogspot.com
blogspot.l.googleusercontent.com.
172.217.5.65
"""

There should exist some option to text long random subdomain and exclude additional results if a hit is found on a highly probable wildcard configuration. Fierce DNS brute script does this by default and would recommend this as default option in subbrute too.

can this be added to the list? just found a website that uses it.

Here are me more domains regarding Lync-Architecture and Mobile device Management:
mailsync
lyncdiscover
webex
webext
webcon
webconf
directaccess
mdm-core
mdm-entry
mdm-sentry

I added:

import socket
and
print(d , socket.gethostbyname(d)) #replacing print(d)

So that it'd display the discovered host and the IP, saves me having to throw the discovered hosts into something like nmap afterwards to determine the IP's. Hopefully that helps someone else in future :)

I can't find threads in help command. How i can use threads?

Not really doing anything fancy. linode.txt has ns1.linode.com - ns3.linode.com
Domain doesn't have anything fancy with DNS (a few A records and a few CNAME records.)

Unsure if the speed is related to the out of range errors or not, but obviously have issues with speed to (and blocking on ^C)

user1@host:/tmp/subbrute$ time python subbrute.py -r linode.txt -s subs_small.txt kyleosborn.org
Exception in thread Thread-3:
Traceback (most recent call last):
  File "/usr/lib/python2.6/threading.py", line 532, in __bootstrap_inner
    self.run()
  File "subbrute.py", line 56, in run
    if self.check(test):
  File "subbrute.py", line 45, in check
    raise e
IndexError: list index out of range

files.kyleosborn.org
ftp.kyleosborn.org
Exception in thread Thread-4:
Traceback (most recent call last):
  File "/usr/lib/python2.6/threading.py", line 532, in __bootstrap_inner
    self.run()
  File "subbrute.py", line 56, in run
    if self.check(test):
  File "subbrute.py", line 45, in check
    raise e
IndexError: list index out of range

localhost.kyleosborn.org
Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python2.6/threading.py", line 532, in __bootstrap_inner
    self.run()
  File "subbrute.py", line 56, in run
    if self.check(test):
  File "subbrute.py", line 45, in check
    raise e
IndexError: list index out of range

mail.kyleosborn.org
Exception in thread Thread-5:
Traceback (most recent call last):
  File "/usr/lib/python2.6/threading.py", line 532, in __bootstrap_inner
    self.run()
  File "subbrute.py", line 56, in run
    if self.check(test):
  File "subbrute.py", line 45, in check
    raise e
IndexError: list index out of range

Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/lib/python2.6/threading.py", line 532, in __bootstrap_inner
    self.run()
  File "subbrute.py", line 56, in run
    if self.check(test):
  File "subbrute.py", line 45, in check
    raise e
IndexError: list index out of range

^C^C^C^C^C^C






^C^C^C
^Z
[1]+  Stopped                 python subbrute.py -r linode.txt -s subs_small.txt kyleosborn.org

real    11m38.379s
user    0m0.000s
sys 0m0.001s

Hello all,

i used the latest version (cloned yesterday) and run into the following issue:
command used:
./subbrute.py testdomain.de -o test.names
this gives me the following results:

testdomain.de
www.testdomain.de
bellard.testdomain.de
evrobiz.testdomain.de
sneguroschka.testdomain.de
themagnetsystem.testdomain.de
nakrut.testdomain.de
benavent.testdomain.de
mto.testdomain.de
austria-art.testdomain.de
everythinginbudget.testdomain.de
jessieandrews.testdomain.de
googledesktop.testdomain.de
asiansisters.testdomain.de
bo-daily.testdomain.de
linkedinsiders.testdomain.de
graficworld.testdomain.de
dabarkadstv.testdomain.de
geoleon.testdomain.de
fashioonmonger.testdomain.de
khabarooz.testdomain.de
digitalfilms.testdomain.de
grosgrainfabulous.testdomain.de
test-blog-1111.testdomain.de
tvgoo.testdomain.de
bimbelsafira.testdomain.de
ryanpotterswag.testdomain.de
islamicmedia.testdomain.de
discreetdating.testdomain.de
deepthinking.testdomain.de
the17thman.testdomain.de
as1an-webparadise.testdomain.de
reportmysignal.testdomain.de
ecosdelsur2010.testdomain.de
vasiliki-besttheme.testdomain.de
wikistrike.testdomain.de
justamp.testdomain.de
goto-hongkong.testdomain.de
kranosgr.testdomain.de
desiretowill.testdomain.de
financeandconsultants.testdomain.de
shwinandshwin.testdomain.de
tragenioefollia.testdomain.de
mydreamworld.testdomain.de
latest-news-speakasia.testdomain.de
centrifugalpump.testdomain.de
cmaankur.testdomain.de
nokariplus.testdomain.de
par30song.testdomain.de
onepiecethai.testdomain.de
expertester.testdomain.de
thepeakofchic.testdomain.de
rahsialakibini.testdomain.de
accarticles.testdomain.de
glamorouswithouttheguilt.testdomain.de
cooooool-me.testdomain.de
lanylabooks.testdomain.de
lepas.testdomain.de
fundamentalanalys.testdomain.de
thenxtstep.testdomain.de
xem-tuvi.testdomain.de
dontbesofashion.testdomain.de
inspirationalquote.testdomain.de
dorothysurrenders.testdomain.de
needsoffinance.testdomain.de
indogirls3gp.testdomain.de
virtapay10paypalconverter.testdomain.de
pihiya.testdomain.de
tia-jean9.testdomain.de
absolutelymadness.testdomain.de
tomilotk.testdomain.de
nasabbashi.testdomain.de
money586.testdomain.de
wrighty7.testdomain.de
debbiedesigns.testdomain.de
wowfunniestposts.testdomain.de
nalanda-international-university-news.testdomain.de
staryus.testdomain.de
bestwallpapersfordesktop.testdomain.de
kumpulantipsngeblog.testdomain.de
tntsnookerteam.testdomain.de
s361357951.testdomain.de
codulluioreste.testdomain.de
luluaddict.testdomain.de
samirenaccion.testdomain.de
rovicky.testdomain.de
lantaw.testdomain.de
ilikecheesecomic.testdomain.de
crookedhouse.testdomain.de
escolhascertasrealizamsonhos.testdomain.de
rockcreeksocial.testdomain.de
simonlover83.testdomain.de
coreyjschmidt.testdomain.de
nil1950.testdomain.de
myaltlife.testdomain.de
governancacorporativa.testdomain.de
kairosgareggys.testdomain.de
penningdownthemind.testdomain.de
ferfal.testdomain.de
computerhowtoguide.testdomain.de
rinkosamani.testdomain.de
bivafa-tanha.testdomain.de
b10411.testdomain.de
ultimatedatazone.testdomain.de
asarikaisin.testdomain.de
mycrochetstuff.testdomain.de
jobbochfirma.testdomain.de
siriwansa.testdomain.de
gladwell.testdomain.de
africaunchained.testdomain.de
arab-beauty-girls.testdomain.de
dottydotdotdesign1.testdomain.de
usaerklaert.testdomain.de
entertainmentking.testdomain.de
alexbatard.testdomain.de
generic1.testdomain.de
bayikita.testdomain.de
onlinegeldverdienen11.testdomain.de
afrinerds.testdomain.de
v7u78.testdomain.de
tubevidyou.testdomain.de
yatou-16.testdomain.de
alandofrohan.testdomain.de
bacakomik68.testdomain.de
dbox.testdomain.de
alidemh.testdomain.de
cookwithsara.testdomain.de
fashionsnag.testdomain.de
pindakaasmetnootjes.testdomain.de
hypnoticblend.testdomain.de
freerangekids.testdomain.de
lotus1220.testdomain.de
e-rodios.testdomain.de
crpgaddict.testdomain.de
desigoogle.testdomain.de
cours-gratuits.testdomain.de
dung-tre.testdomain.de
kettlebell-weimar.testdomain.de
free-coloring-pages-kids.testdomain.de
gossipnscandal.testdomain.de
artworkxofmann.testdomain.de
leninreloaded.testdomain.de
currentposts.testdomain.de
tharunayacartoons.testdomain.de
shabbyblogsblog.testdomain.de
coopedup.testdomain.de
radiogempak.testdomain.de
johncandey496.testdomain.de
lottoesuperenalottoestrazioni.testdomain.de
lebasish.testdomain.de
sunscholars.testdomain.de
livestreamlat.testdomain.de
onecoolsite.testdomain.de
deepak-doddamani.testdomain.de
my-randomblogs.testdomain.de
rulesofmusica.testdomain.de
install-climber.testdomain.de
makingtheworldcuter.testdomain.de
photoshop-masterwmz.testdomain.de
fanglimin2011.testdomain.de
gadiscantik-seksi.testdomain.de
t7marketing.testdomain.de
dalelazarov.testdomain.de
quasituttogratis-guadagna.testdomain.de
secret-vdo.testdomain.de
badfiction.testdomain.de
chiccaisjumping.testdomain.de
chloeofthemountain.testdomain.de
document-management-server.testdomain.de
buenanavidad.testdomain.de
ttamazing.testdomain.de
entertainmentonlinelive.testdomain.de
boys80s.testdomain.de
ann-crabs.testdomain.de
dailynewposts.testdomain.de
bollywoodactressstill.testdomain.de
mar1e.testdomain.de
ecoleft.testdomain.de
funmixz.testdomain.de
simpsonsmusic500.testdomain.de
nimblebodhi.testdomain.de
ezaiza.testdomain.de
midiariosexy.testdomain.de
designdisneyraoul.testdomain.de
thiva-hellas.testdomain.de
cool-kora.testdomain.de
a2ztelugumusic.testdomain.de
bloggenist.testdomain.de
niyitabiti.testdomain.de
link2-me.testdomain.de
athletictrainersalary.testdomain.de
propertymarketupdate.testdomain.de
motikontho.testdomain.de
kumpulanfiksi.testdomain.de
nutrasur-mirinconcito.testdomain.de
livestreaming-premier-league.testdomain.de
rbeaudoin333.testdomain.de
happyhippieheart.testdomain.de
allseriestrekvar.testdomain.de
fuckyeahthebetterlife.testdomain.de
transit-gkouv.testdomain.de
luluandyourmom.testdomain.de
iansnaturism.testdomain.de
anrinko.testdomain.de
octive.testdomain.de
aamesacrl.testdomain.de
echale2s.testdomain.de
agrupacioncombativosmercantiles.testdomain.de
goldentimepictures.testdomain.de
wrenhandmade.testdomain.de
peruflorotv.testdomain.de
nickelupdates.testdomain.de
egy3u.testdomain.de
beautygirlsandy.testdomain.de
reed077.testdomain.de
onlyfreedownload.testdomain.de
facebook-comments-box.testdomain.de

they are ALL invalid exept:

testdomain.de
www.testdomain.de

something is going really wrong here. results are not usable.

best
hheile

Hey. subbrute worked just fine with a small subs list. But since i'm bruting with the full standard subs list i'm getting this exception after a while: subbrute.py --subs=subs.txt -t all_domains.txt > outfile4.txt
Exception in thread Thread-19:
Traceback (most recent call last):
File "C:\Python27\lib\threading.py", line 808, in __bootstrap_inner
self.run()
File ".\subbrute.py",
line 97, in run
addr = self.check(test)
File ".\subbrute.py",
line 84, in check
raise e
NoNameservers

Each time i try to run the latest version, it gives an import error:
"subbrute.py", line 10, in
import dnslib
ImportError: No module named dnslib
I already tried several time installing dnspython and still receiving the same error. I tried using a previous version (v1.2) of subbrute.py and it works okay.

Hello,

I shortened the wordlist to 1k subdomains and run the script again at 100 threads and still 15 minutes and keeps going...

that means that if i try the main wordlist of 130k subdomains it would take +5,40 hours

Is there any way to speed up this? what about the resolvers.txt? can i update it somehow? what type of resolvers and where should i look for them?

Exception in thread Thread-9:
Traceback (most recent call last):
File "/usr/lib/python2.7/threading.py", line 808, in __bootstrap_inner
self.run()
File "subbrute.py", line 97, in run
addr = self.check(test)
File "subbrute.py", line 84, in check
raise e
NameError: global name 'retry_servfail' is not defined

I guess its the following line in dns/resolver.py's query function:

if rcode != dns.rcode.SERVFAIL or not retry_servfail:

Which gets triggered from subbrute.py:48

answer = self.resolver.query(host)

When this crash happens the domain does exist, I patched it by printing the host before the error gets raised but thats not really neat.
The specific scenario where this happened was when the match is a CNAME record of the target to be scanned.

It'd be great if subbrute was in PyPI so that would could simple $ pip install subbrute!

memory free of 500MB , then i load a 70MB sub domain dic ,the program been kill because of out of memory

When using fierce to enumerate subdomains, we are presented with the corresponding IP addresses as the results roll in, and at the end, the subnets where hostnames were found.

Like this:

[...]
192.30.253.125 live.github.com
192.30.253.124 live.github.com
192.0.2.1 ns1.github.com
192.0.2.2 ns2.github.com

Subnets found (may want to probe here using nmap or unicornscan):
192.0.2.0-255 : 2 hostnames found.
192.30.253.0-255 : 23 hostnames found.

This would be extremely useful in subbrute as well!

Whilst trying the tool on some domains that use Cloudflare for their authoritative nameserver (along with another factor which seems to vary by domain) I found that using type ANY for the queries would return HINFO(13) with nothing in the answer regardless of whether the subdomain exists or not. Thanks to @decidedlygray, I discovered that this is a change Cloudflare introduced explained here:
https://blog.cloudflare.com/what-happened-next-the-deprecation-of-any/.

I found that the query type ALL seems to be a suitable alternative to ANY when playing around with dig. However, when I set the --type=ALL option, then all resolvers fail the wildcard test. The issue seems to be that an exception is raised by dnslib here:

The exception that is raised is (ignore line numbers since my file has many debug output lines added):

Traceback (most recent call last):
  File "./subbrute.py", line 227, in find_wildcards
    blanktest = self.resolver.query(self.target, self.query_type)
  File "./subbrute.py", line 64, in query
    query = dnslib.DNSRecord.question(hostname, query_type.upper().strip())
  File "/home/neo/Projects/Haxr/subbrute-master/dnslib/dns.py", line 137, in question
    return DNSRecord(q=DNSQuestion(qname,getattr(QTYPE,qtype),
  File "/home/neo/Projects/Haxr/subbrute-master/dnslib/bimap.py", line 74, in __getattr__
    raise self.error("%s: Invalid reverse lookup: [%s]" % (self.name,k))
DNSError: QTYPE: Invalid reverse lookup: [ALL]

I have no idea what this actually means as yet but suspect its a shortcoming of the version of dnslib included in the repo. I'm looking further into this so I'll update and maybe PR if I come across a solution.

I'm unsure if this would be in the scope of the tool, but using a website's SSL cert(s) can be a good way to find subdomains. For example, the SSL certificate for the German parliament (https://bundestag.de) has this list of domains in its Subject Alternative Name:

adler.bundestag.de
adleradmin.bundestag.de
awstats.bundestag.de
bundestag.de
cms.bundestag.de
cms.dev.bundestag.de
cms.prod.bundestag.de
cms.schulung.bundestag.de
cms.staging.bundestag.de
cmslogin.bundestag.de
das-parlament.de
datenaustausch.bundestag.de
editor.bundestag.de
editor.dev.bundestag.de
editor.prod.bundestag.de
editor.schulung.bundestag.de
editor.staging.bundestag.de
forum.bundestag.de
kontakt.bundestag.de
kontakt.dev.bundestag.de
kontakt.prod.bundestag.de
kontakt.schulung.bundestag.de
kontakt.staging.bundestag.de
newsletteradmin.bundestag.de
newsletteradmin.mitmischen.de
opac.bibliothek.bundestag.de
opac.bundestag.de
sdc.bundestag.de
sdc.mitmischen.de
statistik.bundestag.de
statistik.dev.bundestag.de
statistik.schulung.bundestag.de
statistik.staging.bundestag.de
studio.bundestag.de
studio.dev.bundestag.de
studio.prod.bundestag.de
studio.schulung.bundestag.de
studio.staging.bundestag.de
suche.bundestag.de
suche.dev.bundestag.de
suche.prod.bundestag.de
suche.schulung.bundestag.de
suche.staging.bundestag.de
visite.bundestag.de
werkstatt.bundestag.de
www.bundestag.de
www.das-parlament.de
www.dev.bundestag.de
www.dev.das-parlament.de
www.kuppelkucker.de
www.mitmischen.de
www.parlamentsprofi.de
www.prod.bundestag.de
www.schulung.bundestag.de
www.staging.bundestag.de
www.staging.das-parlament.de

You can see the list in your browser or via CLI:

openssl s_client -showcerts -connect bundestag.de:443 < /dev/null | openssl x509 -text | grep -A 1 "Subject Alternative Name"