subbrute's Introduction

subdomain-bruteforcer (SubBrute)

SubBrute is a community-driven project with the goal of creating the fastest and most accurate subdomain enumeration tool. Some of the magic behind SubBrute is that it uses open resolvers as a kind of proxy to circumvent DNS rate-limiting (https://www.us-cert.gov/ncas/alerts/TA13-088A). This design also provides a layer of anonymity, as SubBrute does not send traffic directly to the target's name servers.

What's new in v2.1?

Better stability. Better support for testing Cloudflare domains.

Thank you for the bug posts!

What's new in v1.2.1?

The big news in this version is that SubBrute is now a recursive DNS spider and also a library (more on this later). SubBrute should be easy to use, so the interface should be intuitive (like nmap!); if you would like the interface to change, let us know. In this version we are opening up SubBrute's fast DNS resolution pipeline for any DNS record type. Additionally, SubBrute now has a feature to detect subdomains where resolution is intentionally blocked, which sometimes happens when a subdomain is intended for use on an internal network.

  • SubBrute is now a DNS spider that recursively crawls enumerated DNS records. This feature boosted *.google.com from 123 to 162 subdomains. (Always enabled)
  • --type enumerate an arbitrary record type (AAAA, CNAME, SOA, TXT, MX...)
  • -s can now read subdomains from result files.
  • New usage - The subdomains enumerated from previous scans can now be used as input to enumerate other DNS records. The following commands demonstrate this new functionality:
	./subbrute.py google.com -o google.names
		...162 subdomains found...

	./subbrute.py -s google.names google.com --type TXT
		google.com,"v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"
		adwords.google.com,"v=spf1 redirect=google.com"
		...

	./subbrute.py -s google.names google.com --type CNAME
		blog.google.com,www.blogger.com,blogger.l.google.com
		groups.google.com,groups.l.google.com
		...
  • SubBrute is now a subdomain enumeration library with a Python interface: subbrute.run(). Do you want to use SubBrute in your Python projects? Consider the following:
	import subbrute

	# Iterate over results as they are found; print() works on Python 2.7 and 3.
	for d in subbrute.run("google.com"):
		print(d)

Feedback welcome.

What's new in v1.1?

This version merges pull requests from the community; changes from JordanMilne, KxCode and rc0r are in this release. In SubBrute 1.1 we fixed bugs and improved accuracy and efficiency. As requested, this project is now GPLv3.

Accuracy and better wildcard detection:

  • A new filter that can pick up geolocation-aware wildcards.
  • Filter misbehaving nameservers

Faster:

  • More than 2,000 high quality nameservers were added to resolvers.txt; these servers will resolve multiple queries in under 1 sec.
  • Nameservers are verified when they are needed. A separate thread is responsible for creating a feed of nameservers and the corresponding wildcard blacklist.

New output:

  • -a will list all addresses associated with a subdomain.
  • -v debug output, to help developers/hackers debug subbrute.
  • -o output results to file.

More Information

names.txt contains 101,010 subdomains. subs_small.txt was stolen from fierce2 which contains 1896 subdomains. If you find more subdomains to add, open a bug report or pull request and I'll be happy to add them.

No install required for Windows, just cd into the 'windows' folder:

  • subbrute.exe google.com

Easy to install: You just need http://www.dnspython.org/ and python2.7 or python3. This tool should work under any operating system: bsd, osx, windows, linux...

(On a side note giving a makefile root always bothers me, it would be a great way to install a backdoor...)

Under Ubuntu/Debian all you need is:

  • sudo apt-get install python-dnspython

On other operating systems you may have to install dnspython manually:

http://www.dnspython.org/

Easy to use:

  • ./subbrute.py google.com

Tests multiple domains:

  • ./subbrute.py google.com gmail.com blogger.com

or a newline delimited list of domains:

  • ./subbrute.py -t list.txt

Also keep in mind that subdomains can have subdomains (example: _xmpp-server._tcp.gmail.com):

  • ./subbrute.py gmail.com > gmail.out

  • ./subbrute.py -t gmail.out

Cheers!

subbrute's People

Contributors

brooksbf, infosec-au, jordanmilne, kxcode, ppaulojr, rc0r, therook

subbrute's Issues

Exception in thread

usage -c 20

Exception in thread Thread-10:
Traceback (most recent call last):
File "c:\python\32-bit\3.4\lib\threading.py", line 921, in _bootstrap_inner
File "subbrute.py", line 333, in run
File "subbrute.py", line 298, in check
File "subbrute.py", line 226, in check
File "C:\Python34\lib\site-packages\dns\resolver.py", line 774, in query
File "C:\Python34\lib\site-packages\dns\name.py", line 613, in from_text
dns.name.EmptyLabel

lots of non-exist subdomain found?

Just picked my own site (that has only one subdomain) and this tool finds 10+ subdomains, none of them have an IP assigned, how did these subdomains exist in the first place, or is it a false warning from subbrute?

Error importing dnslib

Each time I try to run the latest version, it gives an import error:
"subbrute.py", line 10, in
import dnslib
ImportError: No module named dnslib
I already tried several times installing dnspython and am still receiving the same error. I tried using a previous version of subbrute.py (v1.2) and it works okay.

'verify_nameservers' object has no attribute 'pid'

Traceback (most recent call last):
  File "subbrute.py", line 700, in run
    killproc(pid = verify_nameservers_proc.pid)
AttributeError: 'verify_nameservers' object has no attribute 'pid'

During handling of the above exception, another exception occurred

Traceback (most recent call last):
  File "subbrute.py", line 834, in <module>
    print_target(target, record_type, options.subs, options.resolv
output)
  File "subbrute.py", line 513, in print_target
    for result in run(target, query_type, subdomains, resolve_list
  File "subbrute.py", line 703, in run
    verify_nameservers_proc.end()
AttributeError: 'verify_nameservers' object has no attribute 'end'

I'm getting this on Python 3.7.2 while running python subbrute.py -t x.txt > out on carnegiescience.edu or when it was transitioning to www.tesla.com. Script was run on Win 7 Ultimate SP1 and it was his 1st or 2nd line.

Open Source DNS Recon

If you want, I've written a small code that dumps many useful records from various open source collections.
I think it would be a great add to your fantastic program.

subutil.zip

Subbrute doesn't work in windows and kali using TOR VPN

Hello,

I can't get any result in windows and kali linux using TOR VPN

Example:

C:\Users\Users\Desktop\subbrute-master\windows>subbrute.exe google.com -v
_

root@kali:~/Desktop/subbrute-master# ./subbrute.py google.com
_

Freezing without final result

Exception: NoNameServers

Hi there,

first of all, thanks for this cool tool.

If I set the thread-count too high (-c 250), I sometimes get the following Exception and subbrute seems to hang.

Exception in thread Thread-199:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 552, in __bootstrap_inner
    self.run()
  File "./subbrute.py", line 97, in run
    addr = self.check(test)
  File "./subbrute.py", line 84, in check
    raise e
NoNameservers

Any ideas?

Thanks in advance,
gehaxelt

TypeError when number of processes exceeds resolvers.

While running some tests using a small number of internal resolvers, I ran into this exception.

(a slightly sanitized traceback)

Process lookup-4:
Traceback (most recent call last):
  File "/opt/xxx/python/2.7.8_2/Frameworks/Python.framework/Versions/2.7/lib/python2.7/multiprocessing/process.py", line 258, in _bootstrap
    self.run()
  File "subbrute.py", line 278, in run
    addrs = self.check(test_domain)
  File "subbrute.py", line 247, in check
    raise e
TypeError: coercing to Unicode: need string or buffer, bool found

This patch seemed to make it go away, not sure it's the correct fix though.

diff --git a/subbrute.py b/subbrute.py
index 2faba8c..feee3bd 100644
--- a/subbrute.py
+++ b/subbrute.py
@@ -241,6 +241,10 @@ class lookup(multiprocessing.Process):
                     #Some old versions of dnspython throw this error,
                     #doesn't seem to affect the results,  and it was fixed in later versions.
                     pass
+                elif type(e) == TypeError:
+                    # We'll get here if the number procs > number of resolvers.
+                    self.in_q.put(host)
+                    return False
                 else:
                     trace("Problem processing host:", host)
                     #dnspython threw some strange exception...
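Review bot: the added `elif type(e) == TypeError:` branch swallows every TypeError raised in this lookup path, not only the one its comment attributes to having more processes than resolvers, so an unrelated type bug would now re-queue hosts silently. The traceback above shows a bool reaching code that expects a string, which points at validating the value before the query is made (and waiting or stopping when no resolver is available) rather than catching the exception afterwards. If the branch stays, use `isinstance(e, TypeError)`, call `trace(...)` as the `else` branch does so the event is visible in debug output, and bound how many times a host is put back on `self.in_q` so a permanent shortage of resolvers cannot loop forever.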

Unable to find authoritative resolvers for:google.com

First time using this tool, however I can't seem to get it working both in Windows 8 and Kali 2.0. Gives me the same error no matter what domain I try:

Unable to find authoritative resolvers for:cnn.com

I've tried the windows exe but it just freezes forever.

Could you cut a 2.0 tag please?

Hello,

Awesome tool! I'm working on getting this into the ports tree for OpenBSD and would really appreciate it if you could cut a 2.0 tag with the latest and greatest from source control so that I can integrate it into the system. OpenBSD's ports tree dynamically downloads the source from upstream for a specific version and I've found that this is the easiest way to do that.

Thanks!

Rejected nameserver - wildcard

I just started subbrute on ubuntu 12.04:
./subbrute.py -v -s names_small.txt sony.com

and get just tons of
---8<---
wildcard exception: ['216.52.65.1'] <class 'dns.resolver.NoAnswer'>
Rejected nameserver - wildcard: 216.52.65.1
wildcard exception: ['72.37.141.91'] <class 'dns.resolver.NoNameservers'>
Rejected nameserver - wildcard: 72.37.141.91
wildcard exception: ['216.52.97.33'] <class 'dns.resolver.NoAnswer'>
Rejected nameserver - wildcard: 216.52.97.33
wildcard exception: ['106.51.255.133'] <class 'dns.resolver.NoAnswer'>
Rejected nameserver - wildcard: 106.51.255.133
wildcard exception: ['164.2.255.241'] <class 'dns.resolver.NoAnswer'>
Rejected nameserver - wildcard: 164.2.255.241
wildcard exception: ['91.203.188.1'] <class 'dns.resolver.NoAnswer'>
Rejected nameserver - wildcard: 91.203.188.1
wildcard exception: ['203.253.64.1'] <class 'dns.resolver.NoAnswer'>
Rejected nameserver - wildcard: 203.253.64.1
wildcard exception: ['186.107.119.118'] <class 'dns.exception.Timeout'>
Rejected nameserver - wildcard: 186.107.119.118
wildcard exception: ['206.126.32.101'] <class 'dns.resolver.NoAnswer'>
Rejected nameserver - wildcard: 206.126.32.101
wildcard exception: ['217.149.155.180'] <class 'dns.resolver.NoAnswer'>
Rejected nameserver - wildcard: 217.149.155.180
wildcard exception: ['205.172.19.193'] <class 'dns.resolver.NoAnswer'>
Rejected nameserver - wildcard: 205.172.19.193
...
---8<---
Why is that?
It seems the DNS servers don't answer to these enumerations.

Thanks,
Chris

Please add subdomain ftps

Hi,

recognised "ftps" as a sub-domain, which might not be quite as seldom. Therefore it could be added to names.txt.

Thanks,
Chris

TLD

Can I give this one TLD and get all hits?

Dealing with wildcards

So, how does subbrute work, exactly?
Does it just check every value in the wordlist?
How does it deal with wildcards?
I seem to be getting a lot of false positives.

haven't remove of not existing domain name

hello,guy

python subbrute.py -c 30 -p snda.com
mail1.mail.snda.com,NXDOMAIN,
mail2.mail.snda.com,NXDOMAIN,
mail3.mail.snda.com,NXDOMAIN,
mail4.mail.snda.com,NXDOMAIN,
mail5.mail.snda.com,NXDOMAIN,
mail6.mail.snda.com,NXDOMAIN,
mail7.mail.snda.com,NXDOMAIN,
dig snda.com
; <<>> DiG 9.8.3-P1 <<>> mail3.mail.snda.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47267
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;mail3.mail.snda.com. IN A

;; AUTHORITY SECTION:
snda.com. 56 IN SOA snda.com. root.ns.snda.com. 20051118 72 36 72 36

;; Query time: 12 msec
;; SERVER: 180.76.76.76#53(180.76.76.76)
;; WHEN: Sat Sep 19 02:24:27 2015
;; MSG SIZE rcvd: 81

Filtering known false positives

Hi there

Great tool; question. Is it possible/planned/how would i, filter out responses that I know are false positives? The domain I'm testing against has a * record set up, and all domains (fsdkfjsdfsd.domain.com) responds with "This domain is not associated with an application.". The response is a HTTP 400 (bad request) header, and not a 200 OK, so that would be a way to test it, and/or regex matching contents but that might take a bit longer to process.

Possible?

#NoIssue - 1.313 new subdomain names

Hi guys!
Thanks to share this tool, is really useful.
I kept my own list where i was updating (from fierce and others).
So, when i saw the "names.txt" i just merged (cat names.txt MyOwn.txt | sort | uniq > subdomains.txt)
with my own list and now i have a new subdomain list with 32611 lines.
Just take it (subdomains.txt) from my GitHub page, here:

https://github.com/8vw/s0nar (And yes, feel free to use s0nar ;)

best regards

@8vw

No Issue - Just a question

Hi Guys,

First of all, great work. A really useful piece of code. I wanted to ask if you guys would mind if I create a Burp extension out of this script? I understand it's GNU licensed, and I plan to keep the extension open source as well, just want to get your guys' consent.

Let me know.

Spam DNS responses

It looks like the following two IP addresses generate spam responses that evade your detection mechanism.

207.69.188.189
207.69.188.184

Some cursory testing showed me the following:
Using your method:

$ nslookup 0f3698d0d478470a9ccbc2960324a21a.com. 207.69.188.184
*** rns0.earthlink.net can't find 0f3698d0d478470a9ccbc2960324a21a.com: Non-existent domain
Server:  rns0.earthlink.net
Address:  207.69.188.184

Using just a long domain name:

$ nslookup superlongfakedomainthatexceedsthelengthoftheuuid.com. 207.69.188.184
Non-authoritative answer:
Server:  rns0.earthlink.net
Address:  207.69.188.184

Name:    superlongfakedomainthatexceedsthelengthoftheuuid.com
Address:  92.242.140.1

Fake subdomain:

$ nslookup fake.example.com. 207.69.188.184
Non-authoritative answer:
Server:  rns0.earthlink.net
Address:  207.69.188.184

Name:    fake.example.com
Address:  92.242.140.1

It appears that they are somehow detecting the uuid method and not returning anything for that, but returning the spam result for anything else.

Mirror subbrute on the Python Package Index

Typically, the most common way to install Python Packages is through the Python Package Index.

To make installation easier, I would like to see subbrute mirrored on the Python Package Index. This would allow easy installation through a single command.

pip install subbrite

-a issue

Is -a still supported? I have used this to list IPs and domain names, -p works a bit differently and gives more info , but I am wondering what's up with the -a option or how to use it properly.

Not able to import dnslib from Kali

uname -a: Linux kali 3.18.0-kali3-amd64 #1 SMP Debian 3.18.6-1~kali2 (2015-03-02) x86_64 GNU/Linux

python -V : 2.7.3

python subbrute.py google.com: Traceback (most recent call last):

File "subbrute.py", line 10, in
import dnslib
ImportError: No module named dnslib

Thanks

Lockup on network connectivity lost

Hey, I noticed that when I was testing through a tunnel that would go in/out about hourly that subbrute would lock up and stop sending requests even when connection is regained. Is it possible to differentiate between a lost connection and just not receiving responses? I'm thinking maybe if there's transmission failures for the last X, delay for Y and repeat them to see if they succeed. Not sure if this'd trigger false positives for rate-limiting servers though.

Get subdomains via additional recon (Search Engine, Alternative Sources)

This is more or less linked to #31, as it is just another idea to get
more hostnames during the recon process :)

Google and Bing:
Scrape Google and Bing using the site: modifier. Example: "site:foo.com"
Parse the result set for individual subdomains.

Also:

AXFR: maybe a zone transfer is possible, which would result in a comprehensive list of returns and therefore you can back off from brute force and save time at that point :)

DNSSEC aware zones could be prone to zone walking, which is another great way to get a list of hosts in a considerable amount of time.

A rather "active" approach (which involves direct connections) could be to access each found host on port 80, retrieve the standard vhost and the vhost you found and look if you get a HTTP 302 Redirection - it may include further hints to other subdomains.

wildcard domains not handled well -- should be removed from output list with some option

wildcard domains not handled well -- should be removed from output list with some option

Example:
"""
$ dig +short bsB03SHuaeLPpYejea1uHExZSvEPbc.blogspot.com
blogspot.l.googleusercontent.com.
172.217.5.65
"""

There should exist some option to test a long random subdomain and exclude additional results if a hit is found on a highly probable wildcard configuration. Fierce DNS brute script does this by default and would recommend this as default option in subbrute too.
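The resolver check from the "Spam DNS responses" issue and the wildcard filter requested in the issue above, as one added example (not SubBrute's code and not part of either issue). It assumes a resolver is modelled as a callable returning a set of answers (empty for NXDOMAIN); `SimResolver`, `RECORDS`, `example.test` and the documentation-range addresses are constructed, and 92.242.140.1 is the spam answer quoted in that issue.

```python
import random
import re
import string

HEX32 = re.compile(r"^[0-9a-f]{32}$")


def _letters(rng, n):
    return "".join(rng.choice(string.ascii_lowercase) for _ in range(n))


def probe_names(rng, parent):
    """Three names that should not exist under `parent`, one per shape from
    the nslookup tests: uuid-like hex, long alphabetic, nested label."""
    return [
        "%032x.%s" % (rng.getrandbits(128), parent),
        "%s.%s" % (_letters(rng, 40), parent),
        "%s.%s.%s" % (_letters(rng, 6), _letters(rng, 40), parent),
    ]


def rewritten_answers(resolve, rng, suffix="com"):
    """Answers a resolver gave for names that should be NXDOMAIN.
    Non-empty means it rewrites NXDOMAIN and should not be trusted."""
    bogus = set()
    for name in probe_names(rng, suffix):
        bogus |= resolve(name)
    return bogus


def wildcard_answers(resolve, domain, rng, rounds=2):
    """Union of answers for random names under `domain`. Several rounds are
    used because a wildcard may rotate or geo-balance its answers."""
    seen = set()
    for _ in range(rounds):
        for name in probe_names(rng, domain):
            seen |= resolve(name)
    return seen


def drop_wildcard_hits(results, wildcard):
    """Keep a name only if it has an answer the wildcard never gave.
    Trade-off: a real host sharing the wildcard's address is dropped too."""
    return {name: ans for name, ans in results.items() if ans - wildcard}


class SimResolver:
    """Constructed stand-in for one nameserver; sends no network traffic."""

    def __init__(self, records, zone=None, wildcard_pool=(), spam_ip=None):
        self.records = records
        self.zone = zone
        self.wildcard_pool = wildcard_pool
        self.spam_ip = spam_ip
        self.calls = 0

    def __call__(self, name):
        name = name.rstrip(".").lower()
        if name in self.records:
            return set(self.records[name])
        if self.zone and self.wildcard_pool and name.endswith("." + self.zone):
            self.calls += 1  # rotate answers like a load-balanced wildcard
            return {self.wildcard_pool[self.calls % len(self.wildcard_pool)]}
        # Behaviour described in the issue: stay honest for uuid-shaped
        # labels, return the spam address for every other missing name.
        if self.spam_ip and not HEX32.match(name.split(".")[0]):
            return {self.spam_ip}
        return set()


# Constructed sample zone: two real hosts behind a rotating wildcard.
RECORDS = {
    "www.example.test": {"198.51.100.7"},
    "dev.example.test": {"203.0.113.10", "198.51.100.9"},
}
WILDCARD_POOL = ("203.0.113.10", "203.0.113.11")


def demo(seed=1):
    rng = random.Random(seed)
    honest = SimResolver(RECORDS, "example.test", WILDCARD_POOL)
    spammy = SimResolver(RECORDS, "example.test", WILDCARD_POOL,
                         spam_ip="92.242.140.1")
    vetted = {"honest": rewritten_answers(honest, rng),
              "spammy": rewritten_answers(spammy, rng)}
    wildcard = wildcard_answers(honest, "example.test", rng)
    names = [w + ".example.test" for w in ("www", "dev", "mail", "intranet")]
    results = {n: honest(n) for n in names}
    return vetted, wildcard, drop_wildcard_hits(results, wildcard)


if __name__ == "__main__":
    print(demo())
```
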

ncp subdomain

can this be added to the list? just found a website that uses it.

Additional Domains

Here are more domains regarding Lync architecture and mobile device management:
mailsync
lyncdiscover
webex
webext
webcon
webconf
directaccess
mdm-core
mdm-entry
mdm-sentry

Resolve to IP

I added:

import socket
and
print(d , socket.gethostbyname(d)) #replacing print(d)

So that it'd display the discovered host and the IP, saves me having to throw the discovered hosts into something like nmap afterwards to determine the IP's. Hopefully that helps someone else in future :)

Out of range errors

Not really doing anything fancy. linode.txt has ns1.linode.com - ns3.linode.com
Domain doesn't have anything fancy with DNS (a few A records and a few CNAME records.)

Unsure if the speed is related to the out of range errors or not, but obviously have issues with speed too (and blocking on ^C)

user1@host:/tmp/subbrute$ time python subbrute.py -r linode.txt -s subs_small.txt kyleosborn.org
Exception in thread Thread-3:
Traceback (most recent call last):
  File "/usr/lib/python2.6/threading.py", line 532, in __bootstrap_inner
    self.run()
  File "subbrute.py", line 56, in run
    if self.check(test):
  File "subbrute.py", line 45, in check
    raise e
IndexError: list index out of range

files.kyleosborn.org
ftp.kyleosborn.org
Exception in thread Thread-4:
Traceback (most recent call last):
  File "/usr/lib/python2.6/threading.py", line 532, in __bootstrap_inner
    self.run()
  File "subbrute.py", line 56, in run
    if self.check(test):
  File "subbrute.py", line 45, in check
    raise e
IndexError: list index out of range

localhost.kyleosborn.org
Exception in thread Thread-2:
Traceback (most recent call last):
  File "/usr/lib/python2.6/threading.py", line 532, in __bootstrap_inner
    self.run()
  File "subbrute.py", line 56, in run
    if self.check(test):
  File "subbrute.py", line 45, in check
    raise e
IndexError: list index out of range

mail.kyleosborn.org
Exception in thread Thread-5:
Traceback (most recent call last):
  File "/usr/lib/python2.6/threading.py", line 532, in __bootstrap_inner
    self.run()
  File "subbrute.py", line 56, in run
    if self.check(test):
  File "subbrute.py", line 45, in check
    raise e
IndexError: list index out of range

Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/lib/python2.6/threading.py", line 532, in __bootstrap_inner
    self.run()
  File "subbrute.py", line 56, in run
    if self.check(test):
  File "subbrute.py", line 45, in check
    raise e
IndexError: list index out of range

^C^C^C^C^C^C






^C^C^C
^Z
[1]+  Stopped                 python subbrute.py -r linode.txt -s subs_small.txt kyleosborn.org

real    11m38.379s
user    0m0.000s
sys 0m0.001s

invalid output when using basic parameters

Hello all,

I used the latest version (cloned yesterday) and ran into the following issue:
command used:
./subbrute.py testdomain.de -o test.names
this gives me the following results:

they are ALL invalid except:

testdomain.de
www.testdomain.de

something is going really wrong here. results are not usable.

best
hheile

NoNameservers exception

Hey. subbrute worked just fine with a small subs list. But since i'm bruting with the full standard subs list i'm getting this exception after a while: subbrute.py --subs=subs.txt -t all_domains.txt > outfile4.txt
Exception in thread Thread-19:
Traceback (most recent call last):
File "C:\Python27\lib\threading.py", line 808, in __bootstrap_inner
self.run()
File ".\subbrute.py",
line 97, in run
addr = self.check(test)
File ".\subbrute.py",
line 84, in check
raise e
NoNameservers

Error importing dnslib

Each time I try to run the latest version, it gives an import error:
"subbrute.py", line 10, in
import dnslib
ImportError: No module named dnslib
I already tried several times installing dnspython and am still receiving the same error. I tried using a previous version (v1.2) of subbrute.py and it works okay.

brute force is too slow!

Hello,

I shortened the wordlist to 1k subdomains and run the script again at 100 threads and still 15 minutes and keeps going...

that means that if i try the main wordlist of 130k subdomains it would take +5,40 hours

Is there any way to speed up this? what about the resolvers.txt? can i update it somehow? what type of resolvers and where should i look for them?

error in subbrute.py:84

Exception in thread Thread-9:
Traceback (most recent call last):
File "/usr/lib/python2.7/threading.py", line 808, in __bootstrap_inner
self.run()
File "subbrute.py", line 97, in run
addr = self.check(test)
File "subbrute.py", line 84, in check
raise e
NameError: global name 'retry_servfail' is not defined

I guess its the following line in dns/resolver.py's query function:

if rcode != dns.rcode.SERVFAIL or not retry_servfail:

Which gets triggered from subbrute.py:48

answer = self.resolver.query(host)

When this crash happens the domain does exist. I patched it by printing the host before the error gets raised, but that's not really neat.
The specific scenario where this happened was when the match is a CNAME record of the target to be scanned.

Publish to PyPI

It'd be great if subbrute was in PyPI so that we could simply $ pip install subbrute!

Feature request: show IP addresses/ranges in results

When using fierce to enumerate subdomains, we are presented with the corresponding IP addresses as the results roll in, and at the end, the subnets where hostnames were found.

Like this:

[...]
192.30.253.125 live.github.com
192.30.253.124 live.github.com
192.0.2.1 ns1.github.com
192.0.2.2 ns2.github.com

Subnets found (may want to probe here using nmap or unicornscan):
192.0.2.0-255 : 2 hostnames found.
192.30.253.0-255 : 23 hostnames found.

This would be extremely useful in subbrute as well!

No resolvers pass the wildcard test with `--type=ALL`

Whilst trying the tool on some domains that use Cloudflare for their authoritative nameserver (along with another factor which seems to vary by domain) I found that using type ANY for the queries would return HINFO(13) with nothing in the answer regardless of whether the subdomain exists or not. Thanks to @decidedlygray, I discovered that this is a change Cloudflare introduced explained here:
https://blog.cloudflare.com/what-happened-next-the-deprecation-of-any/.

I found that the query type ALL seems to be a suitable alternative to ANY when playing around with dig. However, when I set the --type=ALL option, then all resolvers fail the wildcard test. The issue seems to be that an exception is raised by dnslib here:

blanktest = self.resolver.query(self.target, self.query_type)
.

The exception that is raised is (ignore line numbers since my file has many debug output lines added):

Traceback (most recent call last):
  File "./subbrute.py", line 227, in find_wildcards
    blanktest = self.resolver.query(self.target, self.query_type)
  File "./subbrute.py", line 64, in query
    query = dnslib.DNSRecord.question(hostname, query_type.upper().strip())
  File "/home/neo/Projects/Haxr/subbrute-master/dnslib/dns.py", line 137, in question
    return DNSRecord(q=DNSQuestion(qname,getattr(QTYPE,qtype),
  File "/home/neo/Projects/Haxr/subbrute-master/dnslib/bimap.py", line 74, in __getattr__
    raise self.error("%s: Invalid reverse lookup: [%s]" % (self.name,k))
DNSError: QTYPE: Invalid reverse lookup: [ALL]

I have no idea what this actually means as yet but suspect it's a shortcoming of the version of dnslib included in the repo. I'm looking further into this so I'll update and maybe PR if I come across a solution.

Get subdomains from SSL cert

I'm unsure if this would be in the scope of the tool, but using a website's SSL cert(s) can be a good way to find subdomains. For example, the SSL certificate for the German parliament (https://bundestag.de) has this list of domains in its Subject Alternative Name:

You can see the list in your browser or via CLI:

openssl s_client -showcerts -connect bundestag.de:443 < /dev/null | openssl x509 -text | grep -A 1 "Subject Alternative Name"
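The `openssl x509 -text` output from the command above can be parsed instead of grepped, which makes it easy to review which hostnames a certificate you operate discloses. This is an added example, not part of subbrute; the function names `san_dns_names` and `split_by_scope` and the sample text are assumptions, and the sample is constructed rather than taken from a real certificate.

```python
# Constructed fragment of `openssl x509 -text` output (not a real certificate).
SAMPLE_X509_TEXT = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:www.example.com, DNS:*.dev.example.com, DNS:CMS.Staging.example.com, DNS:www.example.net, IP Address:192.0.2.10
            X509v3 Basic Constraints: critical
                CA:FALSE
"""


def san_dns_names(x509_text):
    """Return the sorted, de-duplicated DNS entries of the SAN extension."""
    names, in_san, san_indent = set(), False, 0
    for line in x509_text.splitlines():
        indent = len(line) - len(line.lstrip())
        if "X509v3 Subject Alternative Name" in line:
            in_san, san_indent = True, indent
            continue
        if in_san:
            if indent <= san_indent:
                break  # next extension header: the SAN value has ended
            for entry in line.split(","):
                kind, _, value = entry.strip().partition(":")
                if kind == "DNS" and value:  # ignore IP Address, email, URI entries
                    names.add(value.lower().rstrip("."))
    return sorted(names)


def split_by_scope(names, base):
    """Separate names under `base` from wildcards and from unrelated domains."""
    base = base.lower()
    result = {"in_scope": [], "wildcards": [], "other": []}
    for name in names:
        bare = name[2:] if name.startswith("*.") else name
        if bare != base and not bare.endswith("." + base):
            result["other"].append(name)
        elif name.startswith("*."):
            result["wildcards"].append(name)  # covers names not listed explicitly
        else:
            result["in_scope"].append(name)
    return result


if __name__ == "__main__":
    for bucket, found in split_by_scope(san_dns_names(SAMPLE_X509_TEXT), "example.com").items():
        print(bucket, found)
```

Wildcard entries are kept separate because they show that a zone exists without naming the hosts inside it.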
