SubDomainsBrute is a subdomain brute-forcing tool. It takes a dictionary of candidate labels, prepends each one to the target domain, and treats a name as a valid subdomain when it resolves in DNS. It also performs a wildcard-DNS test before scanning (so a domain that answers for every name does not produce hundreds of false positives) and can harvest extra host names from the Subject Alternative Names of HTTPS certificates, which makes the results more complete and more accurate.
This article explains how to install and use SubDomainsBrute.
Install
SubDomainsBrute runs on Kali Linux and on Windows.
Kali
With root privileges, run the following commands in sequence:
git clone https://github.com/lijiejie/subDomainsBrute.git
cd subDomainsBrute
pip install dnspython gevent
Windows
download link:
https://github.com/lijiejie/subDomainsBrute
After downloading, extract the archive into the Python root directory.
Then open cmd in that directory and run:
pip install dnspython gevent
If pip fails with a connection or timeout error (the original shows this in a screenshot), the connection to PyPI is unstable.
Switch to a mirror source instead:
pip install dnspython gevent -i https://mirrors.aliyun.com/pypi/simple/
Check the installation by printing the version (the original shows the expected output in a screenshot):
python subDomainsBrute.py --version
If this instead fails with an import error, a required module is missing. Install it with pip (here the async-timeout module, again via a mirror):
pip install -i https://pypi.tuna.tsinghua.edu.cn/simple async-timeout
Tutorial
1. Command line parameters
D:\Security\Python3\subDomainsBrute>python subDomainsBrute.py -h
Options:
  --version                       show the program's version number and exit
  -h, --help                      show help information and exit
  -f FILE                         file containing a newline-separated list of subdomain labels; default is subnames.txt
  --full                          full scan mode; subnames_full.txt is used for brute-forcing
  -i, --ignore-intranet           ignore names that resolve to private IP addresses
  -w, --wildcard                  force the scan to proceed even if the wildcard test fails
  -t THREADS, --threads=THREADS   number of scanning threads; default is 500
  -p PROCESS, --process=PROCESS   number of scanning processes; default is 6
  --no-https                      do not collect domain names from HTTPS certificates, which saves some time
  -o OUTPUT, --output=OUTPUT      output file name; default is {target}.txt
Basic usage (the argument is the root domain to enumerate, not an IP address):
python subDomainsBrute.py <target domain>
2. Practical examples
1) Scan baidu.com with 50 threads and save the results to baidu.txt in the current directory:
python subDomainsBrute.py -t 50 baidu.com -o baidu.txt
The scan results are shown in the original as a screenshot.
2) Scan www.runoob.com with 45 threads and save the results to runoob.txt on the desktop:
python subDomainsBrute.py -t 45 www.runoob.com -o C:\Users\86177\Desktop\runoob.txt
This time the scan produces no results at all.
The reason is the way the tool builds candidate names: each dictionary entry is prepended to the domain you pass in. With the entry active and the input www.runoob.com, the tool tests active.www.runoob.com, which does not exist, so nothing is found. The correct input is the registrable domain, runoob.com.
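The following is an added example, not code from the SubDomainsBrute project, that reimplements the principle just described in a few lines so the failure above can be reproduced offline: dictionary labels are prepended to the target, each candidate is resolved, and a wildcard test is run first. The resolver is a constructed in-memory zone (FAKE_ZONE and WILDCARD_ZONES are invented data standing in for real DNS answers); a real scan would call dnspython instead. The `force` and `ignore_intranet` parameters are this example's names for the behaviour of the tool's -w and -i options, and the certificate-harvesting step is not modelled.

```python
import ipaddress
import random
import string

# Constructed stand-in for DNS: fully qualified name -> list of A records.
FAKE_ZONE = {
    "www.example.com": ["93.184.216.34"],
    "mail.example.com": ["93.184.216.40"],
    "dev.example.com": ["10.0.0.5"],        # private address, dropped by ignore_intranet
    "vpn.example.net": ["203.0.113.20"],    # a real host hiding behind a wildcard
}
# example.net answers every name with the same address (wildcard DNS).
WILDCARD_ZONES = {"example.net": ["203.0.113.10"]}

# A small constructed dictionary, like a few lines of subnames.txt.
WORDS = ["www", "mail", "dev", "active", "vpn"]


def fake_resolve(name):
    """Return the A records for name, or None when it does not resolve."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    for zone, ips in WILDCARD_ZONES.items():
        if name.endswith("." + zone):
            return ips
    return None


def candidates(domain, wordlist):
    """Prepend every non-empty dictionary label to the target domain."""
    return ["%s.%s" % (word.strip(), domain) for word in wordlist if word.strip()]


def wildcard_ips(domain, resolve):
    """Resolve a random label under domain; any answer means wildcard DNS."""
    label = "".join(random.choice(string.ascii_lowercase) for _ in range(12))
    return set(resolve("%s.%s" % (label, domain)) or [])


def is_private(ip):
    return ipaddress.ip_address(ip).is_private


def brute(domain, wordlist, resolve=fake_resolve, ignore_intranet=False, force=False):
    """Return {name: ips} for every candidate that resolves.

    A domain with wildcard DNS is refused unless force is set; when forced,
    hits whose records equal the wildcard answer are discarded because they
    carry no information.
    """
    wild = wildcard_ips(domain, resolve)
    if wild and not force:
        raise RuntimeError("wildcard DNS detected for %s; set force=True to scan anyway" % domain)
    found = {}
    for name in candidates(domain, wordlist):
        ips = resolve(name)
        if not ips:
            continue
        if wild and set(ips) == wild:
            continue  # indistinguishable from the wildcard answer
        if ignore_intranet and all(is_private(ip) for ip in ips):
            continue
        found[name] = ips
    return found


if __name__ == "__main__":
    print(brute("example.com", WORDS))
    print(brute("example.com", WORDS, ignore_intranet=True))
    # Passing a host name instead of the root domain finds nothing, as in the
    # www.runoob.com run above: the candidates become www.www.example.com, etc.
    print(brute("www.example.com", WORDS))
    print(brute("example.net", WORDS, force=True))
```

Running the block shows three hits for example.com, two once private addresses are ignored, an empty result for www.example.com, and, for the wildcard domain example.net, only vpn.example.net, whose address differs from the wildcard answer.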
3) Following on from 2), scan runoob.com with 45 threads and 5 processes, use the dictionary ice.txt, and save the results to test.txt on the desktop.
The bundled dictionaries live in the tool's dict directory, and a bare file name given to -f is looked up there (the original shows the directory listing in a screenshot):
python subDomainsBrute.py -t 45 -p 5 runoob.com -f ice.txt -o C:\Users\86177\Desktop\test.txt
The result is shown in the original as a screenshot.
4) Scan runoob.com with 45 threads and 5 processes, this time giving -f the full path to ice.txt, and save the results to ABC.txt on the desktop.
python subDomainsBrute.py -t 45 -p 5 runoob.com -f C:\Users\86177\Desktop\ice.txt -o C:\Users\86177\Desktop\ABC.txt
The result is shown in the original as a screenshot.
5) Full scan mode:
python subDomainsBrute.py -t 45 -p 5 runoob.com --full -o C:\Users\86177\Desktop\D.txt
Because the largest dictionary, subnames_full.txt, is used, the scan takes considerably longer.
Press Ctrl+C to stop the scan early; at the point it was interrupted, only two subdomain names had been found:
6) Disable the ability to obtain domain names from HTTPS certificates:
python subDomainsBrute.py -t 360 -p 3 runoob.com --no-https -o C:\Users\86177\Desktop\A.txt
The result is shown in the original as a screenshot.