SubBrute – Subdomain Brute-forcing Tool

SubBrute is a community driven project with the goal of creating the fastest, and most accurate subdomain brute-forcing tool. Some of the magic behind SubBrute is that it uses open resolvers as a kind of proxy to circumvent DNS rate-limiting. This design also provides a layer of anonymity, as SubBrute does not send traffic directly to the target’s name servers.

There are various other options with similar capabilities, such as:

– InstaRecon – Automated Subdomain Discovery Tool
– dnsmap 0.22 Released – Subdomain Bruteforcing Tool
– DNSenum – Domain Information Gathering Tool
– Complemento v0.6 – ReverseRaider Subdomain Scanner
– DNSRecon – DNS Enumeration Script
– Recon-ng – Web Reconnaissance Framework

Features

• Fast, multi-threaded and comes with more than 2000 high quality nameservers in resolver.txt
• Nameservers are verified when they are needed. A seperate thread is responsible creating a feed of nameservers, and corresponding wildcard blacklist.
• SubBrute is now a DNS spider that recursively crawls enumerated DNS records. This feature boosted *.google.com from 123 to 162 subdomains.
• –type enumerate an arbitrary record type (AAAA, CNAME, SOA, TXT, MX…)
• -s can now read subdomains from result files.
• The subdomains enumerated from previous scans can now be used as input to enumerate other DNS records.

Usage

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27

Usage: subbrute.exe [options] target   Options:   -h, --help            show this help message and exit   -s SUBS, --subs=SUBS  (optional) list of subdomains,  default = 'names.txt'   -r RESOLVERS, --resolvers=RESOLVERS                         (optional) A list of DNS resolvers, if this list is                         empty it will OS's internal resolver default =                         'resolvers.txt'   -f FILTER, --filter_subs=FILTER                         (optional) A file containing unorganized domain names                         which will be filtered into a list of subdomains                         sorted by frequency.  This was used to build                         names.txt.   -t TARGETS, --targets_file=TARGETS                         (optional) A file containing a newline delimited list                         of domains to brute force.   -o OUTPUT, --output=OUTPUT                         (optional) Output to file   -a, -A                (optional) Print all IPv4 addresses for sub domains                         (default = off).   --type=TYPE           (optional) Print all reponses for an arbitrary DNS                         record type (CNAME, AAAA, TXT, SOA, MX...)   -c PROCESS_COUNT, --process_count=PROCESS_COUNT                         (optional) Number of lookup theads to run. default =                         16   -v, --verbose         (optional) Print debug information.

You can download SubBrute here: