SubBrute is a community-driven project with the goal of creating the fastest and most accurate subdomain brute-forcing tool. Some of the magic behind SubBrute is that it uses open resolvers as a kind of proxy to circumvent DNS rate-limiting. This design also provides a layer of anonymity, as SubBrute does not send traffic directly to the target's name servers.
There are various other options with similar capabilities, such as:
- InstaRecon – Automated Subdomain Discovery Tool
- dnsmap 0.22 Released – Subdomain Bruteforcing Tool
- DNSenum – Domain Information Gathering Tool
- Complemento v0.6 – ReverseRaider Subdomain Scanner
- DNSRecon – DNS Enumeration Script
- Recon-ng – Web Reconnaissance Framework
- Fast, multi-threaded and comes with more than 2000 high quality nameservers in resolver.txt
- Nameservers are verified when they are needed. A separate thread is responsible for creating a feed of nameservers and the corresponding wildcard blacklist.
- SubBrute is now a DNS spider that recursively crawls enumerated DNS records. This feature boosted *.google.com from 123 to 162 subdomains.
- --type enumerates an arbitrary record type (AAAA, CNAME, SOA, TXT, MX…)
- -s can now read subdomains from result files.
- The subdomains enumerated from previous scans can now be used as input to enumerate other DNS records.
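Because the lookups arrive through many open resolvers, a per-source rate limit on the target's name servers sees only a few queries from each address. The following added example (not part of SubBrute or the original post) shows a defender-side check that counts NXDOMAIN answers per zone across all sources instead; the log format, zone name, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict

WINDOW = 60          # seconds per bucket (assumed)
PER_SOURCE_MAX = 5   # assumed per-source NXDOMAIN limit per window
MIN_NAMES = 30       # assumed zone-wide threshold: distinct missing names
MIN_SOURCES = 10     # ...asked for by at least this many source addresses

def parse(line):
    # Constructed log format: "<epoch> <source_ip> <qname> <rcode>"
    ts, src, qname, rcode = line.split()
    return int(ts), src, qname.lower().rstrip("."), rcode

def per_source_hits(lines):
    """(window, source) pairs that exceed a classic per-source limit."""
    counts = defaultdict(int)
    for ts, src, _, rcode in map(parse, lines):
        if rcode == "NXDOMAIN":
            counts[(ts - ts % WINDOW, src)] += 1
    return [key for key, n in counts.items() if n > PER_SOURCE_MAX]

def zone_wide_hits(lines, zone):
    """Windows where many sources together ask for many nonexistent names."""
    buckets = defaultdict(lambda: defaultdict(set))  # window -> source -> names
    for ts, src, qname, rcode in map(parse, lines):
        if rcode == "NXDOMAIN" and qname.endswith("." + zone):
            buckets[ts - ts % WINDOW][src].add(qname)
    hits = []
    for start, by_src in sorted(buckets.items()):
        names = set().union(*by_src.values())
        busiest = max(len(n) for n in by_src.values())
        if len(names) >= MIN_NAMES and len(by_src) >= MIN_SOURCES:
            hits.append((start, len(names), len(by_src), busiest))
    return hits

def constructed_sample():
    """Constructed data: 40 guessed labels over 20 resolvers, plus normal traffic."""
    lines = [f"{1200 + i} 198.51.100.{i % 20 + 1} guess{i}.example.com NXDOMAIN"
             for i in range(40)]
    lines += [f"{1200 + i} 203.0.113.{i + 1} www.example.com NOERROR" for i in range(10)]
    lines += ["1205 203.0.113.50 wwww.example.com NXDOMAIN",   # ordinary typo
              "1300 203.0.113.8 old.example.com NXDOMAIN"]     # quiet later minute
    return lines

if __name__ == "__main__":
    log = constructed_sample()
    print("per-source alerts:", per_source_hits(log))
    for start, names, sources, busiest in zone_wide_hits(log, "example.com"):
        print(f"window {start}: {names} missing names from {sources} sources, "
              f"at most {busiest} per source")
```

On the constructed sample the per-source check stays silent while the zone-wide check flags the one-minute window in which the guessed labels were queried.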
Usage: subbrute.exe [options] target
  -h, --help            show this help message and exit
  -s SUBS, --subs=SUBS  (optional) list of subdomains, default = 'names.txt'
  -r RESOLVERS, --resolvers=RESOLVERS
                        (optional) A list of DNS resolvers, if this list is
                        empty it will OS's internal resolver default =
  -f FILTER, --filter_subs=FILTER
                        (optional) A file containing unorganized domain names
                        which will be filtered into a list of subdomains
                        sorted by frequency. This was used to build
  -t TARGETS, --targets_file=TARGETS
                        (optional) A file containing a newline delimited list
                        of domains to brute force.
  -o OUTPUT, --output=OUTPUT
                        (optional) Output to file
  -a, -A                (optional) Print all IPv4 addresses for sub domains
                        (default = off).
  --type=TYPE           (optional) Print all reponses for an arbitrary DNS
                        record type (CNAME, AAAA, TXT, SOA, MX...)
  -c PROCESS_COUNT, --process_count=PROCESS_COUNT
                        (optional) Number of lookup theads to run. default =
  -v, --verbose         (optional) Print debug information.
You can download SubBrute here:
Or read more here.