dns parallel prober: find subdomains

DNS Parallel Prober

What is DNS Parallel Prober?

This is a parallelized domain name prober to find as many subdomains of a given domain as fast as possible.

PLEASE NOTE this script probes DNS servers actively, so please use at your own risk. You are likely to get blacklisted and/or saturate your bandwidth. Whatever you do, it’s your responsibility to make sure you have approval for it.

Hat tip to: Kyle F. for the original idea and to ZephrFish for all improvements and testing.

Quickstart

  1. Install the requirements:
    pip install -r requirements.txt
    # if you don't want to install stuff as root, do:
    # virtualenv venv
    # source venv/bin/activate
    # pip install -r requirements.txt
    
  2. Probe example.com for the subdomains listed in the wordlist subdomains.txt, using 100 threads, and save the results to out.txt:
    ./dns-queue.py example.com 100 out.txt -i subdomains.txt --simulate
    

    Remove --simulate to run a real scan.

  3. Example run:
    $ python3 dns-queue.py example.com 100 out.txt -i subdomains-short.txt --simulate -f -e err.txt
    
    [*] SIMULATION IN PROGRESS
    [+] Output destination: 'out.txt'
    [+] Output destination will be overwritten.
    [+] Press CTRL-C to gracefully stop...
    [+] Finding authoritative name servers for domain...
    [+] Using name servers: ['199.43.135.53', '199.43.133.53']
    [+] Checking wildcard DNS...
    [+] Will search for subdomains contained in 'subdomains-short.txt'
    [+] Saving results to out.txt...
    [+] DNS probing starting...
    100% (200 of 200) |##################################################| Elapsed Time: 0:00:01 Time: 0:00:01

    [+] DNS probing done.
    [+] Waiting for all threads to finish...
    [+] Done.


    Please note: with --simulate the script does not send any DNS queries and returns random results. This is by design, so you can check the output handling before probing for real.

Other features

If you want to brute-force every possible label instead of using a wordlist (default label length: 3), omit -i:

./dns-queue.py example.com 100 out.txt

If you have a very fast upstream and don’t mind flooding DNS servers, use 2000 threads:

./dns-queue.py example.com 2000 out.txt

By default, the script queries the authoritative name servers of the given domain. To use different DNS servers, pass -n once per server:

./dns-queue.py example.com 100 out.txt -i subdomains.txt -n ns1.example.com -n ns2.example.com

For help and other options (e.g. subdomain length, DNS timeouts, etc.):

./dns-queue.py -h

To stop: press CTRL-C – the script waits for the threads already running to finish before exiting.
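The following is an added example, not the project's dns-queue.py, showing the core of what the Quickstart and brute-force modes above do: detect wildcard DNS with random labels, probe candidate labels from a thread pool, filter out wildcard answers, and stop gracefully on CTRL-C. The resolver is injected as a callable (an assumption made here so the logic runs offline against a constructed fake zone); `system_resolve` uses the OS stub resolver and therefore cannot pick the authoritative servers the real tool uses.

```python
"""Minimal parallel subdomain prober (added example, not the project's code).

Assumption: ``resolve(name) -> list[str]`` returns A records, or [] when the
name does not exist. FAKE_ZONE and the fake resolvers below are constructed
sample data so the example runs with no network access.
"""
import itertools
import random
import socket
import string
import threading
from concurrent.futures import ThreadPoolExecutor, as_completed

ALPHABET = string.ascii_lowercase + string.digits


def brute_labels(max_len=3):
    """Yield every label of length 1..max_len over [a-z0-9], the equivalent
    of running the tool without a wordlist."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(ALPHABET, repeat=n):
            yield "".join(chars)


def wildcard_ips(domain, resolve, samples=3):
    """Resolve a few long random labels that cannot exist by accident; any
    address they return is a wildcard answer and must be ignored later."""
    ips = set()
    for _ in range(samples):
        label = "".join(random.choices(ALPHABET, k=24))
        ips.update(resolve(f"{label}.{domain}"))
    return ips


def probe(domain, labels, resolve, threads=100, stop=None):
    """Probe <label>.<domain> for every label using a thread pool.

    Returns {fqdn: [ips]} for names whose answer differs from the wildcard
    answer. On CTRL-C the stop event is set so queued labels are skipped,
    in-flight lookups complete, and the partial results are returned.
    """
    stop = stop or threading.Event()
    wild = wildcard_ips(domain, resolve)
    found = {}

    def one(label):
        if stop.is_set():
            return None
        fqdn = f"{label}.{domain}"
        ips = [ip for ip in resolve(fqdn) if ip not in wild]
        return (fqdn, ips) if ips else None

    with ThreadPoolExecutor(max_workers=threads) as pool:
        futures = [pool.submit(one, label) for label in labels]
        try:
            for fut in as_completed(futures):
                hit = fut.result()
                if hit:
                    found[hit[0]] = hit[1]
        except KeyboardInterrupt:
            stop.set()  # graceful stop: drain the queue without new lookups
    return found


def system_resolve(name):
    """Real resolver through the OS stub (assumption: fine for a demo, but it
    uses the system's configured servers, not the zone's authoritative NS)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.gaierror, socket.herror):
        return []


# Constructed sample zone: two real hosts, everything else NXDOMAIN.
FAKE_ZONE = {
    "www.example.test": ["192.0.2.10"],
    "mail.example.test": ["192.0.2.20"],
}


def fake_resolve(name):
    return FAKE_ZONE.get(name, [])


def fake_wildcard_resolve(name):
    """Same zone, but with a wildcard record answering for unknown names."""
    return FAKE_ZONE.get(name, ["192.0.2.99"])


if __name__ == "__main__":
    words = ["www", "mail", "api", "dev"]
    print("plain zone:   ", probe("example.test", words, fake_resolve, threads=4))
    print("wildcard zone:", probe("example.test", words, fake_wildcard_resolve, threads=4))
    print("brute-force candidates of length <= 2:", sum(1 for _ in brute_labels(2)))
```

Without the wildcard check, every label probed against the second zone would look like a hit; with it, only the names that return something other than the wildcard address are kept. Swap `fake_resolve` for `system_resolve` (or a dnspython resolver pointed at the authoritative servers) to probe a real zone you are authorised to test.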

Demo

[asciicast recording of an example run; see the repository]

Copyright (C) 2017 lorenzog

Source: https://github.com/lorenzog/