shuffledns
shuffleDNS is a wrapper around massdns, written in Go, that allows you to enumerate valid subdomains using active bruteforce, as well as resolve subdomains with wildcard handling and easy input-output support.
Based on the work on the massdns project by @blechschmidt.
Features
- Simple and modular codebase making it easy to contribute.
- Fast and simple active subdomain scanning.
- Handles wildcard subdomains in a smart manner.
- Optimized for ease of use
- Stdin and stdout support for integrating in workflows
Changelog v1.0.9
- Added self update option by @RamanaReddy0M in #206
- Fixed stdin logic (use Stdin if SubdomainsList is blank) by @mohammadanaraki in #140
- Updated the commonspeak2-wordlist link in README.md by @h4r5h1t in #182
- Updated utils helper libraries by @edoardottt in #161
Download
Use
shuffledns supports two types of operations.
1. Resolving Subdomains
To resolve a list of subdomains, you can pass the list of subdomains via the list option.
> shuffledns -d example.com -list example.com-subdomains.txt -r resolvers.txt
This will run the tool against the subdomains in example.com-subdomains.txt and return the results. The tool uses the resolvers specified with the -r option to do the resolving.
You can also pass the list of subdomains at standard input (STDIN). This allows for easy integration in automation pipelines.
> subfinder -d example.com | shuffledns -d example.com -r resolvers.txt
This uses the subdomains found passively by subfinder and resolves them with shuffledns, returning only the unique and valid subdomains.
2. Bruteforcing Subdomains
shuffledns also supports bruteforcing a target with a given wordlist. You can use the -w flag to pass a wordlist, which will be used to generate permutations that are then resolved using massdns.
> shuffledns -d hackerone.com -w wordlist.txt -r resolvers.txt
This will run the tool against hackerone.com with the wordlist wordlist.txt. The domain bruteforce can also be done with standard input as in the previous example for resolving the subdomains.
> echo hackerone.com | shuffledns -w wordlist.txt -r resolvers.txt
The -o flag can be used to specify an output file.
> shuffledns -d hackerone.com -w wordlist.txt -o output.txt
The subdomains discovered can be piped to other tools too. For example, you can pipe the hosts discovered by shuffledns to the httprobe tool by @tomnomnom, which will then find running HTTP servers on those hosts.
or
A note on wildcards
A special feature of shuffleDNS is its ability to handle multi-level DNS-based wildcards, and to do so with very few DNS requests. Sometimes all the subdomains will resolve, which leads to lots of garbage in the results. shuffleDNS handles this by keeping track of how many subdomains point to an IP; if that count increases beyond a certain small threshold, it checks for a wildcard on all the levels of the hosts for that IP iteratively.
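The heuristic described above can be sketched as follows. This is an added example, not shuffledns's own code: the function names, the threshold value of 2, the fixed probe label and the stand-in resolver with its sample data are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// constructedZone stands in for DNS (constructed data): wildcards at *.dev.example.com and *.example.com.
func constructedZone(name string) string {
	for _, w := range [][2]string{{".dev.example.com", "198.51.100.7"}, {".example.com", "198.51.100.1"}} {
		if strings.HasSuffix(name, w[0]) {
			return w[1]
		}
	}
	return ""
}

// filterWildcards returns the hosts that survive the check, plus the number of probe queries sent.
func filterWildcards(domain string, resolved map[string]string, threshold int, query func(string) string) ([]string, int) {
	perIP, probes, valid := map[string]int{}, map[string]string{}, []string{}
	for _, ip := range resolved {
		perIP[ip]++
	}
	for host, ip := range resolved {
		wildcard := false
		if perIP[ip] > threshold { // only IPs shared by many hosts get probed
			labels := strings.Split(strings.TrimSuffix(host, "."+domain), ".")
			for i := 1; i <= len(labels) && !wildcard; i++ { // walk up one level at a time
				parent := strings.Join(append(labels[i:], domain), ".")
				if _, seen := probes[parent]; !seen { // one probe per parent, cached
					probes[parent] = query("zz-probe-label." + parent) // real runs would use a random label
				}
				wildcard = probes[parent] == ip // a name that should not exist got the same IP
			}
		}
		if !wildcard {
			valid = append(valid, host)
		}
	}
	sort.Strings(valid)
	return valid, len(probes)
}

func main() {
	resolved := map[string]string{"www.example.com": "192.0.2.10", // constructed sample results
		"foo.example.com": "198.51.100.1", "bar.example.com": "198.51.100.1", "baz.example.com": "198.51.100.1",
		"a.dev.example.com": "198.51.100.7", "b.dev.example.com": "198.51.100.7", "c.dev.example.com": "198.51.100.7"}
	fmt.Println(filterWildcards("example.com", resolved, 2, constructedZone))
}
```

Six wildcard hits are discarded with only two extra queries, because hosts below the threshold are never probed and each parent level is probed once.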
Copyright (C) 2020 projectdiscovery
Source: https://github.com/projectdiscovery/