SubDomainizer v2.0 releases: find subdomains hidden in inline and external Javascript files of page
SubDomainizer
SubDomainizer is a tool designed to find hidden subdomains and secrets present is either webpage, Github, and external javascript present in the given URL. This tool also finds S3 buckets, cloudfront URL’s and more from those JS files which could be interesting like S3 bucket is open to read/write, or subdomain takeover and a similar case for cloudfront. It also scans inside the given folder which contains your files.
Cloud Storage Services Supported:
SubDomainizer can find URL for following cloud storage services:
1. Amazon AWS services (cloudfront and S3 buckets)
2. Digitalocean spaces
3. Microsoft Azure
4. Google Cloud Services
5. Dreamhost
6. RackCDN.
Secret Key’s Searching: (beta)
SubDomainizer will also find secrets present in the content of the page and javascript files. That secret finding depends on some specific keywords and the Shannon Entropy formula. It might be possible that some secrets which searched by the tool are false positive. This secret key searching is in beta and later version might have increased accuracy for search results.
Changelog v2.0
SANs Feature:
Added a feature to find Subject Alternative Names for already found subdomains from different sources.
Two options can be used with -san argument i.e. all or same.
samewill find only subdomains for TLD of the URL.allwill find all (sub)domains having the same SAN for a given subdomain.
Secret Location Feature:
Added a feature to display the location of secrets.
Inlinein case if secret(s) found within the page (used in -u argument)URL of filein case if secret(s) found onExternal JS fileorGithub URLorFile path (in case of the folder).
Installation
git clone https://github.com/nsonaniya2010/SubDomainizer.git
pip3 install -r requirements.txt
Usage
| Short Form | Long Form | Description |
|---|---|---|
| -u | –url | URL in which you want to find (sub)domains. |
| -l | –listfile | File which contain list of URL’s needs to be scanned. |
| -o | –output | Output file name in which you need to save the results. |
| -c | –cookie | Cookies which needs to be sent with request. |
| -h | –help | show the help message and exit. |
| -cop | –cloudop | Give file name in which you need to store cloud services results. |
| -d | –domain | Give TLD (eg. for www.example.com you have to give example.com) to find subdomain for given TLD. |
| -g | –gitscan | Needed if you want to get things via Github too. |
| -gt | –gittoken | Github API token is needed, if want to scan (also needed -g also). |
| -k | –nossl | Use this to bypass the verification of SSL certificate. |
| -f | –folder | Root folder which contains files/folder. |
Examples
- To list help about the tool:
python3 SubDomainizer.py -h
- To find subdomains, s3 buckets, and cloudfront URL’s forgiven single URL:
python3 SubDomainizer.py -u http://www.example.com
- To find subdomains from a given list of URL (file is given):
python3 SubDomainizer.py -l list.txt
- To save the results in (output.txt) file:
python3 SubDomainizer.py -u https://www.example.com -o output.txt
- To give cookies:
python3 SubDomainizer.py -u https://www.example.com -c "test=1; test=2"
- To scan via github:
python3 SubDomainizer.py -u https://www.example.com -o output.txt -gt <github_token> -g
- No SSL Certificate Verification:
python3 SubDomainizer.py -u https://www.example.com -o output.txt -gt <github_token> -g -k
- Folder Scanning:
python3 SubDomainizer.py -f /path/to/root/folder/having/files/and/folders/ -d example.com -gt <github_token> -g -k
Copyright (c) 2018 Neeraj Sonaniya
