Turbolist3r: Subdomain enumeration tool
Turbolist3r is a fork of the sublist3r subdomain discovery tool. In addition to all original OSINT capabilities of sublist3r, turbolist3r automates some of the results analysis, with a focus on subdomain takeover.
Turbolist3r queries public DNS servers for each discovered subdomain. If the subdomain exists (i.e. the resolver replied with an address), the answer is categorized as CNAME or A record. By examining A records, it is possible to discover potential penetration testing targets for a given domain. Likewise, the process of looking for subdomain takeovers is simple; view the discovered CNAME records and investigate any that point to applicable cloud services.
This is an early release and may contain bugs or other irregularities.
Install
git clone https://github.com/fleetcaptain/Turbolist3r.git
cd Turbolist3r
pip install -r requirements.txt
Use
| Short Form | Long Form | Description |
|---|---|---|
| -d | –domain | Domain name to enumerate subdomains of |
| -b | –bruteforce | Enable the subbrute bruteforce module |
| -p | –ports | Scan the found subdomains against specific tcp ports |
| -v | –verbose | Enable the verbose mode and display results in real-time |
| -t | –threads | Number of threads to use for subbrute bruteforce |
| -e | –engines | Specify a comma-separated list of search engines |
| -o | –output | Save discovered domain names to specified text file |
| -h | –help | show the help message and exit |
| -a | –analysis | Do analysis of the results and save to specified text file |
| (none) | –debug | Print debug information during the analysis module (-a). Prints mostly raw DNS data, familiarity with the DIG Linux DNS utility and it’s output is helpful to interpret the debug output |
Examples
- To enumerate subdomains of a specific domain, perform turbolist3r analysis, and save the analysis to a file:
python turbolist3r.py -d example.com -a analysis_file.txt
- To list all the basic options and switches use -h switch:
python turbolist3r.py -h
- To enumerate subdomains of a specific domain:
python turbolist3r.py -d example.com
- To enumerate subdomains of a specific domain and save discovered subdomains to a file:
python turbolist3r.py -d example.com -o example_hosts.txt
- To enumerate subdomains of a specific domain and show the results in real-time:
python turbolist3r.py -v -d example.com
- To enumerate subdomains and enable the bruteforce module:
python turbolist3r.py -b -d example.com
- To enumerate subdomains and use specific engines such as Google, Yahoo and Virustotal engines
python turbolist3r.py -e google,yahoo,virustotal -d example.com
Source: https://github.com/fleetcaptain/
