Scan subdomains with wordlist
Hint: flag is not a frag: once you've got it, you can get one more...
There are several tools for brute-forcing subdomains, but they have a number of problems (for example, in dealing with wildcard subdomains: a zone with a wildcard record answers for every name, so a naive brute-forcer reports the whole wordlist as hits).
So I wrote a small script that suits my purposes.
Running the script:
unixoid# python subfind.py
[Subdomains finder http://ahack.ru/releases/subdomains-brute-force.htm]
USAGE: subfind.py --domain google.com [--wordlist names.txt] [--threads N] [--reject_codes 403,404,301] [--reject_regex "404"]
BY DEFAULT:
    wordlist = wordlist2.txt
    threads = 5
    reject = None
For HTTP requests the HEAD method is used by default; the exception is regex-matching mode (--reject_regex), which needs the response body and therefore has to fetch it with GET. --reject_codes drops a candidate whose HTTP status is in the list, and --reject_regex drops one whose body matches the pattern, which is how "soft 404" pages served for every name are filtered out.
The tool ships with two wordlists: wordlist1.txt is a list of 3-letter combinations (from dnsenum), and wordlist2.txt is a list of common subdomain names (from knock.py).
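To make the two filtering steps concrete, here is an added example of the same approach (wildcard detection at the DNS layer, then HTTP status/regex rejection). It is illustrative code written for this page, not the author's subfind.py. The resolver and fetcher are injectable so the demo runs offline against a constructed fake zone (example.test, RFC 5737 addresses); the function names, the 12-character random probe labels and the three-probe count are my own choices, not anything the tool documents.

```python
import http.client
import random
import re
import socket
import string
from concurrent.futures import ThreadPoolExecutor


def default_resolver(host):
    """Resolve a host name to a sorted list of IP strings ([] if it does not resolve)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def wildcard_fingerprint(domain, resolve=default_resolver, probes=3):
    """Resolve a few random labels under the domain.

    If every probe resolves, the zone has a wildcard record; return the set of
    addresses it answers with so real candidates can be compared against it.
    An empty set means no wildcard was detected.
    """
    seen = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=12))
        ips = resolve(f"{label}.{domain}")
        if not ips:
            return set()
        seen.update(ips)
    return seen


def brute_force(domain, wordlist, resolve=default_resolver, threads=5):
    """Return [(host, ips)] for wordlist entries that resolve to something other
    than the wildcard answer.  Known limitation: a real host that shares the
    wildcard address is indistinguishable at the DNS layer and is dropped here;
    the HTTP-level filters below are the place to catch it."""
    wildcard_ips = wildcard_fingerprint(domain, resolve)

    def probe(name):
        host = f"{name}.{domain}"
        ips = resolve(host)
        if not ips:
            return None
        if wildcard_ips and set(ips) <= wildcard_ips:
            return None  # same answer as a random label: wildcard noise
        return host, ips

    with ThreadPoolExecutor(max_workers=threads) as pool:
        return [hit for hit in pool.map(probe, wordlist) if hit]


def default_fetch(host, want_body, timeout=5):
    """HEAD by default; GET only when a body is needed for regex matching."""
    conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("GET" if want_body else "HEAD", "/")
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace") if want_body else ""
        return resp.status, body
    except (OSError, http.client.HTTPException):
        return None, ""
    finally:
        conn.close()


def http_keep(host, reject_codes=(), reject_regex=None, fetch=default_fetch):
    """Apply --reject_codes / --reject_regex style filters to one host."""
    status, body = fetch(host, reject_regex is not None)
    if status is None or status in reject_codes:
        return False
    if reject_regex is not None and re.search(reject_regex, body):
        return False
    return True


# Constructed fake zone for the offline demo (RFC 5737 addresses, .test TLD).
FAKE_ZONE = {
    "www.example.test": ["203.0.113.10"],
    "mail.example.test": ["203.0.113.20"],
}


def fake_resolve(host):
    """Every other label under example.test answers with the wildcard address."""
    if host in FAKE_ZONE:
        return FAKE_ZONE[host]
    if host.endswith(".example.test"):
        return ["203.0.113.99"]
    return []


if __name__ == "__main__":
    for host, ips in brute_force("example.test", ["www", "ftp", "mail"], resolve=fake_resolve):
        print(host, ips)
```

Against the fake zone only www and mail survive; ftp resolves, but to the same address a random label gets, so it is discarded. With the default resolver and fetcher the same functions work against a live domain, where the reject filters matter most on hosts that answer 200 for everything.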