Scan subdomains with wordlist

Hint: flag is not a frag: once you've got it, you can get one more...

There are several tools for subdomain brute-forcing, but each has its problems (for example, in handling wildcard subdomains, where every name resolves and the results are mostly noise).

So I wrote a small script that suits my purposes.

Features:

  • Python threading (5 threads by default)
  • HTTP response code matching
  • HTTP response content matching (by regular expression)

Running the script:

    unixoid# python subfind.py
    [Subdomains finder http://ahack.ru/releases/subdomains-brute-force.htm]
    USAGE: subfind.py --domain google.com [--wordlist names.txt] [--threads N] [--reject_codes 403,404,301] [--reject_regex "404"]
    BY DEFAULT:
       wordlist = wordlist2.txt
       threads = 5
       reject = None

HTTP requests use the HEAD method by default (except in regex matching mode, which needs the response body and therefore uses GET).

The tool ships with two wordlists: wordlist1.txt is a list of 3-letter combinations (taken from dnsenum), and wordlist2.txt is a list of common subdomain names (taken from knock.py).
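To make the filtering behind the three features (threads, code rejection, regex rejection) and the wildcard problem concrete, here is an added example; it is not the author's subfind.py. It takes a pluggable fetch(host) callable returning (status, body) or None, and the example.com response table below is constructed, standing in for a domain whose wildcard answers every unknown name with the same parked page.

```python
import re
import secrets
from concurrent.futures import ThreadPoolExecutor


def wildcard_baseline(domain, fetch):
    """Fetch a random label under domain; a wildcard answers it like any real name."""
    return fetch(secrets.token_hex(8) + "." + domain)  # None if it does not resolve


def scan_subdomains(domain, wordlist, fetch, threads=5,
                    reject_codes=(), reject_regex=None):
    """Return sorted hosts from wordlist that survive code, regex and wildcard filters."""
    pattern = re.compile(reject_regex) if reject_regex else None
    baseline = wildcard_baseline(domain, fetch)

    def check(name):
        host = name + "." + domain
        resp = fetch(host)               # (status, body) or None
        if resp is None:
            return None                  # no DNS record / connection refused
        status, body = resp
        if status in reject_codes:       # equivalent of --reject_codes 403,404,301
            return None
        if pattern and pattern.search(body):   # equivalent of --reject_regex "404"
            return None
        if baseline is not None and resp == baseline:
            return None                  # same answer as the random probe: wildcard noise
        return host

    with ThreadPoolExecutor(max_workers=threads) as pool:   # 5 threads by default
        return sorted(h for h in pool.map(check, wordlist) if h)


# Constructed stand-in for a real domain (hypothetical example.com) with a
# wildcard: any unknown name still answers with the same parked page.
FAKE_HOSTS = {
    "www.example.com": (200, "<title>Corporate site</title>"),
    "mail.example.com": (200, "<title>Webmail</title>"),
    "old.example.com": (200, "Error 404 - page not found"),
    "admin.example.com": (403, "Forbidden"),
}
PARKED = (200, "This domain is parked")


def fake_fetch(host):
    return FAKE_HOSTS.get(host, PARKED)


print(scan_subdomains("example.com", ["www", "mail", "old", "admin", "ftp", "dev"],
                      fake_fetch, reject_codes=(403,), reject_regex="404"))
```

With a real fetch (urllib HEAD for code matching, GET for regex mode) the same function works against a domain you administer; the baseline probe is what keeps a wildcard from turning every wordlist entry into a hit.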

DOWNLOAD