bf_active_sub
bf_active_sub copied to clipboard
Subdomain Bruteforce - Bounty Quick Code
Subdomain Brute-Force The Pure & Fast Programming Way
A Subdomain enumeration tool that supports active attack mode (not passive recon) written by Black Hat Ethical Hacking
What is Subdomain Enumeration/Brute-Force?
Brute force means guessing possible combinations of the target until the expected output is discovered. So, in the subdomain context, the brute-forcing is to try the possible combination of words, alphabets, and numbers before the main domain in order to get a subdomain that is resolved to IP address. Sometimes subdomains are not indexed on search engines and are not available on online DNS aggregators sites in that case brute forcing is the best way to find out the subdomains which may have been forgotten by the organization. It is like a treasure for an adversary.
Our tool has 0 false positives as it verifies it before bringing the result, and is focused on active scanning rather than passive.
It will resolve if the Host is Alive and Output the Results after bruteforcing using Pipe for Speed - Bounty Quick Technique
About this tool
Written in Bash, basically host is a command that resolves a host if its alive by providing an IP and more after bruteforcing it from a wordlist provided, that checks prefixes of 500/5000 top combinations, the way its written as we know stdin and stderr can be controlled, so we redirect it to &> /dev/null;
which in terminal world, its like black hole :), and then after resolving if it exist, output the result in your terminal, or save it to a new list.
This is an active recon scan, and not passive. Pure BF.
After doing this, you can check another tool we wrote that resolves CNAME if they exist, of the list that you will finish from here having a 'golden' list, and if they do not resolve, and they are hanging, it means they are possible available as to be taken AKA SubDomain Takeover - for Bug Bounty ;)
CName Check by BHEH Can be Found here: https://github.com/blackhatethicalhacking/CName-Checker-by-bheh
Installation
- Requirements:
apt-get install lolcat
apt-get install figlet
- Installation
git clone https://github.com/blackhatethicalhacking/bf_active_sub.git
cd bf_active_sub
chmod +x bheh_bf_sub.sh
Instructions & Usage Example
Take a list that we provide, add a domain, and it will bruteforce it
Basically, using the below examples, you can perform in various one-liners since it supports piping as follows:
- Usage Example With Output in your Terminal:
cat 500_Top_Prefix_subdomains.txt | ./bheh_bf_sub.sh example.com
cat 5000_Top_Prefix_subdomains.txt | ./bheh_bf_sub.sh example.com
- Usage Example With Output Saved in a new File:
cat 500_Top_Prefix_subdomains.txt | ./bheh_bf_sub.sh example.com > resolved_domains.txt
cat 5000_Top_Prefix_subdomains.txt | ./bheh_bf_sub.sh example.com > resolved_domains.txt
If you want to save the results, then simply add: > results.txt
after your one-liner.
i.e: cat 500_Top_Prefix_subdomains.txt | ./bheh_bf_sub.sh example.com > resolved_domains.txt > results.txt
Screenshots
Compatibility
Tested on Kali Linux, Parrot OS - Any Debian based that uses apt package manager.
Disclaimer
This tool is provided for educational and research purpose only. The author of this project are no way responsible for any misuse of this tool. We use it to test under NDA agreements with clients and their consents for pentesting purposes and we never encourage to misuse or take responsibility for any damage caused !
Support
If you would like to support us, you can always buy us coffee(s)! :blush: