  • Stars: 665
  • Rank: 67,368 (Top 2 %)
  • Language: Python
  • License: GNU General Publi...
  • Created: almost 6 years ago
  • Updated: about 1 year ago


Repository Details

Perform subdomain enumeration through various techniques and retrieve detailed output to aid in further testing.

SubScraper

Overview 🔹 Usage 🔹 Contribute

💥 v3.0 now available! 💥

SubScraper is a fast subdomain enumeration tool that uses a variety of techniques to find subdomains of a given target. Subdomain enumeration is especially helpful during penetration testing and bug bounty hunting to uncover an organization's attack surface.

Depending on the command-line arguments applied, SubScraper can resolve DNS names, request HTTP(S) information, and perform CNAME lookups for subdomain takeover opportunities during the enumeration process. The extra data helps decide the next step and spot patterns (naming conventions, shared hosting providers, stale services) worth exploring further.
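As an added illustration of what a CNAME-based takeover check has to decide (this is example code written for this page, not SubScraper's own implementation), the block below walks a subdomain's CNAME chain and flags the case where the chain ends at a third-party name that no longer exists. The zone data, hostnames and function names are constructed for the example; the lookup function is injected so the logic runs offline, and in a real tool it would wrap dnspython or the system resolver.

```python
"""Added example (not SubScraper's own code): the decision logic behind a
CNAME-based takeover check of the kind --takeover performs.

A subdomain is a takeover candidate when its CNAME chain ends at a name
that no longer exists (NXDOMAIN) and that name belongs to a third party:
whoever can register that name at the provider then serves content for
the victim's subdomain. The DNS lookup is injected so the logic runs
offline against a constructed zone."""

from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed DNS answers: name -> (CNAME target or None, A records).
# Names absent from the table are treated as NXDOMAIN.
FAKE_ZONE: Dict[str, Tuple[Optional[str], List[str]]] = {
    "www.example.com": (None, ["192.0.2.10"]),
    "cdn.example.com": ("edge.cdn-provider.example.net", []),
    "edge.cdn-provider.example.net": (None, ["198.51.100.7"]),
    # The SaaS tenant behind shop.example.com was deleted; the CNAME remains.
    "shop.example.com": ("shop-example.saas-provider.example.org", []),
    "old.example.com": ("legacy.example.com", []),
    "legacy.example.com": ("old.example.com", []),      # CNAME loop
    "stale.example.com": ("retired.example.com", []),   # dangling, but in-house
}

Lookup = Callable[[str], Optional[Tuple[Optional[str], List[str]]]]


def fake_lookup(name: str) -> Optional[Tuple[Optional[str], List[str]]]:
    """Stand-in for a resolver: returns None for NXDOMAIN."""
    return FAKE_ZONE.get(name.lower().rstrip("."))


@dataclass
class TakeoverCheck:
    name: str
    chain: List[str]        # CNAME targets in the order they were followed
    addresses: List[str]    # A records at the end of the chain, if any
    verdict: str


def follow_cnames(name: str, lookup: Lookup,
                  max_hops: int = 8) -> Tuple[List[str], List[str], str]:
    """Walk the CNAME chain. Status is 'ok' (ends at an address record),
    'nxdomain' (ends at a missing name) or 'loop' (hop limit exceeded)."""
    chain: List[str] = []
    current = name
    for _ in range(max_hops):
        record = lookup(current)
        if record is None:
            return chain, [], "nxdomain"
        cname, addresses = record
        if cname is None:
            return chain, addresses, "ok"
        chain.append(cname)
        current = cname
    return chain, [], "loop"


def registered_domain(name: str) -> str:
    """Crude registrable-domain guess (last two labels). A real tool should
    use the Public Suffix List so that names like foo.co.uk are handled."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def check_takeover(name: str, target_domain: str, lookup: Lookup = fake_lookup,
                   max_hops: int = 8) -> TakeoverCheck:
    chain, addresses, status = follow_cnames(name, lookup, max_hops)
    if not chain:
        verdict = "no-cname" if status == "ok" else "nxdomain"
    elif status == "ok":
        verdict = "cname-resolves"
    elif status == "loop":
        verdict = "cname-loop"
    else:
        # Dangling CNAME. Only interesting when the final hop is outside the
        # target's own domain; an in-house dangling name is hygiene, not takeover.
        third_party = registered_domain(chain[-1]) != registered_domain(target_domain)
        verdict = "takeover-candidate" if third_party else "dangling-internal"
    return TakeoverCheck(name, chain, addresses, verdict)


if __name__ == "__main__":
    for host in ["www", "cdn", "shop", "old", "stale", "nothere"]:
        result = check_takeover(f"{host}.example.com", "example.com")
        print(f"{result.name:<22} {result.verdict:<20} chain={result.chain}")
```

A "takeover-candidate" verdict is a lead, not a finding: the name is only claimable if the provider lets an arbitrary account register it, which is why a tool also probes the hostname over HTTP(S) and looks at the provider's error page before reporting anything.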

Key Features

  • Modular design makes it easy to add new techniques/sources.
  • Various levels of enumeration for additional data gathering.
  • Accepts multiple targets on the command line or reads them from a .txt file.
  • Windows CLI compatibility.
  • Generate output files in .txt or .csv format.


Install

To install SubScraper on Windows, Linux, or macOS:

git clone https://github.com/m8sec/subscraper
cd subscraper
python3 setup.py install

Docker

You can build a docker image and run subscraper from Docker:

git clone https://github.com/m8sec/subscraper.git
cd subscraper
docker build -t m8sec/subscraper .
# display help
docker run --rm m8sec/subscraper
# example scanning a site
docker run --rm m8sec/subscraper example.com

Usage

Command Line Args

SubScraper Options:
  -T MAX_THREADS        Max threads for enumeration (Default: 55).
  -t TIMEOUT            Timeout [seconds] for search threads (Default: 25).
  -r REPORT             Output to specific file {txt*, csv}.
  target                Target domain.

Module Options:
  -L                    List SubScraper enumeration modules.
  -M MODULES            Execute module(s) by name or group (Default: all).
  -w WORDLIST           Custom wordlist for DNS brute force.
  --censys-id CENSYS_ID             Censys.io API ID.
  --censys-secret CENSYS_SECRET     Censys.io API Secret.

Enumeration Options:
  --dns                 Resolve DNS address for each subdomain identified.
  --http                Probe for active HTTP:80 & HTTPS:443 services.
  --takeover            Perform CNAME lookup & probe for HTTP(s) response.
  --all                 Perform all checks on enumerated subdomains.

Modules

Modules can be executed by name or by module groups:

  Module Name       Description

  archiveorg           - Use archive.org to find subdomains.
  certsh               - Subdomain enumeration using crt.sh certificate transparency logs.
  dnsbrute             - DNS bruteforce.
  threatcrowd          - ThreatCrowd.org subdomain enumeration.
  dnsdumpster          - Use DNS dumpster to enumerate subdomains.
  bufferoverrun        - Bufferover.run passive enumeration.
  search               - Subdomain enumeration via search engine scraping.
  censys               - Gather subdomains through censys.io SSL cert Lookups.
    |_API_ID                   Censys.io API ID               (Required:True)
    |_API_SECRET               Censys.io API Secret           (Required:True)
  bevigil              - Gather subdomains through bevigil.com mobile app scan data
    |_API_Key                  BeVigil API Key                (Required:True)

Module Groups

  • all - Execute all modules (Default).
  • brute - Only execute DNS brute force techniques.
  • scrape - Only execute web scraping techniques.
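As an added example of the parsing a certificate-transparency source module has to do (example code written for this page, not SubScraper's certsh module), the block below turns a crt.sh JSON answer into a clean, in-scope subdomain list. The sample response is constructed in the shape crt.sh returns for https://crt.sh/?q=%25.example.com&output=json, and only the common_name and name_value fields are used; the hostnames and helper names are assumptions made for the example.

```python
"""Added example (not SubScraper's own code): extracting in-scope
subdomains from a crt.sh JSON response. Real answers contain mixed case,
duplicates, wildcard entries, multi-line name_value fields and look-alike
domains, so the constructed sample includes all of them."""

import json
import re
from typing import List

# Constructed sample response (shape of crt.sh output=json, fields trimmed).
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com",
     "name_value": "*.example.com\n*.dev.example.com"},
    {"common_name": "Mail.Example.COM",
     "name_value": "mail.example.com\nmail.example.com"},
    {"common_name": "example.com.evil.test",          # suffix-match trap
     "name_value": "example.com.evil.test"},
    {"common_name": "api.example.com",
     "name_value": "api.example.com\nstaging-api.example.com\nnot a hostname"},
])

# One or more labels followed by a TLD; hostnames only, no URLs or spaces.
HOSTNAME_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")


def in_scope(host: str, domain: str) -> bool:
    """True for the apex and anything under it. The '.' prefix matters:
    a plain endswith(domain) would also accept notexample.com."""
    return host == domain or host.endswith("." + domain)


def subdomains_from_crtsh(raw_json: str, domain: str) -> List[str]:
    """Return the sorted, de-duplicated subdomains of `domain` found in a
    crt.sh JSON response. Wildcards are reduced to the zone they cover and
    the apex itself is not reported as a subdomain."""
    domain = domain.lower().rstrip(".")
    found = set()
    for entry in json.loads(raw_json):
        candidates = [entry.get("common_name", "")]
        candidates += entry.get("name_value", "").split("\n")
        for candidate in candidates:
            host = candidate.strip().lower().rstrip(".")
            if host.startswith("*."):
                host = host[2:]
            if not host or not HOSTNAME_RE.match(host):
                continue
            if not in_scope(host, domain) or host == domain:
                continue
            found.add(host)
    return sorted(found)


if __name__ == "__main__":
    for host in subdomains_from_crtsh(SAMPLE_CRTSH_JSON, "example.com"):
        print(host)
```

Two details are worth copying into any scraping module: the scope check uses a dot-prefixed suffix so that look-alike registrations such as example.com.evil.test or notexample.com never land in the results, and every name is normalised (lower-cased, trailing dot stripped) before de-duplication, otherwise the same host shows up several times in the report.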

Example Usage

subscraper example.com
subscraper targets.txt
cat targets.txt | subscraper pipe
subscraper --all -r enumeration.csv example.com
subscraper -M brute -w mywords.txt example.com
subscraper -M censys --censys-id abc123 --censys-secret xyz456 example.com

Execution Notes

  • SubScraper's scraping modules are passive: they query third-party sources and send nothing to the target. The dnsbrute module (the brute group) and the --dns, --http, --takeover and --all options do generate DNS and HTTP(S) traffic that reaches the target's infrastructure, so use them only where that is in scope.
  • API keys are required for the censys module; register for free at censys.io/register.
  • .txt reports include only the subdomain names.
  • .csv reports, when paired with --all, --http or --takeover, also carry HTTP data such as page size, title, and the Server header.

Contribute

Contribute to the project by:

  • Like and share the tool!
  • Create an issue to report new enumeration techniques or, better yet, develop a module and initiate a PR.

More Repositories

  1. CrossLinked (Python, 806 stars) - LinkedIn enumeration tool to extract valid employee names from an organization through search engine scraping.
  2. nullinux (Python, 515 stars) - Internal penetration testing tool for Linux that can be used to enumerate OS information, domain information, shares, directories, and users through SMB.
  3. pymeta (Python, 382 stars) - Pymeta will search the web for files on a domain to download and extract metadata. This technique can be used to identify: domains, usernames, software/version numbers and naming conventions.
  4. ActiveReign (Python, 239 stars) - A Network Enumeration and Attack Toolset for Windows Active Directory Environments.
  5. enumdb (Python, 211 stars) - Relational database brute force and post exploitation tool for MySQL and MSSQL.
  6. ldap_search (Python, 91 stars) - Python3 script to perform LDAP queries and enumerate users, groups, and computers from Windows Domains. Ldap_Search can also perform brute force/password spraying to identify valid accounts via LDAP.
  7. taser (Python, 79 stars) - Python resource library for creating security related tooling.
  8. CVE-2021-34527 (Python, 74 stars) - PrintNightmare (CVE-2021-34527) PoC Exploit.
  9. SubWalker (Shell, 33 stars) - Simultaneously execute various subdomain enumeration tools and aggregate results.
  10. OffsecDev (Python, 23 stars) - Working repo used to experiment with various languages as it relates to offensive security & evasion.
  11. transportc2 (Python, 22 stars) - PoC Command and Control Server. Interact with clients through a private web interface, add new users for team sharing and more.
  12. EAPrimer (PowerShell, 13 stars) - C# project that reflectively loads .NET assemblies in memory.
  13. ipparser (Python, 9 stars) - Python module to parse IPv4 addresses / target information and return a single list for iteration. Useful when creating security or network related tools.
  14. m8sec.github.io (HTML, 2 stars) - https://m8sec.dev