ShuffleDNS : Wrapper Around Massdns Written In Go To Enumerate Valid Subdomains Using Active Bruteforce

ShuffleDNS is a wrapper around massdns written in go that allows you to enumerate valid subdomains using active bruteforce as well as resolve subdomains with wildcard handling and easy input-output support. 

Features

  • Simple and modular code base making it easy to contribute.
  • Fast And Simple active subdomain scanning.
  • Handles wildcard subdomains in a smart manner.
  • Optimized for ease of use
  • Stdin and stdout support for integrating in workflows

Also Read – Dirble : Fast Directory Scanning And Scraping Tool

Usage

shuffledns -h

This will display help for the tool. Here are all the switches it supports.

FlagDescriptionExample
-dDomain to find or resolve subdomains forshuffledns -d hackerone.com
-directoryTemporary directory for enumerationshuffledns -directory /hdd
-rFile containing resolvers for enumerationshuffledns -r resolvers.txt
-nCDon’t Use colors in outputshuffledns -nC
-oFile to save output result (optional)shuffledns -o hackerone.txt
-listList of subdomains to process forshuffledns -list bugcrowd.txt
-massdnsMassdns binary pathshuffledns -massdns /usr/bin/massdns
-retriesNumber of retries for dns enumeration (default 5)shuffledns -retries 1
-silentShow only subdomains in outputshuffledns -silent
-tNumber of concurrent massdns resolves (default 10000)shuffledns -t 100
-vShow Verbose outputshuffledns -v
-versionShow version of shufflednsshuffledns -version
-wFile containing words to bruteforce for domainshuffledns -w words.txt
-wtNumber of concurrent wildcard checks (default 25)shuffledns -wg 100
-raw-inputFile containing existing massdns outputshuffledns -massdns-file output.txt

Installation Instructions

Prerequisite

It requires massdns to be installed in order to perform its operations. You can see the install instructions at https://github.com/blechschmidt/massdns#compilation.

If you place the binary in /usr/bin/massdns or /usr/local/bin/massdns, the tool will auto-detect the presence of the binary and use it. On windows, you need to supply the path to the binary for the tool to work.

The tool also needs a list of valid resolvers. The dnsvalidator project can be used to generate these lists. Either you can use a custom wordlist or use the commonspeak2 wordlists at commonspeak2-wordlist.

Direct Installation

From Binary

The installation is easy. You can download the pre-built binaries for your platform from the Releases page. Extract them using tar, move it to your $PATH and you’re ready to go.

> tar -xzvf shuffledns-linux-amd64.tar
> mv shuffledns-linux-amd64 /usr/bin/shuffledns
> shuffledns -h

From Source

It requires go1.13+ to install successfully. Run the following command to get the repo –

> GO111MODULE=on go get -u -v github.com/projectdiscovery/shuffledns/cmd/shuffledns

In order to update the tool, you can use -u flag with go get command.

Running The Tool

It supports two types of operations.

1. Resolving Subdomains

To resolve a list of subdomains, you can pass the list of subdomains via the list option.

> shuffledns -d example.com -list example.com-subdomains.txt -r resolvers.txt

This will run the tool against subdomains in example.com-subdomains.txt and returns the results. The tool uses the resolvers specified with -r option to do the resolving.

You can also pass the list of subdomains at standard input (STDIN). This allows for easy integration in automation pipelines.

> subfinder -d example.com | shuffledns -d example.com -r resolvers.txt

This uses the subdomains found passively by subfinder and resolves them with it returning only the unique and valid subdomains.

2. Bruteforcing Subdomains

It also supports bruteforce of a target with a given wordlist. You can use the w flag to pass a wordlist which will be used to generate permutations that will be resolved using massdns.

> shuffledns -d hackerone.com -w wordlist.txt -r resolvers.txt

This will run the tool against hackerone.com with the wordlist wordlist.txt. The domain bruteforce can also be done with standard input as in previous example for resolving the subdomains.

> echo hackerone.com | shuffledns -w wordlist.txt -r resolvers.txt

The -o command can be used to specify an output file.

> shuffledns -d hackerone.com -w wordlist.txt -o output.txt

The subdomains discovered can be piped to other tools too. For example, you can pipe the host discovered by it to the httprobe tool by @tomnomnom which will then find running http servers on the host.

> echo hackerone.com | shuffledns -w wordlist.txt -r resolvers.txt -silent | httprobe

http://docs.hackerone.com
http://www.hackerone.com
http://info.hackerone.com

Or

> echo hackerone.com | subfinder | shuffledns -d hackerone.com -r resolvers.txt -silent | httprobe

http://docs.hackerone.com
http://www.hackerone.com
http://info.hackerone.com

A Note On Wildcards

A special feature of the tool is its ability to handle multi-level DNS based wildcards and do it so with very less number of DNS requests.

Sometimes all the subdomains will resolve which will lead to lots of garbage in the results.

The way it handles this is it will keep track of how many subdomains point to an IP and if the count of the Subdomains increase beyond a certain small threshold, it will check for wildcard on all the levels of the hosts for that IP iteratively.

R K

Recent Posts

Kali Linux 2024.4 Released, What’s New?

Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…

2 days ago

Lifetime-Amsi-EtwPatch : Disabling PowerShell’s AMSI And ETW Protections

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…

2 days ago

GPOHunter – Active Directory Group Policy Security Analyzer

GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…

4 days ago

2024 MITRE ATT&CK Evaluation Results – Cynet Became a Leader With 100% Detection & Protection

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…

7 days ago

SecHub : Streamlining Security Across Software Development Lifecycles

The free and open-source security platform SecHub, provides a central API to test software with…

1 week ago

Hawker : The Comprehensive OSINT Toolkit For Cybersecurity Professionals

Don't worry if there are any bugs in the tool, we will try to fix…

1 week ago