Turbolist3r: Subdomain Enumeration Tool With Analysis Features For Discovered Domains

Turbolist3r is a fork of the sublist3r subdomain discovery tool. In addition to the original OSINT capabilities of sublist3r, turbolist3r automates some analysis of the results, with a focus on subdomain takeover.

Turbolist3r queries public DNS servers for each discovered subdomain. If the subdomain exists (i.e. the resolver replied with an address), the answer is categorized as a CNAME or an A record. Examining the A records reveals potential penetration testing targets for a given domain. Likewise, looking for subdomain takeovers is simple: review the discovered CNAME records and investigate any that point to applicable cloud services.
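The triage described above, as an added example for auditing a zone you own (it is not Turbolist3r's own code): it sorts resolver answers into A and CNAME findings and marks CNAMEs whose third-party target no longer resolves. The `lookup` callable, the suffix list and the sample zone are assumptions constructed for illustration.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "name kind value note")

# Assumption: suffixes of third-party hosting your organisation uses; keep your own list.
THIRD_PARTY_SUFFIXES = (".github.io", ".herokuapp.com", ".azurewebsites.net")

# Constructed sample answers (documentation addresses), standing in for a real resolver.
SAMPLE_ZONE = {
    "www.example.com": [("A", "192.0.2.10")],
    "blog.example.com": [("CNAME", "example-blog.github.io.")],
    "example-blog.github.io": [("A", "192.0.2.44")],
    "shop.example.com": [("CNAME", "old-shop.herokuapp.com.")],  # target has no record
}

def sample_lookup(name):
    """Return a list of (record_type, value) answers; empty if the name does not exist."""
    return SAMPLE_ZONE.get(name, [])

def follow_cname(name, lookup, max_hops=8):
    """Follow a CNAME chain and return (final_target_or_None, addresses)."""
    target = None
    for _ in range(max_hops):
        answers = lookup(name)
        cnames = [v for t, v in answers if t == "CNAME"]
        if not cnames:
            return target, [v for t, v in answers if t == "A"]
        target = name = cnames[0].rstrip(".").lower()
    return target, []  # loop or overly long chain: treat as unresolved

def triage(names, lookup):
    """Categorise each existing name as A or CNAME and flag dangling CNAMEs."""
    findings = []
    for name in names:
        target, addrs = follow_cname(name.rstrip(".").lower(), lookup)
        if target is None:
            if addrs:
                findings.append(Finding(name, "A", addrs[0], "direct address"))
            continue  # no answer at all: the name does not exist
        if addrs:
            note = "resolves"
        elif target.endswith(THIRD_PARTY_SUFFIXES):
            note = "DANGLING: third-party target does not resolve"
        else:
            note = "target does not resolve"
        findings.append(Finding(name, "CNAME", target, note))
    return findings

if __name__ == "__main__":
    for f in triage(["www.example.com", "blog.example.com", "shop.example.com"], sample_lookup):
        print(f"{f.kind:5} {f.name} -> {f.value} ({f.note})")
```

A dangling finding means the DNS record should be removed, or the third-party resource re-provisioned under your own account, before the record is relied on again.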

Please do not use for illegal purposes.

Usage

| Short Form | Long Form | Description |
| --- | --- | --- |
| -d | --domain | Domain name to enumerate subdomains of |
| -b | --bruteforce | Enable the subbrute bruteforce module |
| -p | --ports | Scan the found subdomains against specific TCP ports |
| -v | --verbose | Enable verbose mode and display results in real time |
| -t | --threads | Number of threads to use for subbrute bruteforce |
| -e | --engines | Specify a comma-separated list of search engines |
| -o | --output | Save discovered domain names to the specified text file |
| -h | --help | Show the help message and exit |
| -a | --analyze | Do reverse DNS analysis and output results |
| (none) | --saverdns | Save reverse DNS analysis to the specified file |
| (none) | --inputfile | Read domains from the specified file, and use them for analysis |
| (none) | --debug | Print debug information during the analysis module (-a). Prints mostly raw DNS data; familiarity with the dig Linux DNS utility and its output is helpful for interpreting the debug output |
| -r | --resolvers | File with DNS servers to populate as resolvers. The file must have only one server IP address per line, and only IP addresses are accepted |
| -q | --quiet | Only print found domains and/or CNAME mappings. Note that errors may be printed as well |

Examples

  • To list all the basic options and switches, use the -h switch:

python turbolist3r.py -h

  • To enumerate subdomains of a specific domain, perform advanced analysis, and save the analysis to a file:

python turbolist3r.py -d example.com -a --saverdns analysis_file.txt

  • Read subdomains from a file and perform advanced analysis on them:

python turbolist3r.py -d example.com -a --inputfile subdomains.txt

  • Using -r to populate DNS resolvers from a file (resolvers used with -a analysis module):

python turbolist3r.py -d example.com -a --inputfile subdomains.txt -r dns_servers.txt

  • To enumerate subdomains of a specific domain:

python turbolist3r.py -d example.com

  • To enumerate subdomains of a specific domain and save discovered subdomains to a file:

python turbolist3r.py -d example.com -o example_hosts.txt

  • To enumerate subdomains of a specific domain and show the results in real time:

python turbolist3r.py -v -d example.com

  • To enumerate subdomains and enable the bruteforce module:

python turbolist3r.py -b -d example.com

  • To enumerate subdomains and use specific engines such as Google, Yahoo and Virustotal:

python turbolist3r.py -e google,yahoo,virustotal -d example.com

Dependencies

Turbolist3r depends on the dnslib, requests, and argparse python modules. The subbrute module is required for bruteforce capability, but Turbolist3r should run without it as long as you don’t invoke bruteforce. Submit a PR or contact me if you have issues.

dnslib Module

The dnslib module can be downloaded from https://bitbucket.org/paulc/dnslib/ or installed on many systems using:

pip install dnslib

Requests Module

  • Install for Ubuntu/Debian:

sudo apt-get install python-requests

  • Install for Centos/Redhat:

sudo yum install python-requests

  • Install using pip on Linux:

sudo pip install requests

Argparse Module

  • Install for Ubuntu/Debian:

sudo apt-get install python-argparse

  • Install for Centos/Redhat:

sudo yum install python-argparse

  • Install using pip:

sudo pip install argparse

R K
