SubFuz is a fuzzing tool used for enumerating subdomains through multiple methods. It has several built-in enumeration methods, plus plugin support to enrich your results from different 3rd-party sources. SubFuz accepts internationalized domain names (IDN), allowing you to scan domains like пример.example, 例.example or мысал.example, as well as use UTF-8 words in your fuzzing dictionary.
When SubFuz identifies a valid subdomain, it performs mutation techniques on that subdomain to find similar, adjacent or deeper subdomains. For example, if web.example.com is discovered, SubFuz will then check DNS for web01.example.com, web02.example.com and so on. SubFuz will also prepend any words listed in the config option "deep_domains", testing for names such as admin.web.example.com, api.web.example.com and so on.
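The mutation step described above, written out as an added example (this is not SubFuz's own code): numeric siblings, `deep_domains` prefixes, and conversion of IDN labels to the xn-- form a resolver actually queries. The numeric range, the zero-padding width and the `DEEP_DOMAINS` list are assumptions.

```python
# Added example, not SubFuz's own code: generate the candidate names SubFuz
# would test after discovering a subdomain (web -> web01, web02 ... and
# admin.web.example.com), emitted in ASCII-compatible (ACE) form for DNS.
import re
from typing import List

# Constructed stand-in for the "deep_domains" option in config.json (assumption).
DEEP_DOMAINS = ["admin", "api", "админ"]


def to_ace(host: str) -> str:
    """Convert Unicode labels to their xn-- (punycode) form; ASCII labels pass through."""
    return host.encode("idna").decode("ascii")


def mutate_subdomain(host: str, deep_domains: List[str],
                     max_num: int = 3, width: int = 2) -> List[str]:
    """Return query-ready candidate names derived from a discovered subdomain."""
    leaf, _, parent = host.partition(".")
    # Drop a trailing number so web01 yields web02, web03 rather than web0101.
    base = re.sub(r"\d+$", "", leaf)
    candidates = []
    for n in range(1, max_num + 1):
        sibling = f"{base}{n:0{width}d}.{parent}"
        if sibling != host:          # do not re-test the name we started from
            candidates.append(sibling)
    for word in deep_domains:
        candidates.append(f"{word}.{host}")
    # Resolvers expect punycode, so emit ACE and dedupe while keeping order.
    seen, result = set(), []
    for name in map(to_ace, candidates):
        if name not in seen:
            seen.add(name)
            result.append(name)
    return result


if __name__ == "__main__":
    for name in mutate_subdomain("web.пример.example", DEEP_DOMAINS):
        print(name)
```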
Currently tested on Linux with Python 3.10.

```bash
sudo apt-get install python3 python3-pip
git clone https://github.com/netsecurity-as/subfuz/
cd subfuz
python3 -m pip install -r requirements.txt
```
```
$ python3 subfuz.py -h
usage: subfuz.py [-h] [-d TARGET] [-l TARGET_LIST] [-w DICTIONARY]
                 [-o LOG_FILENAME] [-csv CSV_FILENAME] [-deep DEEP] [-dns DNS]
                 [-protocol PROTOCOL] [-record RECORD] [-p P] [-z Z] [-r R]
                 [-t T] [-zone] [-ptr] [-quiet] [-all]

required arguments:
  -d TARGET           Specify domain to fuzz, or..
  -l TARGET_LIST      Specify list of domains to fuzz

optional arguments:
  -w DICTIONARY       Specify fuzzing dictionary to use
  -o LOG_FILENAME     Write output to a file
  -csv CSV_FILENAME   Write output to a csv file. Use - for stdout
  -deep DEEP          Specify fuzzing dictionary for deep subdomain testing
  -dns DNS            Override DNS server to query [ None ]
  -protocol PROTOCOL  Override DNS protocol [ None ]
  -record RECORD      Override DNS query record [ None ]
  -p P                DNS timeout [ 3 ] sec
  -z Z                DNS request throttle [ 0 ] ms
  -r R                DNS retries if failed [ 3 ]
  -t T                Threads active [ 5 ]
  -zone               Disable Zone Transfer testing
  -ptr                Disable PTR check on related domains on the current /24 network
  -quiet              Suppress terminal output

plugins:
  -all                Enable all plugins
  -<plugin name>      <plugin info text>
```
See config.json to customize default options and to enable or disable plugins.
Parameter | Default | Description |
---|---|---|
threads | 5 | Number of parallel threads to run scans with |
dns_fallback | 8.8.8.8 | Fallback DNS server to resolve queries |
dns_fallback_protocol | UDP | Fallback protocol to resolve with |
dns_fallback_record | ANY | Fallback record type to resolve with |
dns_override | null | Permanently override DNS server |
dns_override_protocol | null | Permanently override DNS protocol |
dns_override_record | null | Permanently override DNS record |
throttle | 0 | Ratelimit each thread by x milliseconds |
timeout | 3 | DNS query timeout |
retry | 3 | Amount of retries on failed queries |
deep_domains | N/A | Additional tests performed on located subdomains, e.g. admin.subdomain.domain.com |
txt_record_search | N/A | Display and log matching TXT records |
For plugin development or contributions, see /plugins/README.md for how to get started. SubFuz is currently extended with the following plugins:
Plugin | README | Author |
---|---|---|
virustotal | /plugins/virustotal/README.md | Eplox |
crtsh | /plugins/crtsh/README.md | Eplox |
censys | /plugins/censys/README.md | Eplox |
hackertarget | hackertarget.com | Vegar |
microsoft | /plugins/microsoft/README.md | Eplox |
citrix | /plugins/citrix/README.md | hahnium |
aws | /plugins/aws/README.md | hahnium |
circl | /plugins/circl/README.md | hahnium |
dnsdumpster | /plugins/dnsdumpster/README.md | hahnium |
Grab the domain fuzzing lists from Daniel Miessler's SecLists repository: https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS
The included DNS wordlist is based on this source.
This project is licensed under the GPL license.