gxfr.py - A Sub-Domain Discovering Script Using Google Queries

Printer-friendly versionPDF version
Linux gxfr.py

If you are trying to find all available sub-domains for a domain, you have a few options available:

  1. axfr - Most likely won't work, as the DNS server probably isn't configured to transfer zones to any host.
  2. Brute Force - There are tools, such as dnsmap, that will use wordlists to guess sub-domains. Here is a tutorial on dnsmap: http://itswapshop.com/tutorial/dnsmap-30-find-subdomains-brute-forcing
  3. Google - Since Google indexes everything, naturally they would have indexed the public facing web servers of the sub-domains you are trying to find.

Using Google is the first thing you want to try, as brute forcing is a questionable technique, and you probably won't be able to perform a zone transfer. Using Google to find sub-domains is also the only passive method for searching sub-domains. The other two methods involve directly querying DNS servers. Using custom Google queries related to the domain name and then filtering through the search results looking for sub-domains is effective, but can become quite a pain. This is where gxfr.py comes in. It automates the entire process. Here is a link to the google code page:


To download and install, run these commands:

wget http://ptscripts.googlecode.com/svn/trunk/gxfr.py
chmod +x gxfr.py
sudo mv ./gxfr.py /usr/local/bin

In the script's most simple form, you will get results like this:

gxfr.py yahoo.com
[-] domain: yahoo.com
[-] user-agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; FDM; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)
[-] querying search engine, please wait...
[-] all available subdomains found...
[-] successful queries made: 16

[subdomains] - 83

While not all listed here, the script found 83 sub-domains for yahoo.com in about 1 minute. Much more time efficient than brute forcing. The script includes much more advanced features, such as:

  • Using encrypted queries
  • DNS lookup for sub-domains
  • Proxies
  • Shunning prevention

Run gxfr.py --help to see a list of all available options:

gxfr.py --help
  Syntax: ./gxfr.py domain [options]
  -h, --help               this screen
  -v                       enable verbose mode
  -t [num of seconds]      set number of seconds to wait between queries (default=15)
  -q [max num of queries]  restrict to maximum number of queries (default=0, indefinite)
  --dns-lookup             enable dns lookups of all subdomains
  --proxy [file|ip:port|-] use a proxy or list of open proxies to send queries (@random w/list)
                             - [file] must consist of 1 or more ip:port pairs
                             - replace filename with '-' (dash) to accept stdin
  --user-agent ['string']  set custom user-agent string
  --timeout [seconds]      set socket timeout (default=system default)
  $ ./gxfr.py foxnews.com --dns-lookup -v
  $ ./gxfr.py foxnews.com --dns-lookup --proxy open_proxies.txt --timeout 10
  $ ./gxfr.py foxnews.com --dns-lookup -t 5 -q 5 -v --proxy
  $ curl http://rmccurdy.com/scripts/proxy/good.txt | ./gxfrpy foxnews.com -v --proxy -

gxfr.py is currently at version 1.5 and is written in Python 2.7.

I am getting this : Syntax Error, when I run this command-"gxfr.py yahoo.com". I wanted to fetch sub domains from a given domain name, so I found this script. I have installed python 3.3.0 on windows and on rhel I've installed 2.7.3 but on both of these platforms I am getting the same error, can you please help me out how to run this script properly, I really appreciate your efforts on creating this script, I am learning a lot out of it .

Looks like the most recent version has changed the format slightly. Try running this command:

gxfr.py --gxfr

You will then be prompted for a domain name. It looks like they only have an interactive mode now:


       _/_/_/  _/      _/  _/_/_/_/  _/_/_/   
    _/          _/  _/    _/        _/    _/  
   _/  _/_/      _/      _/_/_/    _/_/_/     
  _/    _/    _/  _/    _/        _/    _/    
   _/_/_/  _/      _/  _/        _/    _/     
Enter Domain Name:

Awesome script! Is there any way to run it with a file that is storing a column of domains? With each line as an input to the "Enter Domain:" ?

I don't think there's a way do this. You would have to write script that loops through a list of domains.

From the documentation, this doesn't seem to be a feature currently.

Hi, I am trying to use this script with Python on Windows. How do I set the sys.stdin path? The default is triggering an error and when I use any combination of forward/back slashes, it also generated an error that the file is un-writable, including the addition of a predefined file that exists... Appreciate any help!

Haven't tried it on Windows, but I will this week and see if I can answer your questions

Post new comment