gxfr.py - A Sub-Domain Discovering Script Using Google Queries
If you are trying to find all available sub-domains for a domain, you have a few options available:
- axfr - Most likely won't work, as the DNS server probably isn't configured to transfer zones to any host.
- Brute Force - There are tools, such as dnsmap, that will use wordlists to guess sub-domains. Here is a tutorial on dnsmap: http://itswapshop.com/tutorial/dnsmap-30-find-subdomains-brute-forcing
- Google - Since Google indexes everything, naturally they would have indexed the public facing web servers of the sub-domains you are trying to find.
Google is the first thing to try: brute forcing is a questionable technique, and a zone transfer will almost certainly be refused. Searching Google is also the only passive method of the three; the other two query the target's DNS servers directly. Crafting Google queries for the domain name and then sifting the search results for sub-domains is effective, but quickly becomes tedious. This is where gxfr.py comes in: it automates the entire process. Here is a link to the google code page:
To download and install, run these commands:
chmod +x gxfr.py
sudo mv ./gxfr.py /usr/local/bin
In its simplest form (a bare domain name, no options), the script produces output like this:
[-] domain: yahoo.com
[-] user-agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; FDM; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)
[-] querying search engine, please wait...
[-] all available subdomains found...
[-] successful queries made: 16
[subdomains] - 83
Not all of them are listed here, but the script found 83 sub-domains for yahoo.com in about one minute, which is far more time-efficient than brute forcing. The script also includes more advanced features, such as:
- Using encrypted queries
- DNS lookup for sub-domains
- Shunning prevention
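The core of the approach described above, as an added example that is not gxfr.py's own code: pull hostnames out of search results, keep only those under the target domain, then re-query with every known host excluded (site:domain -site:host ...) until nothing new appears. The search function, the result URLs and the query budget are all constructed stand-ins so the example runs offline.

```python
from urllib.parse import urlparse

# Constructed sample: result URLs as one "site:example.com" query might return them.
SAMPLE_RESULTS = [
    "http://www.example.com/index.html",
    "https://mail.example.com/login",
    "http://www.example.com/about",
    "https://dev.api.example.com/v1/docs",
    "http://notexample.com/page",           # other registrable domain: must be skipped
    "https://example.com.evil.test/path",   # domain only as a prefix: must be skipped
    "https://Static.Example.COM/js/app.js", # case differs: normalised to lower-case
]

def extract_subdomains(domain, urls):
    """Return the set of hostnames strictly below `domain` found in `urls`."""
    domain = domain.lower().strip(".")
    found = set()
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        # Require a label boundary so "notexample.com" never matches "example.com".
        if host.endswith("." + domain):
            found.add(host)
    return found

def next_query(domain, known):
    """Refinement query: ask for the domain again but exclude every host already
    seen, so the engine has to surface hosts it has not shown yet."""
    exclusions = " ".join("-site:%s" % h for h in sorted(known))
    return ("site:%s %s" % (domain, exclusions)).strip()

def enumerate_passively(domain, search, max_queries=3):
    """Drive `search(query) -> list[str]` until no new host appears or the query
    budget (the equivalent of gxfr's -q) is spent; a real run would also sleep
    between calls (gxfr's -t) to avoid being shunned. Returns sorted hosts."""
    known = set()
    for _ in range(max_queries):
        new = extract_subdomains(domain, search(next_query(domain, known))) - known
        if not new:
            break
        known |= new
    return sorted(known)

def fake_search(query):
    """Constructed stand-in for the engine: a second page appears only once the
    first page's hosts are excluded, then the results run dry."""
    if "-site:" not in query:
        return SAMPLE_RESULTS
    if "-site:vpn.example.com" not in query:
        return ["https://vpn.example.com/", "http://www.example.com/"]
    return []

if __name__ == "__main__":
    print(enumerate_passively("example.com", fake_search))
```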
Run gxfr.py --help to see a list of all available options:
Syntax: ./gxfr.py domain [options]
-h, --help this screen
-v enable verbose mode
-t [num of seconds] set number of seconds to wait between queries (default=15)
-q [max num of queries] restrict to maximum number of queries (default=0, indefinite)
--dns-lookup enable dns lookups of all subdomains
--proxy [file|ip:port|-] use a proxy or list of open proxies to send queries (@random w/list)
- [file] must consist of 1 or more ip:port pairs
- replace filename with '-' (dash) to accept stdin
--user-agent ['string'] set custom user-agent string
--timeout [seconds] set socket timeout (default=system default)
$ ./gxfr.py foxnews.com --dns-lookup -v
$ ./gxfr.py foxnews.com --dns-lookup --proxy open_proxies.txt --timeout 10
$ ./gxfr.py foxnews.com --dns-lookup -t 5 -q 5 -v --proxy 127.0.0.1:8080
$ curl http://rmccurdy.com/scripts/proxy/good.txt | ./gxfr.py foxnews.com -v --proxy -
gxfr.py is currently at version 1.5 and is written in Python 2.7.