Let’s Build a Subdomain Finder Using Python
The first step of a penetration test is information gathering: collecting as much information about the target as possible, either passively (without touching the target’s systems) or actively (interacting with them). Finding subdomains is an important part of this step. Subdomains often expose less-known applications (staging, test or legacy systems) that get less attention than the main site.
There are several methods for subdomain enumeration and subdomain search. Today we will implement the brute-force method.
Brute Force Attack
It is the oldest way to test hostname combinations in remote host discovery: take a list of likely labels (www, mail, dev, ...) and try each one in front of the target domain.
Brute force is also the slowest way to find subdomains. It is time-consuming because the attacker has to wait until the script has tested every word in the list, so the run time grows with the size of the wordlist and with the timeout of each request.
Let’s Start
Importing libraries
requests:
Requests allows you to send HTTP/1.1 requests extremely easily. There’s no need to manually add query strings to your URLs, or to form-encode your POST data. Keep-alive and HTTP connection pooling are 100% automatic, thanks to urllib3. (From the Requests documentation.) We will also use sys from the standard library to read the command-line arguments.
We will first check the command-line arguments.
If the user has entered the correct command-line arguments, we take the domain name from the arguments and pass it to the subdomain_finder function; otherwise we print a usage message and exit.
Now let’s create the subdomain_finder function.
To brute-force we need a file that contains a list of candidate subdomain labels. The list contains words like “www, ftp, blog, ns1, ...”, so first we open that file. You can find the whole list in the GitHub link attached at the end of the blog.
Now we read this file line by line. We remove whitespace from the start and end of each word using the strip() method and store it in the sub_domain variable, then append the original domain to sub_domain to form new_url (for example “www” + “.” + “example.com”).
Now the core logic is simple.
We send a GET request to new_url with the get method of the requests library, inside a try block.
If we get any response, whatever the status code, we report that the subdomain was found: the name resolved and something answered on the web port.
If the request raises an error instead (DNS failure, connection refused, timeout), we catch it in the except block and move on to the next word.
So let’s join all the pieces and see what the script looks like.
We can also report the “total time taken by the script” with the datetime module: record datetime.now() before the loop and subtract it from datetime.now() after the loop.
Github Link For Source Code:
https://github.com/raj1997/Python-For Pentester/tree/master/Subdomain%20finder
Note: This is the simplest approach. We send one GET request per word in the list and report a subdomain as found whenever we get any response. It is not a reliable method: a subdomain that exists in DNS but has no web server on port 80 is missed, a domain with a wildcard DNS record makes every candidate look “found”, and a request without a timeout can hang the script on a single unresponsive host. Checking DNS resolution directly and probing a random label first to detect wildcards are the usual improvements.