Project Status

Please note I am not actively supporting this project. I may return to subdomain research at some point but my security interests lie elsewhere at the moment and my time is divided among other things. If you find an issue feel free to send a PR or fork it into your own project. Thanks.

Turbolist3r

Turbolist3r is a fork of the sublist3r subdomain discovery tool. In addition to the original OSINT capabilities of sublist3r, turbolist3r automates some analysis of the results, with a focus on subdomain takeover.

Turbolist3r queries public DNS servers for each discovered subdomain. If the subdomain exists (i.e. the resolver replied with an address), the answer is categorized as CNAME or A record. By examining A records, it is possible to discover potential penetration testing targets for a given domain. Likewise, the process of looking for subdomain takeovers is simple; view the discovered CNAME records and investigate any that point to applicable cloud services.
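The CNAME/A classification step described above, as an added example that is not turbolist3r's own code: it parses dig-style answer lines (a constructed sample) for subdomains of the enumerated domain, splits them into A and CNAME records, and flags CNAMEs that point into an assumed list of third-party suffixes or whose target returned no address, which is the case a defender wants to catch before anyone else does.

```python
import re
# Illustrative third-party suffixes (an assumption, not the tool's own list).
WATCH_SUFFIXES = ("herokuapp.com", "s3.amazonaws.com", "github.io")
# One dig-style answer line: <owner> <ttl> IN <type> <rdata>
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|CNAME)\s+(\S+)$")

def parse_answer(line):
    """Return (owner, type, rdata) for an A/CNAME answer line, else None."""
    m = ANSWER_RE.match(line.strip())
    if not m:
        return None
    owner, _ttl, rtype, rdata = m.groups()
    return owner.rstrip(".").lower(), rtype, rdata.rstrip(".").lower()

def under(name, zone):
    return name == zone or name.endswith("." + zone)

def analyze(domain, lines):
    """Split answers into A vs CNAME for subdomains of `domain`, then flag
    CNAMEs that point at third-party services or that resolve no further."""
    a_records = {}  # every owner seen (any zone) -> list of addresses
    cnames = {}     # in-scope subdomain -> CNAME target
    for line in lines:
        parsed = parse_answer(line)
        if parsed is None:
            continue  # comments, blank lines, other record types
        owner, rtype, rdata = parsed
        if rtype == "A":
            a_records.setdefault(owner, []).append(rdata)
        elif under(owner, domain):
            cnames[owner] = rdata
    return {
        "A": {n: ips for n, ips in a_records.items() if under(n, domain)},
        "CNAME": cnames,
        "review": sorted(n for n, t in cnames.items()
                         if any(under(t, s) for s in WATCH_SUFFIXES)),
        # A CNAME whose target came back with no address is the dangling case.
        "dangling": sorted(n for n, t in cnames.items() if t not in a_records),
    }

# Constructed sample in the shape of a dig answer section (not real data).
SAMPLE = """;; ANSWER SECTION:
www.example.com.           300 IN A     192.0.2.10
blog.example.com.          300 IN CNAME blog-legacy.herokuapp.com.
blog-legacy.herokuapp.com.  60 IN A     198.51.100.5
old.example.com.           300 IN CNAME old-bucket.s3.amazonaws.com.
cdn.example.com.           300 IN CNAME cdn.example.net.
cdn.example.net.           300 IN A     203.0.113.7
mail.example.com.          300 IN MX    10 mx.example.com.""".splitlines()
```

Records for names outside the enumerated domain (here the Heroku and example.net targets) are kept only to decide whether a CNAME target still resolves; the MX line is ignored like any other record type.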

Please do not use for illegal purposes.

Screenshots

Screenshot 1

Screenshot 2

Usage

| Short Form | Long Form | Description |
|---|---|---|
| -d | --domain | Domain name to enumerate subdomains of |
| -b | --bruteforce | Enable the subbrute bruteforce module |
| -p | --ports | Scan the found subdomains against specific TCP ports |
| -v | --verbose | Enable verbose mode and display results in real time |
| -t | --threads | Number of threads to use for subbrute bruteforce |
| -e | --engines | Specify a comma-separated list of search engines |
| -o | --output | Save discovered domain names to the specified text file |
| -h | --help | Show the help message and exit |
| -a | --analyze | Do reverse DNS analysis and output results |
| (none) | --saverdns | Save reverse DNS analysis to the specified file |
| (none) | --inputfile | Read domains from the specified file and use them for analysis |
| (none) | --debug | Print debug information during the analysis module (-a). Prints mostly raw DNS data; familiarity with the dig Linux DNS utility and its output is helpful for interpreting the debug output |
| -r | --resolvers | File with DNS servers to use as resolvers. The file must have only one server IP address per line, and only IP addresses are accepted |
| -q | --quiet | Only print found domains and/or CNAME mappings. Note that errors may be printed as well |

Examples

```shell
# Show the help message
python turbolist3r.py -h

# Enumerate subdomains, run the reverse DNS analysis, and save the analysis to a file
python turbolist3r.py -d example.com -a --saverdns analysis_file.txt

# Read subdomains from a file and run the analysis on them
python turbolist3r.py -d example.com -a --inputfile subdomains.txt

# Same, but resolve against the DNS servers listed (one IP per line) in dns_servers.txt
python turbolist3r.py -d example.com -a --inputfile subdomains.txt -r dns_servers.txt

# Plain subdomain enumeration
python turbolist3r.py -d example.com

# Save discovered domain names to a text file
python turbolist3r.py -d example.com -o example_hosts.txt

# Verbose mode: display results in real time
python turbolist3r.py -v -d example.com

# Enable the subbrute bruteforce module
python turbolist3r.py -b -d example.com

# Use only the listed search engines
python turbolist3r.py -e google,yahoo,virustotal -d example.com
```

Dependencies

Turbolist3r depends on the dnslib, requests, and argparse Python modules. The subbrute module is required for bruteforce capability, but Turbolist3r should run without it as long as you don't invoke bruteforce. Submit a PR or contact me if you have issues.

dnslib Module

The dnslib module can be downloaded from https://bitbucket.org/paulc/dnslib/ or installed on many systems using:

```shell
pip install dnslib
```

requests Module

```shell
sudo apt-get install python-requests
sudo yum install python-requests
sudo pip install requests
```

argparse Module

```shell
sudo apt-get install python-argparse
sudo yum install python-argparse
sudo pip install argparse
```

License

Turbolist3r is licensed under the GNU GPL license. Take a look at the LICENSE file for more information.

Respect legal restrictions and only conduct testing against infrastructure that you have permission to target.

Credits

Thanks