Dnsmap – Passive DNS network mapper a.k.a. subdomain brute-forcer.
dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target company's IP netblocks, domain names, phone numbers, etc.
Subdomain brute-forcing is another technique that should be used in the enumeration stage, as it’s especially useful when other domain enumeration techniques such as zone transfers don’t work.
usage: dnsmap <target-domain> [options]

options:
-w <wordlist-file>
-r <regular-results-file>
-c <csv-results-file>
-d <delay-millisecs>
-i <ips-to-ignore> (useful if you're obtaining false positives)

e.g.:
dnsmap target-domain.foo
dnsmap target-domain.foo -w yourwordlist.txt -r /tmp/domainbf_results.txt
dnsmap target-domain.foo -r /tmp/ -d 3000
dnsmap target-domain.foo -r ./domainbf_results.txt
user@kali:~# dnsmap example.com
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)

[+] searching (sub)domains for example.com using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests

sftp.example.com
IP address #1: 127.0.0.1

email.example.com
IP address #1: 127.0.0.1

webmail.example.com
IP address #1: 127.0.0.1

www.example.com
IP address #1: 127.0.0.1

[+] 4 (sub)domains and 4 IP address(es) found
[+] completion time: 195 second(s)
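As an added example (not dnsmap's own code), a Python sketch of the loop the options above describe: resolving <word>.<domain> for each wordlist entry, a -d style delay, and a -i style ignore list, plus an added wildcard probe that catches the usual source of false positives. The resolver is injectable so the block runs against a constructed offline zone shaped after the sample run above; resolve_system, resolve_fake and the probe label are assumptions, not dnsmap behaviour.

```python
import socket
import time
from typing import Callable, Dict, Iterable, List

Resolver = Callable[[str], List[str]]

def resolve_system(hostname: str) -> List[str]:
    """Real lookup via the system resolver; returns the A records or [] on NXDOMAIN."""
    try:
        return sorted(set(socket.gethostbyname_ex(hostname)[2]))
    except socket.gaierror:
        return []

def wildcard_ips(domain: str, resolve: Resolver) -> List[str]:
    """Added check: resolve a label no wordlist contains. If it answers, the zone
    has a wildcard record and every word would 'hit' those IPs (false positives)."""
    return resolve(f"dnsmap-wildcard-probe-7f3a9c.{domain}")

def bruteforce(domain: str, words: Iterable[str], resolve: Resolver = resolve_system,
               ignore_ips: Iterable[str] = (), delay_ms: int = 0) -> Dict[str, List[str]]:
    """dnsmap-style loop: query <word>.<domain> per wordlist entry, pause between
    queries (-d), and drop answers in the ignore set (-i) or the wildcard set."""
    ignore = set(ignore_ips) | set(wildcard_ips(domain, resolve))
    found: Dict[str, List[str]] = {}
    for word in words:
        host = f"{word.strip()}.{domain}"
        ips = [ip for ip in resolve(host) if ip not in ignore]
        if ips:
            found[host] = ips
        if delay_ms:
            time.sleep(delay_ms / 1000)
    return found

def to_csv(found: Dict[str, List[str]]) -> str:
    """One line per host, IPs comma-separated (the shape of a -c results file)."""
    return "\n".join(f"{h},{','.join(ips)}" for h, ips in sorted(found.items()))

# Constructed offline stand-in for the resolver: the four hosts from the sample
# run above (all 127.0.0.1) plus a wildcard answer for any other label.
_FAKE_ZONE = {f"{h}.example.com": ["127.0.0.1"] for h in ("sftp", "email", "webmail", "www")}

def resolve_fake(hostname: str) -> List[str]:
    if hostname in _FAKE_ZONE:
        return _FAKE_ZONE[hostname]
    return ["203.0.113.9"] if hostname.endswith(".example.com") else []

WORDLIST = ["www", "mail", "email", "sftp", "webmail", "vpn"]  # constructed mini wordlist
```

Against the stub, "mail" and "vpn" resolve only to the wildcard address and are discarded, so the result matches the four hosts in the sample run; swap in resolve_system (and a real delay) for a live zone you are authorised to assess.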