Skip to content

Easy subdomain finder from a list of company names, IP ranges or domains.

Notifications You must be signed in to change notification settings

ricardojoserf/subdoler

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

89 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Subdoler

Subdoler is a subdomain lister which calculates:

When calculating the subdomains, it creates a TMUX session. You can wait until the programs end or process everything later with -p. Also, you can kill the tmux session with -k.


One of these arguments is necessary:

  • -c: File of companies. Ex: ./subdoler.py -c /tmp/companies.txt
  • -C: List of companies. Ex: ./subdoler.py -C company1,company2
  • -r: File of IP ranges. Ex: ./subdoler.py -r /tmp/ip_ranges.txt
  • -R: List of IP ranges. Ex: ./subdoler.py -R 10.20.30.40/24,11.21.31.41/22
  • -d: File of domains. Ex: ./subdoler.py -d /tmp/domains.txt
  • -R: List of domains. Ex: ./subdoler.py -D company1.com,company2.es
  • -k: Kill tmux session. Ex: ./subdoler.py -k

Optional arguments:

  • -o: Output directory. Ex: ./subdoler.py -c /tmp/companies.txt -o /tmp/subdoler_results
  • -cf: Country filter for IP range extraction from IPv4info. Ex: ./subdoler.py -c /tmp/companies.txt -cf ES,IT,US
  • -ns: No subdomain calculation. Ex: ./subdoler.py -r /tmp/ip_ranges.txt -ns
  • -p: Process results (useful for closing everything except the tmux session and process the resulting files some hours later). Ex: ./subdoler.py -o /tmp/subdoler_results -p

You can decide which programs are used for subdomain calculation setting the value of these options to True in the config.py file:

  • Options to enumerate subdomains:

  • Options to enumerate leaked information:

    • theharvester_active - Use theHarvester to search leaked email addresses

    • pwndb_active - Use PwnDB to search leaked credentials (the service tor needs to get started, it asks for root privileges)


Installation

git clone https://github.com/ricardojoserf/subdoler
cd subdoler/install
sh install.sh

1. IP ranges, domains and subdomains from a list of companies (-c or -C)

It calculates the IP ranges of the companies in IPv4info, extracts the domains in these IPs and then the subdomains:

From a file:

python3 subdoler.py -c COMPANIES_FILE -o OUTPUT_DIRECTORY 

From a comma separated list:

python3 subdoler.py -C company1,company2 -o OUTPUT_DIRECTORY 

First, the IP ranges of each company are calculated:

image

image

Second, the domains in these IP ranges:

image

Third, the subdomains of these domains are calculated using a Tmux session:

image

Then, the program will wait until the user enters a key:

  • If it is 'q', it will quit and you can calculate the data later using the option '-p' (--process)

  • If it is not 'q', it will calculate the data in the files.

image

Finally, the unique subdomains and the leaked information are listed and the output is stored in different files int he output directory:

image

image

Different files are created in the specified output directory:

  • main_domains.txt: It contains the domains (hostnames) from the IP ranges calculated

  • subdomain_by_source.csv: It contains the subdomains with the program which discovered them, the reverse lookup IP and which range it is part of

  • ranges_information.csv: It contains information about the ranges

  • leaked_information.txt: It contains the leaked email accounts and credentials

  • results.xlsx: It contains all the information in an Excel file with different sheets

image

image


2. Domains and subdomains from a list of IP ranges (-r or -R)

It skips the step of calculating the ranges of the companies, working with the IP ranges directly.

From a file:

python3 subdoler.py -r RANGES_FILE -o OUTPUT_DIRECTORY 

image

From a comma separated list:

python3 subdoler.py -R companyrange1,companyrange2 -o OUTPUT_DIRECTORY 

image


3. Subdomains from a list of domains (-d or -D)

It skips the steps of calculating the ranges of the companies and the domains in the IP ranges, extracting the subdomains from the domains list directly:

From a file:

python3 subdoler.py -d DOMAINS_FILE -o OUTPUT_DIRECTORY 

image

From a comma separated list:

python3 subdoler.py -D domain1,domain2,domain3 -o OUTPUT_DIRECTORY 

image


4. IP ranges and domains (no subdomains) from a list of companies (-c or -C and -ns)

Using the option --no_subdomains (-ns), the step of calculating the subdomains is skipped, calculating just the IP ranges of the companies and the domains in them:

python3 subdoler.py -ns -c COMPANIES_FILE -o OUTPUT_DIRECTORY

image9

image10


5. Domains (no subdomains) from a list of ranges (-r or -R and -ns)

python3 subdoler.py -ns -r RANGES_FILE -o OUTPUT_DIRECTORY 

image11

image12


6. Process files (-p)

python3 subdoler.py -o OUTPUT_DIRECTORY --process

image18


7. Process files (-p)

python3 subdoler.py -k