projectdiscovery / Shuffledns
Programming Languages
Projects that are alternatives of or similar to Shuffledns
massDNS wrapper to bruteforce and resolve the subdomains with wildcard handling support
Feature • Install • Run • Wildcard • License • Discord
shuffleDNS is a wrapper around massdns written in go that allows you to enumerate valid subdomains using active bruteforce as well as resolve subdomains with wildcard handling and easy input-output support.
Based on the work on massdns project by @blechschmidt.
Features
- Simple and modular code base making it easy to contribute.
- Fast And Simple active subdomain scanning.
- Handles wildcard subdomains in a smart manner.
- Optimized for ease of use
- Stdin and stdout support for integrating in workflows
Usage
▶ shuffledns -h
This will display help for the tool. Here are all the switches it supports.
| Flag | Description | Example |
|---|---|---|
| d | Domain to find or resolve subdomains for | shuffledns -d hackerone.com |
| directory | Temporary directory for enumeration | shuffledns -directory /hdd |
| r | File containing resolvers for enumeration | shuffledns -r resolvers.txt |
| nC | Don't Use colors in output | shuffledns -nC |
| o | File to save output result (optional) | shuffledns -o hackerone.txt |
| list | List of subdomains to process for | shuffledns -list bugcrowd.txt |
| massdns | Massdns binary path | shuffledns -massdns /usr/bin/massdns |
| retries | Number of retries for dns enumeration (default 5) | shuffledns -retries 1 |
| silent | Show only subdomains in output | shuffledns -silent |
| t | Number of concurrent massdns resolves (default 10000) | shuffledns -t 100 |
| v | Show Verbose output | shuffledns -v |
| version | Show version of shuffledns | shuffledns -version |
| w | File containing words to bruteforce for domain | shuffledns -w words.txt |
| wt | Number of concurrent wildcard checks (default 25) | shuffledns -wt 100 |
| raw-input | File containing existing massdns output | shuffledns -massdns-file output.txt |
Prerequisiteshuffledns requires massdns to be installed in order to perform its operations. You can see the install instructions at massdns project. If you place the binary in The tool also needs a list of valid resolvers. The dnsvalidator project can be used to generate these lists. You also need to provide wordlist, you can use a custom wordlist or use the commonspeak2-wordlist. |
Installation Instructions
shuffledns requires go1.14+ to install successfully. Run the following command to get the repo -
▶ GO111MODULE=on go get -v github.com/projectdiscovery/shuffledns/cmd/shuffledns
Running shuffledns
shuffledns supports two types of operations.
Subdomain resolving
To resolve a list of subdomains, you can pass the list of subdomains via the list option.
▶ shuffledns -d example.com -list example-subdomains.txt -r resolvers.txt
This will run the tool against subdomains in example-subdomains.txt and returns the results. The tool uses the resolvers specified with -r flag to do the resolving.
You can also pass the list of subdomains at standard input (STDIN). This allows for easy integration in automation pipelines.
▶ subfinder -d example.com | shuffledns -d example.com -r resolvers.txt
This uses the subdomains found passively by subfinder and resolves them with shuffledns returning only the unique and valid subdomains.
Subdomain Bruteforcing
shuffledns also supports bruteforce of a target with a given wordlist. You can use the w flag to pass a wordlist which will be used to generate permutations that will be resolved using massdns.
▶ shuffledns -d hackerone.com -w wordlist.txt -r resolvers.txt
This will run the tool against hackerone.com with the wordlist wordlist.txt. The domain bruteforce can also be done with standard input as in previous example for resolving the subdomains.
▶ echo hackerone.com | shuffledns -w wordlist.txt -r resolvers.txt
Handling WildcardsA special feature of shuffleDNS is its ability to handle multi-level DNS based wildcards and do it so with very less number of DNS requests. Sometimes all the subdomains will resolve which will lead to lots of garbage in the results. The way shuffleDNS handles this is it will keep track of how many subdomains point to an IP and if the count of the Subdomains increase beyond a certain small threshold, it will check for wildcard on all the levels of the hosts for that IP iteratively. |
Notes
- Wildcard filter feature works with domain (-d) input only.
- Resolving or Brute-forcing only one operation can be done at a time.
License
shuffledns is distributed under MIT License