dnsmap .3.0 - Find Subdomains by Brute-Forcing

Printer-friendly versionPDF version
Linux dnsmap

Dnsmap is a subdomain brute-forcing program. It has a built in word list, which makes it easier than ever to use. If you have your own list of subdomains, you can use that instead. Dnsmap is meant to be used by responsible pentesters during the information gathering/enumeration phase of infrastructure security assessments. Only use this tool on domain names you have permission to use it on (such as your own, or ones belonging to the person who is paying you).

Note*** You may want to consider using gxfr.py to find subdomains. This script filters through google search results for subdomain names. It is a very effective passive subdomain finder. Here is a tutorial on it: http://itswapshop.com/tutorial/gxfrpy-sub-domain-discovering-script-using-google-queries

To download and compile dnsmap, run the following commands (tested on Ubuntu and openSUSE):

wget http://dnsmap.googlecode.com/files/dnsmap-0.30.tar.gz
tar -xzf dnsmap-0.30.tar.gz
cd dnsmap-0.30/
sudo make install

Simply add a domain name after dnsmap to run the program:

dnsmap my-domain.com
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)

[+] warning: domain might use wildcards. will be ignored from results
[+] searching (sub)domains for my-domain.com using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests

IP address #1:

IP address #1:

​You will get a list of subdomains and IP addresses which you can use in the next phase of pentesting. To get a full list of options available with dnsmap, just type dnsmap at the terminal:

dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)

usage: dnsmap <target-domain> [options]
-w <wordlist-file>
-r <regular-results-file>
-c <csv-results-file>
-d <delay-millisecs>
-i <ips-to-ignore> (useful if you're obtaining false positives)

dnsmap target-domain.foo
dnsmap target-domain.foo -w yourwordlist.txt -r /tmp/domainbf_results.txt
dnsmap target-fomain.foo -r /tmp/ -d 3000
dnsmap target-fomain.foo -r ./domainbf_results.txt

If you are looking for a large word list of subdomains, here is a good one:


Am I missing something? Apart from supplying the wordlist, why is this better than a shell wrapper around dig, with some job control via xargs or GNU parallel or similar? I'm pretty flabbergasted that there's a ~800 line C program to do this!

Post new comment