{"id":13600617,"url":"https://github.com/knownsec/ksubdomain","last_synced_at":"2025-05-15T16:04:12.350Z","repository":{"id":37386135,"uuid":"289206722","full_name":"knownsec/ksubdomain","owner":"knownsec","description":"Stateless subdomain brute-forcing tool","archived":false,"fork":false,"pushed_at":"2022-03-16T08:43:46.000Z","size":23120,"stargazers_count":2298,"open_issues_count":28,"forks_count":280,"subscribers_count":35,"default_branch":"master","last_synced_at":"2025-04-07T21:12:52.394Z","etag":null,"topics":["enumeration","hacking-tool","pentesting","security-tools","subdomain"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/knownsec.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-08-21T07:29:04.000Z","updated_at":"2025-04-07T15:28:39.000Z","dependencies_parsed_at":"2022-07-08T07:40:42.027Z","dependency_job_id":null,"html_url":"https://github.com/knownsec/ksubdomain","commit_stats":null,"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/knownsec%2Fksubdomain","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/knownsec%2Fksubdomain/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/knownsec%2Fksubdomain/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/knownsec%2Fksubdomain/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/knownsec","download_url":"https://codeload.github.com/knownsec/ksubdomain/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.co
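m","kind":"github","repositories_count":254374404,"owners_count":22060609,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["enumeration","hacking-tool","pentesting","security-tools","subdomain"],"created_at":"2024-08-01T18:00:44.984Z","updated_at":"2025-05-15T16:04:12.322Z","avatar_url":"https://github.com/knownsec.png","language":"Go","funding_links":[],"categories":["Go","扫描器、资产收集、子域名","Go (531)"],"sub_categories":["网络服务_其他"],"readme":"(This repository is synced from the author's repository: \u003chttps://github.com/boy-hack/ksubdomain\u003e)\n\nksubdomain is a stateless subdomain brute-forcing tool that runs on Windows/Linux/Mac. It performs DNS brute forcing very quickly: the theoretical maximum packet rate is 300,000 packets/s on Mac and Windows, and 1,600,000 packets/s on Linux.\n## Why is it so fast\nksubdomain's sending and receiving are separated and do not depend on the system, so even when sending packets at high concurrency it does not consume system descriptors and stall the system's networking.\n\nUse `--test` to measure the local maximum packet rate. The actual rate depends heavily on network conditions, so ksubdomain reduces the network settings to a single `-b` parameter: enter your network download speed, for example `-b 5m`, and ksubdomain automatically limits the sending rate.\n## Reliability\nAs with masscan, such a high packet rate means packet loss can be severe. ksubdomain has a retransmission mechanism for lost packets (this reduces speed, but it is still much faster than ordinary DNS brute forcing) that ensures every packet receives a reply from the DNS server, so the chance of missed results is small.\n\n## Usage\nDownload the binary from [releases](https://github.com/knownsec/ksubdomain/releases \"releases\").\n\nOn Linux you also need to install `libpcap-dev`; on Windows you need to install `WinPcap`; on Mac it works out of the box.\n```\n _  __   _____       _         _                       _\n| |/ /  / ____|     | |       | |                     (_)\n| ' /  | (___  _   _| |__   __| | ___  _ __ ___   __ _ _ _ __\n|  \u003c    \\___ \\| | | | '_ \\ / _| |/ _ \\| '_   _ \\ / _  | | '_ \\\n| . 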
\\   ____) | |_| | |_) | (_| | (_) | | | | | | (_| | | | | |\n|_|\\_\\ |_____/ \\__,_|_.__/ \\__,_|\\___/|_| |_| |_|\\__,_|_|_| |_|\n\n[INFO] Current Version: 0.7\nUsage of ./cmd:\n  -api\n        使用网络接口\n  -b string\n        宽带的下行速度，可以5M,5K,5G (default \"1M\")\n  -check-origin\n        会从返回包检查DNS是否为设定的，防止其他包的干扰\n  -csv\n        输出excel文件\n  -d string\n        爆破域名\n  -dl string\n        从文件中读取爆破域名\n  -e int\n        默认网络设备ID,默认-1，如果有多个网络设备会在命令行中选择 (default -1)\n  -f string\n        字典路径,-d下文件为子域名字典，-verify下文件为需要验证的域名\n  -filter-wild\n        自动分析并过滤泛解析，最终输出文件，需要与'-o'搭配\n  -full\n        完整模式，使用网络接口和内置字典\n  -l int\n        爆破域名层级,默认爆破一级域名 (default 1)\n  -list-network\n        列出所有网络设备\n  -o string\n        输出文件路径\n  -s string\n        resolvers文件路径,默认使用内置DNS\n  -sf string\n        三级域名爆破字典文件(默认内置)\n  -silent\n        使用后屏幕将仅输出域名\n  -skip-wild\n        跳过泛解析的域名\n  -summary\n        在扫描完毕后整理域名归属asn以及IP段\n  -test\n        测试本地最大发包数\n  -ttl\n        导出格式中包含TTL选项\n  -verify\n        验证模式\n\n```\n### Common commands\n```\nBrute-force with the built-in dictionary\nksubdomain -d seebug.org\n\nBrute-force a domain with a dictionary file\nksubdomain -d seebug.org -f subdomains.dict\n\nIf the dictionary contains only domain names, use verify mode\nksubdomain -f dns.txt -verify\n\nBrute-force third-level domains\nksubdomain -d seebug.org -l 2\n\nBrute-force via a pipe\necho \"seebug.org\"|ksubdomain\n\nVerify domains via a pipe\necho \"paper.seebug.org\"|ksubdomain -verify\n\nFetch domains using only the web API interfaces\nksubdomain -d seebug.org -api\n\nFull mode: query the web APIs first, then brute-force with the built-in dictionary on top of that\nksubdomain -d seebug.org -full\n```\n[![asciicast](https://asciinema.org/a/356138.svg)](https://asciinema.org/a/356138)\n## Summary\nksubdomain includes a summary feature, enabled by appending `-summary` to the arguments.\n\nFor example, after running `ksubdomain -d seebug.org -summary`, the output is automatically grouped by the ASN and IP ranges the domains belong to, which makes it easier to confirm the scope of the assets.\n\n![WX20200904-164515](./images/WX20200904-164515.png)\n\n\n## Pipeline usage\nWith well-known tools such as `subfinder` and `httpx`, ksubdomain can be chained through pipes to collect domains, verify them, and check liveness over HTTP.\n```bash\n./subfinder -d baidu.com -silent|./ksubdomain -verify -silent|./httpx -title -content-length -status-code\n```\n- subfinder collects domains from various search engines\n- ksubdomain verifies the domains\n- httpx 
sends HTTP requests to fetch data and verify liveness\n![image-20200902160128305](./images/image-20200902160128305.png)\n\n## Building\nBecause of the particular nature of the pcap package, cross-compilation is not possible; each binary must be built on its own target system.\n```bash\ngit clone https://github.com/knownsec/ksubdomain\ncd ksubdomain\ngo mod download\ncd cmd\ngo build ksubdomain.go\n```\n\n## Writing scripts\nThe ksubdomain web API engine scripts are written in `lua`; the files are located in `resources/scripts`  \n![WX20200904-164515](./images/WX20210112-175029.png)\n```lua\nname = \"Sublist3rAPI\" -- * plugin name (required)\ntype = \"api\" -- plugin type (optional)\n\nlocal json = require(\"json\")\n\nfunction buildurl(domain)\n    return \"https://api.sublist3r.com/search.php?domain=\" .. domain\nend\n\n-- A vertical function must be implemented; it returns a table of domain names, and may return nil on failure\nfunction vertical(domain)\n    local page, err = request({url=buildurl(domain)})\n    if (err ~= nil and err ~= \"\") then\n        return\n    end\n    local resp = json.decode(page)\n    if (resp == nil or #resp == 0) then\n        return\n    end\n    local a = {}\n    for i, v in pairs(resp) do\n        table.insert(a, v)\n    end\n    return a\nend\n```\nAfter writing the plugin, package the files\n```bash\nstatik -src=resources\n```\n## FAQ\n- `error while loading shared libraries` error on Linux\n  - https://github.com/knownsec/ksubdomain/issues/1\n- Calling from Python\n  - https://github.com/knownsec/ksubdomain/issues/27\n## References\n- From Masscan and Zmap source code analysis to development practice \u003chttps://paper.seebug.org/1052/\u003e\n- Introduction to ksubdomain, a stateless domain brute-forcing tool \u003chttps://paper.seebug.org/1325/\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fknownsec%2Fksubdomain","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fknownsec%2Fksubdomain","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fknownsec%2Fksubdomain/lists"}