https://github.com/projectdiscovery/shuffledns

MassDNS wrapper written in go to enumerate valid subdomains using active bruteforce as well as resolve subdomains with wildcard filtering and easy input-output support.
https://github.com/projectdiscovery/shuffledns

dns dns-bruteforcer dns-resolution dns-resolver hacktoberfest massdns reconnaissance subdomain-bruteforcing

Last synced: about 14 hours ago
JSON representation

MassDNS wrapper written in go to enumerate valid subdomains using active bruteforce as well as resolve subdomains with wildcard filtering and easy input-output support.

• Host: GitHub
• URL: https://github.com/projectdiscovery/shuffledns
• Owner: projectdiscovery
• License: gpl-3.0
• Created: 2020-02-25T19:04:25.000Z (over 4 years ago)
• Default Branch: main
• Last Pushed: 2024-10-21T19:35:00.000Z (13 days ago)
• Last Synced: 2024-10-22T12:44:28.885Z (12 days ago)
• Topics: dns, dns-bruteforcer, dns-resolution, dns-resolver, hacktoberfest, massdns, reconnaissance, subdomain-bruteforcing
• Language: Go
• Homepage: https://projectdiscovery.io
• Size: 1.48 MB
• Stars: 1,310
• Watchers: 37
• Forks: 187
• Open Issues: 4
• Metadata Files:
  • Readme: README.md
  • License: LICENSE.md

Awesome Lists containing this project

• awesome-bugbounty-tools - shuffledns - shuffleDNS is a wrapper around massdns written in go that allows you to enumerate valid subdomains using active bruteforce as well as resolve subdomains with wildcard handling and easy input-output… (Recon / Subdomain Enumeration)
• WebHackersWeapons - shuffledns - output support. ||[`dns`](/categorize/tags/dns.md)|[](/categorize/langs/Go.md)| (Weapons / Tools)
• awesome-hacking-lists - projectdiscovery/shuffledns - MassDNS wrapper written in go to enumerate valid subdomains using active bruteforce as well as resolve subdomains with wildcard filtering and easy input-output support. (Go)
• StarryDivineSky - projectdiscovery/shuffledns

README

        


  

  




massDNS wrapper to bruteforce and resolve the subdomains with wildcard handling support
















      



  Feature •

  Install •

  Run •

  Wildcard •

  License •

  Discord



---

`shuffleDNS` is a wrapper around `massdns`, written in go, that allows you to enumerate valid subdomains using active bruteforce, as well as resolve subdomains with wildcard handling and easy input-output support.

Based on the work on `massdns` project by [@blechschmidt](https://github.com/blechschmidt).

 # Features



  

  




 - Simple and modular code base making it easy to contribute.

 - Fast And Simple active subdomain scanning.

 - Handles wildcard subdomains in a smart manner.

 - Optimized for **ease of use**

 - **Stdin** and **stdout** support for integrating in workflows

# Usage

```bash

shuffledns -h

```

This will display help for the tool. Here are all the switches it supports.

```yaml

shuffleDNS is a wrapper around massdns written in go that allows you to enumerate valid subdomains using active bruteforce as well as resolve subdomains with wildcard handling and easy input-output support.

Usage:

  ./shuffledns [flags]

Flags:

Flags:

INPUT:

   -d, -domain string[]           Domain to find or resolve subdomains for

   -l, -list string               File containing list of subdomains to resolve

   -w, -wordlist string           File containing words to bruteforce for domain

   -r, -resolver string           File containing list of resolvers for enumeration

   -tr, -trusted-resolver string  File containing list of trusted resolvers

   -ri, -raw-input string         Validate raw full massdns output

   -mode string                   Execution mode (bruteforce, resolve, filter)

RATE-LIMIT:

   -t int  Number of concurrent massdns resolves (default 10000)

UPDATE:

   -up, -update                 update shuffledns to latest version

   -duc, -disable-update-check  disable automatic shuffledns update check

OUTPUT:

   -o, -output string            File to write output to (optional)

   -j, -json                     Make output format as ndjson

   -wo, -wildcard-output string  Dump wildcard ips to output file

CONFIGURATIONS:

   -m, -massdns string         Path to the massdns binary

   -mcmd, -massdns-cmd string  Optional massdns commands to run (example '-i 10')

   -directory string           Temporary directory for enumeration

OPTIMIZATIONS:

   -retries int           Number of retries for dns enumeration (default 5)

   -sw, -strict-wildcard  Perform wildcard check on all found subdomains

   -wt int                Number of concurrent wildcard checks (default 250)

DEBUG:

   -silent         Show only subdomains in output

   -version        Show version of shuffledns

   -v              Show Verbose output

   -nc, -no-color  Don't Use colors in output

```

  

## Prerequisite

`shuffledns` requires `massdns` to be installed in order to perform its operations. You can see the installation instructions at [massdns project](https://github.com/blechschmidt/massdns#compilation). If you place the binary in `/usr/bin/massdns` or `/usr/local/bin/massdns`, the tool will auto-detect the presence of the binary and use it. On Windows, you need to supply the path to the binary for the tool to work.

The tool also needs a list of valid resolvers. The [dnsvalidator](https://github.com/vortexau/dnsvalidator) project can be used to generate these lists. You also need to provide wordlist, you can use a custom wordlist or use the [commonspeak2-wordlist](https://wordlists-cdn.assetnote.io/data/manual/best-dns-wordlist.txt).

## Installation Instructions

`shuffledns` requires `go1.21+` to install successfully. Run the following command to install the latest version: 

```bash

go install -v github.com/projectdiscovery/shuffledns/cmd/shuffledns@latest

```

## Running shuffledns

`shuffledns` supports two types of operations:

**Subdomain resolving**

To resolve a list of subdomains, you can pass the list of subdomains via the `-list` option.

```bash

shuffledns -d example.com -list example-subdomains.txt -r resolvers.txt -mode resolve

```

This will run the tool against subdomains in `example-subdomains.txt` and returns the results. The tool uses the resolvers specified with `-r` flag to do the resolving.

You can also pass the list of subdomains at standard input (STDIN). This allows for easy integration in automation pipelines.

```bash

subfinder -d example.com | shuffledns -d example.com -r resolvers.txt -mode resolve

```

This uses the subdomains found passively by `subfinder` and resolves them with `shuffledns` returning only the unique and valid subdomains.

**Subdomain Bruteforcing**

`shuffledns` also supports bruteforce of a target with a given wordlist. You can use the `w` flag to pass a wordlist which will be used to generate permutations that will be resolved using massdns.

```bash

shuffledns -d hackerone.com -w wordlist.txt -r resolvers.txt -mode bruteforce

```

This will run the tool against `hackerone.com` with the wordlist `wordlist.txt`. The domain bruteforce can also be done with standard input as in previous example for resolving the subdomains.

```bash

echo hackerone.com | shuffledns -w wordlist.txt -r resolvers.txt -mode bruteforce

```

---

## Handling Wildcards

A special feature of `shuffleDNS` is its ability to handle multi-level DNS based wildcards, and do it so with a very reduced number of DNS requests. Sometimes all the subdomains would resolve, leading to lots of garbage in the results. The way `shuffleDNS` handles this is by keeping track of how many subdomains point to an IP, and if the number of subdomains increase beyond a certain small threshold, it checks for wildcard on all the levels of the hosts for that IP iteratively.

### Notes

- Wildcard filter feature works with domain (`-d`) input only.

- Resolving or Brute-forcing only one operation can be done at a time. 

### License

`shuffledns` is distributed under [GPL v3 License](https://github.com/projectdiscovery/shuffledns/blob/main/LICENSE.md)