Provided by: dnsmap_0.35-3_amd64 bug

NAME
       dnsmap - scan for subdomains using bruteforcing techniques


SYNOPSIS
       dnsmap <target-domain> [options]


DESCRIPTION
       dnsmap  scans  a domain for common subdomains using a built-in or an external wordlist (if specified with
       -w option). The internal wordlist has around  1000  words  in  English  and  Spanish  as  ns1,  firewall,
       servicios  and  smtp.  So  will be possible search for smtp.example.com inside example.com automatically.
       Results can be saved in CSV and human-readable format for further processing.  dnsmap  does  NOT  require
       root privileges to be run, and should NOT be run with such privileges for security reasons.

       dnsmap  was  originally  released  back in 2006 and was inspired by the fictional story "The Thief No One
       Saw" by Paul Craig, which can be found in the book "Stealing the Network - How to 0wn the Box".

       dnsmap is mainly meant to be used by pentesters during the  information  gathering/enumeration  phase  of
       infrastructure  security  assessments.  During  the  enumeration  stage,  the  security  consultant would
       typically discover the target company's IP netblocks, domain names, phone numbers, etc.

       Subdomain bruteforcing is another technique that should  be  used  in  the  enumeration  stage,  as  it's
       especially  useful when other domain enumeration techniques such as zone transfers don't work (is rare to
       see zone transfers being publicly allowed these days by the way).

       Fun things that can happen:

              1.  Finding interesting remote access servers (e.g.: https://extranet.example.com).

              2.  Finding badly configured and/or unpatched servers (e.g.: test.example.com).

              3.  Finding new domain names which will allow you to  map  non-obvious/hard-to-find  netblocks  of
                  your target organization (registry lookups - aka whois is your friend).

              4.  Sometimes  you  find  that  some  bruteforced subdomains resolve to internal IP addresses (RFC
                  1918).  This is great as sometimes they are real up-to-date "A" records which  means  that  it
                  *is* possible to enumerate internal servers of a target organization from the Internet by only
                  using standard DNS resolving (as opposed to zone transfers for instance).

              5.  Discover embedded devices configured using Dynamic  DNS  services  (e.g.:  IP  Cameras).  This
                  method is an alternative to finding devices via Google hacking techniques.


OPTIONS
       -w <wordlist-file>
              Use  an  external  wordlist instead of the built-in one. You can use programs as crunch or cupp to
              generate personalized wordlists.

       -r <regular-results-file>
              Save results to a plain text file. If a file name isn't supplied, dnsmap  will  create  an  unique
              filename  which includes the current timestamp. e.g.: dnsmap_example_com_br_2019_11_15_214812.txt.
              So, you can provide a directory name only, as -r /tmp.

       -c <csv-results-file>
              Save results in CSV format in a file. If a file name isn't provided, dnsmap will create  something
              as dnsmap_example_com_br_2019_11_15_220114.csv. This is a similar behaviour from -r option.

       -d <delay-millisecs>
              Limit  of random delay in milliseconds between successive queries. Delay value is a maximum random
              value. e.g. if you enter 1000, each DNS request will be  delayed  a  *maximum*  of  1  second.  By
              default,  dnsmap  uses  a  value  of  10  milliseconds of maximum delay between DNS lookups. It is
              recommended to use the -d (delay in milliseconds) option in cases where dnsmap is interfering with
              your  online experience. i.e.: killing your bandwidth. If used, delay must be between 1 and 300000
              milliseconds (5 minutes).

       -i <ips-to-ignore>
              IP addresses to ignore in the results (useful if you get obtaining false  positives).  Use  commas
              without  spaces  to  separate the IP addresses. The maximum number of IPs to filter is 5. Example:
              203.0.113.10,198.51.199.65


INTERNAL WORDLIST
       The built-in wordlist is defined in src/dnsmap.h file. If needed, see the file to know all words.


EXAMPLES
       Subdomain bruteforcing using dnsmap's built-in wordlist:

           $ dnsmap example.com

       Subdomain bruteforcing using a user-supplied wordlist:

           $ dnsmap example.com -w wordlist.txt

       Subdomain bruteforcing using the built-in wordlist and saving the results to /tmp/ :

           $ dnsmap example.com -r /tmp

       Example of subdomain bruteforcing using the built-in wordlist, saving the results to /tmp/, and waiting a
       random maximum of 300 milliseconds between each request:

           $ dnsmap example.com -r /tmp/ -d 300

       Subdomain  bruteforcing  with  0.8  seconds  delay, saving results in regular and CSV format, filtering 2
       user-provided IP and using a user-supplied wordlist:

           $ dnsmap example.com -d 800 -r /tmp/ -c /tmp/ -i 10.55.206.154,10.55.24.100 -w ./wordlist_TLAs.txt


BUGS
       Currently, dnsmap does not yet support parallel scanning and hence take quite a long time.

       New bugs should be reported at https://github.com/resurrecting-open-source-projects/dnsmap/issues


SEE ALSO
       crunch(1), cupp(1), dnsmap-bulk(1)


AUTHOR
       dnsmap was originally written by "pagvac" in 2006. Currently  it  is  maintained  by  volunteers,  inside
       dnsmap project, at https://github.com/resurrecting-open-source-projects/dnsmap/

       This manpage was written by Joao Eriberto Mota Filho.