Provided by: dnsmap_0.36-3_amd64 bug

NAME

       dnsmap - scan for subdomains using bruteforcing techniques

SYNOPSIS

       dnsmap <target-domain> [options]

DESCRIPTION

       dnsmap  scans  a domain for common subdomains using a built-in or an external wordlist (if
       specified with -w option). The internal wordlist has around  1000  words  in  English  and
       Spanish   as   ns1,  firewall,  servicios  and  smtp.  So  will  be  possible  search  for
       smtp.example.com inside example.com automatically.  Results can be saved in CSV and human-
       readable format for further processing. dnsmap does NOT require root privileges to be run,
       and should NOT be run with such privileges for security reasons.

       dnsmap was originally released back in 2006 and was inspired by the fictional  story  "The
       Thief  No  One  Saw" by Paul Craig, which can be found in the book "Stealing the Network -
       How to 0wn the Box".

       dnsmap  is  mainly   meant   to   be   used   by   pentesters   during   the   information
       gathering/enumeration phase of infrastructure security assessments. During the enumeration
       stage, the security consultant would typically discover the target company's IP netblocks,
       domain names, phone numbers, etc.

       Subdomain  bruteforcing is another technique that should be used in the enumeration stage,
       as it's especially useful when other domain enumeration techniques such as zone  transfers
       don't work (is rare to see zone transfers being publicly allowed these days by the way).

       Fun things that can happen:

              1.  Finding interesting remote access servers (e.g.: https://extranet.example.com).

              2.  Finding badly configured and/or unpatched servers (e.g.: test.example.com).

              3.  Finding  new  domain names which will allow you to map non-obvious/hard-to-find
                  netblocks of your target organization (registry lookups -  aka  whois  is  your
                  friend).

              4.  Sometimes  you  find  that  some  bruteforced subdomains resolve to internal IP
                  addresses (RFC 1918).  This is great as sometimes they are real up-to-date  "A"
                  records  which  means  that it *is* possible to enumerate internal servers of a
                  target organization from the Internet by only using standard DNS resolving  (as
                  opposed to zone transfers for instance).

              5.  Discover  embedded  devices  configured  using  Dynamic  DNS services (e.g.: IP
                  Cameras). This method is an alternative to finding devices via  Google  hacking
                  techniques.

OPTIONS

       -w <wordlist-file>
              Use  an  external  wordlist  instead  of  the built-in one. You can use programs as
              crunch or cupp to generate personalized wordlists.

       -r <regular-results-file>
              Save results to a plain text file. If a  file  name  isn't  supplied,  dnsmap  will
              create   an   unique   filename   which   includes  the  current  timestamp.  e.g.:
              dnsmap_example_com_br_2019_11_15_214812.txt. So, you can provide a  directory  name
              only, as -r /tmp.

       -c <csv-results-file>
              Save  results  in  CSV format in a file. If a file name isn't provided, dnsmap will
              create something as dnsmap_example_com_br_2019_11_15_220114.csv. This is a  similar
              behaviour from -r option.

       -d <delay-millisecs>
              Limit  of random delay in milliseconds between successive queries. Delay value is a
              maximum random value. e.g. if you enter 1000, each DNS request will  be  delayed  a
              *maximum*  of  1  second.  By  default,  dnsmap  uses a value of 10 milliseconds of
              maximum delay between DNS lookups. It is  recommended  to  use  the  -d  (delay  in
              milliseconds)  option  in  cases  where  dnsmap  is  interfering  with  your online
              experience. i.e.: killing your bandwidth. If used, delay  must  be  between  1  and
              300000 milliseconds (5 minutes).

       -i <ips-to-ignore>
              IP  addresses  to  ignore  in  the  results  (useful  if  you  get  obtaining false
              positives). Use commas without spaces to separate the  IP  addresses.  The  maximum
              number of IPs to filter is 5. Example: 203.0.113.10,198.51.199.65

INTERNAL WORDLIST

       The built-in wordlist is defined in src/dnsmap.h file. If needed, see the file to know all
       words.

EXAMPLES

       Subdomain bruteforcing using dnsmap's built-in wordlist:

           $ dnsmap example.com

       Subdomain bruteforcing using a user-supplied wordlist:

           $ dnsmap example.com -w wordlist.txt

       Subdomain bruteforcing using the built-in wordlist and saving the results to /tmp/ :

           $ dnsmap example.com -r /tmp

       Example of subdomain bruteforcing using the  built-in  wordlist,  saving  the  results  to
       /tmp/, and waiting a random maximum of 300 milliseconds between each request:

           $ dnsmap example.com -r /tmp/ -d 300

       Subdomain  bruteforcing  with 0.8 seconds delay, saving results in regular and CSV format,
       filtering 2 user-provided IP and using a user-supplied wordlist:

           $ dnsmap example.com -d 800 -r /tmp/ -c /tmp/ -i 10.55.206.154,10.55.24.100 -w ./wordlist_TLAs.txt

BUGS

       Currently, dnsmap does not yet support parallel scanning and hence take quite a long time.

       New   bugs   should   be    reported    at    https://github.com/resurrecting-open-source-
       projects/dnsmap/issues

SEE ALSO

       crunch(1), cupp(1), dnsmap-bulk(1)

AUTHOR

       dnsmap  was  originally  written  by  "pagvac"  in  2006.  Currently  it  is maintained by
       volunteers,  inside  dnsmap   project,   at   https://github.com/resurrecting-open-source-
       projects/dnsmap/

       This manpage was written by Joao Eriberto Mota Filho.