Browser-based subdomain bruteforcing using DNS over HTTP(s) (DoH)
/* | |
Developer: Marzavec ( https://github.com/marzavec ) | |
Description: A simple browser-based subdomain bruteforcing script, using DoH providers. Developed as a 5 minute hack, just to see it's preformance. Many improvements could be made, such as adding error handling or informing the user when the script is done. | |
Usage: Open the browsers dev console (usually F12), paste this script, change the `rootTld`, press enter to run. Ezpz. | |
*/ | |
const rootTld = 'lyka.pro'; // change to your target's root tld | |
// url to newline seperated wordlist | |
const wordlistUrl = 'https://raw.githubusercontent.com/rbsec/dnscan/master/subdomains.txt'; | |
// array of dns over https providers, these have been tested against ratelimiting | |
const providerArray = ['https://dns.google.com/resolve','https://doh-jp.blahdns.com/dns-query','https://doh-de.blahdns.com/dns-query','https://dns.dns-over-https.com/dns-query','https://doh.securedns.eu/dns-query','https://doh.dns.sb/dns-query','https://doh.li/dns-query']; | |
// pull wordlist from source path | |
async function pullWordlist(path) { | |
let response = await fetch(path); | |
let data = await response.text(); | |
return data.split("\n"); | |
} | |
// loop through each word and start the dns request | |
async function start(wordlist) { | |
wordlist.forEach((word) => { | |
requestDns(`${word}.${rootTld}`); | |
}); | |
} | |
// preforms the get request to a random doh provider | |
async function requestDns(domain) { | |
let provider = providerArray[Math.floor(Math.random()*providerArray.length)]; | |
let response = await fetch(`${provider}?name=${domain}&type=A&cd=true`); | |
let record = await response.json(); | |
checkResponse(record); | |
} | |
// check provider's response, `Status` will be 0 if found | |
function checkResponse(record) { | |
if (record.Status === 0) { | |
console.log(`Found ${record.Answer[0].name} at ${record.Answer[0].data}`); | |
} | |
} | |
// request wordlist, then start processing | |
pullWordlist(wordlistUrl) | |
.then(wordlist => start(wordlist)); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment