Created August 8, 2019 16:43
Browser-based subdomain bruteforcing using DNS over HTTP(s) (DoH)
Developer: Marzavec ( )
Description: A simple browser-based subdomain bruteforcing script, using DoH providers. Developed as a 5 minute hack, just to see its performance. Many improvements could be made, such as adding error handling or informing the user when the script is done.
Usage: Open the browser's dev console (usually F12), paste this script, change the `rootTld`, press enter to run. Ezpz.
const rootTld = ''; // change to your target's root tld

// url to newline separated wordlist
const wordlistUrl = '';

// array of dns over https providers, these have been tested against ratelimiting
const providerArray = ['','','','','','',''];

// pull wordlist from source path
async function pullWordlist(path) {
  let response = await fetch(path);
  let data = await response.text();
  return data.split("\n");
}

// loop through each word and start the dns request
async function start(wordlist) {
  wordlist.forEach((word) => {
    requestDns(`${word}.${rootTld}`);
  });
}

// performs the get request to a random doh provider
async function requestDns(domain) {
  let provider = providerArray[Math.floor(Math.random()*providerArray.length)];
  let response = await fetch(`${provider}?name=${domain}&type=A&cd=true`);
  let record = await response.json();
  checkResponse(record);
}

// check provider's response, `Status` will be 0 if found
function checkResponse(record) {
  // a Status of 0 can still come back without an Answer section, so guard before indexing
  if (record.Status === 0 && Array.isArray(record.Answer) && record.Answer.length > 0) {
    console.log(`Found ${record.Answer[0].name} at ${record.Answer[0].data}`);
  }
}

// request wordlist, then start processing
pullWordlist(wordlistUrl)
  .then(wordlist => start(wordlist));
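
Added example, not part of the gist: because the script picks a random DoH provider for each name, the lookups reach a zone's authoritative servers from several public resolver addresses, so a per-source threshold can stay quiet while the zone as a whole sees a burst of non-existent names. The sketch below aggregates per zone and time window instead. The log format, the `example.com` zone, the documentation-range IPs, the function names and the thresholds are all assumptions made for illustration.

```javascript
// Constructed sample of authoritative-server query logs (assumed format):
// "<seconds> <resolver source IP> <queried name> <rcode>"
const SAMPLE_LOG = `
5941 192.0.2.10 www.example.com NOERROR
5950 192.0.2.10 mail.example.com NOERROR
5955 198.51.100.7 typo.example.com NXDOMAIN
6001 192.0.2.10 admin.example.com NXDOMAIN
6001 198.51.100.7 dev.example.com NXDOMAIN
6002 203.0.113.5 staging.example.com NXDOMAIN
6002 192.0.2.10 vpn.example.com NXDOMAIN
6003 198.51.100.7 www.example.com NOERROR
6003 203.0.113.5 test.example.com NXDOMAIN
6004 192.0.2.10 intranet.example.com NXDOMAIN
`;

// Parse one log line; returns null for blank or malformed lines.
function parseLine(line) {
  const [ts, src, qname, rcode] = line.trim().split(/\s+/);
  if (!rcode || !/^\d+$/.test(ts)) return null;
  return { ts: Number(ts), src, qname: qname.toLowerCase().replace(/\.$/, ''), rcode };
}

// Flag time windows where many distinct non-existent names under `zone` were
// queried, counted across all resolver IPs rather than per source.
function detectEnumeration(logText, zone, { windowSec = 60, minDistinctNx = 5, minNxRatio = 0.8 } = {}) {
  const windows = new Map();
  for (const line of logText.split('\n')) {
    const rec = parseLine(line);
    if (!rec || !rec.qname.endsWith(`.${zone}`)) continue;
    const start = Math.floor(rec.ts / windowSec) * windowSec;
    if (!windows.has(start)) windows.set(start, { names: new Set(), nx: new Set(), bySource: new Map() });
    const w = windows.get(start);
    w.names.add(rec.qname);
    if (rec.rcode !== 'NXDOMAIN') continue;
    w.nx.add(rec.qname);
    if (!w.bySource.has(rec.src)) w.bySource.set(rec.src, new Set());
    w.bySource.get(rec.src).add(rec.qname);
  }
  const alerts = [];
  for (const [windowStart, w] of windows) {
    if (w.nx.size < minDistinctNx || w.nx.size / w.names.size < minNxRatio) continue;
    const maxPerSource = Math.max(...[...w.bySource.values()].map((s) => s.size));
    alerts.push({ windowStart, distinctNx: w.nx.size, sources: w.bySource.size, maxPerSource });
  }
  return alerts;
}

console.log(detectEnumeration(SAMPLE_LOG, 'example.com'));
```

In the constructed sample no single resolver address accounts for more than three of the six non-existent names, which is why `maxPerSource` stays below the default threshold while the zone-wide count crosses it.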