Tool Documentation:
dnsmap Usage Example
Scan example.com using a wordlist (-w /usr/share/wordlists/dnsmap.txt):
root@kali:~# dnsmap example.com -w /usr/share/wordlists/dnsmap.txt
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)
[+] searching (sub)domains for example.com using /usr/share/wordlists/dnsmap.txt
[+] using maximum random delay of 10 millisecond(s) between requests
dnsmap-bulk Usage Example
Create a file containing domain names to scan (domains.txt) and pass it to dnsmap-bulk.sh:
root@kali:~# echo "example.com" >> domains.txt
root@kali:~# echo "example.org" >> domains.txt
root@kali:~# dnsmap-bulk.sh domains.txt
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)
[+] searching (sub)domains for example.com using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests
Packages and Binaries:
dnsmap
DNS domain name brute forcing tool
dnsmap scans a domain for common subdomains using a built-in or an external
wordlist (if specified using -w option). The internal wordlist has around 1000
words in English and Spanish as ns1, firewall servicios and smtp. So will be
possible search for smtp.example.com inside example.com automatically. Results
can be saved in CSV and human-readable format for further processing. dnsmap
does NOT require root privileges to be run, and should NOT be run with such
privileges for security reasons.
dnsmap was originally released back in 2006 and was inspired by the fictional story “The Thief No One Saw” by Paul Craig, which can be found in the book “Stealing the Network - How to 0wn the Box”.
dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target company’s IP netblocks, domain names, phone numbers, etc.
Subdomain brute-forcing is another technique that should be used in the enumeration stage, as it’s especially useful when other domain enumeration techniques such as zone transfers don’t work (I rarely see zone transfers being publicly allowed these days by the way).
Fun things that can happen:
- Finding interesting remote access servers (e.g.: https:://extranet.example.com).
- Finding badly configured and/or unpatched servers (e.g.: test.example.com).
- Finding new domain names which will allow you to map non-obvious/hard-to-find netblocks of your target organization (registry lookups - aka whois is your friend).
- Sometimes you find that some bruteforced subdomains resolve to internal IP addresses (RFC 1918). This is great as sometimes they are real up-to-date “A” records which means that it is possible to enumerate internal servers of a target organization from the Internet by only using standard DNS resolving (as opposed to zone transfers for instance).
- Discover embedded devices configured using Dynamic DNS services (e.g.: IP Cameras). This method is an alternative to finding devices via Google hacking techniques.
This package provides two possible commands: dnsmap and dnsmap-bulk.
This program is useful for pentesters, ethical hackers and forensics experts. It also can be used for security tests.
Installed size: 259 KB
How to install: sudo apt install dnsmap
Dependencies:
- libc6
dnsmap
Scan for subdomains using bruteforcing techniques
root@kali:~# man dnsmap
dnsmap(1) scan for subdomains using bruteforcing techniques dnsmap(1)
NAME
dnsmap - scan for subdomains using bruteforcing techniques
SYNOPSIS
dnsmap <target-domain> [options]
DESCRIPTION
dnsmap scans a domain for common subdomains using a built-in or an exter-
nal wordlist (if specified with -w option). The internal wordlist has
around 1000 words in English and Spanish as ns1, firewall, servicios and
smtp. So will be possible search for smtp.example.com inside example.com
automatically. Results can be saved in CSV and human-readable format for
further processing. dnsmap does NOT require root privileges to be run, and
should NOT be run with such privileges for security reasons.
dnsmap was originally released back in 2006 and was inspired by the fic-
tional story "The Thief No One Saw" by Paul Craig, which can be found in
the book "Stealing the Network - How to 0wn the Box".
dnsmap is mainly meant to be used by pentesters during the information
gathering/enumeration phase of infrastructure security assessments. During
the enumeration stage, the security consultant would typically discover
the target company's IP netblocks, domain names, phone numbers, etc.
Subdomain bruteforcing is another technique that should be used in the
enumeration stage, as it's especially useful when other domain enumeration
techniques such as zone transfers don't work (is rare to see zone trans-
fers being publicly allowed these days by the way).
Fun things that can happen:
1. Finding interesting remote access servers (e.g.: https://ex-
tranet.example.com).
2. Finding badly configured and/or unpatched servers (e.g.:
test.example.com).
3. Finding new domain names which will allow you to map non-obvi-
ous/hard-to-find netblocks of your target organization (reg-
istry lookups - aka whois is your friend).
4. Sometimes you find that some bruteforced subdomains resolve to
internal IP addresses (RFC 1918). This is great as sometimes
they are real up-to-date "A" records which means that it *is*
possible to enumerate internal servers of a target organization
from the Internet by only using standard DNS resolving (as op-
posed to zone transfers for instance).
5. Discover embedded devices configured using Dynamic DNS services
(e.g.: IP Cameras). This method is an alternative to finding
devices via Google hacking techniques.
OPTIONS
-w <wordlist-file>
Use an external wordlist instead of the built-in one. You can use
programs as crunch or cupp to generate personalized wordlists.
-r <regular-results-file>
Save results to a plain text file. If a file name isn't supplied,
dnsmap will create an unique filename which includes the current
timestamp. e.g.: dnsmap_example_com_br_2019_11_15_214812.txt. So,
you can provide a directory name only, as -r /tmp.
-c <csv-results-file>
Save results in CSV format in a file. If a file name isn't pro-
vided, dnsmap will create something as dnsmap_exam-
ple_com_br_2019_11_15_220114.csv. This is a similar behaviour from
-r option.
-d <delay-millisecs>
Limit of random delay in milliseconds between successive queries.
Delay value is a maximum random value. e.g. if you enter 1000, each
DNS request will be delayed a *maximum* of 1 second. By default,
dnsmap uses a value of 10 milliseconds of maximum delay between DNS
lookups. It is recommended to use the -d (delay in milliseconds)
option in cases where dnsmap is interfering with your online expe-
rience. i.e.: killing your bandwidth. If used, delay must be be-
tween 1 and 300000 milliseconds (5 minutes).
-i <ips-to-ignore>
IP addresses to ignore in the results (useful if you get obtaining
false positives). Use commas without spaces to separate the IP ad-
dresses. The maximum number of IPs to filter is 5. Example:
203.0.113.10,198.51.199.65
INTERNAL WORDLIST
The built-in wordlist is defined in src/dnsmap.h file. If needed, see the
file to know all words.
EXAMPLES
Subdomain bruteforcing using dnsmap's built-in wordlist:
$ dnsmap example.com
Subdomain bruteforcing using a user-supplied wordlist:
$ dnsmap example.com -w wordlist.txt
Subdomain bruteforcing using the built-in wordlist and saving the results
to /tmp/ :
$ dnsmap example.com -r /tmp
Example of subdomain bruteforcing using the built-in wordlist, saving the
results to /tmp/, and waiting a random maximum of 300 milliseconds between
each request:
$ dnsmap example.com -r /tmp/ -d 300
Subdomain bruteforcing with 0.8 seconds delay, saving results in regular
and CSV format, filtering 2 user-provided IP and using a user-supplied
wordlist:
$ dnsmap example.com -d 800 -r /tmp/ -c /tmp/ -i 10.55.206.154,10.55.24.100 -w ./wordlist_TLAs.txt
BUGS
Currently, dnsmap does not yet support parallel scanning and hence take
quite a long time.
New bugs should be reported at https://github.com/resurrecting-open-
source-projects/dnsmap/issues
SEE ALSO
crunch(1), cupp(1), dnsmap-bulk(1)
AUTHOR
dnsmap was originally written by "pagvac" in 2006. Currently it is main-
tained by volunteers, inside dnsmap project, at https://github.com/resur-
recting-open-source-projects/dnsmap/
This manpage was written by Joao Eriberto Mota Filho.
dnsmap-0.36 25 Feb 2021 dnsmap(1)
dnsmap-bulk
Mass scan using dnsmap
root@kali:~# man dnsmap-bulk
dnsmap-bulk(1) mass scan using dnsmap dnsmap-bulk(1)
NAME
dnsmap-bulk - mass scan using dnsmap
SYNOPSIS
dnsmap-bulk <domains-file> [results-path]
DESCRIPTION
dnsmap-bulk is used to bruteforce several target domains in bulk fashion.
In other words, is possible get a list of domains from a file to scan mul-
tiple targets using dnsmap as backend.
WARNING: using dnsmap-bulk, dnsmap will always use the default options,
i.e. built-in wordlist, delay = 10 ms, never ignoring IPs.
OPTIONS
domain-file
A file with domains to be scanned, one per line.
results-path
A path where the results will be saved. dnsmap will use the -r op-
tion to name files and will be created a file for each domain. This
item is optional and if not supplied, dnsmap won't create files.
EXAMPLE
For bruteforcing a list of target domains in a bulk fashion, saving all
results inside a directory:
$ dnsmap-bulk domains.txt /tmp/results/
SEE ALSO
dnsmap(1)
AUTHOR
dnsmap-bulk was originally written by "pagvac" in 2006. Currently it is
maintained by volunteers, inside dnsmap project, at
https://github.com/resurrecting-open-source-projects/dnsmap/
This manpage was written by Joao Eriberto Mota Filho.
dnsmap-bulk-0.1 18 Nov 2019 dnsmap-bulk(1)
Updated on: 2026-May-25