{
	"id": "17bfe067-ef61-4495-80c2-2736e7ae2f08",
	"created_at": "2026-04-06T00:09:53.156388Z",
	"updated_at": "2026-04-10T03:35:21.338227Z",
	"deleted_at": null,
	"sha1_hash": "26b347f7f28d3e79dadead244f6c9b9cd4d4b804",
	"title": "GitHub - TheRook/subbrute: A DNS meta-query spider that enumerates DNS records, and subdomains.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52862,
	"plain_text": "GitHub - TheRook/subbrute: A DNS meta-query spider that\r\nenumerates DNS records, and subdomains.\r\nBy brooksbf\r\nArchived: 2026-04-05 14:36:41 UTC\r\nsubdomain-bruteforcer (SubBrute)\r\nSubBrute is a community driven project with the goal of creating the fastest, and most accurate subdomain\r\nenumeration tool. Some of the magic behind SubBrute is that it uses open resolvers as a kind of proxy to\r\ncircumvent DNS rate-limiting (https://www.us-cert.gov/ncas/alerts/TA13-088A). This design also provides a layer\r\nof anonymity, as SubBrute does not send traffic directly to the target's name servers.\r\nWhats new in v2.1?\r\nBetter stablity. Better support for testing cloudflare domains.\r\nThank you for the bug posts!\r\nWhats new in v1.2.1?\r\nThe big news in this version is that SubBrute is now a recursive DNS-spider, and also a library, more on this later.\r\nSubBrute should be easy to use, so the interface should be intuitive (like nmap!), if you would like the interface to\r\nchange, let us know. In this version we are opening up SubBrute's fast DNS resolution pipeline for any DNS\r\nrecord type. Additionally, SubBrute now has a feature to detect subdomains were their resolution is intentionally\r\nblocked, which sometimes happens when a subdomain is intended for for use on an internal network.\r\nSubBrute is now a DNS spider that recursively crawls enumerated DNS records. This feature boosted\r\n*.google.com from 123 to 162 subdomains. (Always enabled)\r\n--type enumerate an arbitrary record type (AAAA, CNAME, SOA, TXT, MX...)\r\n-s can now read subdomains from result files.\r\nNew useage - The subdomains enumerated from previous scans can now be used as input to enumerate\r\nother DNS records. The following commands demonstrate this new functionality:\r\n./subbrute.py google.com -o google.names\r\n...162 subdomains found...\r\n./subbrute.py -s google.names google.com --type TXT\r\ngoogle.com,\"v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all\"\r\nadwords.google.com,\"v=spf1 redirect=google.com\"\r\n...\r\nhttps://github.com/TheRook/subbrute\r\nPage 1 of 3\n\n./subbrute.py -s google.names google.com --type CNAME\r\nblog.google.com,www.blogger.com,blogger.l.google.com\r\ngroups.google.com,groups.l.google.com\r\n...\r\nSubBrute is now a subdomain enumeration library with a python interface: subbrute.run() Do you want to\r\nuse SubBrute in your python projects? Consider the following:\r\nimport subbrute\r\nfor d in subbrute.run(\"google.com\"):\r\nprint d\r\nFeedback welcome.\r\nWhats new in v1.1?\r\nThis version merges pull requests from the community; changes from JordanMilne, KxCode and rc0r is in this\r\nrelease. In SubBrute 1.1 we fixed bugs, improved accuracy, and efficiency. As requested, this project is now\r\nGPLv3.\r\nAccuracy and better wildcard detection:\r\nA new filter that can pickup geolocation aware wildcards.\r\nFilter misbehaving nameservers\r\nFaster:\r\nMore than 2,000 high quality nameservers were added to resolvers.txt, these servers will resolve multiple\r\nqueries in under 1 sec.\r\nNameservers are verified when they are needed. A seperate thread is responsible creating a feed of\r\nnameservers, and corresponding wildcard blacklist.\r\nNew output:\r\n-a will list all addresses associated with a subdomain.\r\n-v debug output, to help developers/hackers debug subbrute.\r\n-o output results to file.\r\nMore Information\r\nnames.txt contains 101,010 subdomains. subs_small.txt was stolen from fierce2 which contains 1896 subdomains.\r\nIf you find more subdomains to add, open a bug report or pull request and I'll be happy to add them.\r\nNo install required for Windows, just cd into the 'windows' folder:\r\nhttps://github.com/TheRook/subbrute\r\nPage 2 of 3\n\nsubbrute.exe google.com\r\nEasy to install: You just need http://www.dnspython.org/ and python2.7 or python3. This tool should work under\r\nany operating system: bsd, osx, windows, linux...\r\n(On a side note giving a makefile root always bothers me, it would be a great way to install a backdoor...)\r\nUnder Ubuntu/Debian all you need is:\r\nsudo apt-get install python-dnspython\r\nOn other operating systems you may have to install dnspython manually:\r\nhttp://www.dnspython.org/\r\nEasy to use:\r\n./subbrute.py google.com\r\nTests multiple domains:\r\n./subbrute.py google.com gmail.com blogger.com\r\nor a newline delimited list of domains:\r\n./subbrute.py -t list.txt\r\nAlso keep in mind that subdomains can have subdomains (example: _xmpp-server._tcp.gmail.com):\r\n./subbrute.py gmail.com \u003e gmail.out\r\n./subbrute.py -t gmail.out\r\nCheers!\r\nSource: https://github.com/TheRook/subbrute\r\nhttps://github.com/TheRook/subbrute\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://github.com/TheRook/subbrute"
	],
	"report_names": [
		"subbrute"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434193,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/26b347f7f28d3e79dadead244f6c9b9cd4d4b804.pdf",
		"text": "https://archive.orkl.eu/26b347f7f28d3e79dadead244f6c9b9cd4d4b804.txt",
		"img": "https://archive.orkl.eu/26b347f7f28d3e79dadead244f6c9b9cd4d4b804.jpg"
	}
}