The script saves temporary files in the /tmp/dnsexplorer/ folder, and these are deleted at the end of its execution. If a runtime error occurs, it is a good idea to delete this directory yourself if the leftover evidence worries you.
The script has two main modes of operation, which correspond to a basic enumeration of a domain and its DNS servers in order to discover more subdomains.
After discovering the DNS servers behind a domain, the script tries to do an AXFR zone transfer on each of the servers with an NS record.
If all servers fail and zone transfer is not possible, or DNSSEC is enabled, the script automatically switches to its brute-force function.
Custom: In case you have a custom dictionary and you want to fuzz the subdomains with information taken from your information gathering phase, you can specify the file path.
This file must be specified using the absolute path, or just the name if it is in the same directory as the script. Note: The file must be plain text in the “ASCII text” format; any other format will not be accepted by the script.
TLS SAN Validation
The script validates if it can connect to the domain using openssl against port 443 in order to find a secure website, then it inspects its TLS certificate for SAN records and displays them to the user.
Port 443 is used by default because the vast majority of domains on the internet host their secure web service on that port. However, this can be changed in the script code for specific cases.
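The SAN inspection described above can be reproduced by hand to see which hostnames a certificate discloses. This is an added example, not code from the script itself; the function names and the sample certificate text are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: list the DNS names in a certificate's Subject Alternative Name.

# Fetch the leaf certificate from host:port and print it in text form.
# Needs network access and the openssl CLI; not called by the offline demo below.
fetch_cert_text() {
    local host="$1" port="${2:-443}"
    openssl s_client -connect "${host}:${port}" -servername "${host}" \
        </dev/null 2>/dev/null | openssl x509 -noout -text
}

# Read `openssl x509 -text` output on stdin and print each DNS SAN once, sorted.
# Names are lowercased; non-DNS entries (IP Address:, email:, URI:) are ignored.
extract_sans() {
    awk '
        /X509v3 Subject Alternative Name/ { grab = 1; next }  # value is on the next line
        grab {
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                entry = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", entry)
                if (entry ~ /^DNS:/) print tolower(substr(entry, 5))
            }
            grab = 0
        }
    ' | LC_ALL=C sort -u
}

# Constructed sample of the relevant text output (not a real certificate).
sample_cert_text() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:example.test, DNS:www.example.test, DNS:*.dev.example.test, IP Address:192.0.2.10, DNS:WWW.example.test
            X509v3 Basic Constraints: critical
                CA:FALSE
EOF
}

# Offline demo; for a live host use: fetch_cert_text example.test 443 | extract_sans
sample_cert_text | extract_sans
```

Running the same pipeline against your own hosts shows which internal or staging names a shared certificate reveals to anyone who connects.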
Ideal for running in hostile shell environments, for example a low-privilege remote reverse shell. Unnecessary output and bash colors have been removed, and the script has been shortened by removing unnecessary line breaks to optimize its performance.