Dnsmap is a subdomain brute-forcing program. It ships with a built-in wordlist, so it works out of the box, and you can supply your own list of candidate subdomains instead. Dnsmap is meant to be used by responsible pentesters during the information gathering/enumeration phase of infrastructure security assessments. Because it brute forces by actually querying names under the target domain, the activity shows up in the target's DNS logs; only run it against domains you have permission to test (your own, or those of a client who has authorized the assessment).

Note: you may also want to consider gxfr.py to find subdomains. That script filters Google search results for subdomain names, which makes it a very effective passive subdomain finder that sends no queries to the target's name servers. Here is a tutorial on it: http://itswapshop.com/tutorial/gxfrpy-sub-domain-discovering-script-using-google-queries

To download and compile dnsmap from source, run the following commands (tested on Ubuntu and openSUSE; dnsmap is also packaged in Kali Linux, where apt-get install dnsmap is enough):

wget http://dnsmap.googlecode.com/files/dnsmap-0.30.tar.gz

tar -xzf dnsmap-0.30.tar.gz

cd dnsmap-0.30/

make

sudo make install

Simply add a domain name after dnsmap to run the program:

dnsmap my-domain.com

dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)

[+] warning: domain might use wildcards. 3.3.3.3 will be ignored from results

[+] searching (sub)domains for my-domain.com using built-in wordlist

[+] using maximum random delay of 10 millisecond(s) between requests

ad.my-domain.com

IP address #1: 2.2.2.2

admin.my-domain.com

IP address #1: 1.1.1.1

...

You will get a list of subdomains and IP addresses to carry into the next phase of the pentest. Pay attention to the wildcard warning at the top of the output: dnsmap resolves a random label that should not exist under the domain, and if it gets an answer (3.3.3.3 above) it treats the domain as wildcarded and drops every hit that returns that address, since on a wildcard domain every label resolves. If you still see false positives, for example a second wildcard address, pass the addresses to ignore with -i. To get a full list of options available with dnsmap, just type dnsmap at the terminal:

dnsmap

dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)

usage: dnsmap <target-domain> [options]

options:

-w <wordlist-file>

-r <regular-results-file>

-c <csv-results-file>

-d <delay-millisecs>

-i <ips-to-ignore> (useful if you're obtaining false positives)

e.g.:

dnsmap target-domain.foo

dnsmap target-domain.foo -w yourwordlist.txt -r /tmp/domainbf_results.txt

dnsmap target-domain.foo -r /tmp/ -d 3000

dnsmap target-domain.foo -r ./domainbf_results.txt
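To make the wildcard handling and the brute-force loop concrete, here is a small Python reimplementation of what the dnsmap run above does. This is an added example written for this page, not dnsmap's own source: the wildcard check (resolve a few random labels, ignore whatever addresses they return) is modelled on the warning dnsmap prints and on its -i option, and the resolver is injectable so the script can be driven offline against a constructed zone (the hostnames and addresses in FAKE_ZONE are made up to mirror the sample output). With the default system_resolver it queries real DNS, so the same authorization caveat as for dnsmap applies.

```python
import random
import socket
import string
import time
from typing import Callable, Dict, List, Optional, Set

# A resolver maps a hostname to its IPv4 addresses; [] means the name does not resolve.
Resolver = Callable[[str], List[str]]


def system_resolver(hostname: str) -> List[str]:
    """Resolve through the OS resolver (sends real queries, like dnsmap does)."""
    try:
        _, _, addrs = socket.gethostbyname_ex(hostname)
        return addrs
    except socket.gaierror:
        return []


def make_fake_resolver(zone: Dict[str, List[str]], wildcard_ip: Optional[str] = None) -> Resolver:
    """Constructed offline resolver: explicit records from `zone`; every other name
    answers with `wildcard_ip` when set, which is exactly what a wildcard domain does."""
    def resolve(hostname: str) -> List[str]:
        if hostname in zone:
            return list(zone[hostname])
        return [wildcard_ip] if wildcard_ip else []
    return resolve


def wildcard_ips(domain: str, resolve: Resolver, rounds: int = 2) -> Set[str]:
    """Resolve a few random labels that cannot legitimately exist; any address
    they return is a wildcard answer and must be filtered from the results."""
    found: Set[str] = set()
    for _ in range(rounds):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=12))
        found.update(resolve(f"{label}.{domain}"))
    return found


def brute_force(domain: str, wordlist: List[str], resolve: Resolver = system_resolver,
                ignore: Optional[Set[str]] = None, max_delay_ms: int = 0) -> Dict[str, List[str]]:
    """Try every word as a label under `domain`; drop addresses that match the
    wildcard answer or the caller's ignore list (dnsmap's -i). Returns host -> addrs."""
    skip = set(ignore or ()) | wildcard_ips(domain, resolve)
    results: Dict[str, List[str]] = {}
    for raw in wordlist:
        word = raw.strip().lower()
        if not word or word.startswith("#"):
            continue
        host = f"{word}.{domain}"
        addrs = [a for a in resolve(host) if a not in skip]
        if addrs:
            results[host] = addrs
        if max_delay_ms:  # random pacing between requests, as dnsmap's -d does
            time.sleep(random.uniform(0, max_delay_ms) / 1000)
    return results


# Constructed sample zone mirroring the page's example: 3.3.3.3 is the wildcard answer,
# so dev.my-domain.com (which also points there) is indistinguishable from noise.
FAKE_ZONE = {
    "ad.my-domain.com": ["2.2.2.2"],
    "admin.my-domain.com": ["1.1.1.1"],
    "dev.my-domain.com": ["3.3.3.3"],
}
WORDS = ["ad", "admin", "dev", "mail", "", "# comment"]


def demo() -> Dict[str, List[str]]:
    resolver = make_fake_resolver(FAKE_ZONE, wildcard_ip="3.3.3.3")
    wild = wildcard_ips("my-domain.com", resolver)
    if wild:
        print(f"[+] warning: domain might use wildcards. {', '.join(sorted(wild))} will be ignored from results")
    found = brute_force("my-domain.com", WORDS, resolve=resolver)
    for host, addrs in found.items():
        print(host)
        for i, addr in enumerate(addrs, 1):
            print(f"IP address #{i}: {addr}")
    return found


if __name__ == "__main__":
    demo()
```

Run it as-is to see the offline demo; swap make_fake_resolver for the default system_resolver and a real wordlist to run it live. The point to take from the constructed zone is that a host whose only address is the wildcard address is invisible to any brute forcer, which is why a passive source like gxfr.py is a useful complement.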