VEnum — Subdomain Enumeration Tool
The first step in any Pentesting engagement or Bug Hunting is to mapping and enumerate all target’s assets specially if you will go blackbox with huge company with huge asseet of domains.
So, I decided to create a simple bash script with easy usage to collect all subdomains via combines various subdomain discovery tools such as:
- subfinder
- assetfinder
- findomain
- amass
- httprobe
- dnsrecon
- sublist3r
and processes the results to provide a comprehensive list of subdomains for a given target domain.
Setup and installation:
You can easily download it from: https://github.com/heshamm1/VEnum, and after successfully download it you can run the setup.sh
script to install all required tools and dependencies:
chmod +x setup.sh
sudo ./setup.sh
After this step you only have re-configure its permission and using it:
chmod +x VEnum.sh
./VEnum.sh -h
Usage:
The tool gives you the ability to use it in its default state to only collect subdomain from multiple sources and re-arrange the asset and remove duplicates and print all the out put on file to assess it later.
./VEnum.sh -d tesla.com -f subs.txt -v
Or you can use its options to configure your scan result:
Options:
-d: Target domain (required)
-f: Filepath and name to save results (default: subs.txt)
-v: Verbose output
--resolve: Resolve subdomains to IPs and save to specified file
--proxy: Use a proxy (format: http://IP:Port)
--only: Use specific tools (comma-separated list)
-a: Use all available tools (default)
Or if you have list of subdomain enumeration tools, the tool is opensource you can easily open the VEnum.sh file and add any tool on this line:
tools="subfinder,assetfinder,findomain,amass,httprobe,dnsrecon,sublist3r"
If you need a fast response, you can modify the asset list by using argument — only that will the ability to use some specific tools to enumerate your target:
./VEnum.sh -d tesla.com -f subs.txt --only assetfinder,amass
Also, If you connected to the target through proxy, the — proxy argument will add value to your enumeration:
./VEnum.sh -d tesla.com -f subs.txt --proxy http://127.0.0.1:8080
And if you want to resolve all discovered hosts into IPs to scan it, argument — resolve will help you in this journey:
./VEnum.sh -d tesla.com -f subs.txt --resolve ips.txt
In the end, this tool is designed for personal use, but I don’t mind spreading the benefit, but only for ethical porpuse :)