Reconnaissance tool that scans JavaScript files for subdomains, then iterates over the JavaScript files hosted on each newly found subdomain, to enumerate the subdomains of a given domain.
- Scans a domain and identifies all subdomains referenced in its JavaScript files.
- Scans those subdomains and identifies all subdomains referenced in their JavaScript files.
- Continues until no new subdomains are identified.
To install, first clone this repository, then open a command line in the cloned directory and run:

```
pip install -r requirements.txt
```
Syntax:

```
$ python subscraper.py -u youtube.com -o output.txt
$ python subscraper.py -u youtube.com -v
$ python subscraper.py -u youtube.com -o output.txt -v
```

Options:

```
-h, --help  show this help message and exit
-u          URL of the website to scan.
-o          Output file (for results).
-v          Enables verbosity.
```
There's a lot of work left to do here, specifically around whitelisting which JavaScript files we scan and which we ignore. Generally speaking, for a domain `youtube.com` we would look to check any files referenced by a relative path, such as `script.js` or `/scripts/script.js`. We should also include all JavaScript files hosted on `*.youtube.com` and, if possible, add those hosting subdomains to our output as well, assuming they are not already there. Subdomains often turn up this way when CDNs host the JavaScript files, so it's important not to miss anything.
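The crawl loop described at the top of this README, combined with the whitelist rule above (relative script paths and scripts hosted on `*.<domain>` are scanned, third-party CDNs are not, and a hosting subdomain counts as a finding), as an added example; this is illustration code, not the project's own implementation. Network fetches are replaced by constructed in-memory dictionaries so it runs offline.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed offline stand-in for HTTP fetches (example data, not real sites):
# each page maps to its <script src> values, each script URL to its JS body.
PAGES = {
    "https://example.com/": ["script.js", "/scripts/app.js", "https://cdn.thirdparty.net/lib.js"],
    "https://api.example.com/": ["https://assets.example.com/bundle.js"],
}
SCRIPTS = {
    "https://example.com/script.js": "fetch('https://api.example.com/v1/users');",
    "https://example.com/scripts/app.js": "var host = 'static.example.com';",
    "https://assets.example.com/bundle.js": "new WebSocket('wss://ws.example.com/s');",
    "https://cdn.thirdparty.net/lib.js": "// third-party: hidden.example.com",
}

def in_scope(src, page_url, domain):
    """Resolve a script src against its page; keep it only if hosted on the domain or a subdomain."""
    url = urljoin(page_url, src)
    host = urlparse(url).hostname or ""
    if host == domain or host.endswith("." + domain):
        return url
    return None  # e.g. a third-party CDN: never fetched, never scanned

def find_subdomains(js_text, domain):
    """Return every <label>.<domain> hostname mentioned in a JS body (case-insensitive)."""
    pat = re.compile(r"(?<![a-z0-9.-])((?:[a-z0-9-]+\.)+" + re.escape(domain) + r")(?![a-z0-9-])")
    return {m.group(1) for m in pat.finditer(js_text.lower())}

def enumerate_subdomains(domain, fetch_page=PAGES.get, fetch_js=SCRIPTS.get):
    """Fixed-point crawl: scan in-scope JS of every known host, queue new hosts until none appear."""
    found, queue, scanned = {domain}, [domain], set()
    while queue:
        host = queue.pop(0)
        if host in scanned:
            continue
        scanned.add(host)
        page_url = f"https://{host}/"
        for src in fetch_page(page_url) or []:
            url = in_scope(src, page_url, domain)
            if url is None:
                continue
            # The host serving an in-scope script is itself a subdomain worth reporting.
            hosting = urlparse(url).hostname
            new_hosts = {hosting} | find_subdomains(fetch_js(url) or "", domain)
            queue.extend(new_hosts - found)
            found |= new_hosts
    return sorted(found - {domain})
```

Swapping `fetch_page`/`fetch_js` for real HTTP calls (a page fetcher returning its `<script src>` values and a script fetcher returning the body) turns this into the live crawl; `assets.example.com` is reported purely because it hosts a script, and `hidden.example.com` is never seen because the CDN file is out of scope.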