Gotator is a tool to generate DNS wordlists through permutations.

Overview

Gotator

Gotator is a tool to generate DNS wordlists through permutations.


🛠️ Installation

If you want to make modifications locally and compile it, follow the instructions below:

> git clone https://github.com/Josue87/gotator.git
> cd gotator
> go build

If you are only interested in using the program:

> go get github.com/Josue87/gotator

🐳 Docker option:

> git clone https://github.com/Josue87/gotator.git
> cd gotator
> docker build -t gotator . 
# Usage 
> docker run gotator -sub subdomains.txt  [...]

Note If you are using version 1.16 or higher and you have any errors, run the following command:

> go env -w GO111MODULE="auto"

To upgrade the version add the -u parameter to the installation command.

Features

Gotator has the following features for permutation:

  • Checks domain and TLD analyzing ccSLDs to avoid going out of scope (example.com, example.com.mx, etc.).
  • Permute numbers up and down [-numbers ], for example:
    • Target subdomain is 10 and numbers flag is set to 3 [-numbers 3], as a result we will have between 7 and 13.
    • Target subdomain is dev1 and numbers flag is set to 3 [-numbers 3], we will see dev0, dev1, dev2, dev3, and dev4 (avoiding negative numbers).
  • Gotator has 3 levels of depth [-depth ]:
    • If depth is set to 1 (default mode), to permute test word on example.com, we will get test.example.com. With this option if subdomain target is tech.example.com and permutation is test we also interchange the position for the permutation "-" and "", obtaining results such as techtest.example.com and tech-test.example.com (check example 1).
    • If depth is set to 2, and we have to permute dev and demo on example.com, we will obtain dev.demo.example.com or demo-dev.example.com apart from demo.example.com and dev.example.com. Depth level 3 is an extension of this example.
  • Control and reduce duplicates (due to the high number of lines generated, the objective here is to reduce as much as possible the domains with almost null possibilities to exist):
    • If we have test.example.com and the next permutation will be test again, it is ignored.
    • If we have testing.example.com and test comes up, when matching test it will be joined with . and -, avoiding testtesting.example.com
    • If we have 100.example.com and it gets 90 to permute, the permutation is ignored as it already has a number permutation feature.
    • If we have test100.example.com and it gets test to permute, we remove numbers and test==test so the permutation is ignored as it already has something very similar.
  • For the subdomains within the target, for example demo210.example.com, we get the value demo210 and add it to the permutations list.
  • Mode to "swap" domains, i.e. if the target is dev.tech.example.com, it will be added as target tech.example.com and example.com [-md].
  • Option to add default permutations list defined in gotator [-prefixes].
  • Only the results are written to the standard output. Banner and messages are sent to the error output. So you can pipe the command.

🗒 Options

The flags that can be used to launch the tool:

Flag Type Mandatory Description Example
sub string yes List of domains to be swapped. -sub subdomains.txt
perm string no List of permutations. -perm permutations.txt
depth uint no Configure the depth (Between 1 and 3) - Default 1. -depth 2
numbers uint no Configure the number of iterations to the numbers found in the permutations (up and down). Default 0 Skip!. -numbers 10
prefixes bool no Adding default gotator prefixes to permutations. If not configured perm is used by default. If perm is specified with this flag you merge the permutations. -prefixes
md bool no Extract 'previous' domains and subdomains from subdomains found in the list 'sub'. -md
silent bool no Gotator banner is not displayed. -silent

👾 Usage

gotator -sub domains.txt -perm permutations.txt -depth 2 -numbers 5 > output.txt

To filter the result and remove possible duplicates:

gotator -sub domains.txt -perm permutations.txt -depth 3 -numbers 10 -md | uniq > output2.txt

Change uniq to sort -u of the previous command if you want to sort them. (Not recommended due to time)

Note: If you are compiling locally don't forget the ./ in front of your binary!

🚀 Examples

We have the following lists:

image

In the first example we mutate on the specified subdomain

image

In the following example we instruct Gotator to extract possible domains from the subdomains with -md:

image

You can see that example.com is taken into account. Now an example with a list of permutations containing test100demo and we give it the argument -numbers 3:

image

Finally, it is possible to see a greater mutation depth and also specify the prefixes parameter (which adds a small mutation list).

image

The last example shows only part of the output.

👉 Disclaimer

This tool can generate huge size files and some duplicates, we encourage to filter the output with uniq or sort -u and take care of depth flag due to the size output (it's easy to generate files > 10 GB). Keep in mind piped output to other tools requires the tool processing the whole output at once (sort, uniq).

  • Examples:
# Filter output by size
gotator -sub subs.txt -perm perm.txt -depth 2 -numbers 5 -md | head -c 1G > output1G.txt

# Filter output by lines
gotator -sub subs.txt -perm perm.txt -depth 3 -numbers 20 | head -n 100000 > output100Klines.txt

# Sort unique lines
gotator -sub subs.txt -perm perm.txt -depth 2 -numbers 10 -prefixes | sort -u > outputSortUnique.txt

# Unique lines 
gotator -sub subs.txt -perm perm.txt -depth 3 | uniq > outputUnique.txt

# Sort unique with limit size
gotator -sub subs.txt -perm perm.txt -prefixes | head -c 1G | sort -u > output1GSortedUnique.txt

Note: Examples have been given using sort -u, that will slow down the generation of results. There is no need to sort the results, it is recommended to use uniq or anew.

Comments
  • Numbers Switch

    Numbers Switch

    @Josue87 It would be good if it have a switch to control the number mutations like if we want to mutate only 5 numbers like: Gotator -sub domains.txt -perm permutations.txt -depth 3 -numbers +5 -t 200 > output.txt One more things that gotator is not swapping the word from the subdomain list like:

    Wordlist one domainlist

    test.example.com
    

    gotator mutate like

    test.example.com
    one.test.example.com
    one-test.example.com
    onetest.example.com
    
    

    Here I like to have mutations as below (give attention on test word)

    one.test.example.com
    test.one.example.com
    onetest.example.com
    one-test.example.com
    testone.example.com
    test-one.example.com
    
    opened by jaikishantulswani 8
  • Threads Flag & Missing Mutation

    Threads Flag & Missing Mutation

    @Josue87 Can you please add a flag to control the number of threads meanwhile I also found that gotator is missing one mutation when we don't want to use depth flag so this would be in default mutation list but it is missing words:

    junk
    

    domain:

    new.example.com
    

    command

    gotator -sub domain -perm words -md | sort -u
    

    Result

    example.com
    junk.example.com
    junk-new.example.com
    junk.new.example.com
    junknew.example.com
    new.example.com
    new-junk.example.com
    newjunk.example.com
    new-new.example.com
    newnew.example.com
    

    As you see it is missing new.junk.example.com when it is having new-junk.example.com, results are also containing duplicates

    opened by jaikishantulswani 6
  • flag provided but not defined

    flag provided but not defined

    gotator -sub subdomains.txt -perm /usr/share/wordlists/dns/permutations_list.txt -depth 1 -numbers 10 -mindup -adv -md > permutations.txt 2 ⨯ When I run the above command it shows this -> flag provided but not defined: -mindup

    opened by 0xSudip 1
  • Permutation with numbers

    Permutation with numbers

    Hello,

    I recently found an issue on Gotator, which is related to the numbering. Imagine, here is the list of my initial subdomains:

    api.target.com
    js.target.com
    target.com
    ws.target.com
    www.target.com
    

    I then ran the following command:

    gotator -silent -sub subs.txt  -perm vhosts.txt -depth 1 -numbers 3 -mindup -adv -md >> permutation.txt
    

    but the tool is unable to create the js2.target.com, which is pretty odd as I am using the numbers properly. Also, please note that this example subdomain was vulnerable to a subdomain takeover, which is not nice to miss.

    Thanks in advance!

    Kind regards, HolyBugx

    opened by HolyBugx 1
  • no -adv flag

    no -adv flag

    hey thank you for the tool when i downloaded from binary of go there is no -adv option present

    flag provided but not defined: -adv Usage of gotator: -depth uint Specify the depth (Between 1 and 3) (default 1) -md Extract domains and subdomains from subdomains found in 'sub' list -mindup Set this flag to minimize duplicates. (For heavy workloads, it is recommended to activate this flag) -numbers uint Permute the numbers found in the list of permutations -perm string List of permutations (1 per line) -prefixes Adding gotator prefixes to permutations -silent Gotator banner is not displayed -sub string List of domains to be swapped (1 per line) [Required] -t uint Max Go routines (default 10) -version Show Gotator version

    opened by MR-pentestGuy 1
  • Can we have an option to estimate size/amount of output?

    Can we have an option to estimate size/amount of output?

    Sometimes output of permutation is over millions lines because of our settings. I thinks it is really helpful to estimate amount of output lines before we run, so we can optimize better settings.

    opened by sting8k 1
Releases(v1.1)
Owner
Josué Encinar
Offensive Security Engineer
Josué Encinar
Simple application written in Go that combines two wordlists and a list of TLDs to form domain names and check if they are already registered.

Domainerator Domainerator was my first Go application. It combines two wordlists (prefixes and suffixes) and a list of TLDs to form domain names and c

Herbert Fischer 27 Sep 16, 2022
A DNS client in Go that supports Google DNS over HTTPS

dingo A DNS client (stub resolver) implemented in Go for the Google DNS-over-HTTPS. It effectively encrypts all your DNS traffic. It also supports Ope

Pawel Foremski 756 Jul 6, 2022
dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols.

Overview A flexible DNS proxy, with support for modern encrypted DNS protocols such as DNSCrypt v2, DNS-over-HTTPS and Anonymized DNSCrypt. dnscrypt-p

DNSCrypt 9.3k Sep 30, 2022
A smol DNS server (<100 loc) that's configured with a static JSON file. Useful for split-dns.

A smol DNS server (<100 loc) that's configured with a static JSON file. Useful for split-dns.

Arne Bahlo 79 Jul 27, 2022
DNSTake — A fast tool to check missing hosted DNS zones that can lead to subdomain takeover

DNSTake — A fast tool to check missing hosted DNS zones that can lead to subdomain takeover

Pwnesia 659 Sep 16, 2022
A tool to solve DNS pollution of GitHub website. Query the real IP address of domain names such as github.com, and refresh the domain name setting of the system hosts file.

githubDNS Target A tool to solve DNS pollution of GitHub website. Query the real IP address of domain names such as github.com, and refresh the domain

null 0 Oct 14, 2021
Dangling DNS entries detection tool.

dnscheck Introduction dnscheck is a tool that reads a list of domains from a file and checks them for the following issues: CNAMEs pointing to an uncl

Mathieu Deous 1 Oct 23, 2021
DNS library in Go

Alternative (more granular) approach to a DNS library Less is more. Complete and usable DNS library. All Resource Records are supported, including the

Miek Gieben 6.5k Oct 2, 2022
DNS over HTTPS [mirror]

dnss dnss is a daemon for using DNS over HTTPS. It can act as a proxy, receiving DNS requests and resolving them using DNS-over-HTTPs (DoH). This can

Alberto Bertogli 99 Aug 19, 2022
DNS server with per-client targeted responses

GeoDNS servers This is the DNS server powering the NTP Pool system and other similar services. Questions or suggestions? For bug reports or feature re

Ask Bjørn Hansen 1.3k Sep 26, 2022
GRONG is a DNS (Domain Name System) authoritative name server.It is more a research project than a production-ready program.

GRONG (Gross and ROugh Nameserver written in Go) is a DNS (Domain Name System) authoritative name server. It is intended as a research project and is

Stéphane Bortzmeyer 57 Oct 17, 2020
Multicast DNS library for Go

Introduction This package allows Go processes to publish multicast DNS style records onto their local network segment. For more information about mDNS

Dave Cheney 191 Sep 20, 2022
Resolver (DNS) cache daemon.

RESCACHED(1) Manual Page NAME rescached - DNS resolver cache daemon. Table of Contents SYNOPSIS OPTIONS DESCRIPTION FEATURES BEHIND THE DNS HOW CACHE

Shulhan 27 Aug 25, 2022
CUP - Cloudflare (DNS) Updater Program

CUP The Cloudflare (DNS) Updater CUP is a tool to turn CloudFlare DNS into a Dynamic DNS service. Documentation Documentation can be found in the docs

Taylor Vierrether 29 Jun 6, 2022
🐶 Command-line DNS Client for Humans. Written in Golang

doggo ?? Command-line DNS client for humans doggo is a modern command-line DNS client (like dig) written in Golang. It outputs information in a neat c

Karan Sharma 974 Sep 23, 2022
CoreDNS is a DNS server that chains plugins

CoreDNS is a DNS server/forwarder, written in Go, that chains plugins. Each plugin performs a (DNS) function. CoreDNS is a Cloud Native Computing Foun

CoreDNS 9.8k Oct 1, 2022
Fast and lightweight DNS proxy as ad-blocker for local network with many features

Blocky Blocky is a DNS proxy and ad-blocker for the local network written in Go with following features: Features Blocking - Blocking of DNS queries w

Dimitri Herzog 1.9k Sep 26, 2022
Are you forwarding DNS traffic to another server for some reason, but want to make sure only queries for certain names are passed? Say no more.

DNSFWD Redirect DNS traffic to an upstream. Get Latest: wget https://github.com/C-Sto/dnsfwd/releases/latest/download/dnsfwd_linux (replace linux with

C_Sto 15 Jul 25, 2022
Fast DNS implementation for Go

Fast DNS implementation for Go Features 0 Dependency Similar Interface with net/http Fast DoH Server Co-create with fasthttp Fast DNS Client with rich

phuslu 101 Sep 21, 2022