Xorn is a versatile subdomain scanner tool written in Go. It enables you to discover subdomains of a given domain by performing DNS resolution, and optionally checking HTTP status codes and retrieving titles of web pages associated with the subdomains.
Xorn efficiently enumerates subdomains by performing DNS resolution for a given domain. It can handle large wordlists and parallelize the scanning process to improve performance.
The tool resolves subdomains to their corresponding IP addresses using the DNS lookup mechanism. It provides configurable options for timeout, retry attempts, and retry wait duration to fine-tune the resolution process.
Xorn optionally checks the HTTP status codes of the discovered subdomains. This feature allows you to identify active subdomains and determine their accessibility.
Additionally, Xorn can retrieve the titles of web pages associated with the discovered subdomains. This information provides insights into the content hosted on each subdomain.
To avoid overwhelming the DNS servers, Xorn implements rate limiting for DNS queries. You can configure the rate limit to control the number of queries per second.
You can supply a custom wordlist file containing potential subdomains to scan. Xorn appends the domain name to each entry in the wordlist for enumeration.
Xorn provides flexible options for outputting the scan results. You can save the results to a file, specifying the output format and separator.
-
Ensure you have Go installed. Download it from here.
-
Clone the repository:
git clone https://github.com/symbolexe/Xorn.git
-
Navigate to the cloned directory:
cd Xorn
-
Build the tool:
go build
-
Optionally, move the binary to a directory in your PATH:
sudo mv xorn /usr/local/bin/
Download precompiled binaries from the Releases section of this repository. Choose the appropriate binary for your operating system and architecture and download it. Then, move the binary to a directory in your PATH.
Xorn provides a wide range of options to customize the scanning process. Here's how you can use it
./xorn -d <domain> [options]
- -d : Specifies the domain to scan subdomains for.
- -t : Number of concurrent threads (default is 100).
- --timeout : Timeout for DNS resolution (default is 2 seconds).
- --retry : Number of retry attempts for DNS resolution (default is 2).
- --retry-wait : Wait duration between retry attempts (default is 100 milliseconds).
- -o : Output file to save results.
- --separator : Separator for output entries (default is ,).
- -w : Custom wordlist file for subdomain enumeration.
- --rate-limit : Rate limit for DNS queries (queries per second, default is 200).
- --batch-size : Batch size for concurrent DNS resolutions (default is 50).
- --status-code: Check HTTP status code of subdomains.
- --title: Retrieve title of subdomains.
./xorn -d example.com -w wordlist.txt -o subdomains.txt --status-code --title
This command scans subdomains of example.com using the wordlist wordlist.txt, saves the results to subdomains.txt, and checks HTTP status codes and retrieves titles of web pages associated with the subdomains.