What is Xorn?
Xorn is a versatile subdomain scanner tool written in Go. It enables you to discover subdomains of a given domain by performing DNS resolution, and optionally checking HTTP status codes and retrieving titles of web pages associated with the subdomains.
Features
Subdomain Enumeration
Xorn efficiently enumerates subdomains by performing DNS resolution for a given domain. It can handle large wordlists and parallelize the scanning process to improve performance.
DNS Resolution
The tool resolves subdomains to their corresponding IP addresses using the DNS lookup mechanism. It provides configurable options for timeout, retry attempts, and retry wait duration to fine-tune the resolution process.
HTTP Status Code Checking
Xorn optionally checks the HTTP status codes of the discovered subdomains. This feature allows you to identify active subdomains and determine their accessibility.
Title Retrieval
Additionally, Xorn can retrieve the titles of web pages associated with the discovered subdomains. This information provides insights into the content hosted on each subdomain.
Rate Limiting
To avoid overwhelming the DNS servers, Xorn implements rate limiting for DNS queries. You can configure the rate limit to control the number of queries per second.
Custom Wordlist
You can supply a custom wordlist file containing potential subdomains to scan. Xorn appends the domain name to each entry in the wordlist for enumeration.
Output Options
Xorn provides flexible options for outputting the scan results. You can save the results to a file, specifying the output format and separator.
Installation
From Source
Ensure you have Go installed. Download it from here.
Clone the repository:
git clone https://github.com/symbolexe/Xorn.git
Navigate to the cloned directory:
cd Xorn
Build the tool:
go build
Optionally, move the binary to a directory in your PATH:
sudo mv xorn /usr/local/bin/
From Releases
Download a precompiled binary for your operating system and architecture from the Releases section of this repository, then move it to a directory in your PATH.
Usage
Xorn provides a wide range of options to customize the scanning process. Here's how you can use it:
xorn -d <domain> [options]
Options
-d : Specifies the domain to scan subdomains for.
-t : Number of concurrent threads (default is 100).
--timeout : Timeout for DNS resolution (default is 2 seconds).
--retry : Number of retry attempts for DNS resolution (default is 2).
--retry-wait : Wait duration between retry attempts (default is 100 milliseconds).
-o : Output file to save results.
--separator : Separator for output entries (default is ,).
-w : Custom wordlist file for subdomain enumeration.
--rate-limit : Rate limit for DNS queries (queries per second, default is 200).
--batch-size : Batch size for concurrent DNS resolutions (default is 50).
--status-code : Check HTTP status code of subdomains.
--title : Retrieve title of subdomains.
Example
xorn -d example.com -w wordlist.txt -o subdomains.txt --status-code --title
This command scans subdomains of example.com using the wordlist wordlist.txt, saves the results to subdomains.txt, and checks HTTP status codes and retrieves titles of web pages associated with the subdomains.
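How the wordlist, --rate-limit, --retry and --retry-wait options described above fit together, as an added example that is not Xorn's own code. The names resolveAll and stubLookup are hypothetical, "one attempt plus N retries" is an assumed reading of --retry, and the stub zone is constructed so the run needs no network.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// resolveAll looks up <word>.<domain> per word: at most qps (> 0) lookups/s overall, one attempt plus up to `retries` retries per name.
func resolveAll(domain string, words []string, qps, retries int, wait time.Duration, lookup func(string) ([]string, error)) map[string][]string {
	tick := time.NewTicker(time.Second / time.Duration(qps))
	defer tick.Stop()
	var mu sync.Mutex
	var wg sync.WaitGroup
	found := map[string][]string{}
	for _, w := range words {
		host := w + "." + domain
		wg.Add(1)
		go func() {
			defer wg.Done()
			for attempt := 0; attempt <= retries; attempt++ {
				<-tick.C // a retry spends a rate-limit token like a first attempt
				if addrs, err := lookup(host); err == nil {
					mu.Lock()
					found[host] = addrs
					mu.Unlock()
					return
				}
				time.Sleep(wait)
			}
		}()
	}
	wg.Wait()
	return found
}

// Constructed stub with net.LookupHost's signature: www resolves, vpn times out once, other names never resolve.
var vpnTries atomic.Int32
func stubLookup(host string) ([]string, error) {
	if host == "www.example.com" || (host == "vpn.example.com" && vpnTries.Add(1) > 1) {
		return []string{"192.0.2.10"}, nil
	}
	return nil, errors.New("timeout")
}

func main() { // 200 qps, 2 retries, 100 ms wait: the defaults listed under Options
	fmt.Println(resolveAll("example.com", []string{"www", "vpn", "nope"}, 200, 2, 100*time.Millisecond, stubLookup))
}
```

A name that never resolves costs one lookup plus every retry, so with these defaults each missing wordlist entry spends three queries of the per-second budget.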