Googlesub – Google Subdomain Scraper

In the early stages of reconnaissance you will likely not want to access the target domain directly. This is where OSINT comes into play. I wrote a Python script that queries Google for a site (site:example.com) and then parses the results. The next query is crafted so that the subdomains already found are ignored by Google; this yields better results and makes it more likely to find the less popular subdomains as well. This can of course be done manually, but I highly doubt it will be done as fast.
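The query-refinement loop described above, as an added example that is not the googlesub source. It runs offline against a constructed result index; the function names, the `-site:` exclusion form and the `max_exclusions` bound are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample index standing in for the search engine (no network access).
# www.example.com dominates the top results, as popular hosts usually do.
SAMPLE_INDEX = [
    "https://www.example.com/",
    "https://www.example.com/products",
    "https://blog.example.com/post/1",
    "https://www.example.com/about",
    "http://dev-test.example.com/login",
    "https://notexample.com/?ref=example.com",
]

def fake_search(query, page_size=2):
    """Hypothetical stand-in: first `page_size` URLs whose host is not excluded."""
    excluded = {t[len("-site:"):] for t in query.split() if t.startswith("-site:")}
    return [u for u in SAMPLE_INDEX if urlsplit(u).hostname not in excluded][:page_size]

def extract_subdomains(result_urls, domain):
    """Collect hostnames that are `domain` itself or a true subdomain of it."""
    found = set()
    for url in result_urls:
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        # The leading dot keeps "notexample.com" from matching "example.com".
        if host == domain or host.endswith("." + domain):
            found.add(host)
    return found

def build_query(domain, known, max_exclusions=20):
    """Build 'site:domain -site:a -site:b ...' from the hosts already found."""
    # Never exclude the bare domain: that would filter out every result.
    # max_exclusions is an arbitrary bound, since engines cap query length.
    exclusions = sorted(h for h in known if h != domain)[:max_exclusions]
    return " ".join(["site:" + domain] + ["-site:" + h for h in exclusions])

def enumerate_subdomains(domain, search, max_queries=10):
    """Re-query with a growing exclusion list until nothing new turns up."""
    known = set()
    for _ in range(max_queries):
        new = extract_subdomains(search(build_query(domain, known)), domain) - known
        if not new:
            break
        known |= new
    return sorted(known)

if __name__ == "__main__":
    print(enumerate_subdomains("example.com", fake_search))
```

With the sample index, the first query returns only www.example.com; the less prominent hosts appear once it is excluded.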

Since Google generally dislikes bots, it will start serving the script CAPTCHAs after a while. This can be delayed or avoided by using the script's delay function (you will be prompted for this). If you only intend to research a small number of domains, it is completely fine to skip the delay function to decrease the run time.

The script can be downloaded here from my GitHub.

I intend to add support for arguments instead of an “interactive UI”. It will hopefully come in the near future!

Edit: It now supports args.
-u url
-d use this arg to add a delay
-q number of queries per subdomain the script should execute

ArchAssault have added it to their repository! Pretty sweet. You can find it here.

bash-3.2$ python googlesub.py -u cisco.com -q 10
[+] Successfully loaded 70 user agent(s)
Google subdomain scraper by Sam

Googlesub will use google dorks to find subdomains without accessing the target domain.
Kill it with ctrl+c or let it finish.
Querying Google for 'site:cisco.com'.
Now please wait while I invade google...
Executing query 1 of 10
Executing query 2 of 10
Executing query 3 of 10
Executing query 4 of 10
Executing query 5 of 10
Executing query 6 of 10
Executing query 7 of 10
Executing query 8 of 10
Executing query 9 of 10
Executing query 10 of 10

##########################################
Found 40 subdomains on cisco.com

6lab.cisco.com
blogs.cisco.com
canadablog.cisco.com
ccpdemo15.cisco.com
cdn.cisco.com
communities.cisco.com
connectedlearningexchange.cisco.com
csc-stage.cisco.com
csc-test1.cisco.com
csr.cisco.com
developer.cisco.com
docwiki.cisco.com
eir.cisco.com
forums.cisco.com
gblogs.cisco.com
home.cisco.com
homestore.cisco.com
homesupport.cisco.com
internetofeverything.cisco.com
investor.cisco.com
jobs.cisco.com
learningnetwork.cisco.com
learningnetworkstore.cisco.com
marketplace.cisco.com
meraki.cisco.com
mhome.cisco.com
mobilize.cisco.com
newsroom.cisco.com
ondemand.cisco.com
res.cisco.com
share.cisco.com
smbmarketplace.cisco.com
socialmedia.cisco.com
solutionpartner.cisco.com
supportforums.cisco.com
technicaleducation.cisco.com
tools.cisco.com
video.cisco.com
www-test.cisco.com
www.cisco.com

##########################################
Done. Quitting...

bash-3.2$