Passive DNS network mapper a.k.a. subdomains bruteforcer
For those who have never used dnsmap, dnsmap is a command line tool originally released in 2006 which helps discover target subdomains and IP ranges during the initial stages of an infrastructure pentest. dnsmap is a passive(ish) discovery tool meant to be used before an actual active attack. It’s an alternative to other discovery techniques such as whois lookups, scanning large IP ranges, etc. Run dnsmap and you should be able to spot the netblocks of a target organization in a relatively short period of time.
dnsmap is open source and is known to work on Linux, FreeBSD and Windows using Cygwin, although it has mostly been tested on Linux.
New features included:
delay option (-d) added. This is useful in cases where dnsmap is killing your bandwidth
ignore IPs option (-i) added. This excludes user-supplied IPs from the results. Useful for domains that cause dnsmap to produce false positives
changes made to make dnsmap compatible with OpenDNS
disclosure of internal IP addresses (RFC 1918) is reported
updated built-in wordlist
included a standalone three-letter acronym (TLA) subdomains wordlist
domains susceptible to “same site” scripting are reported
completion time is now displayed to the user
mechanism to attempt to bruteforce wildcard-enabled domains
a unique filename containing a timestamp is now created when no output filename is supplied by the user
various minor bugs fixed
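As an added illustration (this is not dnsmap's own code), the following Python script shows how the wildcard handling, RFC 1918 leak reporting, "same site" scripting reporting and the -d/-i options listed above can be implemented. It runs over a constructed zone table instead of live DNS; the zone, hostnames and addresses are made up, and treating a record that resolves to loopback as the "same site" scripting condition is an assumption about how that finding is detected.

```python
import ipaddress, random, string, time

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample zone (not real data): FQDN -> A records, standing in for live DNS.
SAMPLE_ZONE = {
    "www.example.test": ["198.51.100.10"],
    "intranet.example.test": ["10.1.2.3"],
    "dev.example.test": ["127.0.0.1"],
    "mail.example.test": ["198.51.100.20", "192.168.5.5"],
}

def make_resolver(zone, wildcard_ips=()):
    """Lookup function over the table; wildcard_ips simulates a catch-all '*' record."""
    def resolve(fqdn):
        return list(zone.get(fqdn, wildcard_ips))
    return resolve

def classify(ip):
    """Loopback answers are the 'same site' scripting condition; RFC 1918 answers are internal leaks."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback:
        return "same-site-scripting"
    if any(addr in net for net in RFC1918):
        return "rfc1918-leak"
    return "public"

def detect_wildcard(domain, resolve, probes=3):
    """Query random labels that cannot exist; if all of them answer, the zone is wildcard-enabled."""
    seen = set()
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase, k=24))
        ips = resolve(f"{label}.{domain}")
        if not ips:
            return set()          # a non-answer means there is no catch-all record
        seen.update(ips)
    return seen

def audit(domain, labels, resolve, ignore=(), delay=0.0):
    """Resolve each label, drop ignored IPs (like -i) and wildcard noise, classify what remains."""
    wildcard = detect_wildcard(domain, resolve)
    findings = {}
    for label in labels:
        fqdn = f"{label}.{domain}"
        ips = [ip for ip in resolve(fqdn) if ip not in ignore]
        # Answers identical to the wildcard set are noise (a real host on the same IP is lost too).
        if ips and not (wildcard and set(ips) <= wildcard):
            findings[fqdn] = {ip: classify(ip) for ip in ips}
        time.sleep(delay)         # like -d: pace queries so bulk lookups do not saturate the link
    return findings
```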
Download and more info about dnsmap: http://code.google.com/p/dnsmap