I have decided to port a script I done in C to PHP which I have made available online. I called it domRecon, it basically “hunts” for sub-domains for a domain that you provide.

It works by trying to get lucky by preforming a DNS zone transfer (AXFR) but on most domains this will fail. It will then use a list of about 2000 common sub-domain names and try see if it has a A record lookup on each sub-domain . Once that has finished it will scan 254 IP address (/24) of the networks looking for any more sub-domains.

A normal a complete scan would take about 20secs when checking 2000 sub-domains and scanning about 5 networks. However, large networks will take a lot longer. Status messages are displayed which will update you on the progress of the scan.

You can use the script by going to the following URL:
domrecon.jayscott.co.uk