This script takes in a list of hosts (from a Sublist3r.py scan, for example), performs a port scan on each from port 0-800, and then groups the hosts by IP address.
This is how I kick off web application pen tests; it helps sort domains to see which ones are on the same server.
Subdomains are used in a lot of cases: websites have subdomains for their own users, for example for certain customers or for employees, so they are not advertised unless you are some sort of VIP customer. For example, if you find out there is a subdomain named "test" on the same server as <insert-high-value-target-here>, you can figure out where to spend your time faster.
- Collect a list of hostnames for which you want to find out which ones share the same IP address (I recommend using Sublist3r.py)
- Put the hostnames in hosts.txt, one per line
- Run main.py; the result is written to result_domain.txt in the format below
+------------------+----------------+----------------+---------+
| REVERSE DNS      | IP ADDRESS     | OPEN PORTS     | DOMAINS |
+------------------+----------------+----------------+---------+
+------------------+----------------+----------------+---------+