I am no longer maintaing this tool. BSW has served me well, and was written in Go in 2013. I would suggest using amass as it is actively supported.
blacksheepwall is a hostname reconnaissance tool written in Go. It can also be used as a stand-alone package in your tools.
Binary packages for every supported operating system are available here.
You can download a compiled binary and just run it. Alternatively, if you have Go installed and configured with a workspace, you can run:
$ go get github.com/tomsteele/blacksheepwall
Usage: blacksheepwall [options] <ip address or CIDR>
Options:
-h, --help Show Usage and exit.
-version Show version and exit.
-debug Enable debugging and show errors returned from tasks.
-config Location of a YAML file containing any of the options below.
Hypens should be replaced with underscores (e.g. bing-html, bing_html).
Options that do not take an argument are booleans and should be represented
using true/false (e.g. bing_html: true).
-timeout Maximum timeout in seconds for SOCKET connections. [default .5 seconds]
-concurrency <int> Max amount of concurrent tasks. [default: 100]
-server <string> DNS server address. [default: "8.8.8.8"]
-input <string> Line separated file of networks (CIDR) or IP Addresses.
-ipv6 Look for additional AAAA records where applicable.
-domain <string> Target domain to use for certain tasks, can be a single
domain or a file of line separated domains.
-fcrdns Verify results by attempting to retrieve the A or AAAA record for
each result previously identified hostname.
-parse <string> Generate output by parsing JSON from a file from a previous scan.
-validate Validate hostnames using a RFC compliant regex.
Passive:
-dictionary <string> Attempt to retrieve the CNAME and A record for
each subdomain in the line separated file.
-ns Lookup the ip and hostname of any nameservers for the domain.
-mx Lookup the ip and hostmame of any mx records for the domain.
-yandex <string> Provided a Yandex search XML API url. Use the Yandex
search 'rhost:' operator to find subdomains of a
provided domain.
-bing <string> Provided a base64 encoded API key. Use the Bing search
API's 'ip:' operator to lookup hostnames for each ip, and the
'domain:' operator to find ips/hostnames for a domain.
-bing-html Use Bing search 'ip:' operator to lookup hostname for each ip, and the
'domain:' operator to find ips/hostnames for a domain. Only
the first page is scraped. This does not use the API.
-shodan <string> Provided a Shodan API key. Use Shodan's API '/dns/reverse' to lookup hostnames for
each ip, and '/shodan/host/search' to lookup ips/hostnames for a domain.
A single call is made for all ips.
-reverse Retrieve the PTR for each host.
-viewdns-html Lookup each host using viewdns.info's Reverse IP
Lookup function. Use sparingly as they will block you.
-viewdns <string> Lookup each host using viewdns.info's API and Reverse IP Lookup function.
-logontube Lookup each host and/or domain using logontube.com's API. As of this release
the site is down.
-exfiltrated Lookup hostnames returned from exfiltrated.com's hostname search.
-censys <string> Searches censys.io for a domain. Names are gathered from TLS certificates for each host
returned from this search. The provided string should be your API ID and Secret separated
by a colon.
-crtsh Searches crt.sh for certificates related to the provided domain.
-vt Searches VirusTotal for subdomains for the provided domain.
-srv Find DNS SRV record and retrieve associated hostname/IP info.
-cmn-crawl <string> Search commoncrawl.org for subdomains of a domain. The provided argument should be the index
to be used. For example: "CC-MAIN-2017-04-index"
Active:
-axfr Attempt a zone transfer on the domain.
-headers Perform HTTP(s) requests to each host and look for
hostnames in a possible Location header.
-tls Attempt to retrieve names from TLS certificates
(CommonName and Subject Alternative Name).
Output Options:
-clean Print results as unique hostnames for each host.
-csv Print results in csv format.
-json Print results as JSON.