@casesolved-co-uk
Last active March 11, 2023 12:44
Brute-force all subdomain labels up to a given length using dig
#!/usr/bin/env bash
# Copyright (c) 2023, CaseSolved.co.uk
# Positional arguments: $1 = maximum label length to search, $2 = domain name
# that every candidate label is appended to.
if [[ -z "$1" ]]; then
  printf '%s\n' "supply hostname character length"
  exit 1
fi
clength="$1"
if [[ -z "$2" ]]; then
  printf '%s\n' "supply domain name"
  exit 2
fi
domain="$2"
# Label alphabet: digits, lowercase letters and '_' for the first character;
# the same set plus '-' for every later position (see recurse).
chars="0123456789abcdefghijklmnopqrstuvwxyz_"
xchars="${chars}-"
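# Look up the domain's first NS record and resolve that host to an address.
# Reads the global "domain"; writes the global "nameserver", which recurse
# passes to dig for every candidate query.
# Exits 3 (1 and 2 are taken by the argument checks above) when no NS record
# or no address can be found, instead of carrying on with an empty server.
get_ns () {
  local ns_answer addr_answer ns_host
  local -a words
  # Quote $domain so a value containing spaces or glob characters reaches dig
  # as a single argument (it was previously unquoted).
  ns_answer=$(dig "$domain" NS +short)
  # Take the first word of the answer without glob expansion. With an empty
  # answer the old code ran "dig +short" with no name at all, i.e. it queried
  # the root zone rather than failing.
  read -r -a words <<<"$ns_answer"
  ns_host="${words[0]:-}"
  if [[ -z "$ns_host" ]]; then
    printf '%s\n' "no NS record found for $domain" >&2
    exit 3
  fi
  addr_answer=$(dig "$ns_host" +short)
  read -r -a words <<<"$addr_answer"
  nameserver="${words[0]:-}"
  if [[ -z "$nameserver" ]]; then
    printf '%s\n' "could not resolve nameserver $ns_host" >&2
    exit 3
  fi
}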
get_ns  # runs once at startup; sets the global "nameserver" that recurse queries
# Write a timestamped diagnostic line to stderr so it never mixes with the
# result names printed on stdout.
# Arguments: all arguments are joined with spaces after the timestamp.
log_msg () {
  local stamp
  stamp=$(date '+%F %T')
  printf '%s %s\n' "$stamp" "$*" >&2
}
# dig filters
# Status 0 when the candidate label is at most three characters long.
# Arguments: $1 - candidate label (an empty or missing argument counts as short)
is_short () {
  [[ ${#1} -le 3 ]]
}
# Status 0 when the candidate label contains at least one of a e i o u y
# (lowercase only, matching the alphabet the search uses).
# Arguments: $1 - candidate label
has_vowel () {
  [[ "$1" == *[aeiouy]* ]]
}
# Enumerate every label of length $2 over the alphabet and query each one.
# The label is built one character per recursion level: the first character
# comes from $chars, every later one from $xchars (which adds '-').
# Globals read: chars, xchars, domain, nameserver.
# Globals written: out (not in the "local" list below, so it leaks to the caller).
# arg1: number of characters already placed (the main loop passes 0)
# arg2: target label length
# arg3: label built so far
# Output: for each candidate that resolves, the name and dig's answer on stdout
recurse () {
local i x prefix idx name charstr
idx=$1
idx=$((idx+1))
if [ "$idx" -eq 1 ]; then
charstr=$chars
log_msg "length $2 started"
else
charstr=$xchars
fi
for (( i=0; i<${#charstr}; i++ )); do
x=${charstr:$i:1}
prefix="$3$x"
if [ "$idx" -eq "$2" ]; then
# assume subdomain is a word
# NOTE(review): in a shell list "||" and "&&" bind equally and group left to
# right, so this condition reads as "( is_short || has_vowel ) && ! has_vowel":
# a label reaches dig only when it has no vowel at all AND is at most three
# characters long. That does not match the comment above — confirm which
# filter was intended before relying on the results.
if is_short "$prefix" || has_vowel "$prefix" && ! has_vowel "$prefix"; then
name="$prefix.$domain"
#echo "$name"
#out=$(dig "$name" @"$nameserver" +short)
# Query the zone's own nameserver directly, with IDN conversion disabled on
# both input and output — presumably so the label is sent exactly as built;
# confirm against dig's manual.
out=$(dig "$name" @"$nameserver" +short +noidnin +noidnout)
if [ -n "$out" ]; then
echo "$name"
echo "$out"
fi
fi
else
recurse "$idx" "$2" "$prefix"
fi
done
}
# Drive the search: one complete pass of recurse per label length, from 1 up
# to the requested maximum. Progress goes to stderr, results to stdout.
log_msg "'$@' started"
j=1
while (( j <= clength )); do
  recurse "0" "$j" ""
  j=$((j + 1))
done
log_msg "'$@' done"