Waldo is a new security tool which brute forces subdomains and also directories depending on the mode it is placed in. It is multi-threaded and multi-processed which makes it very fast. The leading tool that comes to mind is Dirbuster which is based on Java. Waldo is written in python and we plan on maintaining this open source project.
sudo python waldo.py -m s -w default.txt -d starbucks.com -t 2
Waldo comes with a default wordlist however with the proper flags set, you can specify you own. You can also specify the amount of threads to spin up. In the above example, I just used 2 which returns results pretty quickly. Waldo also tells you the server response codes. It is programmed to only show valid redirects and 200 OK's. You may see result 0 is www.starbucks.com and result 50 is mail. Instead of displaying 0-50 as bad pages, we only show valid pages. Mostly I care about 200's. Lets checkout "e.starbucks.com"
What the heck is that ? I don't know, it could be some sort of validation or status code.... or something used for mobile, not sure. Im sure could google it and get more results but anyhow. It's just an example. You can switch the mode from "s" (subdomain) to "d" which would look up directories like Dirbuster does. I think with using python, it functions much better than Java. We do have future plans to probably put in proxy support, logging, and other smart checks like looking at robots.txt and other things. Anyhow, support our project here!
intl.starbucks.com looked interesting...here is what comes up... smh
Hey guys, right now ive been busy with travel the last couple of weeks and we have Derbycon coming up at the end of this week. Hope to see some of you out there. On another note we have had a lot going on. We have updates coming for our existing courses. The Python course is done and should be available soon as well. Other than that, I have made a couple posts about game cheats and making trainers. If any of you find that interesting or would like to know how to do it, please let me know and maybe we can set up a weekend or evening class for that!
Scott "R4v3N", co-founder and trainer for Top-Hat-Sec.