LinuxCommandLibrary

braa


TLDR

Walk the SNMP tree of a host using the community string public, querying all OIDs under .1.3.6

$ braa public@[ip_address]:[.1.3.6.*]

Query the whole subnet ip_range for system.sysLocation.0
$ braa public@[ip_range]:[.1.3.6.1.2.1.1.6.0]

Attempt to set the value of system.sysLocation.0 to a specific workgroup
$ braa private@[ip_address]:[.1.3.6.1.2.1.1.6.0]=s'[workgroup]'
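
The queries above only succeed against agents that accept the default community strings public and private. The following added example, which is not part of the original page or of the braa project, audits a Net-SNMP snmpd.conf for such settings; it assumes Net-SNMP's rocommunity/rwcommunity/com2sec directive syntax, and the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the braa page): audit Net-SNMP snmpd.conf text for
# community settings that default-community queries would succeed against.

# Constructed sample configuration, not taken from any real host.
sample_conf() {
cat <<'EOF'
# constructed sample
rocommunity public
rwcommunity private 192.0.2.0/24
rocommunity  ro-constructed-7f3a  192.0.2.10
rwcommunity6 rw-constructed-91bc
com2sec notConfigUser default public
EOF
}

# audit_snmpd_conf FILE: print "LINENO SEVERITY message" for each finding.
audit_snmpd_conf() {
    awk '
    function report(sev, msg) { printf "%d %s %s\n", NR, sev, msg }
    function check(dir, comm, src, write) {
        # A default community string is guessable by any scanner.
        if (comm == "public" || comm == "private")
            report("HIGH", dir ": default community \"" comm "\"")
        # A missing source, or the keyword default, means any address may query.
        if (src == "" || src == "default")
            report((write ? "HIGH" : "MEDIUM"), dir ": no source restriction")
    }
    { sub(/#.*/, "") }             # drop comments
    NF == 0 { next }               # skip blank lines
    $1 ~ /^r[ow]community6?$/ {    # rocommunity COMMUNITY [SOURCE ...]
        check($1, $2, $3, ($1 ~ /^rw/))
    }
    $1 ~ /^com2sec6?$/ {           # com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
        i = ($2 == "-Cn") ? 4 : 2
        check($1, $(i + 2), $(i + 1), 0)
    }
    ' "$1"
}

# Run against a file when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_snmpd_conf "$1"
fi
```

Run it as `sh audit.sh /etc/snmp/snmpd.conf` (the script name and path are assumptions); each output line gives the line number, a severity, and the directive that needs tightening.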

SYNOPSIS

braa [-4|-6] [-p port] [-s srcport] [-S srcaddr] [-H] [-h] [-i] [-t timeout] [-T threads] [-v] domain [{hostlist} | -f file]

PARAMETERS

-4
    IPv4 queries only

-6
    IPv6 queries only

-p port
    UDP/TCP destination port (default 53)

-s srcport
    Source port

-S srcaddr
    Source IPv4/IPv6 address

-H
    Skip reverse (PTR) queries

-h
    Show summary/help

-i
    Interactive mode

-t timeout
    Timeout in ms (default 500)

-T threads
    Number of threads (default 20)

-v
    Verbose output

-f file
    Read hostnames from file

DESCRIPTION

Braa is a high-speed tool for performing massive DNS brute-force attacks against domains. It rapidly queries DNS servers for various record types including A, AAAA, MX, NS, SOA, TXT, CNAME, SRV, and others, using parallel UDP queries to maximize efficiency.

Unlike slower tools like dig or host, braa sends thousands of queries per second by multiplexing them across multiple threads and source ports. This makes it ideal for reconnaissance in penetration testing, where discovering hidden subdomains is key. Specify a target domain and a list of potential hostnames (from arguments, stdin, or file), and braa attempts resolution for each.

It supports IPv4/IPv6, custom source addresses/ports, timeouts, and verbosity levels. Results show resolved IPs alongside queried names, helping identify live hosts quickly. Primarily used by security professionals for network mapping, but requires caution due to potential abuse against public DNS infrastructure.

CAVEATS

High query rates may trigger rate-limiting or blacklisting by DNS servers; use responsibly. No built-in rate limiting. Requires raw sockets for optimal speed (may need root).

EXAMPLE USAGE

Basic scan:
braa example.com www mail ftp admin

From file:
braa -T 50 -t 1000 example.com -f /usr/share/wordlists/subdomains.txt

OUTPUT FORMAT

Shows: hostname -> IP (type); unresolved names listed separately.

HISTORY

Developed by Anna Arto around 2004 as a faster alternative to dnsenum and fierce. Maintained sporadically; last major updates pre-2010. Widely used in Kali Linux for pentesting.

SEE ALSO

dig(1), host(1), dnsmap(1), nmap(1)
