def check_azure_vms(names, nameserver, threads):
"""
Checks for Azure Virtual Machines
"""
print("[+] Checking for Azure Virtual Machines")
# Start a counter to report on elapsed time
start_time = utils.start_timer()
# Pull the regions from a config file
regions = azure_regions.REGIONS
print("[*] Testing across {} regions defined in the config file".format(
len(regions)))
for region in regions:
# Initialize the list of domain names to look up
candidates = [name + '.' + region + '.' + VM_URL for name in names]
# Azure VMs use DNS sub-domains. If it resolves, it is registered.
utils.fast_dns_lookup(candidates,
nameserver,
callback=print_vm_response,
threads=threads)
# Stop the timer
utils.stop_timer(start_time)
def check_awsapps(names, threads, nameserver, cverbose=True):
"""
Checks for existence of AWS Apps
(ie. WorkDocs, WorkMail, Connect, etc.)
"""
if cverbose: print("[+] Checking for AWS Apps")
pname = ['AWS Apps ', 2]
# Start a counter to report on elapsed time
start_time = utils.start_timer()
# Initialize the list of domain names to look up
candidates = []
# Initialize the list of valid hostnames
valid_names = []
# Take each mutated keyword craft a domain name to lookup.
for name in names:
candidates.append('{}.{}'.format(name, APPS_URL))
# AWS Apps use DNS sub-domains. First, see which are valid.
valid_names = utils.fast_dns_lookup(candidates,
nameserver,
pname,
cverbose,
threads=threads)
for name in valid_names:
if cverbose:
utils.printc(" App Found: https://{}\n".format(name), 'orange')
# Stop the timer
utils.stop_timer(start_time, cverbose)
def check_azure_databases(names, nameserver):
"""
Checks for Azure Databases
"""
print("[+] Checking for Azure Databases")
# Start a counter to report on elapsed time
start_time = utils.start_timer()
# Initialize the list of domain names to look up
candidates = [name + '.' + DATABASE_URL for name in names]
# Azure databases use DNS sub-domains. If it resolves, it is registered.
utils.fast_dns_lookup(candidates,
nameserver,
callback=print_database_response)
# Stop the timer
utils.stop_timer(start_time)
def check_azure_websites(names, nameserver, threads):
"""
Checks for Azure Websites (PaaS)
"""
print("[+] Checking for Azure Websites")
# Start a counter to report on elapsed time
start_time = utils.start_timer()
# Initialize the list of domain names to look up
candidates = [name + '.' + WEBAPP_URL for name in names]
# Azure Websites use DNS sub-domains. If it resolves, it is registered.
utils.fast_dns_lookup(candidates,
nameserver,
callback=print_website_response,
threads=threads)
# Stop the timer
utils.stop_timer(start_time)
def check_storage_accounts(names, threads, nameserver, cverbose=True):
"""
Checks storage account names
"""
if cverbose: print("[+] Checking for Azure Storage Accounts")
pname = ['Azure Valid Names ', 3]
# Start a counter to report on elapsed time
start_time = utils.start_timer()
# Initialize the list of domain names to look up
candidates = []
# Initialize the list of valid hostnames
valid_names = []
# Take each mutated keyword craft a domain name to lookup.
# As Azure Storage Accounts can contain only letters and numbers,
# discard those not matching to save time on the DNS lookups.
regex = re.compile('[^a-zA-Z0-9]')
names = list(
set([
name.replace('www.',
'').replace('www-', '').replace('.com', '').replace(
'.net', '').replace('.gov', '') for name in names
]))
for name in names:
if not re.search(regex, name):
candidates.append('{}.{}'.format(name, BLOB_URL))
if candidates:
# Azure Storage Accounts use DNS sub-domains. First, see which are valid.
valid_names = utils.fast_dns_lookup(candidates,
nameserver,
pname,
cverbose,
threads=threads)
if valid_names:
pname[0] = 'Azure Storage Acts'
# Send the valid names to the batch HTTP processor
utils.get_url_batch(valid_names,
pname,
cverbose,
use_ssl=False,
callback=print_account_response,
threads=threads)
# Stop the timer
utils.stop_timer(start_time, cverbose)
# de-dupe the results and return
return list(set(valid_names))
def check_awsapps(names, threads, nameserver):
"""
Checks for existence of AWS Apps
(ie. WorkDocs, WorkMail, Connect, etc.)
"""
data = {
'platform': 'aws',
'msg': 'AWS App Found:',
'target': '',
'access': ''
}
print("[+] Checking for AWS Apps")
# Start a counter to report on elapsed time
start_time = utils.start_timer()
# Initialize the list of domain names to look up
candidates = []
# Initialize the list of valid hostnames
valid_names = []
# Take each mutated keyword craft a domain name to lookup.
for name in names:
candidates.append(f'{name}.{APPS_URL}')
# AWS Apps use DNS sub-domains. First, see which are valid.
valid_names = utils.fast_dns_lookup(candidates,
nameserver,
threads=threads)
for name in valid_names:
data['target'] = f'https://{name}'
data['access'] = 'protected'
utils.fmt_output(data)
# Stop the timer
utils.stop_timer(start_time)
def check_storage_accounts(names, threads, nameserver):
"""
Checks storage account names
"""
print("[+] Checking for Azure Storage Accounts")
# Start a counter to report on elapsed time
start_time = utils.start_timer()
# Initialize the list of domain names to look up
candidates = []
# Initialize the list of valid hostnames
valid_names = []
# Take each mutated keyword craft a domain name to lookup.
# As Azure Storage Accounts can contain only letters and numbers,
# discard those not matching to save time on the DNS lookups.
regex = re.compile('[^a-zA-Z0-9]')
for name in names:
if not re.search(regex, name):
candidates.append(f'{name}.{BLOB_URL}')
# Azure Storage Accounts use DNS sub-domains. First, see which are valid.
valid_names = utils.fast_dns_lookup(candidates,
nameserver,
threads=threads)
# Send the valid names to the batch HTTP processor
utils.get_url_batch(valid_names,
use_ssl=False,
callback=print_account_response,
threads=threads)
# Stop the timer
utils.stop_timer(start_time)
# de-dupe the results and return
return list(set(valid_names))
def check_awsapps(names, threads, nameserver):
"""
Checks for existence of AWS Apps
(ie. WorkDocs, WorkMail, Connect, etc.)
"""
print("[+] Checking for AWS Apps")
# Start a counter to report on elapsed time
start_time = utils.start_timer()
# Initialize the list of domain names to look up
candidates = []
# Initialize the list of valid hostnames
valid_names = []
# Take each mutated keyword craft a domain name to lookup.
for name in names:
candidates.append('{}.{}'.format(name, APPS_URL))
# AWS Apps use DNS sub-domains. First, see which are valid.
valid_names = utils.fast_dns_lookup(candidates,
nameserver,
threads=threads)
# Send the valid names to the batch HTTP processor
utils.get_url_batch(valid_names,
use_ssl=False,
callback=print_awsapps_response,
threads=threads)
# Stop the timer
utils.stop_timer(start_time)
# de-dupe the results and return
return list(set(valid_names))
