def main(domain, threads, savefile, ports, silent, verbose, enable_bruteforce,
engines, valid):
bruteforce_list = set()
search_list = set()
if is_windows:
subdomains_queue = list()
else:
subdomains_queue = multiprocessing.Manager().list()
# Check Bruteforce Status
if enable_bruteforce or enable_bruteforce is None:
enable_bruteforce = True
# Validate domain
domain_check = re.compile(
"^(http|https)?[a-zA-Z0-9]+([\-\.]{1}[a-zA-Z0-9]+)*\.[a-zA-Z]{2,}$")
if not domain_check.match(domain):
if not silent:
print(R + "Error: Please enter a valid domain" + W)
return []
if not domain.startswith('http://') or not domain.startswith('https://'):
domain = 'http://' + domain
parsed_domain = urlparse.urlparse(domain)
if not silent:
print(B +
"[-] Enumerating subdomains now for %s" % parsed_domain.netloc +
W)
if verbose and not silent:
print(
Y +
"[-] verbosity is enabled, will show the subdomains results in realtime"
+ W)
supported_engines = {
'baidu': BaiduEnum,
'yahoo': YahooEnum,
'google': GoogleEnum,
'bing': BingEnum,
'ask': AskEnum,
'netcraft': NetcraftEnum,
'dnsdumpster': DNSdumpster,
'virustotal': Virustotal,
'threatcrowd': ThreatCrowd,
'ssl': CrtSearch,
'passivedns': PassiveDNS
}
chosenEnums = []
if engines is None:
chosenEnums = [
BaiduEnum, YahooEnum, GoogleEnum, BingEnum, AskEnum, NetcraftEnum,
DNSdumpster, Virustotal, ThreatCrowd, CrtSearch, PassiveDNS
]
else:
engines = engines.split(',')
for engine in engines:
if engine.lower() in supported_engines:
chosenEnums.append(supported_engines[engine.lower()])
# Start the engines enumeration
enums = [
enum(domain, [], q=subdomains_queue, silent=silent, verbose=verbose)
for enum in chosenEnums
]
for enum in enums:
enum.start()
for enum in enums:
enum.join()
subdomains = set(subdomains_queue)
for subdomain in subdomains:
search_list.add(subdomain)
if enable_bruteforce:
if not silent:
print(G + "[-] Starting bruteforce module now using subbrute.." +
W)
record_type = False
path_to_file = os.path.dirname(os.path.realpath(__file__))
subs = os.path.join(path_to_file, 'subbrute', 'names.txt')
resolvers = os.path.join(path_to_file, 'subbrute', 'resolvers.txt')
process_count = threads
output = False
json_output = False
bruteforce_list = subbrute.print_target(parsed_domain.netloc,
record_type, subs, resolvers,
process_count, output,
json_output, search_list,
verbose)
subdomains = search_list.union(bruteforce_list)
if subdomains:
subdomains = sorted(subdomains, key=subdomain_sorting_key)
if valid:
for subdom in subdomains:
result = subprocess.run(['host', subdom], capture_output=True)
if "not found" in result.stdout.decode('utf-8'):
subdomains.remove(subdom)
if savefile:
write_file(savefile, subdomains)
if not silent:
print(Y +
"[-] Total Unique Subdomains Found: %s" % len(subdomains) +
W)
if ports:
if not silent:
print(G +
"[-] Start port scan now for the following ports: %s%s" %
(Y, ports) + W)
ports = ports.split(',')
pscan = portscan(subdomains, ports)
pscan.run()
elif not silent:
for subdomain in subdomains:
print(G + subdomain + W)
return subdomains
def main():
args = parse_args()
domain = args.domain
threads = args.threads
savefile = args.output
google_list = []
bing_list = []
baidu_list = []
bruteforce_list = set()
subdomains_queue = multiprocessing.Queue()
#Check Verbosity
global verbose
verbose = args.verbose
if verbose or verbose is None:
verbose = True
#Check Bruteforce Status
enable_bruteforce = args.bruteforce
if enable_bruteforce or enable_bruteforce is None:
enable_bruteforce = True
#Validate domain
domain_check = re.compile("^(http|https)?[a-zA-Z0-9]+([\-\.]{1}[a-zA-Z0-9]+)*\.[a-zA-Z]{2,5}$")
if not domain_check.match(domain):
print R+"Error: Please enter a valid domain"+W
sys.exit()
if not domain.startswith('http://') or not domain.startswith('https://'):
domain = 'http://'+domain
#Print the Banner
banner()
parsed_domain = urlparse.urlparse(domain)
print B+"[-] Enumerating subdomains now for %s"%parsed_domain.netloc+W
if verbose:
print Y+"[-] verbosity is enabled, will show the subdomains results in realtime"+W
#Start the engines enumeration
enums = [enum(domain, verbose, q=subdomains_queue) for enum in BaiduEnum,
YahooEnum, GoogleEnum, BingEnum, AskEnum, NetcraftEnum, DNSdumpster]
for enum in enums:
enum.start()
for enum in enums:
enum.join()
search_list = set()
while not subdomains_queue.empty():
search_list= search_list.union(subdomains_queue.get())
if enable_bruteforce:
print G+"[-] Starting bruteforce module now using subbrute.."+W
record_type = False
path_to_file = os.path.dirname(os.path.realpath(__file__))
subs = os.path.join(path_to_file, 'subbrute', 'names.txt')
resolvers = os.path.join(path_to_file, 'subbrute', 'resolvers.txt')
process_count = threads
output = False
json_output = False
bruteforce_list = subbrute.print_target(parsed_domain.netloc, record_type, subs, resolvers, process_count, output, json_output, search_list, verbose)
subdomains = search_list.union(bruteforce_list)
if subdomains:
if savefile:
write_file(savefile, subdomains)
print Y+"[-] Total Unique Subdomains Found: %s"%len(subdomains)+W
for subdomain in subdomains:
print G+subdomain+W
def main():
args = parse_args()
domain = args.domain
#threads = args.threads
savefile = args.output
ports = args.ports
bruteforce_list = []
subdomains = []
if not savefile:
now = datetime.datetime.now()
timestr = now.strftime("-%Y-%m-%d-%H-%M")
savefile = domain+timestr+".txt"
enable_bruteforce = args.bruteforce
if enable_bruteforce or enable_bruteforce is None:
enable_bruteforce = True
#Validate domain
if not is_domain(domain):
print R+"[!]Error: Please enter a valid domain"+W
sys.exit()
#Print the Banner
banner()
waring = "[!] legal disclaimer: Usage of Teemo for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program"
print waring
print B+"[-] Enumerating subdomains now for %s"% domain+W
'''
subdomains.extend(callsites(domain,proxy))
domains,emails = callengines(domain,500,proxy)
subdomains.extend(domains)
#print subdomains
'''
Threadlist = []
q_domains = Queue() #to recevie return values
q_emails = Queue()
useragent = random_useragent(allow_random_useragent)
if args.proxy != None:
proxy = args.proxy
proxy = {args.proxy.split(":")[0]: proxy}
elif default_proxies != None and (proxy_switch ==2 or proxy_switch==1): #config.py
proxy = default_proxies
try:
sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sk.settimeout(2)
ip = default_proxies['http'].split("/")[-2].split(":")[0]
port = default_proxies['http'].split("/")[-2].split(":")[1]
sk.connect((ip,int(port)))
sk.close
except:
print "\r\n[!!!]Proxy Test Failed,Please Check!\r\n"
proxy = {}
else:
proxy = {}
#doing zone transfer checking
zonetransfer(domain).check()
for engine in [Alexa, Chaxunla, CrtSearch, DNSdumpster, Googlect, Ilink, Netcraft, PassiveDNS, Pgpsearch, Sitedossier, ThreatCrowd, Threatminer]:
#print callsites_thread(engine,domain,proxy)
t = threading.Thread(target=callsites_thread, args=(engine, domain, q_domains, q_emails, proxy))
Threadlist.append(t)
for engine in [search_ask,search_baidu,search_bing,search_bing_api,search_dogpile,search_duckduckgo,search_exalead,search_fofa,search_google,search_google_cse,
search_shodan,search_so,search_yahoo,search_yandex]:
if proxy_switch == 1 and engine in proxy_default_enabled:
pass
else:
proxy ={}
t = threading.Thread(target=callengines_thread, args=(engine, domain, q_domains, q_emails, useragent, proxy, 500))
#t.setDaemon(True) #变成守护进程,独立于主进程。这里好像不需要
Threadlist.append(t)
#for t in Threadlist:
# print t
for t in Threadlist: # use start() not run()
t.start()
for t in Threadlist:
t.join() #主线程将等待这个线程,直到这个线程运行结束
while not q_domains.empty():
subdomains.append(q_domains.get())
emails = []
while not q_emails.empty():
emails.append(q_emails.get())
if enable_bruteforce:
print G+"[-] Starting bruteforce module now using subbrute.."+W
record_type = False
path_to_file = os.path.dirname(os.path.realpath(__file__))
subs = os.path.join(path_to_file, 'subbrute', 'names.txt')
resolvers = os.path.join(path_to_file, 'subbrute', 'resolvers.txt')
process_count = 10
output = False
json_output = False
bruteforce_list = subbrute.print_target(domain, record_type, subs, resolvers, process_count, output, json_output, subdomains)
subdomains.extend(bruteforce_list)
if subdomains is not None:
subdomains = sorted(list(set(subdomains)))
emails = sorted(list(set(emails)))
subdomains.extend(emails) #this function return value is NoneType ,can't use in function directly
#print type(subdomains)
#write_file(savefile, subdomains)
if ports:
print G+"[-] Start port scan now for the following ports: %s%s"%(Y,ports)+W
ports = ports.split(',') #list
pscan = portscan(subdomains,ports)
pscan.run()
else:
for subdomain in subdomains:
print G+subdomain+W
print "[+] {0} domains found in total".format(len(subdomains))
print "[+] {0} emails found in total".format(len(emails))
print "[+] Results saved to {0}".format(write_file(savefile, subdomains))
def main(domain, threads, savefile, ports, silent, verbose, enable_bruteforce,
engines, find_ip):
bruteforce_list = set()
search_list = set()
if is_windows:
subdomains_queue = list()
else:
subdomains_queue = multiprocessing.Manager().list()
# Check Bruteforce Status
if enable_bruteforce or enable_bruteforce is None:
enable_bruteforce = True
# Validate domain
domain_check = re.compile(
"^(http|https)?[a-zA-Z0-9]+([\-\.]{1}[a-zA-Z0-9]+)*\.[a-zA-Z]{2,}$")
if not domain_check.match(domain):
if not silent:
print(R + "Error: Please enter a valid domain" + W)
return []
if not domain.startswith('http://') or not domain.startswith('https://'):
domain = 'http://' + domain
parsed_domain = urlparse.urlparse(domain)
if not silent:
print(B +
"[-] Enumerating subdomains now for %s" % parsed_domain.netloc +
W)
if verbose and not silent:
print(
Y +
"[-] verbosity is enabled, will show the subdomains results in realtime"
+ W)
if savefile:
if os.path.isfile(savefile):
user_input = raw_input(
"{}[-] File exists!{} Do you want to overwrite file {}{}{}? [y/n] "
.format(R, W, Y, savefile, W))
if user_input.lower().startswith('y'):
os.remove(savefile)
else:
print(
"{}[-] Please re-run the script with different output file name{}"
.format(R, W))
sys.exit(1)
print("%s[-] Saving results to file: %s%s%s%s" %
(Y, W, R, savefile, W))
supported_engines = {
'baidu': BaiduEnum,
'yahoo': YahooEnum,
'google': GoogleEnum,
'bing': BingEnum,
'ask': AskEnum,
'netcraft': NetcraftEnum,
'dnsdumpster': DNSdumpster,
'virustotal': Virustotal,
'threatcrowd': ThreatCrowd,
'ssl': CrtSearch,
'passivedns': PassiveDNS
}
chosen_enums = []
if engines is None:
chosen_enums = [
BaiduEnum, YahooEnum, GoogleEnum, BingEnum, AskEnum, NetcraftEnum,
DNSdumpster, Virustotal, ThreatCrowd, CrtSearch, PassiveDNS
]
else:
engines = engines.split(',')
for engine in engines:
if engine.lower() in supported_engines:
chosen_enums.append(supported_engines[engine.lower()])
# Start the engines enumeration
enums = [
enum(domain, [], q=subdomains_queue, silent=silent, verbose=verbose)
for enum in chosen_enums
]
for enum in enums:
enum.start()
for enum in enums:
enum.join()
subdomains = set(subdomains_queue)
for subdomain in subdomains:
search_list.add(subdomain)
if enable_bruteforce:
if not silent:
print(G + "[-] Starting bruteforce module now using subbrute.." +
W)
record_type = False
path_to_file = os.path.dirname(os.path.realpath(__file__))
subs = os.path.join(path_to_file, 'subbrute', 'names.txt')
resolvers = os.path.join(path_to_file, 'subbrute', 'resolvers.txt')
process_count = threads
output = False
json_output = False
bruteforce_list = subbrute.print_target(parsed_domain.netloc,
record_type, subs, resolvers,
process_count, output,
json_output, search_list,
verbose)
subdomains = search_list.union(bruteforce_list)
if subdomains:
subdomains = sorted(subdomains, key=subdomain_sorting_key)
if not silent:
print(Y +
"[-] Total Unique Subdomains Found: %s" % len(subdomains) +
W)
if ports:
if not silent:
print(G +
"[-] Start port scan now for the following ports: %s%s" %
(Y, ports) + W)
ports = ports.split(',')
pscan = Portscan(subdomains, ports, savefile, find_ip)
pscan.run()
elif not silent:
for subdomain in subdomains:
if find_ip:
ip = get_host_by_name(subdomain)
print("{}{} ({}){}".format(G, subdomain, ip, W))
if savefile:
write_file(savefile, "{},{}".format(subdomain, ip))
else:
print("{}{}{}".format(G, subdomain, W))
if savefile:
write_file(savefile, "{},{}".format(subdomain, ip))
return subdomains
def main(domain, threads, savefile, ports, silent, verbose, enable_bruteforce, engines):
bruteforce_list = set()
search_list = set()
if is_windows:
subdomains_queue = list()
else:
subdomains_queue = multiprocessing.Manager().list()
# Check Bruteforce Status
if enable_bruteforce or enable_bruteforce is None:
enable_bruteforce = True
# Validate domain
domain_check = re.compile("^(http|https)?[a-zA-Z0-9]+([\-\.]{1}[a-zA-Z0-9]+)*\.[a-zA-Z]{2,}$")
if not domain_check.match(domain):
if not silent:
print(R + "Error: Please enter a valid domain" + W)
return []
if not domain.startswith('http://') or not domain.startswith('https://'):
domain = 'http://' + domain
parsed_domain = urlparse.urlparse(domain)
if not silent:
print(B + "[-] Enumerating subdomains now for %s" % parsed_domain.netloc + W)
if verbose and not silent:
print(Y + "[-] verbosity is enabled, will show the subdomains results in realtime" + W)
supported_engines = {'baidu': BaiduEnum,
'yahoo': YahooEnum,
'google': GoogleEnum,
'bing': BingEnum,
'ask': AskEnum,
'netcraft': NetcraftEnum,
'dnsdumpster': DNSdumpster,
'virustotal': Virustotal,
'threatcrowd': ThreatCrowd,
'ssl': CrtSearch,
'passivedns': PassiveDNS
}
chosenEnums = []
if engines is None:
chosenEnums = [
BaiduEnum, YahooEnum, GoogleEnum, BingEnum, AskEnum,
NetcraftEnum, DNSdumpster, Virustotal, ThreatCrowd,
CrtSearch, PassiveDNS
]
else:
engines = engines.split(',')
for engine in engines:
if engine.lower() in supported_engines:
chosenEnums.append(supported_engines[engine.lower()])
# Start the engines enumeration
enums = [enum(domain, [], q=subdomains_queue, silent=silent, verbose=verbose) for enum in chosenEnums]
for enum in enums:
enum.start()
for enum in enums:
enum.join()
subdomains = set(subdomains_queue)
for subdomain in subdomains:
search_list.add(subdomain)
if enable_bruteforce:
if not silent:
print(G + "[-] Starting bruteforce module now using subbrute.." + W)
record_type = False
path_to_file = os.path.dirname(os.path.realpath(__file__))
subs = os.path.join(path_to_file, 'subbrute', 'names.txt')
resolvers = os.path.join(path_to_file, 'subbrute', 'resolvers.txt')
process_count = threads
output = False
json_output = False
bruteforce_list = subbrute.print_target(parsed_domain.netloc, record_type, subs, resolvers, process_count, output, json_output, search_list, verbose)
subdomains = search_list.union(bruteforce_list)
if subdomains:
subdomains = sorted(subdomains, key=subdomain_sorting_key)
if savefile:
write_file(savefile, subdomains)
if not silent:
print(Y + "[-] Total Unique Subdomains Found: %s" % len(subdomains) + W)
if ports:
if not silent:
print(G + "[-] Start port scan now for the following ports: %s%s" % (Y, ports) + W)
ports = ports.split(',')
pscan = portscan(subdomains, ports)
pscan.run()
elif not silent:
for subdomain in subdomains:
print(G + subdomain + W)
return subdomains
def main(domain, threads, savefile, ports, silent, verbose, enable_bruteforce, engines):
bruteforce_list = set()
search_list = set()
if is_windows:
subdomains_queue = list()
else:
subdomains_queue = multiprocessing.Manager().list()
# Check Bruteforce Status
if enable_bruteforce or enable_bruteforce is None:
enable_bruteforce = True
# Validate domain
domain_check = re.compile("^(http|https)?[a-zA-Z0-9]+([\-\.]{1}[a-zA-Z0-9]+)*\.[a-zA-Z]{2,}$")
if not domain_check.match(domain):
if not silent:
print(R + "Error: Please enter a valid domain" + W)
return []
if not domain.startswith('http://') or not domain.startswith('https://'):
domain = 'http://' + domain
parsed_domain = urlparse.urlparse(domain)
if not silent:
# print(B + "[-] Enumerating subdomains now for %s" % parsed_domain.netloc + W)
print("Enumerating subdomains now..")
if verbose and not silent:
print(Y + "[-] verbosity is enabled, will show the subdomains results in realtime" + W)
supported_engines = {'baidu': BaiduEnum,
'yahoo': YahooEnum,
'google': GoogleEnum,
'bing': BingEnum,
'ask': AskEnum,
'netcraft': NetcraftEnum,
'dnsdumpster': DNSdumpster,
'virustotal': Virustotal,
'threatcrowd': ThreatCrowd,
'ssl': CrtSearch,
'passivedns': PassiveDNS
}
chosenEnums = []
if engines is None:
chosenEnums = [
BaiduEnum, YahooEnum, GoogleEnum, BingEnum, AskEnum,
NetcraftEnum, DNSdumpster, Virustotal, ThreatCrowd,
CrtSearch, PassiveDNS
]
else:
engines = engines.split(',')
for engine in engines:
if engine.lower() in supported_engines:
chosenEnums.append(supported_engines[engine.lower()])
# Start the engines enumeration
enums = [enum(domain, [], q=subdomains_queue, silent=silent, verbose=verbose) for enum in chosenEnums]
for enum in enums:
enum.start()
for enum in enums:
enum.join()
subdomains = set(subdomains_queue)
for subdomain in subdomains:
search_list.add(subdomain)
if enable_bruteforce:
if not silent:
print(G + "[-] Starting bruteforce module now using subbrute.." + W)
record_type = False
path_to_file = os.path.dirname(os.path.realpath(__file__))
subs = os.path.join(path_to_file, 'subbrute', 'names.txt')
resolvers = os.path.join(path_to_file, 'subbrute', 'resolvers.txt')
process_count = threads
output = False
json_output = False
bruteforce_list = subbrute.print_target(parsed_domain.netloc, record_type, subs, resolvers, process_count, output, json_output, search_list, verbose)
subdomains = search_list.union(bruteforce_list)
if subdomains:
subdomains = sorted(subdomains, key=subdomain_sorting_key)
if savefile:
write_file(savefile, subdomains)
if not silent:
print(Y + "[-] Total Unique Subdomains Found %s" % len(subdomains) + W)
if ports:
if not silent:
print(G + "[-] Start port scan now for the following ports: %s%s" % (Y, ports) + W)
ports = ports.split(',')
pscan = portscan(subdomains, ports)
pscan.run()
# elif not silent:
# # print(subdomains)
# for subdomain in subdomains:
# print(G + subdomain + W)
# return subdomains
elif not silent:
sub=""
for subdomain in subdomains:
sub+=subdomain + "\n"
#########################################Email module started#################################
MY_ADDRESS = '*****@*****.**' #CHANGE ME
PASSWORD = '******' #CHANGE ME
s = smtplib.SMTP(host='smtp.host.com', port=587) #CHANGE ME
# s.ehlo()
s.starttls()
# s.ehlo()
s.login(MY_ADDRESS, PASSWORD)
#The email address where you want to receive the results.
email="*****@*****.**" #CHANGE ME
msg = MIMEMultipart()
msg['From']=MY_ADDRESS
msg['To']=email
msg['Subject']="Subdomain results for:" + domain
# add in the message body
msg.attach(MIMEText(sub))
# send the message via the server set up earlier.
s.send_message(msg)
print("email sent successfully")
del msg
# Terminate the SMTP session and close the connection
s.quit()
def main():
args = parse_args()
domain = args.domain
#threads = args.threads
savefile = args.output
ports = args.ports
bruteforce_list = []
subdomains = []
if not savefile:
now = datetime.datetime.now()
timestr = now.strftime("%Y-%m-%d-%H-%M")
savefile = domain+timestr+".txt"
if args.proxy != None:
proxy = args.proxy
proxy = {args.proxy.split(":")[0]: proxy}
else:
proxy = proxies
#Check Verbosity
#global verbose
#verbose = args.verbose
#if verbose or verbose is None:
#verbose = True
#Check Bruteforce Status
enable_bruteforce = args.bruteforce
if enable_bruteforce or enable_bruteforce is None:
enable_bruteforce = True
#Validate domain
if not is_domain(domain):
print R+"Error: Please enter a valid domain"+W
sys.exit()
#Print the Banner
banner()
waring = "[!] legal disclaimer: Usage of Teemo for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program"
print waring
print B+"[-] Enumerating subdomains now for %s"% domain+W
'''
subdomains.extend(callsites(domain,proxy))
domains,emails = callengines(domain,500,proxy)
subdomains.extend(domains)
#print subdomains
'''
Threadlist = []
q_domains = queue.Queue() #to recevie return values
q_emails = queue.Queue()
for engine in [Alexa,Chaxunla,CrtSearch,DNSdumpster,Googlect,Ilink,Netcraft,PassiveDNS,Pgpsearch,Sitedossier,ThreatCrowd,Threatminer]:
#print callsites_thread(engine,domain,proxy)
t = threading.Thread(target=callsites_thread,args=(engine, domain, q_domains, q_emails, proxy))
Threadlist.append(t)
for engine in [baidu_search, ask_search, bing_search, dogpile_search, exalead_search, google_search, yandex_search, yahoo_search]:
t = threading.Thread(target=callengines_thread,args=(engine, domain, q_domains, q_emails, proxy, 500))
Threadlist.append(t)
#for t in Threadlist:
# print t
for t in Threadlist: # use start() not run()
t.start()
for t in Threadlist:
t.join()
while not q_domains.empty():
subdomains.append(q_domains.get())
emails = []
while not q_emails.empty():
emails.append(q_emails.get())
if enable_bruteforce:
print G+"[-] Starting bruteforce module now using subDomainsBrute.."+W
record_type = False
path_to_file = os.path.dirname(os.path.realpath(__file__))
subs = os.path.join(path_to_file, 'dict', 'names.txt')
resolvers = os.path.join(path_to_file, 'resolvers.txt')
process_count = 10
output = False
json_output = False
bruteforce_list = subbrute.print_target(domain, record_type, subs, resolvers, process_count, output, json_output, subdomains)
subdomains.extend(bruteforce_list)
if subdomains is not None:
subdomains = sorted(list(set(subdomains)))
emails = sorted(list(set(emails)))
subdomains.extend(emails) #this function return value is NoneType ,can't use in function directly
#print type(subdomains)
write_file(savefile, subdomains)
if ports:
print G+"[-] Start port scan now for the following ports: %s%s"%(Y,ports)+W
ports = ports.split(',') #list
pscan = portscan(subdomains,ports)
pscan.run()
else:
for subdomain in subdomains:
print G+subdomain+W
print "[+] {0} domains found in total".format(len(subdomains))
print "[+] {0} emails found in total".format(len(emails))
print "[+] Results saved to {0} in {1}".format(savefile,os.getcwd())
def main():
args = parse_args()
domain = args.domain
threads = args.threads
savefile = args.output
google_list = []
bing_list = []
baidu_list = []
bruteforce_list = set()
subdomains_queue = multiprocessing.Queue()
#Check Verbosity
global verbose
verbose = args.verbose
if verbose or verbose is None:
verbose = True
#Check Bruteforce Status
enable_bruteforce = args.bruteforce
if enable_bruteforce or enable_bruteforce is None:
enable_bruteforce = True
#Validate domain
domain_check = re.compile(
"^(http|https)?[a-zA-Z0-9]+([\-\.]{1}[a-zA-Z0-9]+)*\.[a-zA-Z]{2,}$")
if not domain_check.match(domain):
print R + "Error: Please enter a valid domain" + W
sys.exit()
if not domain.startswith('http://') or not domain.startswith('https://'):
domain = 'http://' + domain
#Print the Banner
banner()
parsed_domain = urlparse.urlparse(domain)
print B + "[-] Enumerating subdomains now for %s" % parsed_domain.netloc + W
if verbose:
print Y + "[-] verbosity is enabled, will show the subdomains results in realtime" + W
#Start the engines enumeration
enums = [
enum(domain, verbose, q=subdomains_queue) for enum in BaiduEnum,
YahooEnum, GoogleEnum, BingEnum, AskEnum, NetcraftEnum, DNSdumpster
]
for enum in enums:
enum.start()
for enum in enums:
enum.join()
search_list = set()
while not subdomains_queue.empty():
search_list = search_list.union(subdomains_queue.get())
if enable_bruteforce:
print G + "[-] Starting bruteforce module now using subbrute.." + W
record_type = False
path_to_file = os.path.dirname(os.path.realpath(__file__))
subs = os.path.join(path_to_file, 'subbrute', 'names.txt')
resolvers = os.path.join(path_to_file, 'subbrute', 'resolvers.txt')
process_count = threads
output = False
json_output = False
bruteforce_list = subbrute.print_target(parsed_domain.netloc,
record_type, subs, resolvers,
process_count, output,
json_output, search_list,
verbose)
subdomains = search_list.union(bruteforce_list)
if subdomains:
if savefile:
write_file(savefile, subdomains)
print Y + "[-] Total Unique Subdomains Found: %s" % len(subdomains) + W
subdomains = sorted(set(subdomains))
for subdomain in subdomains:
print G + subdomain + W
def main(domain, threads, savefile, ports, silent, verbose, enable_bruteforce):
bruteforce_list = set()
search_list = set()
if is_windows:
subdomains_queue = list()
else:
subdomains_queue = multiprocessing.Manager().list()
#Check Bruteforce Status
if enable_bruteforce or enable_bruteforce is None:
enable_bruteforce = True
#Validate domain
domain_check = re.compile("^(http|https)?[a-zA-Z0-9]+([\-\.]{1}[a-zA-Z0-9]+)*\.[a-zA-Z]{2,}$")
if not domain_check.match(domain):
if not silent: print(R+"Error: Please enter a valid domain"+W)
return []
if not domain.startswith('http://') or not domain.startswith('https://'):
domain = 'http://'+domain
parsed_domain = urlparse.urlparse(domain)
if not silent: print(B+"[-] Enumerating subdomains now for %s"%parsed_domain.netloc+W)
if verbose and not silent:
print(Y+"[-] verbosity is enabled, will show the subdomains results in realtime"+W)
#Start the engines enumeration
enums = [enum(domain, [], q=subdomains_queue, silent=silent, verbose=verbose) for enum in (BaiduEnum, YahooEnum, GoogleEnum, BingEnum, AskEnum, NetcraftEnum, DNSdumpster, Virustotal, ThreatCrowd, CrtSearch, PassiveDNS)]
for enum in enums:
enum.start()
for enum in enums:
enum.join()
subdomains = set(subdomains_queue)
for subdomain in subdomains:
search_list.add(subdomain)
if enable_bruteforce:
if not silent: print(G+"[-] Starting bruteforce module now using subbrute.."+W)
record_type = False
path_to_file = os.path.dirname(os.path.realpath(__file__))
subs = os.path.join(path_to_file, 'subbrute', 'names.txt')
resolvers = os.path.join(path_to_file, 'subbrute', 'resolvers.txt')
process_count = threads
output = False
json_output = False
bruteforce_list = subbrute.print_target(parsed_domain.netloc, record_type, subs, resolvers, process_count, output, json_output, search_list, verbose)
subdomains = search_list.union(bruteforce_list)
if subdomains:
subdomains = sorted(
subdomains,
key=functools.cmp_to_key(subdomain_cmp),
)
if savefile:
write_file(savefile, subdomains)
if not silent: print(Y+"[-] Total Unique Subdomains Found: %s"%len(subdomains)+W)
if ports:
if not silent: print(G+"[-] Start port scan now for the following ports: %s%s"%(Y,ports)+W)
ports = ports.split(',')
pscan = portscan(subdomains,ports)
pscan.run()
elif not silent:
for subdomain in subdomains:
print(G+subdomain+W)
return subdomains
def main(domain, threads, savefile, ports, silent, verbose, enable_bruteforce,
engines):
bruteforce_list = set()
search_list = set()
if is_windows:
subdomains_queue = list()
else:
subdomains_queue = multiprocessing.Manager().list()
# Check Bruteforce Status
if enable_bruteforce or enable_bruteforce is None:
enable_bruteforce = True
# Validate domain
domain_check = re.compile(
"^(http|https)?[a-zA-Z0-9]+([\-\.]{1}[a-zA-Z0-9]+)*\.[a-zA-Z]{2,}$")
if not domain_check.match(domain):
if not silent:
print(R + "Error: Please enter a valid domain" + W)
return []
if not domain.startswith('http://') or not domain.startswith('https://'):
domain = 'http://' + domain
parsed_domain = urlparse.urlparse(domain)
if not silent:
print(B +
"[-] Enumerating subdomains now for %s" % parsed_domain.netloc +
W)
if verbose and not silent:
print(
Y +
"[-] verbosity is enabled, will show the subdomains results in realtime"
+ W)
supported_engines = {
'baidu': BaiduEnum,
'yahoo': YahooEnum,
'google': GoogleEnum,
'bing': BingEnum,
'ask': AskEnum,
'netcraft': NetcraftEnum,
'dnsdumpster': DNSdumpster,
'virustotal': Virustotal,
'threatcrowd': ThreatCrowd,
'ssl': CrtSearch,
'passivedns': PassiveDNS
}
chosenEnums = []
if engines is None:
chosenEnums = [
BaiduEnum, YahooEnum, GoogleEnum, BingEnum, AskEnum, NetcraftEnum,
DNSdumpster, Virustotal, ThreatCrowd, CrtSearch, PassiveDNS
]
else:
engines = engines.split(',')
for engine in engines:
if engine.lower() in supported_engines:
chosenEnums.append(supported_engines[engine.lower()])
# Start the engines enumeration
enums = [
enum(domain, [], q=subdomains_queue, silent=silent, verbose=verbose)
for enum in chosenEnums
]
for enum in enums:
enum.start()
for enum in enums:
enum.join()
subdomains = set(subdomains_queue)
for subdomain in subdomains:
search_list.add(subdomain)
if enable_bruteforce:
if not silent:
print(G + "[-] Starting bruteforce module now using subbrute.." +
W)
record_type = False
path_to_file = os.path.dirname(os.path.realpath(__file__))
subs = os.path.join(path_to_file, 'subbrute', 'names.txt')
resolvers = os.path.join(path_to_file, 'subbrute', 'resolvers.txt')
process_count = threads
output = False
json_output = False
bruteforce_list = subbrute.print_target(parsed_domain.netloc,
record_type, subs, resolvers,
process_count, output,
json_output, search_list,
verbose)
subdomains = search_list.union(bruteforce_list)
if subdomains:
subdomains = sorted(
subdomains,
key=functools.cmp_to_key(subdomain_cmp),
)
if savefile:
write_file(savefile, subdomains)
if not silent:
print(Y +
"[-] Total Unique Subdomains Found: %s" % len(subdomains) +
W)
if ports:
if not silent:
print(G +
"[-] Start port scan now for the following ports: %s%s" %
(Y, ports) + W)
ports = ports.split(',')
pscan = portscan(subdomains, ports)
pscan.run()
elif not silent:
table = Texttable()
table.set_deco(Texttable.HEADER)
for subdomain in subdomains:
try:
geo = geolite2.lookup(socket.gethostbyname(subdomain))
if geo:
table.add_rows(
[["Subdomain", "IP Address", "Location"],
[
subdomain,
socket.gethostbyname(subdomain),
str(geo.country) + " - " + str(geo.location)
]])
else:
table.add_rows(
[["Subdomain", "IP Address", "Location"],
[subdomain,
socket.gethostbyname(subdomain), "-"]])
except socket.gaierror:
table.add_rows([["Subdomain", "IP Address", "Location"],
[subdomain, "-", "-"]])
print(G + table.draw() + W)
return subdomains
def scan(self):
bruteforce_list = set()
search_list = set()
if is_windows:
subdomains_queue = list()
else:
subdomains_queue = multiprocessing.Manager().list()
# Check Bruteforce Status
# if self.scan_flags.BruteForce or self.scan_flags.BruteForce is None:
# self.scan_flags.BruteForce = True
# Check Takeover Status
# if self.scan_flags.TakeoverCheck or self.scan_flags.TakeoverCheck is None:
# self.scan_flags.TakeoverCheck = True
# Validate domain
domain_check = re.compile(
"^(http|https)?[a-zA-Z0-9]+([\-.][a-zA-Z0-9]+)*\.[a-zA-Z]{2,}$")
if not domain_check.match(self.domain):
if not self.scan_flags.Silent:
print(self.logger.R + "Error: Please enter a valid domain" +
self.logger.W)
return []
if not self.domain.startswith(
'http://') and not self.domain.startswith('https://'):
self.domain = 'http://' + self.domain
parsed_domain = urlparse.urlparse(self.domain)
if not self.scan_flags.Silent:
print(self.logger.B + "[-] Enumerating subdomains now for %s" %
parsed_domain.netloc + self.logger.W)
if self.scan_flags.Verbose and not self.scan_flags.Silent:
print(
self.logger.Y +
"[-] verbosity is enabled, will show the subdomains results in realtime"
+ self.logger.W)
chosenEnums = []
if self.scan_flags.Engines is None:
chosenEnums = Engines.supported_engines.values()
else:
engines = self.scan_flags.Engines.split(',')
for engine in engines:
if engine.lower() in Engines.supported_engines:
chosenEnums.append(
Engines.supported_engines[engine.lower()])
# Start the engines enumeration
enums = [
enum(self.domain, [],
q=subdomains_queue,
silent=self.scan_flags.Silent,
logger=self.logger) for enum in chosenEnums
]
for e in enums:
e.start()
for e in enums:
e.join()
subdomains = set(subdomains_queue)
for subdomain in subdomains:
search_list.add(subdomain)
if self.scan_flags.BruteForce:
if not self.scan_flags.Silent:
print(self.logger.G +
"[-] Starting bruteforce module now using subbrute.." +
self.logger.W)
record_type = False
path_to_file = os.path.dirname(os.path.realpath(__file__))
subs = os.path.join(path_to_file, 'subbrute', 'names.txt')
resolvers = os.path.join(path_to_file, 'subbrute', 'resolvers.txt')
process_count = self.scan_flags.ThreadCount
output = False
json_output = False
bruteforce_list = subbrute.print_target(parsed_domain.netloc,
record_type, subs,
resolvers, process_count,
output, json_output,
search_list,
self.scan_flags.Verbose)
subdomains = search_list.union(bruteforce_list)
if subdomains:
subdomains = sorted(subdomains, key=Util.subdomain_sorting_key)
if self.scan_flags.SaveFile:
print("%s[-] Saving results to file: %s%s%s%s" %
(self.logger.Y, self.logger.W, self.logger.R,
self.scan_flags.SaveFile, self.logger.W))
Util.write_file(self.scan_flags.SaveFile, subdomains)
if not self.scan_flags.Silent:
print(self.logger.Y + "[-] Total Unique Subdomains Found: %s" %
len(subdomains) + self.logger.W)
if self.scan_flags.TakeoverCheck:
print(
self.logger.G +
"[-] Checking for subdomains pointing to unregistered services"
+ self.logger.W)
for subdomain in subdomains:
if self.scan_flags.Verbose:
print(self.logger.G + "[-] Checking " + subdomain +
self.logger.W)
services = Util.get_url_signatures("http://" + subdomain)
if len(services) > 0:
for service in services:
print(self.logger.Y +
"[-] Found unregistered service \"" +
service + "\" on subdomain " + subdomain +
self.logger.W)
if self.scan_flags.Ports:
if not self.scan_flags.Silent:
print(
self.logger.G +
"[-] Starting port scan for the following ports: %s%s" %
(self.logger.Y, self.scan_flags.Ports) + self.logger.W)
ports = self.scan_flags.Ports.split(',')
pscan = PortScanner(subdomains, ports, self.logger)
pscan.run()
elif not self.scan_flags.Silent:
for subdomain in subdomains:
print(self.logger.G + subdomain + self.logger.W)
return subdomains
def main():
args = parse_args()
domain = args.domain
threads = args.threads
savefile = args.output
resolve = args.resolve
resolvedfile = args.rsave
ports = args.ports
google_list = []
bing_list = []
baidu_list = []
bruteforce_list = set()
search_list = set()
if is_windows:
subdomains_queue = list()
else:
subdomains_queue = multiprocessing.Manager().list()
#Check Verbosity
global verbose
verbose = args.verbose
if verbose or verbose is None:
verbose = True
#Check Bruteforce Status
enable_bruteforce = args.bruteforce
if enable_bruteforce or enable_bruteforce is None:
enable_bruteforce = True
#Validate domain
domain_check = re.compile("^(http|https)?[a-zA-Z0-9]+([\-\.]{1}[a-zA-Z0-9]+)*\.[a-zA-Z]{2,}$")
if not domain_check.match(domain):
print R+"Error: Please enter a valid domain"+W
sys.exit()
if not domain.startswith('http://') or not domain.startswith('https://'):
domain = 'http://'+domain
#Print the Banner
banner()
parsed_domain = urlparse.urlparse(domain)
print B+"[-] Enumerating subdomains now for %s"%parsed_domain.netloc+W
if verbose:
print Y+"[-] verbosity is enabled, will show the subdomains results in realtime"+W
#Start the engines enumeration
enums = [enum(domain, verbose, q=subdomains_queue) for enum in BaiduEnum, YahooEnum, GoogleEnum, BingEnum, AskEnum, NetcraftEnum, DNSdumpster, Virustotal, ThreatCrowd, CrtSearch, PassiveDNS]
for enum in enums:
enum.start()
for enum in enums:
enum.join()
subdomains = set(subdomains_queue)
for subdomain in subdomains:
search_list.add(subdomain)
if enable_bruteforce:
print G+"[-] Starting bruteforce module now using subbrute.."+W
record_type = False
path_to_file = os.path.dirname(os.path.realpath(__file__))
subs = os.path.join(path_to_file, 'subbrute', 'names.txt')
resolvers = os.path.join(path_to_file, 'subbrute', 'resolvers.txt')
process_count = threads
output = False
json_output = False
bruteforce_list = subbrute.print_target(parsed_domain.netloc, record_type, subs, resolvers, process_count, output, json_output, search_list, verbose)
subdomains = search_list.union(bruteforce_list)
if subdomains:
subdomains = sorted(subdomains)
if savefile:
write_file(savefile, subdomains)
if resolvedfile:
write_ipfile(resolvedfile, subdomains)
if resolve:
for subdomain in subdomains:
try:
print G+subdomain+" with the IP address of: "+socket.gethostbyname(subdomain)+""+W
except:
print G+subdomain+" could not be resolved. Maybe a private hostname."+W
print Y+"[-] Total Unique Subdomains Found: %s"%len(subdomains)+W
if ports:
print G+"[-] Start port scan now for the following ports: %s%s"%(Y,ports)+W
ports = ports.split(',')
pscan = portscan(subdomains,ports)
pscan.run()
else:
for subdomain in subdomains:
print G+subdomain+W
def main(domain, threads, savefile, ports, silent, verbose, enable_bruteforce,
engines):
bruteforce_list = set()
search_list = set()
if is_windows:
subdomains_queue = list()
else:
subdomains_queue = multiprocessing.Manager().list()
# Check Bruteforce Status
if enable_bruteforce or enable_bruteforce is None:
enable_bruteforce = True
# Validate domain
domain_check = re.compile(
"^(http|https)?[a-zA-Z0-9]+([\-\.]{1}[a-zA-Z0-9]+)*\.[a-zA-Z]{2,}$")
if not domain_check.match(domain):
if not silent:
print(R + "Error: Please enter a valid domain" + W)
return []
if not domain.startswith('http://') or not domain.startswith('https://'):
domain = 'http://' + domain
parsed_domain = urlparse.urlparse(domain)
if not silent:
api = 'http://ip-api.com/json/'
print(B +
"[-] Enumerating subdomains now for %s" % parsed_domain.netloc +
W)
print("Ip address for %s" % parsed_domain.netloc + R)
response_text = requests.get(api + parsed_domain.netloc).text
response_json = json.loads(response_text)
if response_json.get('status') == "success":
print("Request Successful Displaying Response:\n")
else:
print("[!] The Request Failed. Try again with a different IP "
"or check your internet connection. [!]")
exit(1)
print("IP: {query}".format(**response_json))
print("ISP/Server: {isp}\n".format(**response_json))
print("Location: {city}, {regionName} {country} {zip}".format(
**response_json))
details = requests.get("https://www." + parsed_domain.netloc)
print(details.headers)
if verbose and not silent:
print(
Y +
"[-] verbosity is enabled, will show the subdomains results in realtime"
+ W)
supported_engines = {
'baidu': BaiduEnum,
'yahoo': YahooEnum,
'google': GoogleEnum,
'bing': BingEnum,
'ask': AskEnum,
'netcraft': NetcraftEnum,
'dnsdumpster': DNSdumpster,
'virustotal': Virustotal,
'threatcrowd': ThreatCrowd,
'ssl': CrtSearch,
'passivedns': PassiveDNS
}
chosenEnums = []
if engines is None:
chosenEnums = [
BaiduEnum, YahooEnum, GoogleEnum, BingEnum, AskEnum, NetcraftEnum,
DNSdumpster, Virustotal, ThreatCrowd, CrtSearch, PassiveDNS
]
else:
engines = engines.split(',')
for engine in engines:
if engine.lower() in supported_engines:
chosenEnums.append(supported_engines[engine.lower()])
# Start the engines enumeration
enums = [
enum(domain, [], q=subdomains_queue, silent=silent, verbose=verbose)
for enum in chosenEnums
]
for enum in enums:
enum.start()
for enum in enums:
enum.join()
subdomains = set(subdomains_queue)
for subdomain in subdomains:
search_list.add(subdomain)
if enable_bruteforce:
if not silent:
print(G + "[-] Starting bruteforce module now using subbrute.." +
W)
record_type = False
path_to_file = os.path.dirname(os.path.realpath(__file__))
subs = os.path.join(path_to_file, 'subbrute', 'names.txt')
resolvers = os.path.join(path_to_file, 'subbrute', 'resolvers.txt')
process_count = threads
output = False
json_output = False
bruteforce_list = subbrute.print_target(parsed_domain.netloc,
record_type, subs, resolvers,
process_count, output,
json_output, search_list,
verbose)
subdomains = search_list.union(bruteforce_list)
if subdomains:
subdomains = sorted(subdomains, key=subdomain_sorting_key)
if savefile:
write_file(savefile, subdomains)
if not silent:
print(Y +
"[-] Total Unique Subdomains Found: %s" % len(subdomains) +
W)
if ports:
if not silent:
print(G +
"[-] Start port scan now for the following ports: %s%s" %
(Y, ports) + W)
ports = ports.split(',')
pscan = portscan(subdomains, ports)
pscan.run()
elif not silent:
for subdomain in subdomains:
print(G + subdomain + W)
return subdomains
def main():
args = parse_args()
domain = args.domain
#threads = args.threads
savefile = args.output
ports = args.ports
bruteforce_list = []
subdomains = []
if args.proxy != None:
proxy = args.proxy
proxy = {args.proxy.split(":")[0]: proxy}
else:
proxy = proxies
#Check Verbosity
#global verbose
#verbose = args.verbose
#if verbose or verbose is None:
#verbose = True
#Check Bruteforce Status
enable_bruteforce = args.bruteforce
if enable_bruteforce or enable_bruteforce is None:
enable_bruteforce = True
#Validate domain
if not is_domain(domain):
print R + "Error: Please enter a valid domain" + W
sys.exit()
#Print the Banner
banner()
print B + "[-] Enumerating subdomains now for %s" % domain + W
'''
subdomains.extend(callsites(domain,proxy))
domains,emails = callengines(domain,500,proxy)
subdomains.extend(domains)
#print subdomains
'''
Threadlist = []
q_domains = queue.Queue() #to recevie return values
q_emails = queue.Queue()
for engine in [
Alexa, Chaxunla, CrtSearch, DNSdumpster, Googlect, Ilink, Netcraft,
PassiveDNS, Pgpsearch, Sitedossier, ThreatCrowd, Threatminer
]:
#print callsites_thread(engine,domain,proxy)
t = threading.Thread(target=callsites_thread,
args=(engine, domain, q_domains, q_emails, proxy))
Threadlist.append(t)
for engine in [
baidu_search, ask_search, bing_search, dogpile_search,
exalead_search, google_search, yandex_search, yahoo_search
]:
t = threading.Thread(target=callengines_thread,
args=(engine, domain, q_domains, q_emails, proxy,
500))
Threadlist.append(t)
#for t in Threadlist:
# print t
for t in Threadlist: # use start() not run()
t.start()
for t in Threadlist:
t.join()
while not q_domains.empty():
subdomains.append(q_domains.get())
emails = []
while not q_emails.empty():
emails.append(q_emails.get())
if enable_bruteforce:
print G + "[-] Starting bruteforce module now using subDomainsBrute.." + W
record_type = False
path_to_file = os.path.dirname(os.path.realpath(__file__))
subs = os.path.join(path_to_file, 'dict', 'names.txt')
resolvers = os.path.join(path_to_file, 'resolvers.txt')
process_count = 10
output = False
json_output = False
bruteforce_list = subbrute.print_target(domain, record_type, subs,
resolvers, process_count,
output, json_output,
subdomains)
subdomains.extend(bruteforce_list)
print subdomains
print len(subdomains)
print "[+] {0} domains found in total".format(len(subdomains))
print "[+] {0} emails found in total".format(len(emails))
if subdomains is not None:
subdomains = sorted(list(set(subdomains)))
emails = sorted(list(set(emails)))
subdomains.extend(
emails
) #this function return value is NoneType ,can't use in function directly
#print type(subdomains)
if savefile:
write_file(savefile, subdomains)
else:
write_file(domain, subdomains)
if ports:
print G + "[-] Start port scan now for the following ports: %s%s" % (
Y, ports) + W
ports = ports.split(',') #list
pscan = portscan(subdomains, ports)
pscan.run()
else:
for subdomain in subdomains:
print G + subdomain + W
def main(domain,
threads,
savefile,
ports,
silent=False,
verbose=False,
enable_bruteforce=False,
enable_rdns=True,
enable_ranges=False,
engines=None):
bruteforce_list = set()
search_list = set()
if is_windows:
subdomains_queue = list()
else:
subdomains_queue = multiprocessing.Manager().list()
# Check Bruteforce Status
if enable_bruteforce or enable_bruteforce is None:
enable_bruteforce = True
# Validate domain
domain_check = re.compile(
"^(http|https)?[a-zA-Z0-9]+([\-\.]{1}[a-zA-Z0-9]+)*\.[a-zA-Z]{2,}$")
if not domain_check.match(domain):
if not silent:
print(R + "Error: Please enter a valid domain" + W)
return []
if not domain.startswith('http://') or not domain.startswith('https://'):
domain = 'http://' + domain
parsed_domain = urlparse.urlparse(domain)
if not silent:
print(B +
"[-] Enumerating subdomains now for %s" % parsed_domain.netloc +
W)
if verbose and not silent:
print(
Y +
"[-] verbosity is enabled, will show the subdomains results in realtime"
+ W)
supported_engines = {
'baidu': BaiduEnum,
'yahoo': YahooEnum,
'google': GoogleEnum,
'bing': BingEnum,
'ask': AskEnum,
'netcraft': NetcraftEnum,
'dnsdumpster': DNSdumpster,
'virustotal': Virustotal,
'threatcrowd': ThreatCrowd,
'ssl': CrtSearch,
'passivedns': PassiveDNS
}
chosenEnums = []
if engines is None:
chosenEnums = [
BaiduEnum, YahooEnum, GoogleEnum, BingEnum, AskEnum, NetcraftEnum,
DNSdumpster, Virustotal, ThreatCrowd, CrtSearch, PassiveDNS
]
else:
engines = engines.split(',')
for engine in engines:
if engine.lower() in supported_engines:
chosenEnums.append(supported_engines[engine.lower()])
# Start the engines enumeration
enums = [
enum(domain, [], q=subdomains_queue, silent=silent, verbose=verbose)
for enum in chosenEnums
]
for enum in enums:
enum.start()
for enum in enums:
enum.join()
subdomains = set(subdomains_queue)
for subdomain in subdomains:
search_list.add(subdomain)
if enable_bruteforce:
if not silent:
print(G + "[-] Starting bruteforce module now using subbrute.." +
W)
record_type = False
path_to_file = os.path.dirname(os.path.realpath(__file__))
subs = os.path.join(path_to_file, 'subbrute', 'names.txt')
resolvers = os.path.join(path_to_file, 'subbrute', 'resolvers.txt')
process_count = threads
output = False
json_output = False
bruteforce_list = subbrute.print_target(parsed_domain.netloc,
record_type, subs, resolvers,
process_count, output,
json_output, search_list,
verbose)
subdomains = search_list.union(bruteforce_list)
if enable_rdns:
if not silent:
print(G + "[-] Starting RDNS module now.." + W)
rdns_subdomains, rdns_ips = recurse_rdns(subdomains)
print(G + "[-] RDNS finds:" + W)
for domain in rdns_subdomains - subdomains:
print(G + ' - ' + domain + W)
subdomains |= rdns_subdomains
if subdomains:
subdomains = sorted(subdomains, key=subdomain_sorting_key)
if savefile:
write_file(savefile, subdomains)
if not silent:
print(Y +
"[-] Total Unique Subdomains Found: %s" % len(subdomains) +
W)
if ports:
if not silent:
print(G +
"[-] Start port scan now for the following ports: %s%s" %
(Y, ports) + W)
ports = ports.split(',')
pscan = portscan(subdomains, ports)
pscan.run()
elif not silent:
for subdomain in subdomains:
print(G + subdomain + W)
if enable_ranges:
print(G + "[-] Starting ranges module now.." + W)
ranges = get_ranges(subdomains)
by_cidr = {}
for subdomain, results in ranges.items():
for result in results:
asn_cidr = result['asn_cidr']
ip = result['ip']
if asn_cidr not in by_cidr:
by_cidr[asn_cidr] = result
by_cidr[asn_cidr]['hosts'] = []
by_cidr[asn_cidr]['hosts'].append((subdomain, ip))
for asn_cidr, result in by_cidr.items():
name = result['network_name']
cidr = result['network_cidr']
asn_desc = result['asn_description']
hosts = result['hosts']
print(G + '=== {} ==='.format(asn_cidr) + W)
print(G + 'ASN description: {}'.format(asn_desc) + W)
print(G + 'Network name: {}'.format(name) + W)
if cidr == asn_cidr:
note = ' (same as ASN)'
else:
note = ''
print(G + 'Network cidr: {}{}'.format(cidr, note) + W)
print(G + 'Hosts:' + W)
for subdomain, ip in hosts:
print(G + ' - {}\t{}'.format(subdomain, ip) + W)
print()
return subdomains
def main():
args = parse_args()
domain = args.domain
#threads = args.threads
savefile = args.output
ports = args.ports
bruteforce_list = []
subdomains = []
if args.proxy != None:
proxy = args.proxy
proxy = {args.proxy.split(":")[0]: proxy}
else:
proxy = proxies
#Check Verbosity
#global verbose
#verbose = args.verbose
#if verbose or verbose is None:
#verbose = True
#Check Bruteforce Status
enable_bruteforce = args.bruteforce
if enable_bruteforce or enable_bruteforce is None:
enable_bruteforce = True
#Validate domain
if not is_domain(domain):
print R+"Error: Please enter a valid domain"+W
sys.exit()
#Print the Banner
banner()
print B+"[-] Enumerating subdomains now for %s"% domain+W
subdomains.extend(callsites(domain,proxy))
domains,emails = callengines(domain,500,proxy)
subdomains.extend(domains)
#print subdomains
if enable_bruteforce:
print G+"[-] Starting bruteforce module now using subDomainsBrute.."+W
record_type = False
path_to_file = os.path.dirname(os.path.realpath(__file__))
subs = os.path.join(path_to_file, 'dict', 'names.txt')
resolvers = os.path.join(path_to_file, 'resolvers.txt')
process_count = 10
output = False
json_output = False
bruteforce_list = subbrute.print_target(domain, record_type, subs, resolvers, process_count, output, json_output, subdomains)
subdomains.extend(bruteforce_list)
print subdomains
print len(subdomains)
print "[+] {0} domains found in total".format(len(subdomains))
print "[+] {0} emails found in total".format(len(emails))
if subdomains is not None:
subdomains = sorted(subdomains)
emails = sorted(emails)
subdomains.extend(emails) #this function return value is NoneType ,can't use in function directly
#print type(subdomains)
if savefile:
write_file(savefile, subdomains)
else:
write_file(domain, subdomains)
if ports:
print G+"[-] Start port scan now for the following ports: %s%s"%(Y,ports)+W
ports = ports.split(',') #list
pscan = portscan(subdomains,ports)
pscan.run()
else:
for subdomain in subdomains:
print G+subdomain+W
