def init(self):
if self.options["FILE"]:
full_path = os.path.join(os.getcwd(), self.options["FILE"])
with open(full_path) as file:
self.options["TARGET"] = list(
filter(None,
file.read().split('\n')))
else:
self.options["TARGET"] = list(
filter(None, self.options["TARGET"].split(",")))
# Clean up targets
for i in range(len(self.options["TARGET"])):
url = self.options["TARGET"][i]
# Inject protocol if not there
if not re.match(r'http(s?):', url):
url = 'http://' + url
parsed = urlsplit(url)
host = parsed.netloc
self.options["TARGET"][i] = host
try:
domain_str = socket.gethostbyname(host)
ColorPrint.green(
f"Searching for subdomains for {domain_str} ({host})")
except Exception as e:
self.handle_exception(
e,
"Error connecting to target! Make sure you spelled it correctly and it is a resolvable address"
)
raise e
def init(self):
self.options["TARGET"] = self.options["TARGET"].split(",")
for i in range(len(self.options["TARGET"])):
url = self.options["TARGET"][i]
if not re.match(r'http(s?):', url):
url = 'http://' + url
parsed = urlsplit(url)
host = parsed.netloc
if host.startswith('www.'):
host = host[4:]
self.options["TARGET"][i] = host
try:
ColorPrint.green(
"Searching for subdomains for " +
socket.gethostbyname(self.options["TARGET"][i]) + " (" +
self.options["TARGET"][i] + ")")
except Exception as e:
self.handle_exception(
e,
"Error connecting to target! Make sure you spelled it correctly and it is a resolvable address"
)
raise e
print("")
def test_color_print(self):
ColorPrint.red("red")
self.assertIn("91m", sys.stdout.getvalue())
ColorPrint.green("green")
self.assertIn("92m", sys.stdout.getvalue())
ColorPrint.light_purple("light_purple")
self.assertIn("94m", sys.stdout.getvalue())
ColorPrint.purple("purple")
self.assertIn("95m", sys.stdout.getvalue())
ColorPrint.yellow("yellow")
self.assertIn("93m", sys.stdout.getvalue())
def resolve_ips(self):
unique_ips = set()
for domain in self.dedupe:
try:
resolved_ip = socket.gethostbyname(domain)
# TODO - Align domains and ips in stdout
ColorPrint.green(domain + ": " + resolved_ip)
unique_ips.add(resolved_ip)
except Exception as e:
self.handle_exception(e)
print("Found %s unique IPs" % len(unique_ips))
for ip in unique_ips:
ColorPrint.green(ip)
def resolve_ips(self):
unique_ips = set()
for domain in self.dedupe:
try:
# Attempt to get IP
resolved_ip = socket.gethostbyname(domain)
except Exception as e:
self.handle_exception(e)
# If getting IP fails, fallback to empty string
resolved_ip = ""
# TODO - Align domains and ips in stdout
ColorPrint.green(domain + ": " + resolved_ip)
unique_ips.add(resolved_ip)
print("Found %s unique IPs" % len(unique_ips))
for ip in unique_ips:
# String truthiness ignores empty strings
if ip:
ColorPrint.green(ip)
def resolve_ips(self):
unique_ips = set()
for domain in self.dedupe:
try:
# Attempt to get IP
resolved_ip = socket.gethostbyname(domain)
except Exception as e:
self.handle_exception(e)
# If getting IP fails, fallback to empty string
resolved_ip = ""
# TODO - Align domains and ips in stdout
ColorPrint.green(domain + ": " + resolved_ip)
if self.options['--silent']:
sys.stdout.write(domain + '\n', override=True)
if resolved_ip:
unique_ips.add(resolved_ip)
print("Found %s unique IPs" % len(unique_ips))
for ip in unique_ips:
# Ignore empty strings, final sanity check
if ip:
ColorPrint.green(ip)
def run(self):
# Retrieve IP of target and run initial configurations
self.init()
# If multiple targets, create scans for each
for i in range(len(self.options["TARGET"])):
# Default scans that run every time
target = self.options["TARGET"][i]
ColorPrint.green(f"Working on target: {target}")
threads = [
threading.Thread(target=dns_zonetransfer, args=(self, target)),
threading.Thread(target=subdomain_hackertarget,
args=(self, target)),
threading.Thread(target=search_subject_alt_name,
args=(self, target)),
threading.Thread(target=search_netcraft, args=(self, target)),
threading.Thread(target=search_crtsh, args=(self, target)),
threading.Thread(target=search_dnsdumpster,
args=(self, target)),
threading.Thread(target=search_anubisdb, args=(self, target))
]
# Additional options - shodan.io scan
if self.options["--additional-info"]:
threads.append(
threading.Thread(target=search_shodan, args=(self, )))
# Additional options - nmap scan of dnssec script and a host/port scan
if self.options["--with-nmap"]:
threads.append(
threading.Thread(target=dnssecc_subdomain_enum,
args=(self, target)))
threads.append(
threading.Thread(target=scan_host, args=(self, )))
# Start all threads and wait for them to finish
for x in threads:
x.start()
for x in threads:
x.join()
# Run a recursive search on each subdomain - rarely useful, but nice to have
# just in case
if self.options["--recursive"]:
recursive_search(self)
# remove duplicates and clean up
self.domains = self.clean_domains(self.domains)
self.dedupe = set(self.domains)
print("Found", len(self.dedupe), "subdomains")
print("----------------")
if self.options["--ip"]:
self.resolve_ips()
else:
for domain in self.dedupe:
cleaned_domain = domain.strip()
ColorPrint.green(cleaned_domain)
if self.options['--silent']:
sys.stdout.write(cleaned_domain, override=True)
if self.options["--send-to-anubis-db"]:
send_to_anubisdb(self, [target])
# reset per domain
self.domains = list()
def run(self):
# Retrieve IP of target and run initial configurations
self.init()
ColorPrint.green("Searching for subdomains for " + self.ip + " (" +
self.options["TARGET"] + ")\n")
# Default scans that run every time
threads = [
Thread(target=dns_zonetransfer(self, self.options["TARGET"])),
Thread(
target=search_subject_alt_name(self, self.options["TARGET"])),
Thread(
target=subdomain_hackertarget(self, self.options["TARGET"])),
Thread(target=search_virustotal(self, self.options["TARGET"])),
Thread(target=search_pkey(self, self.options["TARGET"])),
Thread(target=search_netcraft(self, self.options["TARGET"])),
Thread(target=search_crtsh(self, self.options["TARGET"])),
Thread(target=search_dnsdumpster(self, self.options["TARGET"])),
Thread(target=search_anubisdb(self, self.options["TARGET"]))
]
# Additional options - ssl cert scan
if self.options["--ssl"]:
threads.append(
Thread(target=ssl_scan(self, self.options["TARGET"])))
# Additional options - shodan.io scan
if self.options["--additional-info"]:
threads.append(Thread(target=search_shodan(self)))
# Additional options - nmap scan of dnssec script and a host/port scan
if self.options["--with-nmap"]:
threads.append(
Thread(target=dnssecc_subdomain_enum(self,
self.options["TARGET"])))
threads.append(Thread(target=scan_host(self)))
# Additional options - brute force common subdomains
if self.options["--brute-force"]:
threads.append(
Thread(target=brute_force(self, self.options["TARGET"])))
# Start all threads
for x in threads:
x.start()
# Wait for all of them to finish
for x in threads:
x.join()
# remove duplicates and clean up
if self.options["--recursive"]:
self.recursive_search()
self.domains = self.clean_domains(self.domains)
self.dedupe = set(self.domains)
print("Found", len(self.dedupe), "subdomains")
print("----------------")
if self.options["--ip"]:
self.resolve_ips()
else:
for domain in self.dedupe:
ColorPrint.green(domain.strip())
if not self.options["--no-anubis-db"]:
send_to_anubisdb(self, self.options["TARGET"])
def run(self):
# Retrieve IP of target and run initial configurations
self.init()
# If multiple targets, create scans for each
for i in range(len(self.options["TARGET"])):
# Default scans that run every time
target = self.options["TARGET"][i]
threads = [
threading.Thread(target=dns_zonetransfer, args=(self, target)),
threading.Thread(target=subdomain_hackertarget,
args=(self, target)),
threading.Thread(target=search_subject_alt_name,
args=(self, target)),
threading.Thread(target=search_virustotal,
args=(self, target)),
# threading.Thread(target=search_pkey, args=(self, target)),
# Removed pkey as of June 18 2018 due to issues on their end (not connecting)
threading.Thread(target=search_netcraft, args=(self, target)),
threading.Thread(target=search_crtsh, args=(self, target)),
threading.Thread(target=search_dnsdumpster,
args=(self, target)),
threading.Thread(target=search_anubisdb, args=(self, target))
]
# Additional options - shodan.io scan
if self.options["--additional-info"]:
threads.append(
threading.Thread(target=search_shodan, args=(self, )))
# Additional options - ssl
if self.options["--ssl"]:
threads.append(
threading.Thread(target=ssl_scan, args=(self, target)))
# Additional options - nmap scan of dnssec script and a host/port scan
if self.options["--with-nmap"]:
threads.append(
threading.Thread(target=dnssecc_subdomain_enum,
args=(self, target)))
threads.append(
threading.Thread(target=scan_host, args=(self, )))
# Start all threads and wait for them to finish
for x in threads:
x.start()
for x in threads:
x.join()
# Run a recursive search on each subdomain - rarely useful, but nice to have
# just in case
if self.options["--recursive"]:
recursive_search(self)
# remove duplicates and clean up
self.domains = self.clean_domains(self.domains)
self.dedupe = set(self.domains)
print("Found", len(self.dedupe), "subdomains")
print("----------------")
if self.options["--ip"]:
self.resolve_ips()
else:
for domain in self.dedupe:
ColorPrint.green(domain.strip())
if self.options["--send-to-anubis-db"]:
send_to_anubisdb(self, self.options["TARGET"])
def run(self):
# Retrieve IP of target and run initial configurations
self.init()
ColorPrint.green("Searching for subdomains for " + self.ip + " (" +
self.options["TARGET"] + ")\n")
# Multithreaded scans
threads = [
Thread(target=self.scan_subject_alt_name()),
Thread(target=self.dns_zonetransfer()),
Thread(target=self.subdomain_hackertarget()),
Thread(target=self.search_virustotal()),
Thread(target=self.search_pkey()),
Thread(target=self.search_netcraft()),
Thread(target=self.search_dnsdumpster())
]
# Default scans that run every time
# If they want to send and receive results from Anubis DB
if not self.options["--no-anubis-db"]:
threads.append(Thread(target=self.scan_anubisdb()))
# Additional options - ssl cert scan
if self.options["--ssl"]:
threads.append(Thread(target=self.ssl_scan()))
# Additional options - shodan.io scan
if self.options["--additional-info"]:
threads.append(Thread(target=self.search_shodan()))
# Additional options - nmap scan of dnssec script and a host/port scan
if self.options["--with-nmap"]:
threads.append(Thread(target=self.dnssecc_subdomain_enum()))
threads.append(Thread(target=self.scan_host()))
# Additional options - brute force common subdomains
if self.options["--brute-force"]:
threads.append(Thread(target=self.brute_force()))
# Not sure what data we can get from censys yet, but might be useful in the future
# self.search_censys()
# Start all threads
for x in threads:
x.start()
# Wait for all of them to finish
for x in threads:
x.join()
# remove duplicates and clean up
self.domains = self.clean_domains()
self.dedupe = set(self.domains)
print("Found", len(self.dedupe), "domains")
print("----------------")
if self.options["--ip"]:
self.resolve_ips()
else:
for domain in self.dedupe:
ColorPrint.green(domain.strip())
if not self.options["--no-anubis-db"]:
self.send_to_anubisdb()
def run(self):
# Retrieve IP of target and run initial configurations
self.init()
for i in range(len(self.options["TARGET"])):
# Default scans that run every time
target = self.options["TARGET"][i]
threads = [
threading.Thread(target=dns_zonetransfer, args=(self, target)),
threading.Thread(target=search_subject_alt_name,
args=(self, target)),
threading.Thread(target=subdomain_hackertarget,
args=(self, target)),
threading.Thread(target=search_virustotal,
args=(self, target)),
threading.Thread(target=search_pkey, args=(self, target)),
threading.Thread(target=search_netcraft, args=(self, target)),
threading.Thread(target=search_crtsh, args=(self, target)),
threading.Thread(target=search_dnsdumpster,
args=(self, target)),
threading.Thread(target=search_anubisdb, args=(self, target))
]
print('test')
# Additional options - ssl cert scan
if self.options["--ssl"]:
threads.append(
threading.Thread(target=ssl_scan, args=(self, target)))
# Additional options - shodan.io scan
if self.options["--additional-info"]:
threads.append(
threading.Thread(target=search_shodan, args=(self, )))
# Additional options - nmap scan of dnssec script and a host/port scan
if self.options["--with-nmap"]:
threads.append(
threading.Thread(target=dnssecc_subdomain_enum,
args=(self, target)))
threads.append(
threading.Thread(target=scan_host, args=(self, )))
# Additional options - brute force common subdomains
if self.options["--brute-force"]:
threads.append(
threading.Thread(target=brute_force, args=(self, target)))
# Start all threads
for x in threads:
x.start()
# Wait for all of them to finish
for x in threads:
x.join()
# remove duplicates and clean up
if self.options["--recursive"]:
recursive_search(self)
self.domains = self.clean_domains(self.domains)
self.dedupe = set(self.domains)
print("Found", len(self.dedupe), "subdomains")
print("----------------")
if self.options["--ip"]:
self.resolve_ips()
else:
for domain in self.dedupe:
ColorPrint.green(domain.strip())
if self.options["--send-to-anubis-db"]:
send_to_anubisdb(self, self.options["TARGET"])
