def resolver(dname: str, ip: str, result: str):
query = dns.message.make_query(dname, dns.rdataclass.IN) # create a query
response = dns.query.udp(query, ip, timeout=2) # get a response
if (response.answer):
# received the ip from the authoritative name server
if (response.get_rrset(response.answer, response.answer[0].name,
dns.rdataclass.IN, dns.rdatatype.A) != None):
answer = response.find_rrset(response.answer,
response.answer[0].name,
dns.rdataclass.IN, dns.rdatatype.A)
result += "\t".join(answer.to_text().split()[0:5])
return result
else: # CNAME
answer = response.find_rrset(response.answer,
response.answer[0].name,
dns.rdataclass.IN,
dns.rdatatype.CNAME)
result += "\t".join(answer.to_text().split()[0:5]) + "\n"
dname = answer.to_text().split()[4]
ip = default_root_ip
return resolver(
dname, ip,
result) # iterate through another dns request for CNAME
else:
if (not response.additional):
if (response.get_rrset(
response.authority, response.authority[0].name,
dns.rdataclass.IN, dns.rdatatype.SOA) != None):
authority = response.get_rrset(response.authority,
response.authority[0].name,
dns.rdataclass.IN,
dns.rdatatype.SOA)
if (authority.to_text().split()[0] == '.'):
return "Invalid Input" # if url does not exist
authority = response.find_rrset(response.authority,
response.authority[0].name,
dns.rdataclass.IN,
dns.rdatatype.NS)
result += "\t".join(authority.to_text().split()[0:5]) + "\n"
dname = authority.to_text().split()[4]
ip = default_root_ip
return resolver(
dname, ip, result
) # iterate through another dns request for the NS (name server)
else:
additional = response.find_rrset(response.additional,
response.additional[0].name,
dns.rdataclass.IN,
dns.rdatatype.A)
ip = additional.to_text().split()[4]
return resolver(dname, ip,
result) # go to the next top-level-domain server
def main():
parser = argparse.ArgumentParser(description=u'结合了sublist3r,'+\
u'subDomainsBrute, altdns 功能的子域名查找器',
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog='''
Example:
./subd.py example.com
./subd.py example.com -t 1
./subd.py example.com -o example.txt''')
parser.add_argument('domain', help=u'目标域名')
parser.add_argument('-t', '--type', help=u'查找类型,默认是0,即使用'+\
u'三个模块,1 只使用sublist3r, 2 只使用sublist3r,' + \
u'subDomainsBrute.', default=0, type=int)
parser.add_argument('--threads', default='10,3,20,20', help=u'默认'+\
u'值为10,3,20,20. 10为sublist3r的线程数,3为subDomainsBrute'+\
u'进程数,20为subDomainsBrute线程数。20为altdns线程数.')
parser.add_argument('-o',
'--output',
default='domains.txt',
help=u'输出写入的文件')
parser.add_argument('-e', '--engines', help=u'sublist3r使用的搜索引擎,'+\
u'可以使用的有:baidu, yahoo, google, bing, ask, netcraft,' + \
'dnsdumpster, virustotal, threatcrowd, ssl, passivedns',
default=None)
args = parser.parse_args()
sl_threads, sd_process, sd_threads, ad_threads = args.threads.split(',')
sl_result = sublist3r.main(args.domain.strip(), int(sl_threads),
args.engines)
result = resolver(sl_result)
if args.type == 0 or args.type == 2:
from subDomainsBrute import subDomainsBrute
subDomainsBrute.main(args.domain.strip(), int(sd_threads),
int(sd_process), result)
tmp_dir = os.environ['HOME'] + '/Desktop/' + args.domain.strip() + str(
int(time.time()))
if not os.path.exists(tmp_dir):
os.makedirs(tmp_dir)
domains_file = tmp_dir + '/' + args.output
domains_ip_file = tmp_dir + '/ip_' + args.output
with open(domains_file, 'w') as tmp_f:
for d in result.keys():
tmp_f.write(d + '\n')
with open(domains_ip_file, 'w') as tmp_f:
for i in result.items():
tmp_f.write(i[0] + '\t' + i[1] + '\n')
if args.type == 0:
tmp_outputfile = tmp_dir + '/altdnsoutput.txt'
tmp_save = tmp_dir + '/save.txt'
altdns.main(domains_file, tmp_outputfile, int(ad_threads), tmp_save)
print('Result in %s, %s' % (domains_file, domains_ip_file))
def iplist(self):
log.debug('FQDNs: %s', self.fqdns)
resolver = self._resolve_catch_err
addresses = filter(None, flatten([list(resolver(fqdn)) for fqdn in self.fqdns]))
addresses = list(set([x.address for x in addresses]))
addresses.sort()
return addresses
def build_chain(qname, qtype):
"""Build TLS DNSSEC chain data structure"""
qname = dns.name.from_text(qname, dns.name.root)
qtype = dns.rdatatype.from_text(qtype)
chain = Chain()
r = resolver()
ans, errmsg = do_query(r, qname, qtype)
if ans:
data_rrset = None
sig_rrset = None
rrset_list, signer = unpack_answer(ans.response.answer)
chain.add(rrset_list)
elif errmsg:
print("ERROR: %s %s: %s" % (qname, qtype, errmsg))
return None
qname = signer
while (qname != TA_ZONE):
ans, errmsg = do_query(r, qname, 'DNSKEY')
if ans:
rrset_list, signer = unpack_answer(ans.response.answer)
chain.add(rrset_list)
elif errmsg:
print("ERROR: %s %s: %s" % (qname, qtype, errmsg))
return None
ans, errmsg = do_query(r, qname, 'DS')
if ans:
rrset_list, signer = unpack_answer(ans.response.answer)
chain.add(rrset_list)
elif errmsg:
print("ERROR: %s %s: %s" % (qname, qtype, errmsg))
return None
qname = signer
if (qname == TA_ZONE):
ans, errmsg = do_query(r, qname, 'DNSKEY')
if ans:
rrset_list, signer = unpack_answer(ans.response.answer)
chain.add(rrset_list)
elif errmsg:
print("ERROR: %s %s: %s" % (qname, qtype, errmsg))
return None
return chain
def _multi_srvr(**res_kwargs):
for server in servers:
s_res = resolver(server=server, **res_kwargs)
if s_res:
return s_res
def lookup(name,
rdtype,
method=None,
servers=None,
timeout=None,
walk=False,
walk_tld=False,
secure=None):
'''
Lookup DNS record data
:param name: name to lookup
:param rdtype: DNS record type
:param method: gai (getaddrinfo()), dnspython, dig, drill, host, nslookup or auto (default)
:param servers: (list of) server(s) to try in-order
:param timeout: query timeout or a valiant approximation of that
:param walk: Find records in parents if they don't exist
:param walk_tld: Include the final domain in the walk
:param secure: return only DNSSEC secured responses
:return: [] of record data
'''
# opts = __opts__.get('dns', {})
opts = {}
method = method or opts.get('method', 'auto')
secure = secure or opts.get('secure', None)
servers = servers or opts.get('servers', None)
timeout = timeout or opts.get('timeout', False)
rdtype = rdtype.upper()
# pylint: disable=bad-whitespace,multiple-spaces-before-keyword
query_methods = (
('gai', _lookup_gai, not any(
(rdtype not in ('A', 'AAAA'), servers, secure))),
('dnspython', _lookup_dnspython, HAS_DNSPYTHON),
('dig', _lookup_dig, HAS_DIG),
('drill', _lookup_drill, HAS_DRILL),
('host', _lookup_host, HAS_HOST and not secure),
('nslookup', _lookup_nslookup, HAS_NSLOOKUP and not secure),
)
# pylint: enable=bad-whitespace,multiple-spaces-before-keyword
try:
if method == 'auto':
# The first one not to bork on the conditions becomes the function
method, resolver = next(
((rname, rcb) for rname, rcb, rtest in query_methods if rtest))
else:
# The first one not to bork on the conditions becomes the function. And the name must match.
resolver = next((rcb for rname, rcb, rtest in query_methods
if rname == method and rtest))
except StopIteration:
log.error(
'Unable to lookup %s/%s: Resolver method %s invalid, unsupported '
'or unable to perform query', method, rdtype, name)
return False
res_kwargs = {
'rdtype': rdtype,
}
if servers:
if not isinstance(servers, (list, tuple)):
servers = [servers]
if method in ('dnspython', 'dig', 'drill'):
res_kwargs['servers'] = servers
else:
if timeout:
timeout /= len(servers)
# Inject a wrapper for multi-server behaviour
def _multi_srvr(**res_kwargs):
for server in servers:
s_res = resolver(server=server, **res_kwargs)
if s_res:
return s_res
resolver = _multi_srvr
if not walk:
name = [name]
else:
idx = 0
if rdtype == 'SRV': # The only rr I know that has 2 name components
idx = name.find('.') + 1
idx = name.find('.', idx) + 1
domain = name[idx:]
name = name[0:idx]
name = [name + domain for domain in _tree(domain, walk_tld)]
if timeout:
timeout /= len(name)
if secure:
res_kwargs['secure'] = secure
if timeout:
res_kwargs['timeout'] = timeout
for rname in name:
res = resolver(name=rname, **res_kwargs)
if res:
return res
def query(name, rdtype, method=None, servers=None, timeout=None, secure=None):
'''
Lookup DNS records
:param name: name to lookup
:param rdtype: DNS record type
:param method: simple, pydns, dig, drill, host, nslookup or auto (default)
:param servers: (list of) server(s) to try in-order
:param timeout: query timeout or a valiant approximation of that
:param secure: return only DNSSEC secured responses
:return: [] of record data
'''
# opts = __opts__.get('dns', {})
opts = {}
rdtype = rdtype.upper()
# pylint: disable=bad-whitespace,multiple-spaces-before-keyword
query_methods = (
('simple', _query_simple, not any(
(rdtype not in ('A', 'AAAA'), servers, secure))),
('pydns', _query_pydns, HAS_PYDNS),
('dig', _query_dig, HAS_DIG),
('drill', _query_drill, HAS_DRILL),
('host', _query_host, HAS_HOST and not secure),
('nslookup', _query_nslookup, HAS_NSLOOKUP and not secure),
)
# pylint: enable=bad-whitespace,multiple-spaces-before-keyword
method = method or opts.get('method', 'auto')
try:
if method == 'auto':
method, resolver = next(
((rname, rcb) for rname, rcb, rtest in query_methods if rtest))
else:
resolver = next((rcb for rname, rcb, rtest in query_methods
if rname == method and rtest))
except StopIteration:
log.error(
'Unable to lookup {1}/{2}: Resolver method {0} invalid, unsupported or unable to perform query'
.format(method, rdtype, name))
return False
res_kwargs = {'name': name, 'rdtype': rdtype}
if timeout:
res_kwargs['timeout'] = timeout
if secure:
res_kwargs['secure'] = secure
if not servers:
res = resolver(**res_kwargs)
else:
if not isinstance(servers, (list, tuple)):
servers = [servers]
if method in ('pydns', 'dig', 'drill'):
res_kwargs['servers'] = servers
res = resolver(**res_kwargs)
else:
if timeout:
res_kwargs['timeout'] = timeout / len(servers)
for server in servers:
res = resolver(server=server, **res_kwargs)
if res:
break
return res
dns.rdataclass.IN,
dns.rdatatype.NS)
result += "\t".join(authority.to_text().split()[0:5]) + "\n"
dname = authority.to_text().split()[4]
ip = default_root_ip
return resolver(
dname, ip, result
) # iterate through another dns request for the NS (name server)
else:
additional = response.find_rrset(response.additional,
response.additional[0].name,
dns.rdataclass.IN,
dns.rdatatype.A)
ip = additional.to_text().split()[4]
return resolver(dname, ip,
result) # go to the next top-level-domain server
# RRset :
# AUTHORITY = DNS
# ADDITIONAL = IP address(es)
when = datetime.now().strftime("%m/%d/%y %H:%M:%S") # current date and time
start_time = datetime.now() # get start time before query
dig = resolver(url, default_root_ip, "") # resolve
qtime = (datetime.now() - start_time) # total time of query
qtime = qtime.total_seconds() * 1000 # milli seconds
print("ANSWER SECTION:")
print(dig)
print("Query time: " + str(qtime) + " msec")
print("WHEN: " + when)
def lookup(
name,
rdtype,
method=None,
servers=None,
timeout=None,
walk=False,
walk_tld=False,
secure=None,
):
"""
Lookup DNS records and return their data
:param name: name to lookup
:param rdtype: DNS record type
:param method: gai (getaddrinfo()), dnspython, dig, drill, host, nslookup or auto (default)
:param servers: (list of) server(s) to try in-order
:param timeout: query timeout or a valiant approximation of that
:param walk: Walk the DNS upwards looking for the record type or name/recordtype if walk='name'.
:param walk_tld: Include the final domain in the walk
:param secure: return only DNSSEC secured responses
:return: [] of record data
"""
# opts = __opts__.get('dns', {})
opts = {}
method = method or opts.get("method", "auto")
secure = secure or opts.get("secure", None)
servers = servers or opts.get("servers", None)
timeout = timeout or opts.get("timeout", False)
rdtype = rdtype.upper()
# pylint: disable=bad-whitespace,multiple-spaces-before-keyword
query_methods = (
("gai", _lookup_gai, not any(
(rdtype not in ("A", "AAAA"), servers, secure))),
("dnspython", _lookup_dnspython, HAS_DNSPYTHON),
("dig", _lookup_dig, HAS_DIG),
("drill", _lookup_drill, HAS_DRILL),
("host", _lookup_host, HAS_HOST and not secure),
("nslookup", _lookup_nslookup, HAS_NSLOOKUP and not secure),
)
# pylint: enable=bad-whitespace,multiple-spaces-before-keyword
try:
if method == "auto":
# The first one not to bork on the conditions becomes the function
method, resolver = next(
((rname, rcb) for rname, rcb, rtest in query_methods if rtest))
else:
# The first one not to bork on the conditions becomes the function. And the name must match.
resolver = next((rcb for rname, rcb, rtest in query_methods
if rname == method and rtest))
except StopIteration:
log.error(
"Unable to lookup %s/%s: Resolver method %s invalid, unsupported "
"or unable to perform query",
method,
rdtype,
name,
)
return False
res_kwargs = {
"rdtype": rdtype,
}
if servers:
if not isinstance(servers, (list, tuple)):
servers = [servers]
if method in ("dnspython", "dig", "drill"):
res_kwargs["servers"] = servers
else:
if timeout:
timeout /= len(servers)
# Inject a wrapper for multi-server behaviour
def _multi_srvr(resolv_func):
@functools.wraps(resolv_func)
def _wrapper(**res_kwargs):
for server in servers:
s_res = resolv_func(server=server, **res_kwargs)
if s_res:
return s_res
return _wrapper
resolver = _multi_srvr(resolver)
if not walk:
name = [name]
else:
idx = 0
if rdtype in (
"SRV",
"TLSA"): # The only RRs I know that have 2 name components
idx = name.find(".") + 1
idx = name.find(".", idx) + 1
domain = name[idx:]
rname = name[0:idx]
name = _tree(domain, walk_tld)
if walk == "name":
name = [rname + domain for domain in name]
if timeout:
timeout /= len(name)
if secure:
res_kwargs["secure"] = secure
if timeout:
res_kwargs["timeout"] = timeout
for rname in name:
res = resolver(name=rname, **res_kwargs)
if res:
return res
return res
def myDig(ipAddress, fullName, iteration, first):
#print("\nGOT TO THE FRONT")
#first = 0
#I split up the name to be used for the resolver part
lengthWeb2 = 0
partsOfName = web.split(".")
for i in partsOfName:
lengthWeb2 = lengthWeb2 + 1
i = i + "."
#print(i)
wwwPresent = 0
if (partsOfName[0] == "www"):
#print("\nGOT STUCK HERE")
wwwPresent = 1
# i get the information from the server
answer = dns.message.make_query(fullName, queryType)
response = dns.query.udp(answer, ipAddress)
# types of responses
additionalSection = response.additional
answerSection = response.answer
authoritativeSection = response.authority
# counts
answerSection_count = 0
additionalSection_count = 0
authoritativeSection_count = 0
# I count the lines in all the sections
for lines in additionalSection:
additionalSection_count = additionalSection_count + 1
for lines in answerSection:
answerSection_count = answerSection_count + 1
# lines = lines.to_text().split(" ")
currentCount = len(authoritativeSection)
if (currentCount != 0):
authSection = authoritativeSection[0].to_text().splitlines()
for lines in authSection:
authoritativeSection_count = authoritativeSection_count + 1
# lines = lines.to_text().split()
name = ""
# if there is something in the answer section
if (answerSection_count > 0):
#print("\nIN ANSWERS")
for x in answerSection:
x = x.to_text().split(" ")
# name = ""
if x[3] == "CNAME":
#found the cname
name = x[4]
#I find out the iteration to start with for the new name
temp = name
#print("\nNAME")
#print(name)
temp = temp.split(".")
count = 0
for i in temp:
count = count + 1
iteration = count
#print("\nITERATION VAL")
#print(count)
resloveAns = resolver(temp[count - 2], rootServer, queryType)
if (resloveAns["success"] == False):
exit()
#DO I NEED TO CALL RESOLVER
myDig(rootServer, name, iteration, first)
break
if x[3] == "A":
testingCount = 1
# we found the answer --> Verification was successful
#NEED TO CHECK KSK
verificationSuccessful()
break
elif (additionalSection_count > 0):
#print("\nIN ADDITIONAL")
for lines in additionalSection:
lines = lines.to_text().split(" ")
if (first == 0):
#we have yet to validate anything, we need to check with the root
#NEED TO HAVE A WAY OF CHECKING THIS
valRoot = validRoot(ipAddress)
if (valRoot["success"] == False):
exit()
if (first > 0):
#oldName = ""
newName = ""
#firstGo = 0
countForIt = 0
#I take parts of my name to be used in the resovler
for blah in partsOfName:
if ((blah == "www") or (countForIt < (iteration))):
#continue
print("")
else:
newName = newName + blah + "."
countForIt = countForIt + 1
#I call on my resolver function to see if we can validate this part
resolveAns = resolver(newName, ipAddress, queryType)
if (resolveAns["success"] == False):
exit()
first = 1
iteration = iteration - 1
if (lines[3] == "A"):
ipAddress = lines[4]
#print("\nGOT TO A")
#print(ipAddress)
myDig(ipAddress, fullName, iteration, first)
break
elif ((answerSection_count == 0) and (additionalSection_count == 0)):
#print("\nIN OTHER")
# if there is nothing in the answer section or the additional section, I check the authority section
# print authSection
for lines in authSection:
lines = lines.split()
name = lines[4]
#print("\nNAME")
#print(name)
temp = name.split(".")
countTemp2 = 0
for parts in temp:
#print (parts)
countTemp2 = countTemp2 + 1
#print ("\n\nCOUNT TEMP")
#print (countTemp2)
#print("\nPRINTING VALUE")
#print (temp[countTemp2-2])
resolveAns = resolver(temp[countTemp2 - 2], rootServer, queryType)
if (resolveAns["success"] == False):
exit()
myDig(rootServer, name, iteration, first)
result = set()
for i in range(start, start + 1000):
p = Popen((('dig +short @114.114.114.114 a '
'r%d-1.googlevideo.com') % i).split(),
stdin=PIPE, stdout=PIPE, stderr=PIPE, close_fds=True)
output = p.stdout.read()
if output:
print >>sys.stderr, i - start, output.strip()
result.add(output.strip())
return result
def resolver():
dns_servers = ['8.8.8.8', '1.1.1.1', '1.34.1.37']
resolver = dns.resolver.Resolver()
start = random.randint(0, 1000000)
result = set()
for i in range(start, start + 1000):
response = resolver.query(('r%d-1.googlevideo.com') % i, "A")
for ip in response:
if ip not in result:
print (i - start, ip)
result.add(str(ip))
return result
if __name__ == '__main__':
result = dig() if "--dig" in sys.argv[1:] else resolver()
print (result)
with open("iplist.txt", "w") as out:
out.write("\n".join(result))
