def init(self):
if self.options["FILE"]:
full_path = os.path.join(os.getcwd(), self.options["FILE"])
with open(full_path) as file:
self.options["TARGET"] = list(filter(None, file.read().split('\n')))
else:
self.options["TARGET"] = list(
filter(None, self.options["TARGET"].split(",")))
# Clean up targets
for i in range(len(self.options["TARGET"])):
url = self.options["TARGET"][i]
# Inject protocol if not there
if not re.match(r'http(s?):', url):
url = 'http://' + url
parsed = urlsplit(url)
host = parsed.netloc
self.options["TARGET"][i] = host
try:
ip_str = socket.gethostbyname(host)
ColorPrint.green(f"Searching for subdomains for {ip_str} ({host})")
except Exception as e:
self.handle_exception(e,
"Error connecting to target! Make sure you spelled it correctly and it is a resolvable address")
def test_color_print(self):
ColorPrint.red("red")
self.assertIn("91m", sys.stdout.getvalue())
ColorPrint.green("green")
self.assertIn("92m", sys.stdout.getvalue())
ColorPrint.light_purple("light_purple")
self.assertIn("94m", sys.stdout.getvalue())
ColorPrint.purple("purple")
self.assertIn("95m", sys.stdout.getvalue())
ColorPrint.yellow("yellow")
self.assertIn("93m", sys.stdout.getvalue())
def send_to_anubisdb(self, target):
if len(target) == 1:
print("Sending to AnubisDB")
data = {'subdomains': self.domains}
# Sends found subdomains to Anubis (max 10,000/post)
res = requests.post("https://jonlu.ca/anubis/subdomains/" + target[0],
json=data)
if res.status_code != 200:
ColorPrint.red(
"Error sending results to AnubisDB - Status Code: " +
str(res.status_code))
else:
print("Cannot send multiple domains to AnubisDB")
def search_censys(self, target):
print("Searching Censys")
try:
from anubis.API import CENSYS_ID, CENSYS_SECRET
except ImportError:
ColorPrint.red(
"To run a Censys scan, you must add your API keys to anubis/API.py")
return
if not CENSYS_SECRET or not CENSYS_ID:
ColorPrint.red(
"To run a Censys scan, you must add your API keys to anubis/API.py")
return
# Print certificate information for domains
c = censys.certificates.CensysCertificates(CENSYS_ID, CENSYS_SECRET)
for cert in c.search("." + target):
print(cert)
def dnssecc_subdomain_enum(self, target):
# Must run as root
if os.getuid() == 0:
print("Starting DNSSEC Enum")
nm = nmap.PortScanner()
arguments = '-sSU -p 53 --script dns-nsec-enum --script-args dns-nsec-enum.domains=' + target
nm.scan(hosts=target, arguments=arguments)
for host in nm.all_hosts():
try:
print(nm[host]['udp'][53]['script']['dns-nsec-enum'])
except:
pass
else:
ColorPrint.red(
"To run a DNSSEC subdomain enumeration, Anubis must be run as root"
)
def resolve_ips(self):
unique_ips = set()
for domain in self.dedupe:
try:
# Attempt to get IP
resolved_ip = socket.gethostbyname(domain)
except Exception as e:
# If getting IP fails, fallback to empty string
resolved_ip = ""
# TODO - Align domains and ips in stdout
ColorPrint.green(domain + ": " + resolved_ip)
if self.options['--silent']:
sys.stdout.write(domain + '\n', override=True)
if resolved_ip:
unique_ips.add(resolved_ip)
print("Found %s unique IPs" % len(unique_ips))
for ip in unique_ips:
# Ignore empty strings, final sanity check
if ip:
ColorPrint.green(ip)
def search_shodan(self):
print("Searching Shodan.io for additional information")
try:
from anubis.API import SHODAN_KEY
except ImportError:
ColorPrint.red("Unable to import API keys - make sure API.py exists!")
return
api = shodan.Shodan(SHODAN_KEY)
for i in range(len(self.options["TARGET"])):
try:
results = api.host(socket.gethostbyname(self.options["TARGET"][i]))
print('Server Location: ' + str(results['city']) + ", " +
str(results['country_code']) + ' - ' +
str(results['postal_code']))
print("ISP or Hosting Company: %s" % str(results['isp']))
if results['os'] is not None:
print("Possible OS: %s" % str(results['os']))
except Exception as e:
self.handle_exception(e, "Error retrieving additional info")
def run(self):
# Retrieve IP of target and run initial configurations
self.init()
# If multiple targets, create scans for each
for i in range(len(self.options["TARGET"])):
# Default scans that run every time
target = self.options["TARGET"][i]
ColorPrint.green(f"Working on target: {target}")
threads = [threading.Thread(target=dns_zonetransfer, args=(self, target)),
threading.Thread(target=search_sublist3r,
args=(self, target)),
threading.Thread(target=subdomain_hackertarget,
args=(self, target)),
threading.Thread(target=search_subject_alt_name,
args=(self, target)),
threading.Thread(target=search_netcraft, args=(self, target)),
threading.Thread(target=search_crtsh, args=(self, target)),
threading.Thread(target=search_dnsdumpster,
args=(self, target)),
threading.Thread(target=search_spyse,
args=(self, target)),
threading.Thread(target=search_anubisdb, args=(self, target))]
# Additional options - shodan.io scan
if self.options["--additional-info"]:
threads.append(threading.Thread(target=search_shodan, args=(self,)))
# Additional options - nmap scan of dnssec script and a host/port scan
if self.options["--with-nmap"]:
threads.append(
threading.Thread(target=dnssecc_subdomain_enum, args=(self, target)))
threads.append(threading.Thread(target=scan_host, args=(self, target)))
# Start all threads and wait for them to finish
for x in threads:
x.start()
for x in threads:
x.join()
# Run a recursive search on each subdomain - rarely useful, but nice to have
# just in case
if self.options["--recursive"]:
recursive_search(self)
# remove duplicates and clean up
self.domains = self.clean_domains(self.domains)
self.dedupe = set(self.domains)
print("Found", len(self.dedupe), "subdomains")
print("----------------")
if self.options["--ip"]:
self.resolve_ips()
else:
for domain in self.dedupe:
cleaned_domain = domain.strip()
ColorPrint.green(cleaned_domain)
if self.options['--silent']:
sys.stdout.write(cleaned_domain + '\n', override=True)
if not self.options["--dont-send-to-anubis-db"]:
send_to_anubisdb(self, [target])
# reset per domain
self.domains = list()
def handle_exception(self, e, message=""):
if self.options["--verbose"]:
print(e)
if message:
ColorPrint.red(message)