class Module(ToolTemplate):
'''
This module uses Gobuster in the DNS brute forcing mode. Gobuster can be installed from:
https://github.com/OJ/gobuster
'''
name = "GobusterDNS"
binary_name = "gobuster"
def __init__(self, db):
self.db = db
self.BaseDomain = BaseDomainRepository(db, self.name)
self.Domain = DomainRepository(db, self.name)
def set_options(self):
super(Module, self).set_options()
self.options.add_argument("-d",
"--domain",
help="Domain to brute force")
self.options.add_argument("-f",
"--file",
help="Import domains from file")
self.options.add_argument(
"-i",
"--import_database",
help="Import domains from database",
action="store_true",
)
self.options.add_argument(
"-s",
"--rescan",
help="Rescan domains that have already been brute forced",
action="store_true",
)
self.options.set_defaults(
timeout=600) # Kick the default timeout to 10 minutes
def get_targets(self, args):
targets = []
if args.domain:
targets.append(args.domain)
if args.file:
domains = open(args.file).read().split("\n")
for d in domains:
if d:
targets.append(d)
if args.import_database:
if args.rescan:
targets += [
b.domain for b in self.BaseDomain.all(scope_type="passive")
]
else:
targets += [
b.domain for b in self.BaseDomain.all(scope_type="passive",
tool=self.name)
]
if args.output_path[0] == "/":
output_path = os.path.join(
self.base_config["PROJECT"]["base_path"], args.output_path[1:])
else:
output_path = os.path.join(
self.base_config["PROJECT"]["base_path"], args.output_path)
if not os.path.exists(output_path):
os.makedirs(output_path)
res = []
for t in targets:
res.append({
"target":
t,
"output":
os.path.join(output_path,
t.replace("/", "_") + "-dns.txt"),
})
return res
def build_cmd(self, args):
cmd = self.binary + " dns "
cmd += " -o {output} -d {target} "
if args.tool_args:
cmd += args.tool_args
return cmd
def process_output(self, cmds):
for c in cmds:
output_path = c["output"]
if os.path.isfile(output_path):
data = open(output_path).read().split("\n")
for d in data:
if "Found: " in d:
new_domain = d.split(" ")[1].lower()
created, subdomain = self.Domain.find_or_create(
domain=new_domain)
else:
display_error("{} not found.".format(output_path))
created, bd = self.BaseDomain.find_or_create(domain=c['target'])
bd.set_tool(self.name)
self.Domain.commit()
class Module(ToolTemplate):
name = "DNSRecon"
binary_name = "dnsrecon"
"""
This module runs DNSRecon on a domain or set of domains. This will extract found DNS entries.
It can also run over IP ranges, looking for additional domains in the PTR records.
DNSRecon can be installed from https://github.com/darkoperator/dnsrecon
"""
def __init__(self, db):
self.db = db
self.BaseDomain = BaseDomainRepository(db, self.name)
self.Domain = DomainRepository(db, self.name)
self.ScopeCIDR = ScopeCIDRRepository(db, self.name)
self.IPAddress = IPRepository(db, self.name)
def set_options(self):
super(Module, self).set_options()
self.options.add_argument("-d",
"--domain",
help="Target domain for dnsRecon")
self.options.add_argument("-f",
"--file",
help="Import domains from file")
self.options.add_argument(
"-i",
"--import_database",
help="Import domains from database",
action="store_true",
)
self.options.add_argument("-r",
"--range",
help="Range to scan for PTR records")
self.options.add_argument(
"-R",
"--import_range",
help="Import CIDRs from in-scope ranges in database",
action="store_true",
)
self.options.add_argument("--rescan",
help="Rescan domains already scanned",
action="store_true")
# self.options.add_argument('--import_output_xml', help="Import XML file")
# self.options.add_argument('--import_output_json', help="Import json file")
def get_targets(self, args):
targets = []
if args.domain:
created, domain = self.BaseDomain.find_or_create(
domain=args.domain, passive_scope=True)
targets.append(domain.domain)
elif args.file:
domains = open(args.file).read().split("\n")
for d in domains:
if d:
created, domain = self.BaseDomain.find_or_create(
domain=d, passive_scope=True)
targets.append(domain.domain)
elif args.import_database:
if args.rescan:
domains = self.BaseDomain.all(scope_type="passive")
else:
domains = self.BaseDomain.all(scope_type="passive",
tool=self.name)
for domain in domains:
targets.append(domain.domain)
elif args.range:
targets.append(args.range)
elif args.import_range:
if args.rescan:
cidrs = self.ScopeCIDR.all()
else:
cidrs = self.ScopeCIDR.all(tool=self.name)
for cidr in cidrs:
targets.append(cidr.cidr)
if args.output_path[0] == "/":
self.path = os.path.join(self.base_config["PROJECT"]["base_path"],
args.output_path[1:])
else:
self.path = os.path.join(self.base_config["PROJECT"]["base_path"],
args.output_path)
if not os.path.exists(self.path):
os.makedirs(self.path)
res = []
for t in targets:
res.append({
"target":
t,
"output":
os.path.join(self.path,
t.replace("/", "_") + ".json"),
})
return res
def build_cmd(self, args):
command = self.binary
if args.domain or args.file or args.import_database:
command += " -d {target} -j {output} "
else:
command += " -s -r {target} -j {output} "
if args.tool_args:
command += args.tool_args
return command
def process_output(self, cmds):
for c in cmds:
target = c["target"]
output_path = c["output"]
try:
res = json.loads(open(output_path).read())
except IOError:
display_error("DnsRecon failed for {}".format(target))
continue
if " -d " in res[0]["arguments"]:
created, dbrec = self.Domain.find_or_create(domain=target)
dbrec.dns = res
dbrec.save()
for record in res:
domain = None
ip = None
if record.get("type") == "A" or record.get("type") == "PTR":
domain = record.get("name").lower().replace("www.", "")
ip = record.get("address")
elif record.get("type") == "MX":
domain = record.get("exchange").lower().replace("www.", "")
elif record.get("type") == "SRV" or record.get("type" == "NS"):
domain = record.get("target").lower().replace("www.", "")
elif record.get("type") == "SOA":
domain = record.get("mname").lower().replace("www.", "")
if domain:
created, domain_obj = self.Domain.find_or_create(
domain=domain)
if ip:
created, ip_obj = self.IPAddress.find_or_create(
ip_address=ip)
domain_obj.ip_addresses.append(ip_obj)
domain_obj.save()
if '/' in target:
created, bd = self.ScopeCIDR.find_or_create(cidr=target)
else:
created, bd = self.BaseDomain.find_or_create(domain=target)
bd.set_tool(self.name)
self.Domain.commit()
class Module(ToolTemplate):
"""
This tool will check various subdomains for domain takeover vulnerabilities.
"""
name = "Tko-subs"
binary_name = "tko-subs"
def __init__(self, db):
self.db = db
self.Domain = DomainRepository(db, self.name)
def set_options(self):
super(Module, self).set_options()
self.options.add_argument("--data",
help="Path to the providers_data.csv file")
self.options.add_argument("-d",
"--domain",
help="Domain to run the tool against.")
self.options.add_argument(
"-i",
"--importdb",
help="Import subdomains from the database.",
action="store_true",
)
self.options.add_argument("--rescan",
help="Rescan already processed entries",
action="store_true")
def get_targets(self, args):
"""
This module is used to build out a target list and output file list, depending on the arguments. Should return a
list in the format [{'target':target, 'output':output}, {'target':target, 'output':output}, etc, etc]
"""
# Create an empty list to add targets to
domains = []
# Check if a domain has been explicitly passed, and if so add it to targets
if args.domain:
domains.append(args.domain)
# Check if the --import option was passed and if so get data from the domain.
# The scoping is set to "active" since the tool could potentially make a
# request from the server.
if args.importdb:
if args.rescan:
all_domains = self.Domain.all(scope_type="active")
else:
all_domains = self.Domain.all(scope_type="active",
tool=self.name)
for d in all_domains:
domains.append(d.domain)
# Set the output_path base, as a junction of the base_path and the path name supplied
if args.output_path[0] == "/":
output_path = os.path.join(
self.base_config["PROJECT"]["base_path"], args.output_path[1:])
else:
output_path = os.path.join(
self.base_config["PROJECT"]["base_path"], args.output_path)
# Create the path if it doesn't already exist
if not os.path.exists(output_path):
os.makedirs(output_path)
res = []
# Create the final targets list, with output paths added.
for d in domains:
res.append({"target": d, "output": os.path.join(output_path, d)})
return res
def build_cmd(self, args):
"""
Create the actual command that will be executed. Use {target} and {output} as placeholders.
"""
cmd = self.binary + " -domain {target} -output {output} "
# Add in any extra arguments passed in the extra_args parameter
if args.tool_args:
cmd += args.tool_args
# Add that data parameter in there
if not args.data:
args.data = os.path.join(os.path.dirname(self.binary),
'providers-data.csv')
cmd += " -data " + args.data
return cmd
def process_output(self, cmds):
"""
Process the output generated by the earlier commands.
"""
# Cycle through all of the targets we ran earlier
for c in cmds:
output_file = c["output"]
target = c["target"]
# Read file
data = open(output_file).read().split("\n")
# Quick and dirty way to filter out headers and blank lines, as well
# as duplicates
res = list(
set([
d for d in data if "Domain,Cname,Provider" not in d and d
]))
if res:
# Load up the DB entry.
created, subdomain = self.Domain.find_or_create(domain=target)
# Process results
for d in res:
results = d.split(",")
if results[3] == "false":
display_warning(
"Hosting found at {} for {}, not vulnerable.".
format(target, results[2]))
elif results[3] == "true":
display_new("{} vulnerable to {}!".format(
target, results[2]))
if not subdomain.meta[self.name].get(
"vulnerable", False):
subdomain.meta[self.name]["vulnerable"] = []
subdomain.meta[self.name]["vulnerable"].append(d)
else:
display_warning("Not sure of result: {}".format(data))
# This is a little hackish, but needed to get data to save
t = dict(subdomain.meta)
self.Domain.commit()
subdomain.meta = t
self.Domain.commit()
class Module(ModuleTemplate):
'''
Uses DomLink from:
https://github.com/vysec/DomLink
By: Vincent Yu
'''
name = "DomLink"
binary_name = "domLink.py"
def __init__(self, db):
self.db = db
self.Domains = DomainRepository(db, self.name)
def set_options(self):
super(Module, self).set_options()
self.options.add_argument("--binary", help="Path to binary")
self.options.add_argument(
"-o",
"--output_path",
help=
"Path which will contain program output (relative to base_path in config",
default=self.name,
)
self.options.add_argument(
"--tool_args",
help="Additional arguments to be passed to the tool",
nargs=argparse.REMAINDER,
)
self.options.add_argument("-d", "--domain", help="Domain to search.")
self.options.add_argument(
'-s',
'--scope',
help="How to scope results (Default passive)",
choices=["active", "passive", "none"],
default="passive")
self.options.add_argument(
"--no_binary",
help=
"Runs through without actually running the binary. Useful for if you already ran the tool and just want to process the output.",
action="store_true",
)
def run(self, args):
if not args.domain:
display_error("You need to supply a domain to search for.")
return
if not args.binary:
self.binary = which.run(self.binary_name)
else:
self.binary = args.binary
if not self.binary:
display_error(
"{} binary not found. Please explicitly provide path with --binary"
.format(self.binary_name))
if args.output_path[0] == "/":
output_path = os.path.join(
self.base_config["PROJECT"]["base_path"], 'output',
args.output_path[1:])
else:
output_path = os.path.join(
self.base_config["PROJECT"]["base_path"], 'output',
args.output_path)
if not os.path.exists(output_path):
os.makedirs(output_path)
output_path = os.path.join(output_path, "{}.txt".format(args.domain))
command_args = " {} -o {} ".format(args.domain, output_path)
if args.tool_args:
command_args += ' '.join(args.tool_args)
if not args.no_binary:
current_dir = os.getcwd()
new_dir = "/".join(self.binary.split("/")[:-1])
os.chdir(new_dir)
cmd = shlex.split("python2 " + self.binary + command_args)
print("Executing: %s" % " ".join(cmd))
subprocess.Popen(cmd).wait()
os.chdir(current_dir)
results = open(output_path).read().split('\n')
cur_type = None
for r in results:
if r:
if '### Company Names' in r:
cur_type = "company"
elif '### Domain Names' in r:
cur_type = "domain"
elif '### Email Addresses' in r:
cur_type = "email"
else:
if cur_type == "domain":
if args.scope == "active":
created, d = self.Domains.find_or_create(
domain=r, in_scope=True, passive_scope=True)
elif args.scope == "passive":
created, d = self.Domains.find_or_create(
domain=r, in_scope=False, passive_scope=True)
else:
created, d = self.Domains.find_or_create(
domain=r, in_scope=False, passive_scope=False)
self.Domains.commit()
class Module(ToolTemplate):
name = "Sublist3r"
binary_name = "sublist3r"
def __init__(self, db):
self.db = db
self.BaseDomain = BaseDomainRepository(db, self.name)
self.Domain = DomainRepository(db, self.name)
def set_options(self):
super(Module, self).set_options()
self.options.add_argument("-d",
"--domain",
help="Domain to brute force")
self.options.add_argument("-f",
"--file",
help="Import domains from file")
self.options.add_argument(
"-i",
"--import_database",
help="Import domains from database",
action="store_true",
)
self.options.add_argument(
"-s",
"--rescan",
help="Rescan domains that have already been scanned",
action="store_true",
)
def get_targets(self, args):
targets = []
if args.domain:
targets.append(args.domain)
elif args.file:
domains = open(args.file).read().split("\n")
for d in domains:
if d:
targets.append(d)
elif args.import_database:
if args.rescan:
domains = self.BaseDomain.all(scope_type="passive")
else:
domains = self.BaseDomain.all(tool=self.name,
scope_type="passive")
for d in domains:
targets.append(d.domain)
res = []
if args.output_path[0] == "/":
output_path = os.path.join(
self.base_config["PROJECT"]["base_path"], args.output_path[1:])
else:
output_path = os.path.join(
self.base_config["PROJECT"]["base_path"], args.output_path)
if not os.path.exists(output_path):
os.makedirs(output_path)
for t in targets:
output = os.path.join(output_path, "%s-sublist3r.txt" % t)
res.append({"target": t, "output": output})
return res
def build_cmd(self, args):
cmd = self.binary + " -o {output} -d {target} "
if args.tool_args:
cmd += args.tool_args
return cmd
def process_output(self, cmds):
for cmd in cmds:
output_path = cmd["output"]
if os.path.isfile(output_path):
data = open(output_path).read().split("\n")
for d in data:
new_domain = d.split(":")[0].lower()
if new_domain:
created, subdomain = self.Domain.find_or_create(
domain=new_domain)
else:
display_error("{} not found.".format(output_path))
next
self.Domain.commit()
class Module(ToolTemplate):
'''
This module uses the Ruby version of Aquatone. You can usually install it with "gem install aquatone"
'''
name = "aquatone-discover"
binary_name = "aquatone-discover"
def __init__(self, db):
self.db = db
self.Domain = DomainRepository(db, self.name)
self.BaseDomain = BaseDomainRepository(db, self.name)
def set_options(self):
super(Module, self).set_options()
self.options.add_argument("-d",
"--domain",
help="Target domain for aquatone")
self.options.add_argument("-f",
"--file",
help="Import domains from file")
self.options.add_argument(
"-i",
"--import_database",
help="Import domains from database",
action="store_true",
)
self.options.add_argument(
"-r",
"--rescan",
help="Run aquatone on hosts that have already been processed.",
action="store_true",
)
self.options.set_defaults(timeout=None)
def get_targets(self, args):
"""
This module is used to build out a target list and output file list, depending on the arguments. Should return a
list in the format [(target, output), (target, output), etc, etc]
"""
targets = []
if args.domain:
created, domain = self.BaseDomain.find_or_create(
domain=args.domain)
targets.append(domain.domain)
elif args.file:
domainsFile = open(args.file).read().split("\n")
for d in domainsFile:
if d:
created, domain = self.BaseDomain.find_or_create(domain=d)
targets.append(domain.domain)
elif args.import_database:
if args.rescan:
all_domains = self.BaseDomain.all(scope_type="passive")
else:
all_domains = self.BaseDomain.all(tool=self.name,
scope_type="passive")
for d in all_domains:
targets.append(d.domain)
else:
print("You need to supply domain(s).")
output_path = os.path.join(self.base_config["PROJECT"]["base_path"],
"output", "aquatone")
if not os.path.exists(output_path):
os.makedirs(output_path)
res = []
for t in targets:
res.append({
"target": t,
"output": "{}/{}/hosts.json".format(output_path, t)
})
return res
def build_cmd(self, args):
"""
Create the actual command that will be executed. Use {target} and {output} as placeholders.
"""
cmd = self.binary + " -d {target} "
if args.tool_args:
cmd += args.tool_args
return cmd
def pre_run(self, args):
output_path = os.path.join(self.base_config["PROJECT"]["base_path"],
"output")
self.orig_home = os.environ["HOME"]
os.environ["HOME"] = output_path
def process_output(self, cmds):
"""
Process the output generated by the earlier commands.
"""
for cmd in cmds:
try:
data2 = json.loads(open(cmd["output"]).read())
for sub, ip in data2.items():
created = False
new_domain = sub.lower()
if new_domain:
created, subdomain = self.Domain.find_or_create(
domain=new_domain)
except Exception as e:
display_error("Couldn't find file: {}".format(cmd["output"]))
self.Domain.commit()
def post_run(self, args):
os.environ["HOME"] = self.orig_home
class Module(ModuleTemplate):
"""
Ingests domains and IPs. Domains get ip info and cidr info, and IPs get
CIDR info.
"""
name = "Ingestor"
def __init__(self, db):
self.db = db
self.BaseDomain = BaseDomainRepository(db, self.name)
self.Domain = DomainRepository(db, self.name)
self.IPAddress = IPRepository(db, self.name)
self.CIDR = CIDRRepository(db, self.name)
self.ScopeCIDR = ScopeCIDRRepository(db, self.name)
def set_options(self):
super(Module, self).set_options()
self.options.add_argument(
"-d",
"--import_domains",
help="Either domain to import or file containing domains to import. One per line",
)
self.options.add_argument(
"-i",
"--import_ips",
help="Either IP/range to import or file containing IPs and ranges, one per line.",
)
self.options.add_argument(
"-a",
"--active",
help="Set scoping on imported data as active",
action="store_true",
)
self.options.add_argument(
"-p",
"--passive",
help="Set scoping on imported data as passive",
action="store_true",
)
self.options.add_argument(
"-sc",
"--scope_cidrs",
help="Cycle through out of scope networks and decide if you want to add them in scope",
action="store_true",
)
self.options.add_argument(
"-sb",
"--scope_base_domains",
help="Cycle through out of scope base domains and decide if you want to add them in scope",
action="store_true",
)
self.options.add_argument("--descope", help="Descope an IP, domain, or CIDR")
self.options.add_argument(
"-Ii",
"--import_database_ips",
help="Import IPs from database",
action="store_true",
)
self.options.add_argument(
"--force",
help="Force processing again, even if already processed",
action="store_true",
)
def run(self, args):
self.in_scope = args.active
self.passive_scope = args.passive
if args.descope:
if "/" in args.descope:
self.descope_cidr(args.descope)
elif check_string(args.descope):
pass
else:
self.descope_ip(args.descope)
# Check if in ScopeCIDR and remove if found
if args.import_ips:
try:
ips = open(args.import_ips)
for line in ips:
if line.strip():
if "/" in line or "-" in line:
self.process_cidr(line)
else:
self.process_ip(line.strip(), force_scope=True)
self.Domain.commit()
except IOError:
if "/" in args.import_ips or "-" in args.import_ips:
self.process_cidr(args.import_ips)
else:
self.process_ip(args.import_ips.strip(), force_scope=True)
self.Domain.commit()
if args.import_domains:
try:
domains = open(args.import_domains)
for line in domains:
if line.strip():
self.process_domain(line.strip())
self.Domain.commit()
except IOError:
self.process_domain(args.import_domains.strip())
self.Domain.commit()
if args.scope_base_domains:
base_domains = self.BaseDomain.all(in_scope=False, passive_scope=False)
for bd in base_domains:
self.reclassify_domain(bd)
self.BaseDomain.commit()
def get_domain_ips(self, domain):
ips = []
try:
answers = dns.resolver.query(domain, "A")
for a in answers:
ips.append(a.address)
return ips
except Exception:
return []
def process_domain(self, domain_str):
created, domain = self.Domain.find_or_create(
only_tool=True,
domain=domain_str,
in_scope=self.in_scope,
passive_scope=self.passive_scope,
)
if not created:
if (
domain.in_scope != self.in_scope
or domain.passive_scope != self.passive_scope # noqa: W503
):
display(
"Domain %s already exists with different scoping. Updating to Active Scope: %s Passive Scope: %s"
% (domain_str, self.in_scope, self.passive_scope)
)
domain.in_scope = self.in_scope
domain.passive_scope = self.passive_scope
domain.update()
if domain.base_domain.domain == domain.domain:
display("Name also matches a base domain. Updating that as well.")
domain.base_domain.in_scope = self.in_scope
domain.base_domain.passive_scope = self.passive_scope
domain.base_domain.update()
def process_ip(self, ip_str, force_scope=True):
created, ip = self.IPAddress.find_or_create(
only_tool=True,
ip_address=ip_str,
in_scope=self.in_scope,
passive_scope=self.passive_scope,
)
if not created:
if ip.in_scope != self.in_scope or ip.passive_scope != self.passive_scope:
display(
"IP %s already exists with different scoping. Updating to Active Scope: %s Passive Scope: %s"
% (ip_str, self.in_scope, self.passive_scope)
)
ip.in_scope = self.in_scope
ip.passive_scope = self.passive_scope
ip.update()
return ip
def process_cidr(self, line):
display("Processing %s" % line)
if "/" in line:
created, cidr = self.ScopeCIDR.find_or_create(cidr=line.strip())
if created:
display_new("Adding %s to scoped CIDRs in database" % line.strip())
cidr.in_scope = True
cidr.update()
elif "-" in line:
start_ip, end_ip = line.strip().replace(" ", "").split("-")
if "." not in end_ip:
end_ip = ".".join(start_ip.split(".")[:3] + [end_ip])
cidrs = iprange_to_cidrs(start_ip, end_ip)
for c in cidrs:
created, cidr = self.ScopeCIDR.find_or_create(cidr=str(c))
if created:
display_new("Adding %s to scoped CIDRs in database" % line.strip())
cidr.in_scope = True
cidr.update()
def reclassify_domain(self, bd):
if bd.meta.get("whois", False):
display_new("Whois data found for {}".format(bd.domain))
print(bd.meta["whois"])
res = six.input(
"Should this domain be scoped (A)ctive, (P)assive, or (N)ot? [a/p/N] "
)
if res.lower() == "a":
bd.in_scope = True
bd.passive_scope = True
elif res.lower() == "p":
bd.in_scope = False
bd.passive_scope = True
else:
bd.in_scope = False
bd.passive_scope = False
bd.save()
else:
display_error(
"Unfortunately, there is no whois information for {}. Please populate it using the Whois module".format(
bd.domain
)
)
def descope_ip(self, ip):
ip = self.IPAddress.all(ip_address=ip)
if ip:
for i in ip:
display("Removing IP {} from scope".format(i.ip_address))
i.in_scope = False
i.passive_scope = False
i.update()
for d in i.domains:
in_scope_ips = [
ipa
for ipa in d.ip_addresses
if ipa.in_scope or ipa.passive_scope
]
if not in_scope_ips:
display(
"Domain {} has no more scoped IPs. Removing from scope.".format(
d.domain
)
)
d.in_scope = False
d.passive_scope = False
self.IPAddress.commit()
def descope_cidr(self, cidr):
CIDR = self.ScopeCIDR.all(cidr=cidr)
if CIDR:
for c in CIDR:
display("Removing {} from ScopeCIDRs".format(c.cidr))
c.delete()
cnet = IPNetwork(cidr)
for ip in self.IPAddress.all():
if IPAddress(ip.ip_address) in cnet:
self.descope_ip(ip.ip_address)
