def get_subdomains_bruteforcer(self, subdomain):
"""
Try to discover subdomains using bruteforce. This function is
prepared to run in parallel.
To try to make as less as possible connections, discovered_domains
contains a list with already discovered domains.
:param base_domain: string with de domain to make the test.
:type base_domain: str
:param updater_func: function to update the state of the process.
:type updater_func: update_status
:param subdomain: string with the domain to process.
:type subdomain: str
"""
m_domain = "%s.%s" % (subdomain, self.base_domain)
completed = self.completed.inc()
progress = (float(completed) / float(self.total)) * 100.0
self.update_status(progress=progress)
Logger.log_more_verbose("Looking for subdomain: %s" % m_domain)
l_oks = DNS.get_a(m_domain, also_CNAME=True)
l_oks.extend(DNS.get_aaaa(m_domain, also_CNAME=True))
return l_oks
def get_subdomains_bruteforcer(self, subdomain):
"""
Try to discover subdomains using bruteforce. This function is
prepared to run in parallel.
To try to make as less as possible connections, discovered_domains
contains a list with already discovered domains.
:param base_domain: string with de domain to make the test.
:type base_domain: str
:param updater_func: function to update the state of the process.
:type updater_func: update_status
:param subdomain: string with the domain to process.
:type subdomain: str
"""
m_domain = "%s.%s" % (subdomain, self.base_domain)
completed = self.completed.inc()
progress = (float(completed) / float(self.total)) * 100.0
self.update_status(progress=progress)
Logger.log_more_verbose("Looking for subdomain: %s" % m_domain)
l_oks = DNS.get_a(m_domain, also_CNAME=True)
l_oks.extend(DNS.get_aaaa(m_domain, also_CNAME=True))
return l_oks
def test_scope_example():
print "Testing scope with: www.example.com"
main_config = OrchestratorConfig()
main_config.ui_mode = "disabled"
main_config.use_colors = False
audit_config = AuditConfig()
audit_config.targets = ["http://www.example.com"]
audit_config.include_subdomains = True
with PluginTester(main_config, audit_config) as t:
print Config.audit_scope
for token, flag in (
(None, False),
("", False),
("www.example.com", True),
("example.com", True),
("com", False),
("subdomain.example.com", True),
("subdomain.www.example.com", True),
("www.example.org", False),
("wwwexample.com", False),
("www.wrong.com", False),
("127.0.0.1", False),
("::1", False),
("[::1]", False),
("http://www.example.com", True),
("https://example.com", True),
("ftp://ftp.example.com", True),
("mailto://[email protected]", True),
##("*****@*****.**", True),
):
assert ((token in Config.audit_scope) == flag), repr(token)
assert gethostbyname("www.example.com") in Config.audit_scope
for address in gethostbyname_ex("www.example.com")[2]:
assert address in Config.audit_scope
for register in DNS.get_a("www.example.com"):
assert register.address in Config.audit_scope
for register in DNS.get_aaaa("www.example.com"):
assert register.address in Config.audit_scope
assert "[%s]" % register.address in Config.audit_scope
for register in DNS.get_a("www.google.com"):
assert register.address not in Config.audit_scope
for register in DNS.get_aaaa("www.google.com"):
assert register.address not in Config.audit_scope
assert "[%s]" % register.address not in Config.audit_scope
def test_scope_example():
print "Testing scope with: www.example.com"
main_config = OrchestratorConfig()
main_config.ui_mode = "disabled"
main_config.use_colors = False
audit_config = AuditConfig()
audit_config.targets = ["www.example.com"]
audit_config.include_subdomains = True
with PluginTester(main_config, audit_config) as t:
assert None not in Config.audit_scope
assert "" not in Config.audit_scope
assert "www.example.com" in Config.audit_scope
assert "example.com" in Config.audit_scope
assert "com" not in Config.audit_scope
assert "subdomain.example.com" in Config.audit_scope
assert "subdomain.www.example.com" in Config.audit_scope
assert "www.example.org" not in Config.audit_scope
assert "wwwexample.com" not in Config.audit_scope
assert "www.wrong.com" not in Config.audit_scope
assert "127.0.0.1" not in Config.audit_scope
assert "::1" not in Config.audit_scope
assert "[::1]" not in Config.audit_scope
assert "http://www.example.com" in Config.audit_scope
assert "https://example.com" in Config.audit_scope
assert "ftp://ftp.example.com" in Config.audit_scope
assert "mailto://[email protected]" in Config.audit_scope
## assert "*****@*****.**" in Config.audit_scope
assert gethostbyname("www.example.com") in Config.audit_scope
for address in gethostbyname_ex("www.example.com")[2]:
assert address in Config.audit_scope
for register in DNS.get_a("www.example.com"):
assert register.address in Config.audit_scope
for register in DNS.get_aaaa("www.example.com"):
assert register.address in Config.audit_scope
assert "[%s]" % register.address in Config.audit_scope
for register in DNS.get_a("www.google.com"):
assert register.address not in Config.audit_scope
for register in DNS.get_aaaa("www.google.com"):
assert register.address not in Config.audit_scope
assert "[%s]" % register.address not in Config.audit_scope
def recv_info(self, info):
# Get the root domain only.
root = info.root
# Skip localhost.
if root == "localhost":
return
# Skip root domains we've already processed.
if self.state.put(root, True):
return
# Load the subdomains wordlist.
try:
wordlist = WordListLoader.get_advanced_wordlist_as_list(Config.plugin_args["wordlist"])
except WordlistNotFound:
Logger.log_error_verbose("Wordlist '%s' not found.." % Config.plugin_args["wordlist"])
return
except TypeError:
Logger.log_error_verbose("Wordlist '%s' is not a file." % Config.plugin_args["wordlist"])
return
# Load the subdomains whitelist.
try:
whitelist = WordListLoader.get_advanced_wordlist_as_list(Config.plugin_config["wordlist"])
except WordlistNotFound:
Logger.log_error_verbose("Wordlist '%s' not found.." % Config.plugin_config["wordlist"])
return
except TypeError:
Logger.log_error_verbose("Wordlist '%s' is not a file." % Config.plugin_config["wordlist"])
return
#
# Set a base line for dinamyc sub-domains
#
m_virtual_domains = []
for v in (generate_random_string(40) for x in xrange(3)):
l_subdomain = ".".join((v, root))
records = DNS.get_a(l_subdomain, also_CNAME=True)
for rec in records:
if rec.type == "CNAME":
m_virtual_domains.append(rec.target)
# If 3 subdomains are the same, set the base domain
m_base_domain = None
if len(set(m_virtual_domains)) == 1:
m_base_domain = m_virtual_domains[0]
# Configure the progress notifier.
self.progress.set_total(len(wordlist))
self.progress.min_delta = 1 # notify every 1%
# For each subdomain in the wordlist...
found = 0
results = []
visited = set()
for prefix in wordlist:
# Mark as completed before actually trying.
# We can't put this at the end of the loop where it belongs,
# because the "continue" statements would skip over this too.
self.progress.add_completed()
# Build the domain name.
name = ".".join((prefix, root))
# Skip if out of scope.
if name not in Config.audit_scope:
continue
# Resolve the subdomain.
records = DNS.get_a(name, also_CNAME=True)
records.extend( DNS.get_aaaa(name, also_CNAME=True) )
# If no DNS records were found, skip.
if not records:
continue
# If CNAME is the base domain, skip
chk = [True for x in records if x.type == "CNAME" and x.target == m_base_domain]
if len(chk) > 0 and all(chk):
continue
# We found a subdomain!
found += 1
Logger.log_more_verbose(
"Subdomain found: %s" % name)
# Create the Domain object for the subdomain.
domain = Domain(name)
results.append(domain)
#
# Check for Domain disclosure
#
if prefix not in whitelist:
d = DomainDisclosure(name,
risk = 0,
level = "low",
title = "Possible subdomain leak",
description = "A subdomain was discovered which may be an unwanted information disclosure."
)
d.add_resource(domain)
results.append(d)
# For each DNs record, grab the address or name.
# Skip duplicated records.
for rec in records:
if rec.type == "CNAME":
location = rec.target
elif rec.type in ("A", "AAAA"):
location = rec.address
else: # should not happen...
results.append(rec)
domain.add_information(rec)
continue
if location not in visited:
visited.add(location)
results.append(rec)
domain.add_information(rec)
# Log the results.
if found:
Logger.log(
"Found %d subdomains for root domain: %s"
% (found, root))
else:
Logger.log_verbose(
"No subdomains found for root domain: %s" % root)
# Return the results.
return results
def recv_info(self, info):
# Get the root domain only.
root = info.root
# Skip localhost.
if root == "localhost":
return
# Skip root domains we've already processed.
if self.state.put(root, True):
return
# Load the subdomains wordlist.
try:
wordlist = WordListLoader.get_advanced_wordlist_as_list(Config.plugin_args["wordlist"])
except WordlistNotFound:
Logger.log_error_verbose("Wordlist '%s' not found.." % Config.plugin_args["wordlist"])
return
except TypeError:
Logger.log_error_verbose("Wordlist '%s' is not a file." % Config.plugin_args["wordlist"])
return
# Configure the progress notifier.
self.progress.set_total(len(wordlist))
self.progress.min_delta = 1 # notify every 1%
# For each subdomain in the wordlist...
found = 0
results = []
visited = set()
for prefix in wordlist:
# Mark as completed before actually trying.
# We can't put this at the end of the loop where it belongs,
# because the "continue" statements would skip over this too.
self.progress.add_completed()
# Build the domain name.
name = ".".join((prefix, root))
# Skip if out of scope.
if name not in Config.audit_scope:
continue
# Resolve the subdomain.
records = DNS.get_a(name, also_CNAME=True)
records.extend( DNS.get_aaaa(name, also_CNAME=True) )
# If no DNS records were found, skip.
if not records:
continue
# We found a subdomain!
found += 1
Logger.log_more_verbose(
"Subdomain found: %s" % name)
# Create the Domain object for the subdomain.
domain = Domain(name)
results.append(domain)
# For each DNs record, grab the address or name.
# Skip duplicated records.
for rec in records:
if rec.type == "CNAME":
location = rec.target
elif rec.type in ("A", "AAAA"):
location = rec.address
else: # should not happen...
results.append(rec)
domain.add_information(rec)
continue
if location not in visited:
visited.add(location)
results.append(rec)
domain.add_information(rec)
# Log the results.
if found:
Logger.log(
"Found %d subdomains for root domain: %s"
% (found, root))
else:
Logger.log_verbose(
"No subdomains found for root domain: %s" % root)
# Return the results.
return results
def run(self, info):
# Get the root domain only.
root = info.root
# Skip localhost.
if root == "localhost":
return
# Skip root domains we've already processed.
if self.state.put(root, True):
return
# Load the subdomains wordlist.
try:
wordlist = WordListLoader.get_wordlist_as_list(Config.plugin_args["wordlist"])
except WordlistNotFound:
Logger.log_error_verbose("Wordlist '%s' not found.." % Config.plugin_args["wordlist"])
return
except TypeError:
Logger.log_error_verbose("Wordlist '%s' is not a file." % Config.plugin_args["wordlist"])
return
# Load the subdomains whitelist.
try:
whitelist = WordListLoader.get_wordlist_as_list(Config.plugin_config["wordlist"])
except WordlistNotFound:
Logger.log_error_verbose("Wordlist '%s' not found.." % Config.plugin_config["wordlist"])
return
except TypeError:
Logger.log_error_verbose("Wordlist '%s' is not a file." % Config.plugin_config["wordlist"])
return
#
# Set a base line for dinamyc sub-domains
#
m_virtual_domains = []
for v in (generate_random_string(40) for x in xrange(3)):
l_subdomain = ".".join((v, root))
records = DNS.get_a(l_subdomain, also_CNAME=True)
for rec in records:
if rec.type == "CNAME":
m_virtual_domains.append(rec.target)
# If 3 subdomains are the same, set the base domain
m_base_domain = None
if len(set(m_virtual_domains)) == 1:
m_base_domain = m_virtual_domains[0]
# Configure the progress notifier.
self.progress.set_total(len(wordlist))
self.progress.min_delta = 1 # notify every 1%
# For each subdomain in the wordlist...
found = 0
results = []
visited = set()
for prefix in wordlist:
# Mark as completed before actually trying.
# We can't put this at the end of the loop where it belongs,
# because the "continue" statements would skip over this too.
self.progress.add_completed()
# Build the domain name.
name = ".".join((prefix, root))
# Skip if out of scope.
if name not in Config.audit_scope:
continue
# Resolve the subdomain.
records = DNS.get_a(name, also_CNAME=True)
records.extend( DNS.get_aaaa(name, also_CNAME=True) )
# If no DNS records were found, skip.
if not records:
continue
# If CNAME is the base domain, skip
chk = [True for x in records if x.type == "CNAME" and x.target == m_base_domain]
if len(chk) > 0 and all(chk):
continue
# We found a subdomain!
found += 1
Logger.log_more_verbose(
"Subdomain found: %s" % name)
# Create the Domain object for the subdomain.
domain = Domain(name)
results.append(domain)
#
# Check for Domain disclosure
#
if prefix not in whitelist:
d = DomainDisclosure(domain,
risk = 0,
level = "low",
title = "Possible subdomain leak",
description = "A subdomain was discovered which may be an unwanted information disclosure."
)
results.append(d)
# For each DNs record, grab the address or name.
# Skip duplicated records.
for rec in records:
if rec.type == "CNAME":
location = rec.target
elif rec.type in ("A", "AAAA"):
location = rec.address
else: # should not happen...
results.append(rec)
domain.add_information(rec)
continue
if location not in visited:
visited.add(location)
results.append(rec)
domain.add_information(rec)
# Log the results.
if found:
Logger.log(
"Found %d subdomains for root domain: %s"
% (found, root))
else:
Logger.log_verbose(
"No subdomains found for root domain: %s" % root)
# Return the results.
return results
def recv_info(self, info):
# Get the root domain only.
root = info.root
# Skip localhost.
if root == "localhost":
return
# Skip root domains we've already processed.
if self.state.put(root, True):
return
# Load the subdomains wordlist.
try:
wordlist = WordListLoader.get_advanced_wordlist_as_list(
Config.plugin_args["wordlist"])
except WordlistNotFound:
Logger.log_error_verbose("Wordlist '%s' not found.." %
Config.plugin_args["wordlist"])
return
except TypeError:
Logger.log_error_verbose("Wordlist '%s' is not a file." %
Config.plugin_args["wordlist"])
return
# Configure the progress notifier.
self.progress.set_total(len(wordlist))
self.progress.min_delta = 1 # notify every 1%
# For each subdomain in the wordlist...
found = 0
results = []
visited = set()
for prefix in wordlist:
# Mark as completed before actually trying.
# We can't put this at the end of the loop where it belongs,
# because the "continue" statements would skip over this too.
self.progress.add_completed()
# Build the domain name.
name = ".".join((prefix, root))
# Skip if out of scope.
if name not in Config.audit_scope:
continue
# Resolve the subdomain.
records = DNS.get_a(name, also_CNAME=True)
records.extend(DNS.get_aaaa(name, also_CNAME=True))
# If no DNS records were found, skip.
if not records:
continue
# We found a subdomain!
found += 1
Logger.log_more_verbose("Subdomain found: %s" % name)
# Create the Domain object for the subdomain.
domain = Domain(name)
results.append(domain)
# For each DNs record, grab the address or name.
# Skip duplicated records.
for rec in records:
if rec.type == "CNAME":
location = rec.target
elif rec.type in ("A", "AAAA"):
location = rec.address
else: # should not happen...
results.append(rec)
domain.add_information(rec)
continue
if location not in visited:
visited.add(location)
results.append(rec)
domain.add_information(rec)
# Log the results.
if found:
Logger.log("Found %d subdomains for root domain: %s" %
(found, root))
else:
Logger.log_verbose("No subdomains found for root domain: %s" %
root)
# Return the results.
return results
