def run(self):
if not self.args['API_ID']['Value'] or not self.args['API_SECRET'][
'Value']:
return False
try:
certs = CensysCertificates(
api_id=self.args['API_ID']['Value'],
api_secret=self.args['API_SECRET']['Value'])
resp = certs.search("parsed.names: {}".format(self.target),
fields=['parsed.names'])
for line in resp:
for sub in line['parsed.names']:
if sub.endswith(self.target):
self.handler.sub_handler({
'Name': sub,
'Source': self.name
})
except Exception as e:
if str(e).startswith('403 (unauthorized):'):
print(
highlight('[!]', 'yellow'),
highlight(
'Censys Authentication Failed: Verify API ID & Secret.',
'gray'))
elif '400 (max_results)' in str(e):
pass
else:
print(highlight('[!]', 'yellow'),
highlight('Censys.IO Error: {}.'.format(e), 'gray'))
def spinner(self):
stdout.write(
highlight(
"{} {} Subdomains Found.\n".format(next(self.status),
len(self.complete)),
'gray'))
stdout.write('\033[F' + '\033[K')
def banner():
version = '3.0.2'
banner = """
___ _ ___
/ __|_ _| |__/ __| __ _ _ __ _ _ __ ___ _ _
\__ \ || | '_ \__ \/ _| '_/ _` | '_ \/ -_) '_|
|___/\_,_|_.__/___/\__|_| \__,_| .__/\___|_| v{}
|_| @m8r0wn
""".format(version)
print(highlight(banner, 'gray'))
def cli_handler(self, sub):
src = '[{}]'.format(highlight(sub['Source'], 'blue'))
pad_src = 15 if self.windows else (15 + 12)
output = '{:<{}} {:<35} '.format(src, pad_src, sub['Name'])
output += '({:<3}/{:<3}) '.format(
sub['HTTP']['code'],
sub['HTTPS']['code']) if self.args.http else ''
output += '{:<35} '.format(
sub['Takeover']) if self.args.takeover else ''
output += '{} '.format(sub['DNS']) if self.args.dns else ''
print(output)
def list_modules(cls):
print(
highlight("\n {:15} {}\n".format('Module Name', 'Description'),
'gray'))
for module in listdir(cls.module_path):
if module[-3:] == '.py' and module[:-3] != '__init__':
mod_class = cls.get_moduleClass(module[:-3], gen_context(),
False, False)
print(" {:20} - {}".format(mod_class.name,
mod_class.description))
for k, v in mod_class.args.items():
print(' |_{:24} {:30} (Required:{})'.format(
k, v['Description'], v['Required']))
def main():
banner()
args = argparse.ArgumentParser(formatter_class=argparse.RawTextHelpFormatter, usage=argparse.SUPPRESS)
options = args.add_argument_group("SubScraper Options")
options.add_argument('-T',
dest='max_threads',
type=int, default=55,
help='Max threads for enumeration (Default: 55).'
)
options.add_argument('-t',
dest='timeout',
type=int,
default=25,
help='Timeout [seconds] for search threads (Default: 25).'
)
options.add_argument('-r',
dest='report',
type=str,
default='./subscraper_report.txt',
help="Output to specific file {txt*, csv}."
)
options.add_argument(dest='target',
nargs='+',
help='Target domain.'
)
mod = args.add_argument_group("Module Options")
mod.add_argument('-L',
dest="list_modules",
action='store_true',
help='List SubScraper enumeration modules.'
)
mod.add_argument('-M',
dest="modules",
type=str,
default='all',
help="Execute module(s) by name or group (Default: all)."
)
mod.add_argument('-w',
dest='wordlist',
default=path.join(path.dirname(path.realpath(__file__)), 'resources', 'subdomains.txt'),
type=lambda x: file_exists(args, x), help='Custom wordlist for DNS brute force.'
)
mod.add_argument('--censys-id',
dest="censys_id",
type=str,
default=False,
help='Censys.io API ID.'
)
mod.add_argument('--censys-secret',
dest="censys_secret",
type=str,
default=False,
help='Censys.io API Secret.'
)
enum = args.add_argument_group("Enumeration Options")
enum.add_argument('--dns',
dest="dns",
action='store_true',
help='Resolve DNS address for each subdomain identified.'
)
enum.add_argument('--http',
dest="http",
action='store_true',
help='Probe for active HTTP:80 & HTTPS:443 services.'
)
enum.add_argument('--takeover',
dest="takeover",
action='store_true',
help='Perform CNAME lookup & probe for HTTP(s) response.'
)
enum.add_argument('--all',
dest="all",
action='store_true',
help='Perform all checks on enumerated subdomains.'
)
if len(argv) < 2: args.print_help(); exit(0)
if "-L" in argv: ModuleLoader.list_modules(); exit(0)
args = args.parse_args()
adjust_all(args)
start_timer = datetime.now()
count = subenum(args, target_parser(args.target))
stop_timer = datetime.now()
print(highlight("[*] Identified {} subdomain(s) in {}.".format(count, stop_timer - start_timer), 'gray'))
print(highlight("[*] Subdomains written to {}.".format(args.report), 'gray'))
def print_headers(args):
title_headers = '{:<15} {:<35} '.format('Source', 'Subdomain')
title_headers += '{:<10} '.format('HTTP/HTTPS') if args.http else ''
title_headers += '{:<35} '.format('Takeover (CNAME)') if args.takeover else ''
title_headers += '{:<20} '.format('DNS (A)') if args.dns else ''
print(highlight(title_headers, 'gray'))