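def test_crt(self):
    """Check that the crt.sh search for jonlu.ca reports secure.jonlu.ca.

    search_crtsh is called with this test case as its first argument and
    is expected to leave its results in self.domains, which is what the
    final assertion inspects.
    """
    search_crtsh(self, "jonlu.ca")
    if 'TRAVIS' in os.environ:
        # crt.sh times out on Travis. Report the test as skipped instead of
        # recording a vacuous pass (the former assertTrue(True)), so the CI
        # log shows that the result assertion did not run there.
        self.skipTest("crt.sh times out on Travis")
    self.assertIn("secure.jonlu.ca", self.domains)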
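def run(self):
    """Drain the domain queue, running the default scanners on each entry.

    Loops until self.stopper is set or self.domain_queue is empty.  For
    every queued target the default scanners are run against self.parent,
    self.domains is normalised through self.parent.clean_domains, and any
    domain not yet in self.master_domains is recorded there and queued
    for its own pass.

    The scanners were previously written as ``Thread(target=f(parent, t))``,
    which calls ``f`` immediately while the list is being built and hands
    the Thread its return value, so every scan ran one after another on
    the calling thread and the threads themselves did nothing.  They are
    now passed as callables with ``args`` and really run concurrently.  As
    a consequence an uncaught exception in one scanner ends only that
    thread instead of aborting the whole loop.
    """
    # Default scans that run every time
    scanners = (
        dns_zonetransfer,
        search_sublist3r,
        subdomain_hackertarget,
        search_pkey,
        search_netcraft,
        search_crtsh,
        search_dnsdumpster,
    )

    while not self.stopper.is_set():
        try:
            target = self.domain_queue.get_nowait()
        except queue.Empty:
            break

        sys.__stdout__.write("Starting recursive search on " + target + "\n")
        self.parent.stdout.flush()

        # NOTE(review): the scanners now share self.parent across threads;
        # presumably they only append results to its lists - confirm.
        threads = [
            Thread(target=scan, args=(self.parent, target))
            for scan in scanners
        ]

        # Start all threads
        for x in threads:
            x.start()

        # Wait for all of them to finish
        for x in threads:
            x.join()

        self.domains = self.parent.clean_domains(self.domains)
        for domain in self.domains:
            if domain not in self.master_domains:
                sys.__stdout__.write("Found new domain: " + domain)
                self.master_domains.append(domain)
                # Newly seen names are fed back so they get scanned too.
                self.domain_queue.put(domain)

        # One task_done() per successful get_nowait().
        self.domain_queue.task_done()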
def test_crt(self):
    """Run the crt.sh search for jonlu.ca and expect secure.jonlu.ca."""
    # The search receives this test case as its first argument; the
    # assertion below reads the outcome from self.domains.
    search_crtsh(self, "jonlu.ca")
    collected = self.domains
    self.assertIn("secure.jonlu.ca", collected)
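def run(self):
    """Run every enabled subdomain scan for the target and print the results.

    After self.init(), the default scans plus any opted-in extras
    (--ssl, --additional-info, --with-nmap, --brute-force) are started
    as threads and joined.  The collected domains are then optionally
    expanded by self.recursive_search(), cleaned, de-duplicated into
    self.dedupe, and printed (or resolved when --ip is set).

    The scans were previously written as ``Thread(target=f(self, t))``,
    which calls ``f`` immediately while the list is being built and hands
    the Thread its return value, so every scan ran one after another on
    the calling thread and the threads themselves did nothing.  They are
    now passed as callables with ``args`` and really run concurrently.  As
    a consequence an uncaught exception in one scan ends only that thread
    instead of aborting the whole run.
    """
    # Retrieve IP of target and run initial configurations
    self.init()
    target = self.options["TARGET"]
    ColorPrint.green(
        "Searching for subdomains for " + self.ip + " (" + target + ")\n")

    # Default scans that run every time, as (callable, args) pairs.
    scans = [
        (dns_zonetransfer, (self, target)),
        (search_subject_alt_name, (self, target)),
        (subdomain_hackertarget, (self, target)),
        (search_virustotal, (self, target)),
        (search_pkey, (self, target)),
        (search_netcraft, (self, target)),
        (search_crtsh, (self, target)),
        (search_dnsdumpster, (self, target)),
        (search_anubisdb, (self, target)),
    ]

    # Additional options - ssl cert scan
    if self.options["--ssl"]:
        scans.append((ssl_scan, (self, target)))

    # Additional options - shodan.io scan
    if self.options["--additional-info"]:
        scans.append((search_shodan, (self,)))

    # Additional options - nmap scan of dnssec script and a host/port scan
    if self.options["--with-nmap"]:
        scans.append((dnssecc_subdomain_enum, (self, target)))
        scans.append((scan_host, (self,)))

    # Additional options - brute force common subdomains
    if self.options["--brute-force"]:
        scans.append((brute_force, (self, target)))

    # NOTE(review): the scans now share this object across threads;
    # presumably they only append results to its lists - confirm.
    threads = [Thread(target=scan, args=args) for scan, args in scans]

    # Start all threads
    for x in threads:
        x.start()

    # Wait for all of them to finish
    for x in threads:
        x.join()

    # remove duplicates and clean up
    if self.options["--recursive"]:
        self.recursive_search()

    self.domains = self.clean_domains(self.domains)
    self.dedupe = set(self.domains)

    print("Found", len(self.dedupe), "subdomains")
    print("----------------")

    if self.options["--ip"]:
        self.resolve_ips()
    else:
        for domain in self.dedupe:
            ColorPrint.green(domain.strip())

    # Opt-out, not opt-in: send_to_anubisdb runs unless --no-anubis-db is
    # set.  NOTE(review): presumably this submits the discovered names to
    # an external service - confirm what leaves the host by default.
    if not self.options["--no-anubis-db"]:
        send_to_anubisdb(self, self.options["TARGET"])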