def get_subdomains_bruteforcer(self, subdomain): """ Try to discover subdomains using bruteforce. This function is prepared to run in parallel. To try to make as less as possible connections, discovered_domains contains a list with already discovered domains. :param base_domain: string with de domain to make the test. :type base_domain: str :param updater_func: function to update the state of the process. :type updater_func: update_status :param subdomain: string with the domain to process. :type subdomain: str """ m_domain = "%s.%s" % (subdomain, self.base_domain) completed = self.completed.inc() progress = (float(completed) / float(self.total)) * 100.0 self.update_status(progress=progress) Logger.log_more_verbose("Looking for subdomain: %s" % m_domain) l_oks = DNS.get_a(m_domain, also_CNAME=True) l_oks.extend(DNS.get_aaaa(m_domain, also_CNAME=True)) return l_oks
def test_scope_example(): print "Testing scope with: www.example.com" main_config = OrchestratorConfig() main_config.ui_mode = "disabled" main_config.use_colors = False audit_config = AuditConfig() audit_config.targets = ["http://www.example.com"] audit_config.include_subdomains = True with PluginTester(main_config, audit_config) as t: print Config.audit_scope for token, flag in ( (None, False), ("", False), ("www.example.com", True), ("example.com", True), ("com", False), ("subdomain.example.com", True), ("subdomain.www.example.com", True), ("www.example.org", False), ("wwwexample.com", False), ("www.wrong.com", False), ("127.0.0.1", False), ("::1", False), ("[::1]", False), ("http://www.example.com", True), ("https://example.com", True), ("ftp://ftp.example.com", True), ("mailto://[email protected]", True), ##("*****@*****.**", True), ): assert ((token in Config.audit_scope) == flag), repr(token) assert gethostbyname("www.example.com") in Config.audit_scope for address in gethostbyname_ex("www.example.com")[2]: assert address in Config.audit_scope for register in DNS.get_a("www.example.com"): assert register.address in Config.audit_scope for register in DNS.get_aaaa("www.example.com"): assert register.address in Config.audit_scope assert "[%s]" % register.address in Config.audit_scope for register in DNS.get_a("www.google.com"): assert register.address not in Config.audit_scope for register in DNS.get_aaaa("www.google.com"): assert register.address not in Config.audit_scope assert "[%s]" % register.address not in Config.audit_scope
def test_scope_example(): print "Testing scope with: www.example.com" main_config = OrchestratorConfig() main_config.ui_mode = "disabled" main_config.use_colors = False audit_config = AuditConfig() audit_config.targets = ["www.example.com"] audit_config.include_subdomains = True with PluginTester(main_config, audit_config) as t: assert None not in Config.audit_scope assert "" not in Config.audit_scope assert "www.example.com" in Config.audit_scope assert "example.com" in Config.audit_scope assert "com" not in Config.audit_scope assert "subdomain.example.com" in Config.audit_scope assert "subdomain.www.example.com" in Config.audit_scope assert "www.example.org" not in Config.audit_scope assert "wwwexample.com" not in Config.audit_scope assert "www.wrong.com" not in Config.audit_scope assert "127.0.0.1" not in Config.audit_scope assert "::1" not in Config.audit_scope assert "[::1]" not in Config.audit_scope assert "http://www.example.com" in Config.audit_scope assert "https://example.com" in Config.audit_scope assert "ftp://ftp.example.com" in Config.audit_scope assert "mailto://[email protected]" in Config.audit_scope ## assert "*****@*****.**" in Config.audit_scope assert gethostbyname("www.example.com") in Config.audit_scope for address in gethostbyname_ex("www.example.com")[2]: assert address in Config.audit_scope for register in DNS.get_a("www.example.com"): assert register.address in Config.audit_scope for register in DNS.get_aaaa("www.example.com"): assert register.address in Config.audit_scope assert "[%s]" % register.address in Config.audit_scope for register in DNS.get_a("www.google.com"): assert register.address not in Config.audit_scope for register in DNS.get_aaaa("www.google.com"): assert register.address not in Config.audit_scope assert "[%s]" % register.address not in Config.audit_scope
def recv_info(self, info): # Get the root domain only. root = info.root # Skip localhost. if root == "localhost": return # Skip root domains we've already processed. if self.state.put(root, True): return # Load the subdomains wordlist. try: wordlist = WordListLoader.get_advanced_wordlist_as_list(Config.plugin_args["wordlist"]) except WordlistNotFound: Logger.log_error_verbose("Wordlist '%s' not found.." % Config.plugin_args["wordlist"]) return except TypeError: Logger.log_error_verbose("Wordlist '%s' is not a file." % Config.plugin_args["wordlist"]) return # Load the subdomains whitelist. try: whitelist = WordListLoader.get_advanced_wordlist_as_list(Config.plugin_config["wordlist"]) except WordlistNotFound: Logger.log_error_verbose("Wordlist '%s' not found.." % Config.plugin_config["wordlist"]) return except TypeError: Logger.log_error_verbose("Wordlist '%s' is not a file." % Config.plugin_config["wordlist"]) return # # Set a base line for dinamyc sub-domains # m_virtual_domains = [] for v in (generate_random_string(40) for x in xrange(3)): l_subdomain = ".".join((v, root)) records = DNS.get_a(l_subdomain, also_CNAME=True) for rec in records: if rec.type == "CNAME": m_virtual_domains.append(rec.target) # If 3 subdomains are the same, set the base domain m_base_domain = None if len(set(m_virtual_domains)) == 1: m_base_domain = m_virtual_domains[0] # Configure the progress notifier. self.progress.set_total(len(wordlist)) self.progress.min_delta = 1 # notify every 1% # For each subdomain in the wordlist... found = 0 results = [] visited = set() for prefix in wordlist: # Mark as completed before actually trying. # We can't put this at the end of the loop where it belongs, # because the "continue" statements would skip over this too. self.progress.add_completed() # Build the domain name. name = ".".join((prefix, root)) # Skip if out of scope. if name not in Config.audit_scope: continue # Resolve the subdomain. records = DNS.get_a(name, also_CNAME=True) records.extend( DNS.get_aaaa(name, also_CNAME=True) ) # If no DNS records were found, skip. if not records: continue # If CNAME is the base domain, skip chk = [True for x in records if x.type == "CNAME" and x.target == m_base_domain] if len(chk) > 0 and all(chk): continue # We found a subdomain! found += 1 Logger.log_more_verbose( "Subdomain found: %s" % name) # Create the Domain object for the subdomain. domain = Domain(name) results.append(domain) # # Check for Domain disclosure # if prefix not in whitelist: d = DomainDisclosure(name, risk = 0, level = "low", title = "Possible subdomain leak", description = "A subdomain was discovered which may be an unwanted information disclosure." ) d.add_resource(domain) results.append(d) # For each DNs record, grab the address or name. # Skip duplicated records. for rec in records: if rec.type == "CNAME": location = rec.target elif rec.type in ("A", "AAAA"): location = rec.address else: # should not happen... results.append(rec) domain.add_information(rec) continue if location not in visited: visited.add(location) results.append(rec) domain.add_information(rec) # Log the results. if found: Logger.log( "Found %d subdomains for root domain: %s" % (found, root)) else: Logger.log_verbose( "No subdomains found for root domain: %s" % root) # Return the results. return results
def recv_info(self, info): # Get the root domain only. root = info.root # Skip localhost. if root == "localhost": return # Skip root domains we've already processed. if self.state.put(root, True): return # Load the subdomains wordlist. try: wordlist = WordListLoader.get_advanced_wordlist_as_list(Config.plugin_args["wordlist"]) except WordlistNotFound: Logger.log_error_verbose("Wordlist '%s' not found.." % Config.plugin_args["wordlist"]) return except TypeError: Logger.log_error_verbose("Wordlist '%s' is not a file." % Config.plugin_args["wordlist"]) return # Configure the progress notifier. self.progress.set_total(len(wordlist)) self.progress.min_delta = 1 # notify every 1% # For each subdomain in the wordlist... found = 0 results = [] visited = set() for prefix in wordlist: # Mark as completed before actually trying. # We can't put this at the end of the loop where it belongs, # because the "continue" statements would skip over this too. self.progress.add_completed() # Build the domain name. name = ".".join((prefix, root)) # Skip if out of scope. if name not in Config.audit_scope: continue # Resolve the subdomain. records = DNS.get_a(name, also_CNAME=True) records.extend( DNS.get_aaaa(name, also_CNAME=True) ) # If no DNS records were found, skip. if not records: continue # We found a subdomain! found += 1 Logger.log_more_verbose( "Subdomain found: %s" % name) # Create the Domain object for the subdomain. domain = Domain(name) results.append(domain) # For each DNs record, grab the address or name. # Skip duplicated records. for rec in records: if rec.type == "CNAME": location = rec.target elif rec.type in ("A", "AAAA"): location = rec.address else: # should not happen... results.append(rec) domain.add_information(rec) continue if location not in visited: visited.add(location) results.append(rec) domain.add_information(rec) # Log the results. if found: Logger.log( "Found %d subdomains for root domain: %s" % (found, root)) else: Logger.log_verbose( "No subdomains found for root domain: %s" % root) # Return the results. return results
def run(self, info): # Get the root domain only. root = info.root # Skip localhost. if root == "localhost": return # Skip root domains we've already processed. if self.state.put(root, True): return # Load the subdomains wordlist. try: wordlist = WordListLoader.get_wordlist_as_list(Config.plugin_args["wordlist"]) except WordlistNotFound: Logger.log_error_verbose("Wordlist '%s' not found.." % Config.plugin_args["wordlist"]) return except TypeError: Logger.log_error_verbose("Wordlist '%s' is not a file." % Config.plugin_args["wordlist"]) return # Load the subdomains whitelist. try: whitelist = WordListLoader.get_wordlist_as_list(Config.plugin_config["wordlist"]) except WordlistNotFound: Logger.log_error_verbose("Wordlist '%s' not found.." % Config.plugin_config["wordlist"]) return except TypeError: Logger.log_error_verbose("Wordlist '%s' is not a file." % Config.plugin_config["wordlist"]) return # # Set a base line for dinamyc sub-domains # m_virtual_domains = [] for v in (generate_random_string(40) for x in xrange(3)): l_subdomain = ".".join((v, root)) records = DNS.get_a(l_subdomain, also_CNAME=True) for rec in records: if rec.type == "CNAME": m_virtual_domains.append(rec.target) # If 3 subdomains are the same, set the base domain m_base_domain = None if len(set(m_virtual_domains)) == 1: m_base_domain = m_virtual_domains[0] # Configure the progress notifier. self.progress.set_total(len(wordlist)) self.progress.min_delta = 1 # notify every 1% # For each subdomain in the wordlist... found = 0 results = [] visited = set() for prefix in wordlist: # Mark as completed before actually trying. # We can't put this at the end of the loop where it belongs, # because the "continue" statements would skip over this too. self.progress.add_completed() # Build the domain name. name = ".".join((prefix, root)) # Skip if out of scope. if name not in Config.audit_scope: continue # Resolve the subdomain. records = DNS.get_a(name, also_CNAME=True) records.extend( DNS.get_aaaa(name, also_CNAME=True) ) # If no DNS records were found, skip. if not records: continue # If CNAME is the base domain, skip chk = [True for x in records if x.type == "CNAME" and x.target == m_base_domain] if len(chk) > 0 and all(chk): continue # We found a subdomain! found += 1 Logger.log_more_verbose( "Subdomain found: %s" % name) # Create the Domain object for the subdomain. domain = Domain(name) results.append(domain) # # Check for Domain disclosure # if prefix not in whitelist: d = DomainDisclosure(domain, risk = 0, level = "low", title = "Possible subdomain leak", description = "A subdomain was discovered which may be an unwanted information disclosure." ) results.append(d) # For each DNs record, grab the address or name. # Skip duplicated records. for rec in records: if rec.type == "CNAME": location = rec.target elif rec.type in ("A", "AAAA"): location = rec.address else: # should not happen... results.append(rec) domain.add_information(rec) continue if location not in visited: visited.add(location) results.append(rec) domain.add_information(rec) # Log the results. if found: Logger.log( "Found %d subdomains for root domain: %s" % (found, root)) else: Logger.log_verbose( "No subdomains found for root domain: %s" % root) # Return the results. return results
def recv_info(self, info): # Get the root domain only. root = info.root # Skip localhost. if root == "localhost": return # Skip root domains we've already processed. if self.state.put(root, True): return # Load the subdomains wordlist. try: wordlist = WordListLoader.get_advanced_wordlist_as_list( Config.plugin_args["wordlist"]) except WordlistNotFound: Logger.log_error_verbose("Wordlist '%s' not found.." % Config.plugin_args["wordlist"]) return except TypeError: Logger.log_error_verbose("Wordlist '%s' is not a file." % Config.plugin_args["wordlist"]) return # Configure the progress notifier. self.progress.set_total(len(wordlist)) self.progress.min_delta = 1 # notify every 1% # For each subdomain in the wordlist... found = 0 results = [] visited = set() for prefix in wordlist: # Mark as completed before actually trying. # We can't put this at the end of the loop where it belongs, # because the "continue" statements would skip over this too. self.progress.add_completed() # Build the domain name. name = ".".join((prefix, root)) # Skip if out of scope. if name not in Config.audit_scope: continue # Resolve the subdomain. records = DNS.get_a(name, also_CNAME=True) records.extend(DNS.get_aaaa(name, also_CNAME=True)) # If no DNS records were found, skip. if not records: continue # We found a subdomain! found += 1 Logger.log_more_verbose("Subdomain found: %s" % name) # Create the Domain object for the subdomain. domain = Domain(name) results.append(domain) # For each DNs record, grab the address or name. # Skip duplicated records. for rec in records: if rec.type == "CNAME": location = rec.target elif rec.type in ("A", "AAAA"): location = rec.address else: # should not happen... results.append(rec) domain.add_information(rec) continue if location not in visited: visited.add(location) results.append(rec) domain.add_information(rec) # Log the results. if found: Logger.log("Found %d subdomains for root domain: %s" % (found, root)) else: Logger.log_verbose("No subdomains found for root domain: %s" % root) # Return the results. return results