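def censys(domain, conf):
    """Look up IPs that the legacy Censys IPv4 index associates with *domain*.

    Args:
        domain: Domain name used verbatim as the Censys search term.
        conf: Path of the INI file with a ``[CENSYS]`` section holding
            ``API_ID`` and ``SECRET``; blank values are prompted for.

    Returns:
        List of IP strings that ``ISPCheck`` did not attribute to a known
        provider.  The (possibly empty) list is returned even when the
        Censys query fails, so callers always get a list rather than None.
    """
    config = ConfigParser()
    config.read(conf)
    censys_ip = []
    print(que + 'Enumerating historical data from: %s using Censys.io' % domain)

    # raw_input only exists on Python 2; the conditional keeps it unevaluated on 3.
    ask = input if PYVERSION.startswith('3') else raw_input
    stored_id = config.get('CENSYS', 'API_ID')
    stored_secret = config.get('CENSYS', 'SECRET')
    ID = stored_id if stored_id != '' else ask(tab + info + 'Please enter your censys ID: ')
    SECRET = stored_secret if stored_secret != '' else ask(
        tab + info + 'Now, please enter your censys SECRET: ')

    if stored_id == '' or stored_secret == '':
        # The two interpreters used different prompt prefixes; keep both.
        if PYVERSION.startswith('3'):
            question = input(tab + info + 'Do you want to save your censys.io credentials? y/n: ')
        else:
            question = raw_input(que + 'Do you want to save your censys.io credentials? y/n: ')
        if question in ["yes", "y", "Y", "ye"]:
            config.set('CENSYS', 'API_ID', ID)
            config.set('CENSYS', 'SECRET', SECRET)
            # Write back to the file we read from instead of a hard-coded
            # path, so the saved secret lands where the next run will look.
            # The secret is stored in clear text with the process umask;
            # keep the file out of shared or version-controlled trees.
            with open(conf, 'w') as configfile:
                config.write(configfile)

    try:
        client = thirdparty.censys.ipv4.CensysIPv4(api_id=ID, api_secret=SECRET)
        results = list(client.search('{0}'.format(domain), ['ip'], max_records=10))
        print(tab + info + "Total Associated IPs Found:")
        for ip in (hit['ip'] for hit in results):
            # ISPCheck returns None when the IP is not attributed to a known provider.
            provider = ISPCheck(ip)
            if provider is None:
                print(tab * 2 + good + ip)
                censys_ip.append(ip)
            else:
                print(tab * 2 + bad + ip + provider)
    except Exception as e:
        # Credential, quota and network failures all surface here; report
        # them and fall through so the caller still receives the list.
        print(tab * 2 + bad + str(e))
    return censys_ip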
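def shodan(domain, conf):
    """Collect the IPs Shodan reports for *domain* through its ``ip`` facet.

    Args:
        domain: Shodan search query (the bare domain).
        conf: Path of the INI file with ``[SHODAN]`` ``API_KEY``; a blank
            value is prompted for and optionally written back.

    Returns:
        List of IP strings that ``ISPCheck`` did not attribute to a known
        provider.  Always a list: timeouts and credential errors print a
        message and return what was collected so far (an empty list).
        On a credential error the user may choose to wipe the stored key,
        in which case the process exits.
    """
    config = ConfigParser()
    config.read(conf)
    res = []
    getAPI = config.get('SHODAN', 'API_KEY')
    print(que + 'Enumerating data from: %s using Shodan.io' % domain)

    # raw_input only exists on Python 2; the conditional keeps it unevaluated on 3.
    ask = input if PYVERSION.startswith('3') else raw_input
    api_key = ask(tab + info + 'Please enter your shodan API: ') if getAPI == '' else getAPI

    if getAPI == '':
        if PYVERSION.startswith('3'):
            question = input(tab + info + 'Do you want to save your shodan.io credentials? y/n: ')
        else:
            question = raw_input(que + 'Do you want to save your shodan.io credentials? y/n: ')
        if question in ["yes", "y", "Y", "ye"]:
            config.set('SHODAN', 'API_KEY', api_key)
            # The key is stored in clear text; 'with' closes the handle.
            with open(conf, 'w+') as configfile:
                config.write(configfile)

    try:
        # Named 'client' so the local does not shadow this function.
        client = Shodan(api_key)
        counts = client.count(query=domain, facets=['ip'])
        print(tab + info + "Total Associated IPs Found:")
        for facet in counts['facets']['ip']:
            ip = facet['value']
            # ISPCheck returns None when the IP is not attributed to a known provider.
            provider = ISPCheck(ip)
            if provider is None:
                print(tab * 2 + good + ip)
                res.append(ip)
            else:
                print(tab * 2 + bad + ip + provider)
    except ShodanException.APITimeout as e:
        print(bad + "API timeout:" + str(e))
    except ShodanException.APIError as e:
        print(tab + bad + "Error with your shodan credentials: %s" % e)
        ans = ask(tab + info + "Do you want to delete your credentials? y/n: ")
        if ans in ["yes", "y", "Y", "ye"]:
            config.set('SHODAN', 'API_KEY', '')
            with open(conf, 'w+') as configfile:
                config.write(configfile)
            print(tab + good + "Your credentials have been deleted")
            print(tab + run + "Please re-run the script again")
            sys.exit()
    return res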
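def securitytrails(domain, conf):
    """Collect historical A-record IPs for *domain* from SecurityTrails.

    Args:
        domain: Domain whose DNS history is requested.
        conf: Path of the INI file with ``[SECURITYTRAILS]`` ``API_KEY``;
            a blank value is prompted for and optionally written back.

    Returns:
        List of IP strings that ``ISPCheck`` did not attribute to a known
        provider; empty when the history call fails (the error is printed).

    Exits:
        With status 1 when the API ping fails.
    """
    st_ip = []
    config = ConfigParser()
    config.read(conf)
    print(que + 'Enumerating historical data from: %s using SecurityTrails.com' % domain)

    # raw_input only exists on Python 2; the conditional keeps it unevaluated on 3.
    ask = input if PYVERSION.startswith('3') else raw_input
    stored_key = config.get('SECURITYTRAILS', 'API_KEY')
    API_KEY = stored_key if stored_key != '' else ask(
        tab + info + 'Please enter your securitytrails API KEY: ')

    # The original tested the same key twice in an 'or'; one test suffices.
    if stored_key == '':
        if PYVERSION.startswith('3'):
            question = input(tab + info + 'Do you want to save your securitytrails credentials? y/n: ')
        else:
            question = raw_input(que + 'Do you want to save your securitytrails credentials? y/n: ')
        if question in ["yes", "y", "Y", "ye"]:
            config.set('SECURITYTRAILS', 'API_KEY', API_KEY)
            # Write back to the file we read from instead of a hard-coded
            # path; the key is stored in clear text with the process umask.
            with open(conf, 'w') as configfile:
                config.write(configfile)

    st = SecurityTrails(API_KEY)
    try:
        st.ping()
    except SecurityTrailsError:
        print(tab*2 + bad + 'Ping failed. Check your connection or Try later.')
        sys.exit(1)

    try:
        print(tab + info + "Total Historical DNS Found:")
        records = st.domain_history_dns(domain)["records"]
        # Each record carries a list of value dicts; skip records with none.
        for values in (record["values"] for record in records if record["values"]):
            for entry in values:
                ip = entry["ip"]
                # ISPCheck returns None when the IP is not attributed to a known provider.
                provider = ISPCheck(ip)
                if provider is None:
                    print(tab*2 + good + ip)
                    st_ip.append(ip)
                else:
                    print(tab*2 + bad + ip + provider)
    except Exception as e:
        print(tab*2 + bad + str(e))
    return st_ip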
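def nameserver(domain):
    """Resolve NS and MX records for every candidate name ``bruter`` yields.

    Args:
        domain: Base domain handed to ``bruter`` to generate candidates.

    Returns:
        De-duplicated list of NS/MX host names (trailing dot stripped) that
        ``ISPCheck`` did not attribute to a known provider.  Names that
        are attributed are printed but not collected.
    """
    checking = bruter(domain)
    good_dns = []
    print(que + 'Bruteforcing domain extensions and getting DNS records')

    def _collect(label, hostname, item):
        # Print one NS/MX host and keep it when ISPCheck returns None
        # (i.e. not attributed to a known provider).
        provider = ISPCheck(hostname)
        if provider is None:
            if hostname not in good_dns:
                good_dns.append(hostname)
                print(tab + good + label + ' Record: ' + hostname + ' from: ' + item)
        else:
            print(tab + bad + label + ' Record: ' + hostname + ' from: ' + item + provider)

    for item in checking:
        # The original nested the NS handling inside the MX loop, so NS
        # records were only reported when at least one MX record existed
        # and an attributed NS host was printed once per MX record.  Query
        # and report the two record types independently instead.
        try:
            ns_hosts = [str(rdata).rstrip('.')
                        for rdata in thirdparty.dns.resolver.query(item, 'NS')]
        except thirdparty.dns.resolver.NXDOMAIN as e:
            print(tab + bad + '%s' % e)
            continue
        except thirdparty.dns.exception.DNSException:
            # Timeout / NoAnswer / NoNameservers are expected for guessed
            # names during bruteforce; stay silent as the original did.
            ns_hosts = []
        try:
            # MX rdata prints as "<preference> <exchange>"; keep the exchange.
            mx_hosts = [str(rdata).split(' ')[1].rstrip('.')
                        for rdata in thirdparty.dns.resolver.query(item, 'MX')]
        except thirdparty.dns.exception.DNSException:
            mx_hosts = []

        for ns_host in ns_hosts:
            _collect('NS', ns_host, item)
        for mx_host in mx_hosts:
            _collect('MX', mx_host, item)
    return good_dns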
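def main(domain, threads, savefile, ports, silent, verbose, enable_bruteforce, engines):
    """Enumerate subdomains of *domain* and report the ones not behind a known provider.

    Args:
        domain: Target domain; an ``http://`` scheme is prepended when missing.
        threads: Process count forwarded to ``subbrute.print_target``.
        savefile: Optional path passed to ``write_file`` with the sorted results.
        ports: Comma-separated port list; when given a ``portscan`` runs
            instead of the per-subdomain IP listing.
        silent: Suppress most console output.
        verbose: Forwarded to the engines and to subbrute.
        enable_bruteforce: Falsy disables subbrute; ``None`` enables it.
        engines: Comma-separated engine names, or ``None`` for all of them.

    Returns:
        List of subdomains for which ``ISPCheck`` returned None, or ``[]``
        when *domain* fails validation.
    """
    bruteforce_list = set()
    search_list = set()
    if is_windows:
        subdomains_queue = list()
    else:
        subdomains_queue = multiprocessing.Manager().list()

    # Check Bruteforce Status
    if enable_bruteforce or enable_bruteforce is None:
        enable_bruteforce = True

    # Validate domain.  Raw string: the non-raw original emitted invalid
    # escape warnings for "\-" and "\." on recent interpreters.  Note the
    # pattern accepts a bare "http"/"https" prefix but no "://", so the
    # scheme check below effectively always prepends "http://".
    domain_check = re.compile(
        r"^(http|https)?[a-zA-Z0-9]+([\-\.]{1}[a-zA-Z0-9]+)*\.[a-zA-Z]{2,}$")
    if not domain_check.match(domain):
        if not silent:
            print(bad + " Error: Please enter a valid domain" + W)
        return []

    # The original "not a or not b" was always true, so an https:// input
    # would have been turned into "http://https://...".
    if not domain.startswith(('http://', 'https://')):
        domain = 'http://' + domain

    parsed_domain = urlparse.urlparse(domain)
    if not silent:
        print(que + "Enumerating subdomains now for %s" % parsed_domain.netloc + W)
    if verbose and not silent:
        print(tab + info + "verbosity is enabled, will show the subdomains results in realtime" + W)

    supported_engines = {
        'baidu': BaiduEnum,
        'yahoo': YahooEnum,
        'google': GoogleEnum,
        'bing': BingEnum,
        'ask': AskEnum,
        'netcraft': NetcraftEnum,
        'dnsdumpster': DNSdumpster,
        'virustotal': Virustotal,
        'threatcrowd': ThreatCrowd,
        'ssl': CrtSearch,
        'passivedns': PassiveDNS
    }
    chosenEnums = []
    if engines is None:
        chosenEnums = [
            BaiduEnum, YahooEnum, GoogleEnum, BingEnum, AskEnum, NetcraftEnum,
            DNSdumpster, Virustotal, ThreatCrowd, CrtSearch, PassiveDNS
        ]
    else:
        # Unknown engine names are silently ignored.
        for engine in engines.split(','):
            if engine.lower() in supported_engines:
                chosenEnums.append(supported_engines[engine.lower()])

    # Start the engines enumeration
    enums = [
        enum(domain, [], q=subdomains_queue, silent=silent, verbose=verbose)
        for enum in chosenEnums
    ]
    for enum in enums:
        enum.start()
    for enum in enums:
        enum.join()

    subdomains = set(subdomains_queue)
    search_list.update(subdomains)

    if enable_bruteforce:
        if not silent:
            print(tab + info + "Starting bruteforce module now using subbrute.." + W)
        record_type = False
        path_to_file = os.path.dirname(os.path.realpath(__file__))
        subs = os.path.join(path_to_file, 'subbrute', 'names.txt')
        resolvers = os.path.join(path_to_file, 'subbrute', 'resolvers.txt')
        process_count = threads
        output = False
        json_output = False
        bruteforce_list = subbrute.print_target(
            parsed_domain.netloc, record_type, subs, resolvers, process_count,
            output, json_output, search_list, verbose)

    subdomains = search_list.union(bruteforce_list)

    if subdomains:
        subdomains = sorted(subdomains, key=subdomain_sorting_key)
        if savefile:
            write_file(savefile, subdomains)
        if not silent:
            print(tab + info + "Total Unique Subdomains Found: %s%s" % (Y, len(subdomains)) + W)
        if ports:
            if not silent:
                print(tab + info + "Start port scan now for the following ports: %s%s" % (Y, ports) + W)
            ports = ports.split(',')
            pscan = portscan(subdomains, ports)
            pscan.run()
        elif not silent:
            for subdomain in subdomains:
                try:
                    isCloud = ISPCheck(subdomain)
                    ipsub = socket.gethostbyname(str(subdomain))
                    resultPrint = (tab * 2 + good + subdomain + f" ({G + ipsub + W})")
                    if isCloud is None:
                        print(resultPrint)
                    else:
                        print(resultPrint + isCloud)
                except Exception:
                    # Resolution failures are reported per name; the bare
                    # except the original used also swallowed Ctrl-C.
                    print(tab * 2 + bad + subdomain + f" ({R}error getting ip{W})")

    # These summary lines are printed regardless of 'silent', as in the original.
    print(que + 'Enumerating misconfigured subdomains')
    subdomains = [
        misconfigured for misconfigured in subdomains
        if ISPCheck(misconfigured) is None
    ]
    print(tab + info + 'Total Misconfigured Subdomains Found: %s' % len(subdomains))
    if len(subdomains) == 0:
        print(tab * 2 + bad + 'misconfigured subdomains not found')
    else:
        for subdomain in subdomains:
            print(tab * 2 + good + subdomain)
    return subdomains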
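def netcat(domain, host, ignoreRedir, userAgent, randomAgent, header, count):
    """Probe *ip* with a Host header of *domain* and compare the page with the public site.

    Args:
        domain: Public host name; also sent as the Host header value.
        host: Candidate host whose IP is probed.
        ignoreRedir: When exactly ``True`` the user is asked whether to follow a
            301/302; any other value is used as the answer directly (the
            original's semantics, preserved here).
        userAgent: Explicit User-agent value; overrides the random one.
        randomAgent: When ``True`` pick a User-agent from data/txt/random_agents.txt.
        header: Comma-separated ``Name: value`` pairs added to the request, or None.
        count: 0 means resolve *host* with gethostbyname; otherwise the
            ``DNSLookup`` result is used.  Local increments are not returned.

    Returns:
        None; results are printed.  On a strong similarity match the user
        is asked whether to stop, which may exit the process.
    """
    # Split on the first ':' only, so header values containing ':' survive.
    headers = (dict(x.replace(' ', '').split(':', 1) for x in header.split(','))
               if header != None else {})
    if randomAgent == True:
        with open("data/txt/random_agents.txt") as agents:
            headers['User-agent'] = random.choice(agents.readlines()).rstrip("\n")
    if userAgent != None:
        headers['User-agent'] = userAgent

    A = DNSLookup(domain, host)
    ip = socket.gethostbyname(str(host)) if count == 0 else str(A)
    if not A:
        print(que + 'Using DIG to get the real IP')
        print(' ' + bad + 'IP not found using DNS Lookup')
    url = 'http://' + domain
    try:
        isCloud = ISPCheck(ip)
        if isCloud != None:
            print(tab + info + ip + isCloud + '. Closing connection.')
        else:
            page = requests.get(url, timeout=config['http_timeout_seconds'])
            http = 'http://' if 'http://' in page.url else 'https://'
            hncat = page.url.replace(http, '').split('/')[0]
            headers.update(host=hncat)
            home = page.url.replace(http, '').split(hncat)[1]
            print(que + 'Connecting %s using as Host Header: %s' % (ip, domain))
            data = requests.get('http://' + ip + home, headers=headers,
                                timeout=config['http_timeout_seconds'],
                                allow_redirects=False)
            count += 1
            if data.status_code in [301, 302]:
                print(tab + info + "Connection Redirect to: %s" % data.headers['Location'])
                if ignoreRedir != True:
                    question = ignoreRedir
                elif PYVERSION.startswith('3'):
                    question = input(tab + info + 'Do yo want to redirect? y/n: ')
                else:
                    question = raw_input(tab + info + 'Do yo want to redirect? y/n: ')
                if question in ['y', 'yes', 'ye']:
                    redir = True
                elif ignoreRedir != True:
                    redir = ignoreRedir
                else:
                    redir = False
                try:
                    data = requests.get('http://' + ip + home, headers=headers,
                                        timeout=config['http_timeout_seconds'],
                                        allow_redirects=redir)
                except requests.exceptions.RequestException:
                    # 'data' still holds the redirect response here.
                    if question in ['y', 'yes', 'ye']:
                        print(tab + bad + 'Error while connecting to: %s' % data.headers['Location'])
            if data.status_code == 200:
                count += 1
                sim = similarity(data.text, page.text)
                if sim > config['response_similarity_threshold']:
                    print(tab + good + 'The connect has %d%% similarity to: %s' % (round(100 * sim, 2), url))
                    print(tab + good + '%s is the real IP' % ip)
                    try:
                        # NOTE(review): quest() receives code as strings (doY/doN);
                        # these are fixed literals, never user input, and must stay so.
                        quest(question='\n' + info + 'IP found. Do yo want to stop tests? y/n: ',
                              doY='sys.exit()', doN="pass")
                    except KeyboardInterrupt:
                        sys.exit()
                else:
                    print(tab + bad + 'The connect has %d%% similarity to: %s' % (round(100 * sim, 2), url))
                    print(tab + bad + "%s is not the IP" % ip)
            else:
                print(tab + bad + 'Unexpected status code occurred: %s' % data.status_code)
    except requests.exceptions.SSLError:
        print(tab + bad + 'Error handshaking with SSL')
    except requests.exceptions.ReadTimeout:
        print(tab + bad + "Connection ReadTimeout to: %s" % ip)
    except requests.ConnectTimeout:
        print(tab + bad + "Connection Timeout to: %s" % ip)
    except requests.exceptions.ConnectionError:
        print(tab + bad + "Connection Error to: %s" % ip)
    except requests.exceptions.InvalidHeader as e:
        print(tab + bad + "Error using header: %s" % str(e))
    except Exception as e:
        print(tab + bad + "An unexpected error occurred: %s" % str(e))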
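def censys(domain, conf):
    """Pivot on *domain* through Censys Hosts: certificate CNs and the HTML title.

    Args:
        domain: Target domain; its landing page is fetched to harvest the
            ``<title>`` used as a second pivot.
        conf: Path of the INI file with ``[CENSYS]`` ``API_ID`` / ``SECRET``;
            blank values are prompted for and optionally written back.

    Returns:
        List of IP strings that ``ISPCheck`` did not attribute to a known
        provider.  Always a list; a failed Censys query is printed and the
        IPs collected so far are returned.
    """
    # Named api_conf so the module-level 'config' dict stays reachable below.
    api_conf = ConfigParser()
    api_conf.read(conf)
    censys_ip = []
    print(que + 'Enumerating historical data from: %s using Censys.io' % domain)

    # The original request had no timeout and no error handling, so an
    # unreachable target blocked or aborted the run before Censys was
    # even queried.  Reuse the tool's HTTP timeout and degrade to no title.
    try:
        req = requests.get('http://' + domain, allow_redirects=True,
                           timeout=config['http_timeout_seconds'])
        soup = BeautifulSoup(req.text, 'html.parser')
        title = soup.title.string if soup.title else None
    except requests.exceptions.RequestException as e:
        print(tab + bad + str(e))
        title = None

    # raw_input only exists on Python 2; the conditional keeps it unevaluated on 3.
    ask = input if PYVERSION.startswith('3') else raw_input
    stored_id = api_conf.get('CENSYS', 'API_ID')
    stored_secret = api_conf.get('CENSYS', 'SECRET')
    ID = stored_id if stored_id != '' else ask(tab + info + 'Please enter your censys ID: ')
    SECRET = stored_secret if stored_secret != '' else ask(
        tab + info + 'Now, please enter your censys SECRET: ')

    if stored_id == '' or stored_secret == '':
        if PYVERSION.startswith('3'):
            question = input(tab + info + 'Do you want to save your censys.io credentials? y/n: ')
        else:
            question = raw_input(que + 'Do you want to save your censys.io credentials? y/n: ')
        if question in ["yes", "y", "Y", "ye"]:
            api_conf.set('CENSYS', 'API_ID', ID)
            api_conf.set('CENSYS', 'SECRET', SECRET)
            # Write back to the file we read from instead of a hard-coded
            # path; the secret is stored in clear text with the process umask.
            with open(conf, 'w') as configfile:
                api_conf.write(configfile)

    def _report(hits):
        # Print each hit's IP and keep it when ISPCheck returns None
        # (i.e. not attributed to a known provider).
        for hit in hits:
            ip = hit['ip']
            provider = ISPCheck(ip)
            if provider is None:
                print(tab * 2 + good + ip)
                censys_ip.append(ip)
            else:
                print(tab * 2 + bad + ip + provider)

    try:
        client = CensysHosts(ID, SECRET)
        certificates = client.search(
            "services.tls.certificates.leaf_data.subject.common_name: *.%s" % domain,
            sort="RELEVANCE")
        print(tab + info + "Total IPs found using certificates with common names:")
        _report(certificates())
        if title != None:
            # NOTE(review): the title is server-controlled page content
            # interpolated into the query unescaped; a quote in it breaks
            # the query (the resulting API error is caught below).  Confirm
            # the Censys quoting rules before adding escaping here.
            titles = client.search(
                "services.http.response.html_title: '%s'" % title,
                sort="RELEVANCE")
            print(tab + info + "Total IPs found using HTML title:")
            _report(titles())
    except Exception as e:
        print(tab * 2 + bad + str(e))
    return censys_ip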