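def censys(domain, conf):
    """Search Censys for IPv4 hosts matching *domain* and keep the usable ones.

    The API ID and secret come from the ``CENSYS`` section of the INI file at
    *conf*. A value stored as an empty string is asked for on the terminal,
    and the user may choose to save what was typed back to *conf*.

    Args:
        domain: Domain name sent to Censys as the search query.
        conf: Path of the INI file that holds the ``CENSYS`` section.

    Returns:
        The list of returned IPs for which ``ISPCheck`` gave ``None`` (at most
        10 records are requested), or ``None`` if the lookup raised; the
        exception text is printed in that case.
    """
    import getpass
    import os

    config = ConfigParser()
    config.read(conf)
    censys_ip = []
    print(que + 'Enumerating historical data from: %s using Censys.io' % domain)

    is_py3 = PYVERSION.startswith('3')
    ask = input if is_py3 else raw_input
    stored_id = config.get('CENSYS', 'API_ID')
    stored_secret = config.get('CENSYS', 'SECRET')

    ID = stored_id
    if stored_id == '':
        ID = ask(tab + info + 'Please enter your censys ID: ')
    SECRET = stored_secret
    if stored_secret == '':
        # Read the secret without echo so it does not stay on screen or in
        # terminal scrollback.
        SECRET = getpass.getpass(tab + info + 'Now, please enter your censys SECRET: ')

    if stored_id == '' or stored_secret == '':
        save_prefix = tab + info if is_py3 else que
        answer = ask(save_prefix + 'Do you want to save your censys.io credentials? y/n: ')
        if answer in ["yes", "y", "Y", "ye"]:
            config.set('CENSYS', 'API_ID', ID)
            config.set('CENSYS', 'SECRET', SECRET)
            # Write back to the file that was read. A fixed path here would
            # overwrite the default config whenever a custom one was supplied.
            with open(conf, 'w') as configfile:
                config.write(configfile)
            # The secret is stored in clear text, so restrict the file to its
            # owner. Best effort: not every platform honours the mode bits.
            try:
                os.chmod(conf, 0o600)
            except OSError:
                pass

    try:
        fields = ['ip']
        client = thirdparty.censys.ipv4.CensysIPv4(api_id=ID, api_secret=SECRET)
        records = list(client.search('{0}'.format(domain), fields, max_records=10))
        ip_data = [record['ip'] for record in records]
        print(tab + info + "Total Associated IPs Found:")
        for address in ip_data:
            # ISPCheck is defined elsewhere; presumably it names the provider
            # that owns the address, with None meaning "no known provider" -
            # confirm against its definition.
            provider = ISPCheck(address)
            if provider is None:
                print(tab * 2 + good + address)
                censys_ip.append(address)
            else:
                print(tab * 2 + bad + address + provider)
        return censys_ip
    except Exception as e:
        print(tab * 2 + bad + str(e))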
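def shodan(domain, conf):
    """List the IPs Shodan reports for *domain* through its ``ip`` facet.

    The API key is read from the ``SHODAN`` section of the INI file at *conf*.
    When the stored key is an empty string it is asked for on the terminal and
    the user may choose to save it back to *conf*.

    Args:
        domain: Domain name used as the Shodan count query.
        conf: Path of the INI file that holds the ``SHODAN`` section.

    Returns:
        The list of facet IPs for which ``ISPCheck`` gave ``None``. ``None``
        is returned after an API timeout. On any other API error the user is
        offered to clear the stored key, and the process exits if they accept.
    """
    import getpass
    import os

    config = ConfigParser()
    config.read(conf)
    res = []
    getAPI = config.get('SHODAN', 'API_KEY')
    print(que + 'Enumerating data from: %s using Shodan.io' % domain)

    is_py3 = PYVERSION.startswith('3')
    ask = input if is_py3 else raw_input

    api_key = getAPI
    if getAPI == '':
        # Read the key without echo so it does not stay on screen or in
        # terminal scrollback.
        api_key = getpass.getpass(tab + info + 'Please enter your shodan API: ')
        save_prefix = tab + info if is_py3 else que
        answer = ask(save_prefix + 'Do you want to save your shodan.io credentials? y/n: ')
        if answer in ["yes", "y", "Y", "ye"]:
            config.set('SHODAN', 'API_KEY', api_key)
            # The with-statement closes the file; no explicit close() needed.
            with open(conf, 'w+') as configfile:
                config.write(configfile)
            # The key is stored in clear text, so restrict the file to its
            # owner. Best effort: not every platform honours the mode bits.
            try:
                os.chmod(conf, 0o600)
            except OSError:
                pass

    try:
        # Named "client" so the local does not shadow this function's name.
        client = Shodan(api_key)
        counts = client.count(query=domain, facets=['ip'])
        print(tab + info + "Total Associated IPs Found:")
        for facet in counts['facets']['ip']:
            address = facet['value']
            # ISPCheck is defined elsewhere; presumably it names the provider
            # that owns the address - confirm against its definition.
            provider = ISPCheck(address)
            if provider is None:
                print(tab * 2 + good + address)
                res.append(address)
            else:
                print(tab * 2 + bad + address + provider)
        return res
    except ShodanException.APITimeout as e:
        print(bad + "API timeout:" + str(e))
    except ShodanException.APIError as e:
        # Every APIError is reported as a credential problem here, although the
        # exception type alone does not say the key was at fault.
        print(tab + bad + "Error with your shodan credentials: %s" % e)
        ans = ask(tab + info + "Do you want to delete your credentials? y/n: ")
        if ans in ["yes", "y", "Y", "ye"]:
            config.set('SHODAN', 'API_KEY', '')
            with open(conf, 'w+') as configfile:
                config.write(configfile)
            print(tab + good + "Your credentials have been deleted")
            print(tab + run + "Please re-run the script again")
            # NOTE(review): the flattened listing does not show whether the
            # exit depends on the answer; it is kept inside this branch -
            # confirm against the original file.
            sys.exit()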
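def shodan(domain, conf):
    """Search Shodan for hosts whose HTTP title matches the target's title.

    The title is obtained from ``searchTitle(domain)``. The API key is read
    from the ``SHODAN`` section of the INI file at *conf*. When the stored key
    is an empty string it is asked for on the terminal and the user may choose
    to save it back to *conf*.

    Args:
        domain: Domain whose page title drives the search.
        conf: Path of the INI file that holds the ``SHODAN`` section.

    Returns:
        A set of ``ip_str`` values from the matching banners, or ``None`` when
        there is no title, no match, or the API call failed (the error is
        printed).
    """
    import getpass
    import os

    title = searchTitle(domain)
    config = ConfigParser()
    config.read(conf)
    getAPI = config.get('SHODAN', 'API_KEY')

    is_py3 = PYVERSION.startswith('3')
    ask = input if is_py3 else raw_input

    api_key = getAPI
    if getAPI == '':
        # Read the key without echo so it does not stay on screen or in
        # terminal scrollback.
        api_key = getpass.getpass(tab + info + 'Please enter your shodan API: ')
        save_prefix = tab + info if is_py3 else que
        answer = ask(save_prefix + 'Do you want to save your shodan.io credentials? y/n: ')
        if answer in ["yes", "y", "Y", "ye"]:
            config.set('SHODAN', 'API_KEY', api_key)
            # Write back to the file that was read. A fixed path here would
            # overwrite the default config whenever a custom one was supplied.
            with open(conf, 'w') as configfile:
                config.write(configfile)
            # The key is stored in clear text, so restrict the file to its
            # owner. Best effort: not every platform honours the mode bits.
            try:
                os.chmod(conf, 0o600)
            except OSError:
                pass

    print(que + 'Enumerating historical data from: %s using Shodan.io' % domain)
    if not title:
        # With no title the filter below would search for the literal text
        # "None" (or an empty phrase) and report unrelated hosts.
        print(tab + bad + 'No page title available for the Shodan title search')
        return None
    try:
        client = Shodan(api_key)
        # NOTE(review): the title is text served by the remote site and is
        # placed inside the quoted filter unchanged; a double quote in it
        # alters the query. Confirm how searchTitle sanitises its result.
        banner = client.search_cursor('http.title:"%s"' % title)
        title_results = set(match['ip_str'] for match in banner)
        if title_results:
            return title_results
    except ShodanException.APITimeout as e:
        print(bad + "API timeout:" + str(e))
    except ShodanException.APIError as e:
        print(tab + bad + "Error with your shodan credentials: %s" % e)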
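def securitytrails(domain, conf):
    """Collect IPs from the SecurityTrails DNS history of *domain*.

    The API key is read from the ``SECURITYTRAILS`` section of the INI file at
    *conf*. When the stored key is an empty string it is asked for on the
    terminal and the user may choose to save it back to *conf*.

    Args:
        domain: Domain whose historical DNS records are requested.
        conf: Path of the INI file that holds the ``SECURITYTRAILS`` section.

    Returns:
        The list of historical IPs for which ``ISPCheck`` gave ``None``. The
        list collected so far is still returned when the history lookup
        raises. The process exits with status 1 if the API ping fails.
    """
    import getpass
    import os

    st_ip = []
    config = ConfigParser()
    config.read(conf)
    print(que + 'Enumerating historical data from: %s using SecurityTrails.com' % domain)

    is_py3 = PYVERSION.startswith('3')
    ask = input if is_py3 else raw_input
    stored_key = config.get('SECURITYTRAILS', 'API_KEY')

    API_KEY = stored_key
    if stored_key == '':
        # Read the key without echo so it does not stay on screen or in
        # terminal scrollback.
        API_KEY = getpass.getpass(tab + info + 'Please enter your securitytrails API KEY: ')
        save_prefix = tab + info if is_py3 else que
        answer = ask(save_prefix + 'Do you want to save your securitytrails credentials? y/n: ')
        if answer in ["yes", "y", "Y", "ye"]:
            config.set('SECURITYTRAILS', 'API_KEY', API_KEY)
            # Write back to the file that was read. A fixed path here would
            # overwrite the default config whenever a custom one was supplied.
            with open(conf, 'w') as configfile:
                config.write(configfile)
            # The key is stored in clear text, so restrict the file to its
            # owner. Best effort: not every platform honours the mode bits.
            try:
                os.chmod(conf, 0o600)
            except OSError:
                pass

    st = SecurityTrails(API_KEY)
    try:
        st.ping()
    except SecurityTrailsError:
        print(tab*2 + bad + 'Ping failed. Check your connection or Try later.')
        sys.exit(1)

    try:
        print(tab + info + "Total Historical DNS Found:")
        records = st.domain_history_dns(domain)["records"]
        history_dns = [record["values"] for record in records if record["values"]]
        for values in history_dns:
            for entry in values:
                address = entry["ip"]
                # ISPCheck is defined elsewhere; presumably it names the
                # provider that owns the address - confirm against its
                # definition.
                provider = ISPCheck(address)
                if provider is None:
                    print(tab*2 + good + address)
                    st_ip.append(address)
                else:
                    print(tab*2 + bad + address + provider)
    except Exception as e:
        print(tab*2 + bad + str(e))
    return st_ip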
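def netcat(domain, host, ignoreRedir, userAgent, randomAgent, header, count):
    """Compare the page served by a candidate IP with the page served by *domain*.

    The candidate address is requested over plain HTTP with the site's host
    name in the ``host`` header, and the body is scored against the body
    fetched from *domain* with ``similarity``. The verdict is printed; nothing
    is returned.

    Args:
        domain: Target domain; ``http://<domain>`` supplies the reference page.
        host: Host name resolved to the candidate IP when *count* is 0.
        ignoreRedir: ``True`` asks the user whether to follow a 301/302 from
            the candidate; any other value is used as the answer itself.
        userAgent: Explicit User-agent value, or ``None``.
        randomAgent: When true, a User-agent is picked from
            ``data/txt/random_agents.txt`` (an explicit *userAgent* still wins).
        header: Comma-separated ``Name: value`` pairs, or ``None``.
        count: When 0 the IP comes from resolving *host*; otherwise the result
            of ``DNSLookup(domain, host)`` is used.
    """
    headers = {}
    if header is not None:
        for item in header.split(','):
            # Split on the first colon only, so a value that itself contains a
            # colon (a URL in Origin, for example) no longer breaks the parse.
            # Only surrounding whitespace is trimmed, which keeps multi-word
            # values intact.
            name, colon, value = item.partition(':')
            name = name.strip()
            if not colon or not name:
                # Skip malformed entries rather than abort before any request.
                continue
            headers[name] = value.strip()
    if randomAgent:
        # Context manager so the word list is closed after reading.
        with open("data/txt/random_agents.txt") as agents:
            headers['User-agent'] = random.choice(agents.readlines()).rstrip("\n")
    if userAgent is not None:
        headers['User-agent'] = userAgent

    A = DNSLookup(domain, host)
    ip = socket.gethostbyname(str(host)) if count == 0 else str(A)
    if not A:
        print(que + 'Using DIG to get the real IP')
        print(' ' + bad + 'IP not found using DNS Lookup')
    url = 'http://' + domain
    # The original assigned ``count = +1`` after each request. That rebinds a
    # local nobody reads afterwards and never reaches the caller, so the
    # assignments are dropped.
    try:
        isCloud = ISPCheck(ip)
        if isCloud is not None:
            print(tab + info + ip + isCloud + '. Closing connection.')
        else:
            page = requests.get(url, timeout=config['http_timeout_seconds'])
            http = 'http://' if 'http://' in page.url else 'https://'
            hncat = page.url.replace(http, '').split('/')[0]
            headers.update(host=hncat)
            home = page.url.replace(http, '').split(hncat)[1]
            print(que + 'Connecting %s using as Host Header: %s' % (ip, domain))
            data = requests.get('http://' + ip + home, headers=headers,
                                timeout=config['http_timeout_seconds'],
                                allow_redirects=False)
            if data.status_code in [301, 302]:
                print(tab + info + "Connection Rirect to: %s" % data.headers['Location'])
                if ignoreRedir != True:
                    question = ignoreRedir
                elif PYVERSION.startswith('3'):
                    question = input(tab + info + 'Do yo want to redirect? y/n: ')
                else:
                    question = raw_input(tab + info + 'Do yo want to redirect? y/n: ')
                if question in ['y', 'yes', 'ye']:
                    redir = True
                elif ignoreRedir != True:
                    redir = ignoreRedir
                else:
                    redir = False
                try:
                    data = requests.get('http://' + ip + home, headers=headers,
                                        timeout=config['http_timeout_seconds'],
                                        allow_redirects=redir)
                except Exception:
                    # Was a bare except, which also swallowed Ctrl-C and
                    # SystemExit. ``data`` is still the 301/302 response here.
                    if question in ['y', 'yes', 'ye']:
                        print(tab + bad + 'Error while connecting to: %s' % data.headers['Location'])
            if data.status_code == 200:
                sim = similarity(data.text, page.text)
                if sim > config['response_similarity_threshold']:
                    print(tab + good + 'The connect has %d%% similarity to: %s' % (round(100 * sim, 2), url))
                    print(tab + good + '%s is the real IP' % ip)
                    try:
                        # NOTE(review): quest receives statements as strings and
                        # presumably evaluates them; confirm it never receives
                        # text derived from user or network input.
                        quest(question='\n' + info + 'IP found. Do yo want to stop tests? y/n: ',
                              doY='sys.exit()', doN="pass")
                    except KeyboardInterrupt:
                        sys.exit()
                else:
                    print(tab + bad + 'The connect has %d%% similarity to: %s' % (round(100 * sim, 2), url))
                    print(tab + bad + "%s is not the IP" % ip)
            else:
                print(tab + bad + 'Unexpected status code occurred: %s' % data.status_code)
    except requests.exceptions.SSLError:
        print(tab + bad + 'Error handshaking with SSL')
    except requests.exceptions.ReadTimeout:
        print(tab + bad + "Connection ReadTimeout to: %s" % ip)
    except requests.ConnectTimeout:
        print(tab + bad + "Connection Timeout to: %s" % ip)
    except requests.exceptions.ConnectionError:
        print(tab + bad + "Connection Error to: %s" % ip)
    except requests.exceptions.InvalidHeader as e:
        print(tab + bad + "Error using header: %s" % str(e))
    except Exception as e:
        print(tab + bad + "An unexpected error occurred: %s" % str(e))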
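def parser_cmd(argv=None):
    """Build the command-line parser and parse the arguments.

    Prints the logo, declares every option group, hides the options whose
    ``dest`` is not in ``BASIC_HELP`` when ``-h``/``--help`` is requested, and
    parses the arguments.

    Args:
        argv: Argument list without the program name. ``None`` (the default)
            means ``sys.argv[1:]``.

    Returns:
        A ``(namespace, error_function)`` tuple: the parsed arguments and the
        parser's ``error`` method, which callers use to abort with a usage
        message.

    Raises:
        SystemExit: From argparse on help, version or invalid input, and when
            the mandatory ``-u``/``--url`` option is missing.
    """
    logotype()

    def formatter(prog):
        return argparse.HelpFormatter(prog, max_help_position=100)

    parser = ArgumentParser(usage="Example: python " + Y + sys.argv[0] + W + " -u site.com",
                            formatter_class=formatter)
    try:
        parser.add_argument("--hh", "--help-hack", dest="advancedHelp", action="store_true",
                            help="Show advanced help message and exit")
        parser.add_argument("--version", action='version', version=NAME + VERSION + ' | ' + COPYRIGHT,
                            help="Show program's version number and exit")
        parser.add_argument("-v", dest="verbose", action="store_true",
                            help="Verbosity for sublist3r: True/False (default: False)")

        # Target options
        target = parser.add_argument_group(
            "Target", "At least one of these options has to be provided to define the target(s)")
        target.add_argument("-u", "--url", metavar="target", dest="domain",
                            help="Target URL as first argument (e.g. python Cloudmare.py site.com)")
        target.add_argument("--disable-sublister", dest="disableSub", action="store_true",
                            help="Disable subdomain listing for testing")
        target.add_argument("--bruter", dest="brute", action="store_true",
                            help="Bruteforcing target to find associated domains")
        target.add_argument("--subbruter", dest="subbrute", action="store_true",
                            help="Bruteforcing target's subdomains using subbrute module")

        # Request options
        request = parser.add_argument_group(
            "Request", "These options can be used to specify how to connect to the target URL")
        request.add_argument("--user-agent", dest="uagent",
                             help="Set HTTP User-Agent header value")
        request.add_argument("--random-agent", dest="randomAgent", action="store_true",
                             help="Set randomly selected HTTP User-Agent header value")
        request.add_argument("--host", dest="host", help="HTTP Host header value")
        request.add_argument("--headers", dest="headers",
                             help="Set custom headers (e.g. \"Origin: originwebsite.com, ETag: 123\")")
        # store_false: the attribute is True unless the flag is given.
        request.add_argument("--ignore-redirects", dest="ignoreRedirects", action="store_false",
                             help="Ignore Rirection attempts")
        request.add_argument("--threads", dest="threads", nargs="?", const=defaults.threads, type=int,
                             help="Max number of concurrent HTTP(s) requests (default %d)" % defaults.threads)

        # Search options
        # Each flag optionally takes the path of the credentials file; without
        # a value the default file below is used.
        search = parser.add_argument_group(
            "Search", "These options can be used to perform advanced searches")
        search.add_argument("-sC", "--search-censys", dest="censys", nargs="?",
                            const="data/APIs/api.conf", type=str,
                            help="Perform search using Censys API")
        search.add_argument("-sSh", "--search-shodan", dest="shodan", nargs="?",
                            const="data/APIs/api.conf", type=str,
                            help="Perform search using Shodan API")
        search.add_argument("-sSt", "--search-st", dest="securitytrails", nargs="?",
                            const="data/APIs/api.conf", type=str,
                            help="Perform search using Securitytrails API")

        # Output options
        output = parser.add_argument_group(
            "Output", "These options can be used to save the subdomains results")
        output.add_argument("-o", "--output", dest="outSub", action="store_true",
                            help="Save the subdomains into: \"data/output/subdomains-from-[domain].txt\"")
        output.add_argument("--oG", "--output-good", dest="outSubG", action="store_true",
                            help="Save [good response] subdomains into: \"data/output/good-subdomains-from-[domain].txt\"")
        # NOTE(review): this help text names the same file as --oG; confirm
        # the path that is actually written for IP output.
        output.add_argument("--oI", "--output-ip", dest="outSubIP", action="store_true",
                            help="Save subdomains IP into: \"data/output/good-subdomains-from-[domain].txt\"")

        advancedHelp = True
        # Honour an explicit argv; the original discarded the parameter.
        if argv is None:
            argv = sys.argv[1:]
        checkOldOptions(argv)

        # Iterate directly: the original rebound ``xrange`` as a local, which
        # raises UnboundLocalError on Python 2.
        for arg in argv:
            if arg in ("-h", "--help"):
                advancedHelp = False
                # Basic help: hide every option outside BASIC_HELP and drop
                # groups that end up with nothing to show.
                for group in get_groups(parser)[:]:
                    found = False
                    for option in get_actions(group):
                        if option.dest not in BASIC_HELP:
                            option.help = SUPPRESS
                        else:
                            found = True
                    if not found:
                        get_groups(parser).remove(group)

        try:
            if hasattr(parser, "parse_known_args"):
                (args, _) = parser.parse_known_args(argv)
            else:
                (args, _) = parser.parse_args(argv)
        except UnicodeEncodeError as ex:
            # Both values belong to the format tuple; the original passed only
            # ``bad`` and raised TypeError instead of printing the message.
            print("\n %s%s\n" % (bad, ex))
            raise SystemExit
        except SystemExit:
            if "-h" in argv and not advancedHelp or "--help" in argv and not advancedHelp:
                print("\n" + info + "to see full list of options run with '-hh' or '--help-hack'\n")
            raise

        if not args.domain:
            errMsg = "missing a mandatory option (-u, --url). Use -h for basic and -hh for advanced help\n"
            parser.error(errMsg)

        # Strict parse of the same argument list, so unknown options are still
        # rejected as before.
        return parser.parse_args(argv), parser.error
    except (ArgumentError, TypeError) as ex:
        parser.error(str(ex))

    debugMsg = "parsing command line"
    logging.debug(debugMsg)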
try: from configparser import ConfigParser except: from ConfigParser import ConfigParser config = ConfigParser() try: import argparse from argparse import ArgumentError from argparse import ArgumentParser from argparse import SUPPRESS except ImportError as im: err = im.name if PYVERSION.startswith('3') else str(im).split('named')[1] checkImports(err).downloadLib() finally: def get_actions(instance): for attr in ("option_list", "_group_actions", "_actions"): if hasattr(instance, attr): return getattr(instance, attr) def get_groups(parser): return getattr(parser, "option_groups", None) or getattr(parser, "_action_groups") def get_all_options(parser): retVal = set() for option in get_actions(parser):
from lib.parse.cmdline import parser_cmd from lib.parse.settings import logotype, osclear, checkImports, PYVERSION from lib.parse.colors import info, bad while True: try: from lib.analyzer.ipscan import IPscan from lib.analyzer.dnslookup import scan, DNSLookup from lib.tools import sublist3r from lib.tools.netcat import netcat from lib.tools.bruter import nameserver from lib.tools.censys import censys from lib.tools.shodan import shodan break except Exception as e: err = e.name if PYVERSION.startswith('3') else str(e).split('named')[1] checkImports(err).downloadLib() if __name__=="__main__": try: args, parsErr = parser_cmd() output = "data/output/subdomains-from-" + (args.domain).split('.')[0] + ".txt" if args.outSub == None else False if args.disableSub == False: args.subbrute = False subdomain = sublist3r.main(args.domain, args.threads, output, ports=None, silent=False, verbose=args.verbose, enable_bruteforce=args.subbrute, engines=None) if len(subdomain) == 0 and not any((args.host, args.brute, args.subbrute, args.censys, args.shodan)): logotype() parsErr("cannot continue with tasks. Add another argument to task (e.g. \"--host\", \"--bruter\"") else:
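def censys(domain, conf):
    """Search Censys hosts by certificate common name and by page title.

    The page at ``http://<domain>`` is fetched to read its HTML title. Two
    Censys host searches follow: one for TLS certificates whose subject common
    name matches ``*.<domain>``, and, when a title was found, one for hosts
    serving that title.

    The API ID and secret come from the ``CENSYS`` section of the INI file at
    *conf*. A value stored as an empty string is asked for on the terminal,
    and the user may choose to save what was typed back to *conf*.

    Args:
        domain: Target domain.
        conf: Path of the INI file that holds the ``CENSYS`` section.

    Returns:
        The list of IPs from both searches for which ``ISPCheck`` gave
        ``None``, or ``None`` if a search raised (the error is printed).
    """
    import getpass
    import os

    config = ConfigParser()
    config.read(conf)
    censys_ip = []
    print(que + 'Enumerating historical data from: %s using Censys.io' % domain)

    # Bound the wait and survive a failed fetch: the title only feeds the
    # second search, so the certificate search can still run without it.
    title_fetch_timeout = 10  # seconds
    title = None
    try:
        req = requests.get('http://' + domain, allow_redirects=True,
                           timeout=title_fetch_timeout)
        soup = BeautifulSoup(req.text, 'html.parser')
        title = soup.title.string if soup.title else None
    except requests.exceptions.RequestException as e:
        print(tab * 2 + bad + str(e))

    is_py3 = PYVERSION.startswith('3')
    ask = input if is_py3 else raw_input
    stored_id = config.get('CENSYS', 'API_ID')
    stored_secret = config.get('CENSYS', 'SECRET')

    ID = stored_id
    if stored_id == '':
        ID = ask(tab + info + 'Please enter your censys ID: ')
    SECRET = stored_secret
    if stored_secret == '':
        # Read the secret without echo so it does not stay on screen or in
        # terminal scrollback.
        SECRET = getpass.getpass(tab + info + 'Now, please enter your censys SECRET: ')

    if stored_id == '' or stored_secret == '':
        save_prefix = tab + info if is_py3 else que
        answer = ask(save_prefix + 'Do you want to save your censys.io credentials? y/n: ')
        if answer in ["yes", "y", "Y", "ye"]:
            config.set('CENSYS', 'API_ID', ID)
            config.set('CENSYS', 'SECRET', SECRET)
            # Write back to the file that was read. A fixed path here would
            # overwrite the default config whenever a custom one was supplied.
            with open(conf, 'w') as configfile:
                config.write(configfile)
            # The secret is stored in clear text, so restrict the file to its
            # owner. Best effort: not every platform honours the mode bits.
            try:
                os.chmod(conf, 0o600)
            except OSError:
                pass

    def report(hits):
        # Print every hit and keep the ones ISPCheck does not attribute to a
        # provider. ISPCheck is defined elsewhere; confirm its return contract.
        for hit in hits:
            address = hit['ip']
            provider = ISPCheck(address)
            if provider is None:
                print(tab * 2 + good + address)
                censys_ip.append(address)
            else:
                print(tab * 2 + bad + address + provider)

    try:
        c = CensysHosts(ID, SECRET)
        certificates = c.search(
            "services.tls.certificates.leaf_data.subject.common_name: *.%s" % domain,
            sort="RELEVANCE")
        print(tab + info + "Total IPs found using certificates with common names:")
        report(certificates())
        if title is not None:
            # NOTE(review): the title is text served by the remote site and is
            # placed inside the quoted term unchanged; a quote character in it
            # alters the query. Consider escaping per the Censys query syntax.
            titles = c.search("services.http.response.html_title: '%s'" % title,
                              sort="RELEVANCE")
            print(tab + info + "Total IPs found using HTML title:")
            report(titles())
        return censys_ip
    except Exception as e:
        print(tab * 2 + bad + str(e))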