def Sublist3rScan(target): subdomains = sublist3r.main(target, 40, savefile=None, ports=None, silent=False, verbose=False, enable_bruteforce=False, engines=None) print("{} Sublist3rScan Scan End ~".format(target)) for temp_sub in subdomains: config.sub_queue.put(temp_sub) print("{} Sublist3r Save queue End ~".format(target)) return
def main(): parser = argparse.ArgumentParser() parser.add_argument('-f', '--file', type=str, required=False) parser.add_argument('-t', '--threads', type=int, required=False, default=10) parser.add_argument('-a', '--alexa', type=int, required=False) parser.add_argument('-d', '--domain', type=str, required=False) args = parser.parse_args() threads = args.threads top = args.alexa file = args.file domain = args.domain my_queue = queue.Queue() if file: with open(file, 'r') as f: for d in f: d = d.rstrip() if d: my_queue.put(d) elif domain: subdomains = [] subdomains = sublist3r.main(domain, threads, savefile=None, ports=None, silent=False, verbose=False, enable_bruteforce=False, engines=None) for i in subdomains: print(i) my_queue.put(i) elif alexa: results = alexa.top_list(top) for i in results: for r in i: r = str(r) if not r.isdigit(): my_queue.put(r) else: print("No Input Detected!") sys.exit() print("---------------------------------------------------------") print("Starting search for frontable domains...") # spawn a pool of threads and pass them queue instance for i in range(threads): t = ThreadLookup(my_queue) t.setDaemon(True) t.start() my_queue.join() print("") print("Search complete!")
def get_subdomains(self): subdomains = sublist3r.main(self.asset_path, 40, '/tmp/sublister_{}'.format( self.scan_object.date), ports=None, silent=True, verbose=True, enable_bruteforce=False, engines=None) self.subdomains = subdomains return subdomains
def find_domains(args): """Use Sublist3r to scan and find as many subdomains as possible. @param: ags Arguments object from argparse. @return: List of domains found by Sublist3r. """ domains = [args.domain] domains.extend(sublist3r.main(args.domain, 30, False, None, \ not args.verbose, args.verbose, False, \ 'Baidu,Yahoo,Google,Bing,Ask,Netcraft,Virustotal,SSL')) return domains
def subdomain(subdomains): print "search subdomains:\n" sub_file = "sublist/" + subdomains + ".txt" sub = sublist3r.main(subdomains, 40, sub_file, ports=None, silent=False, verbose=False, enable_bruteforce=False, engines=None) print LINE time.sleep(2)
def main(): parser = argparse.ArgumentParser() parser.add_argument('-f', '--file', type=str, required=False) parser.add_argument('-t', '--threads', type=int, required=False, default=10) parser.add_argument('-d', '--domain', type=str, required=False) parser.add_argument('-c', '--check', type=str, required=False) args = parser.parse_args() threads = args.threads check = args.check file = args.file domain = args.domain queue = Queue.Queue() if file: with open(file, 'r') as f: for d in f: d = d.rstrip() if d: queue.put(d) elif check: queue.put(check) elif domain: subdomains = [] subdomains = sublist3r.main(domain, threads, savefile=None, ports=None, silent=False, verbose=False, enable_bruteforce=False, engines=None) for i in subdomains: print i queue.put(i) else: print "No Input Detected!" sys.exit() print "---------------------------------------------------------" print "Starting search for frontable domains..." # spawn a pool of threads and pass them queue instance for i in range(threads): t = ThreadLookup(queue) t.setDaemon(True) t.start() queue.join() print "" print "Search complete!"
def main(): parser = argparse.ArgumentParser() parser.add_argument('-f', '--file', type=str, required=False) parser.add_argument('-t', '--threads', type=int, required=False, default=10) parser.add_argument('-d', '--domain', type=str, required=False) parser.add_argument('-c', '--check', type=str, required=False) args = parser.parse_args() threads = args.threads check=args.check file = args.file domain = args.domain from colorama import init init(strip=not sys.stdout.isatty()) # strip colors if stdout is redirected from termcolor import cprint from pyfiglet import figlet_format cprint(figlet_format('Find')) cprint(figlet_format('Frontable')) cprint(figlet_format('Domains')) q = queue.Queue() if file: with open(file, 'r') as f: for d in f: d = d.rstrip() if d: q.put(d) elif check: q.put(check) elif domain: subdomains = [] subdomains = sublist3r.main(domain, threads, savefile=None, ports=None, silent=False, verbose=False, enable_bruteforce=False, engines=None) for i in subdomains: print(i) q.put(i) else: print("No Input Detected!") sys.exit() print("---------------------------------------------------------") print("Starting search for frontable domains...") # spawn a pool of threads and pass them queue instance for i in range(threads): t = ThreadLookup(q) t.setDaemon(True) t.start() q.join() print("") print("Search complete!")
def Sublist3rScan(target): print( f"{Hx_config.yellow}{target} Sublist3rScan Scan Start ~{Hx_config.end}" ) subdomains = sublist3r.main(target, 40, savefile=None, ports=None, silent=False, verbose=False, enable_bruteforce=False, engines=None) print( f"{Hx_config.yellow}{target} Sublist3rScan Scan End ~{Hx_config.end}") for temp_sub in subdomains: Hx_config.sub_queue.put(temp_sub) print( f"{Hx_config.yellow}{target} Sublist3r Save queue End ~{Hx_config.end}" ) print( f"{Hx_config.green}Sublist3r 结束 !当前的url个数为{Hx_config.sub_queue.qsize()}{Hx_config.end}" ) return
def runSublist3r(self, domain, subDomains): #Sublister enumeration sublisterOutput = sublist3r.main(domain, 30, None, None, False, False, False, None) for strDomain in sublisterOutput: subDomains.append(strDomain)
def main(): """ Main function block that parses command line arguments. """ usage = "usage: %prog -d domain.com [-f keywords.txt -r region1,region2 -b" + \ "-t 30 -g keyword_file.txt -s [--subbrute]]" parser = OptionParser(usage) parser.add_option("-f", "--file", dest="filename", help="Read affixes from FILENAME.") parser.add_option( "-r", "--regions", dest="regions", default="all", help="Comma separated list " + "of regions to query for bucket names. Default is all. Must be one or more of:" + "{}".format(", ".join(S3_REGIONS))) parser.add_option("-b", "--brute", dest="brute", action="store_true", help="Use default brute force list in Buckets.txt") parser.add_option("-t", "--threads", dest="threads", type="int", default=6, help="Max number of threads, default is 6.") parser.add_option( "-g", "--grep", dest="grep", help= "Will recursively list files from buckets (when listable) and grep " + "for keywords FILENAME. Ex: -g sensitive_keywords.txt") parser.add_option( "--sublist3r", dest="sublister", action="store_true", default=False, help="Retrieve list of subdomains and use this to query against S3.") parser.add_option( "--subbrute", dest="subbrute", action="store_true", default=False, help="Enable sublist3r's subbrute module when querying for subdomains." ) parser.add_option("-d", "--domain", dest="domain", help="Base domain to be queried against.") parser.add_option("-v", "--verbose", dest="verbose", action="store_true", help="Enable debug messages in logs.") (options, args) = parser.parse_args() # Begin option parsing brick # Set logging if options.verbose: logging.getLogger().setLevel(level=logging.DEBUG) # Check regions passed are valid regions = check_region_choice(options.regions) # List of affixes to append to domain.com and domain in the form of # affix.domain.com and affix-domain affixes = [] # Subdomain var to keep track of sublist3r results. subdomains = [] if not options.domain: print( "No argument -d (--domain) given. Please give a domain name, such as -d google.com" ) exit(1) # Read default keyword list if bruteforcing if options.brute: with open("Buckets.txt", "r") as f: affixes += [x.strip() for x in f.readlines()] # Read filename of user-provided keywords if options.filename: with open(options.filename, "r") as f: affixes += [x.strip() for x in f.readlines()] if options.sublister: from Sublist3r import sublist3r subdomains = sublist3r.main(options.domain, 30, None, None, False, verbose=True, enable_bruteforce=options.subbrute, engines=None) buckets = create_bucket_list(options.domain, affixes=affixes) for subdomain in subdomains: subucks = create_bucket_list(subdomain, affixes=affixes) buckets = buckets.union(subucks) for region in regions: for bucket in buckets: bucket_q.put((region, bucket)) print( "Generated {} bucket permutations. Beginning search across {} regions." .format(len(buckets), len(regions))) print() global bucket_q_size bucket_q_size = bucket_q.qsize() for i in range(options.threads): t = Thread(target=bucket_worker, args=()) t.daemon = True t.start() bucket_q.join() print() print("[+] Results:") print("\t{}Number of Buckets that Exist: {}{}".format( Y, len(bucketlist['exists']), W)) print("\t{}Number of Buckets that are Listable: {}{}".format( G, len(bucketlist['listable']), W)) if options.grep and bucketlist['listable']: print("[.] Grepping for keywords in listable buckets from {}".format( options.grep)) with open(options.grep, 'r') as f: keywords = [x.strip().lower() for x in f.readlines() if x.strip()] for domain, region in bucketlist['listable']: cmd = "aws s3 ls s3://{}/ --region {} --recursive".format( domain, region) cmd = cmd.split(" ") with open(devnull, 'w') as FNULL: output = check_output(cmd, stderr=FNULL) output = output.lower() if any(x in output for x in keywords): print("[!] Found sensitive file on bucket {} in region {}". format(domain, region))
def find_domains(domain, verbose): hosts = [domain] hosts.extend( s3.main(domain, 30, False, None, not verbose, verbose, False, 'Baidu,Yahoo,Google,Bing,Ask,Netcraft,Virustotal,SSL')) return hosts
def subdomain_inspection(host, room): # hardcoding engine power for now engine_power = 'light' # engine power: light, medium and very slow if engine_power == str('light'): engine_list = 'google,yahoo,bing,ask,netcraft,virustotal,threatcrowd' bf = False elif engine_power == str('medium'): engine_list = 'google,yahoo,bing,ask,netcraft,dnsdumpster,virustotal,threatcrowd' bf = False elif engine_power == str('very_slow'): engine_list = 'google,yahoo,bing,ask,netcraft,dnsdumpster,virustotal,threatcrowd,baidu' bf = True # print that this is going to take forever else: return False # enumerate subdomain information try: domain_results = sublist3r.main(host, 200, None, ports=None, silent=True, verbose=False, enable_bruteforce=bf, engines=engine_list) print(domain_results) # return results except Exception as e: return str(e) port_results = [] ports_to_test = [80, 443] # try to do some basic port checking room.send_html( '<blockquote>Subdomain enumeration complete for {}. Port inspection initiated.</blockquote>' .format(host)) print('- performing subdomain port inspection for host {}'.format(host)) total_results = len(domain_results) current_iteration = 0 percent_flag = 0 for result in domain_results: port_result_holder = [] port = randint(27000, 28000) for port in ports_to_test: try: ps = IP(dst=result) / TCP(sport=port, dport=port) sr = sr1(ps, timeout=1, verbose=0) if sr: port_result_holder.append(str(port)) else: port_result_holder.append('0') except Exception as e: print('port check error: {}'.format(str(e))) port_result_holder.append('0') port_results.append(port_result_holder) current_percent = (current_iteration / total_results) * 100 rounded_percent = 5 * round(current_percent / 5) if (int(rounded_percent) == 25) and (percent_flag == 0): room.send_html( '<pre><code>{} percent complete: {}%.</pre></code>'.format( str(host), str(current_percent))) percent_flag += 1 elif (int(rounded_percent) == 50) and (percent_flag == 1): room.send_html( '<pre><code>{} percent complete {}%.</pre></code>'.format( str(host), str(current_percent))) percent_flag += 1 elif (int(rounded_percent) == 75) and (percent_flag == 2): room.send_html( '<pre><code>{} percent complete {}%.</pre></code>'.format( str(host), str(current_percent))) percent_flag += 1 print('Rounded {}, Current {}, % flag {}'.format( rounded_percent, current_percent, percent_flag)) current_iteration += 1 print('- subdomain port inspection completed for host {}'.format(host)) # combine the lists results = {} results['domains'] = domain_results results['port_results'] = port_results return results
for row in sorted(domain.OK, key=sublist3r.subdomain_sorting_key): print('\t<target host="{0}" />'.format(row)) print('</ruleset>\n') if __name__ == '__main__': tDomain = input('domain: ') print('Checking preloading...') preload = json.loads( urllib.request.urlopen('https://hstspreload.com/api/v1/status/' + tDomain).read().decode()) try: for browser in ('chrome', 'firefox', 'tor'): if preload[browser]['present'] and preload[browser][ 'include_subdomains']: exit('Domain preloaded.') except TypeError: pass subdomains = tuple( sublist3r.main(domain=tDomain, threads=30, savefile=None, ports=None, silent=False, verbose=True, enable_bruteforce=False, engines=None)) Check(subdomains).start()