#!/usr/bin/python
# Script used to gather subdomains using recon-ng and Sublist3r
import sys
import datetime
import os
from Sublist3r import sublist3r
import csv
import string
import glob
import socket
import argparse
from GlobalVariables import *
import subprocess
import dns.resolver
import logging
import coloredlogs
seBucketScanner = "./S3Scanner/"
sys.path.insert(0,seBucketScanner)
import s3utils as s3
reconPath = "./recon-ng/"
sys.path.insert(0,reconPath)
from recon.core import base
from recon.core.framework import Colors
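class EnumSubDomain(object):
    """Subdomain discovery driver wrapping recon-ng, Sublist3r and MassDNS.

    Discovered hosts for a domain are written to ``<outputDir>/<domain>.txt``;
    the optional CNAME and S3 steps read every ``*.txt`` in that directory back.
    Directories and the brute-force wordlist come from ``GlobalVariables``
    (project module, not shown here).
    """

    def __init__(self):
        self.globalVariables = GlobalVariables()
        # Populated by create_cli_parser(); the entry point uses it for --help.
        self.parser = None

    def RunBruteForce(self, reconb, domain):
        """Run recon-ng's brute_hosts module against *domain* with the configured wordlist."""
        module = reconb.do_load("recon/domains-hosts/brute_hosts")
        module.do_set("WORDLIST " + self.globalVariables.wordList)
        module.do_set("SOURCE " + domain)
        module.do_run(None)

    def RunModule(self, reconBase, module, domain):
        """Load the recon-ng module named *module*, point its SOURCE at *domain* and run it."""
        loaded = reconBase.do_load(module)
        loaded.do_set("SOURCE " + domain)
        loaded.do_run(None)

    def RunRecon(self, domain, subDomains, bruteForce):
        """Run the recon-ng module list (plus brute force when requested) for *domain*.

        recon-ng's csv reporter is told to write ``<cwd>/<domain>.csv``; the first
        column of every row is appended to *subDomains* and the csv is removed
        afterwards, even if reading it fails.
        """
        stamp = datetime.datetime.now().strftime('%M:%H-%m_%d_%Y')
        wspace = domain + stamp
        reconb = base.Recon(base.Mode.CLI)
        reconb.init_workspace(wspace)
        reconb.onecmd("TIMEOUT=100")
        # What each module does is defined by recon-ng; they are only run here.
        module_list = [
            "recon/domains-hosts/bing_domain_web",
            "recon/domains-hosts/google_site_web",
            "recon/domains-hosts/netcraft",
            "recon/domains-hosts/shodan_hostname",
            "recon/netblocks-companies/whois_orgs",
            "recon/hosts-hosts/resolve",
        ]
        for module in module_list:
            self.RunModule(reconb, module, domain)
        if bruteForce:
            self.RunBruteForce(reconb, domain)
        # Reporting output: the csv is written to the current working directory.
        reconNgOutput = os.path.join(os.getcwd(), domain + '.csv')
        module = reconb.do_load("reporting/csv")
        module.do_set("FILENAME " + reconNgOutput)
        module.do_run(None)
        try:
            with open(reconNgOutput, 'r') as csvfile:
                for row in csv.reader(csvfile, delimiter=','):
                    if row:  # skip blank rows instead of failing on row[0]
                        subDomains.append(row[0])
        finally:
            # Always drop the report so a stale csv is never re-read next run.
            if os.path.exists(reconNgOutput):
                os.remove(reconNgOutput)

    def runSublist3r(self, domain, subDomains):
        """Append every host returned by Sublist3r for *domain* to *subDomains*."""
        sublisterOutput = sublist3r.main(domain, 30, None, None, False, False, False, None)
        subDomains.extend(sublisterOutput)

    def _lookupCNAME(self, host, fallbackResolver):
        """Return the CNAME targets of *host* as strings, or ``[]`` when there are none.

        The system resolver is tried first; on any DNS error the query is retried
        through *fallbackResolver* before giving up on the host.
        """
        # dns.exception is loaded by `import dns.resolver`; DNSException is the
        # base of NXDOMAIN / NoAnswer / Timeout etc. so a bare except is not needed.
        try:
            answers = dns.resolver.query(host, 'CNAME')
        except dns.exception.DNSException:
            try:
                answers = fallbackResolver.query(host, 'CNAME')
            except dns.exception.DNSException:
                return []
        return [str(rdata.target) for rdata in answers]

    def EnumCNAMEOfDomain(self):
        """Write ``host ==> target`` lines for every host in ``<outputDir>/*.txt``.

        Output goes to ``<cnameEnumDir>/<same file name>``. Hosts without a CNAME
        (or that fail to resolve) are skipped; targets of a host are written
        back to back, as the original did.
        """
        fallbackResolver = dns.resolver.Resolver()
        fallbackResolver.nameservers = ['8.8.8.8']
        for inputFile in glob.glob(self.globalVariables.outputDir + "*.txt"):
            cnameFileName = self.globalVariables.cnameEnumDir + os.path.basename(inputFile)
            # Both files are closed on every exit path (the output file used to
            # stay open when a lookup raised).
            with open(cnameFileName, 'w') as cnameEnumFile, open(inputFile, "r") as f:
                for line in f:
                    host = line.strip()
                    if not host:
                        continue
                    targets = self._lookupCNAME(host, fallbackResolver)
                    if targets:
                        cnameEnumFile.write("\n" + host + " ==> ")
                        cnameEnumFile.write("".join(targets))

    def ScanS3Bucket(self):
        """Check every host in ``<outputDir>/*.txt`` as an S3 bucket name via S3Scanner.

        Results are logged to the screen and to ``<s3Bucket>/<same file name>``.
        Without AWS credentials the scan is skipped entirely.
        """
        # The screen logger is needed in both branches; it used to be defined
        # only in the else branch, so the error path raised NameError.
        slog = logging.getLogger('s3scanner-screen')
        slog.setLevel(logging.INFO)
        if not s3.checkAwsCreds():
            s3.awsCredsConfigured = False
            slog.error("Warning: AWS credentials not configured. Open buckets will be shown as closed. Run: `aws configure` to fix this.\n")
            return
        levelStyles = {
            'info': {'color': 'blue'},
            'warning': {'color': 'yellow'},
            'error': {'color': 'red'}
        }
        fieldStyles = {
            'asctime': {'color': 'white'}
        }
        # Colour the screen logger once, not once per input file.
        coloredlogs.install(level='DEBUG', logger=slog, fmt='%(asctime)s %(message)s',
                            level_styles=levelStyles, field_styles=fieldStyles)
        flog = logging.getLogger('s3scanner-file')
        flog.setLevel(logging.DEBUG)
        for inputFile in glob.glob(self.globalVariables.outputDir + "*.txt"):
            s3Bucket = self.globalVariables.s3Bucket + os.path.basename(inputFile)
            # One file handler per input file, detached afterwards; otherwise
            # every later file would also be appended to all earlier logs.
            fh = logging.FileHandler(s3Bucket)
            fh.setLevel(logging.DEBUG)
            flog.addHandler(fh)
            try:
                with open(inputFile, "r") as f:
                    for line in f:
                        host = line.strip()
                        if host:
                            s3.checkBucket(host, slog, flog, True, True)
            finally:
                flog.removeHandler(fh)
                fh.close()

    def _runMassDNS(self, domain, outFile, subDomains):
        """Feed ct.py's candidate list for *domain* through massdns and merge the
        resolved names from *outFile* into *subDomains* without duplicates.

        Both programs are started with argument lists (no shell), so *domain*
        can never be interpreted as shell syntax; the pipe between them is
        built in-process.
        """
        ct = subprocess.Popen(['./massdns/scripts/ct.py', domain],
                              stdout=subprocess.PIPE)
        massdns = subprocess.Popen(['./massdns/bin/massdns',
                                    '-r', 'massdns/lists/resolvers.txt',
                                    '-t', 'A', '-o', 'S', '-w', outFile],
                                   stdin=ct.stdout, stdout=subprocess.PIPE)
        ct.stdout.close()  # so ct.py sees a closed pipe if massdns exits first
        massdns.communicate()
        ct.wait()
        known = set(subDomains)
        with open(outFile, 'r') as fp:
            for line in fp:
                # The name is the first field; the old parser dropped the
                # character before the first space (a trailing dot), which
                # rstrip('.') reproduces without eating a real character.
                name = line.strip().split(" ", 1)[0].rstrip(".")
                if name and name not in known:
                    known.add(name)
                    subDomains.append(name)

    def GetSubDomains(self, domain, isRunSublist3r, isRunReconNG, isRunMassDNS, isBruteForce, isCnameEnum, isS3BucketScan):
        """Run the selected enumeration steps for *domain*.

        Discovery steps (recon-ng, Sublist3r, MassDNS) collect into one list that
        is written, deduplicated, to ``<outputDir>/<domain>.txt``; CNAME
        enumeration and the S3 scan then run over every result file. Each step
        is best-effort: a failure is reported on stdout and the rest still run.
        """
        domain = (domain or "").strip()
        # The domain becomes part of a file name and a process argument;
        # refuse empty values and anything that would change the output path.
        if not domain or "/" in domain:
            print("Invalid domain name: %r" % domain)
            return
        subDomains = []
        outFile = self.globalVariables.outputDir + domain + '.txt'
        if isRunReconNG:
            try:
                self.RunRecon(domain, subDomains, isBruteForce)
            except Exception as exc:
                print("Error in recon-ng: %s" % exc)
        if isRunSublist3r:
            try:
                self.runSublist3r(domain, subDomains)
            except Exception as exc:
                print("Error in Sublist3r: %s" % exc)
        if isRunMassDNS:
            try:
                self._runMassDNS(domain, outFile, subDomains)
            except Exception as exc:
                print("Error in MassDNS: %s" % exc)
        if isRunReconNG or isRunSublist3r or isRunMassDNS:
            seen = set()
            with open(outFile, 'w') as fp:
                for subDomain in subDomains:
                    if subDomain not in seen:
                        seen.add(subDomain)
                        fp.write("%s\n" % subDomain)
        if isCnameEnum:
            try:
                self.EnumCNAMEOfDomain()
            except Exception as exc:
                print("Error in CName Enumeration: %s" % exc)
        if isS3BucketScan:
            try:
                self.ScanS3Bucket()
            except Exception as exc:
                print("Error in s3 bucket scan: %s" % exc)

    def create_cli_parser(self):
        """Build the argument parser, store it on ``self.parser`` and parse ``sys.argv``.

        ``-h``/``--help`` is handled manually (``add_help=False``) so the caller
        can print help itself. ``--filename`` names a file with one domain per
        line; otherwise ``--domain`` gives the single target.
        """
        self.parser = argparse.ArgumentParser(add_help=False, description="Domain recon is a tool to gather information about target")
        self.parser.add_argument('-h', '-?', '--h', '-help', '--help', action="store_true", help=argparse.SUPPRESS)
        input_options = self.parser.add_argument_group('Input Options')
        input_options.add_argument('--domain', metavar='DomainName', default=None, help='Website domain name')
        input_options.add_argument('--bruteforce', default=False, action='store_true', help='Is it require to do subdomain bruteforce using recon-ng')
        input_options.add_argument('--sublist3r', default=False, action='store_true', help='Run sublist3r module')
        input_options.add_argument('--reconng', default=False, action='store_true', help='Run recon-ng module')
        input_options.add_argument('--massdns', default=False, action='store_true', help='Run MassDNS module')
        input_options.add_argument('--filename', metavar='FilePath', default=None, help='Filepath contains a list of Subdomains')
        input_options.add_argument('--cname_enum', default=False, action='store_true', help='CNAME Enumeration of domains')
        input_options.add_argument('--s3_bucket_scan', default=False, action='store_true', help='amazon s3 bucket scan')
        return self.parser.parse_args()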
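if __name__ == "__main__":
    domainRecon = EnumSubDomain()
    cli_parsed = domainRecon.create_cli_parser()
    if cli_parsed.h:
        domainRecon.parser.print_help()
        sys.exit()
    if cli_parsed.filename:
        print(cli_parsed.filename)
        with open(cli_parsed.filename, "r") as ins:
            # One domain per line; the newline used to be passed through into
            # the output file name, and blank lines produced a bogus run.
            for line in ins:
                domain = line.strip()
                if not domain:
                    continue
                domainRecon.GetSubDomains(domain,
                                          cli_parsed.sublist3r,
                                          cli_parsed.reconng,
                                          cli_parsed.massdns,
                                          cli_parsed.bruteforce,
                                          cli_parsed.cname_enum,
                                          cli_parsed.s3_bucket_scan)
    elif cli_parsed.domain:
        domainRecon.GetSubDomains(cli_parsed.domain,
                                  cli_parsed.sublist3r,
                                  cli_parsed.reconng,
                                  cli_parsed.massdns,
                                  cli_parsed.bruteforce,
                                  cli_parsed.cname_enum,
                                  cli_parsed.s3_bucket_scan)
    else:
        # Neither --domain nor --filename given: nothing to scan.
        domainRecon.parser.print_help()
        sys.exit(1)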