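def zone_transfer(basename):
    """Attempt an AXFR (zone transfer) of *basename* from each of its name servers.

    The server list comes from get_nameservers(basename). For every server a
    ``host -l <basename> <server>`` request is issued and the returned listing
    is printed. A refused or failed transfer (host exit status 1) is reported
    on stderr and the next server is tried.

    Args:
        basename: the zone to transfer, e.g. "example.com".

    Returns:
        None; results are printed.
    """
    out = get_nameservers(basename)
    if not out:
        # get_nameservers() returns None when the NS lookup itself fails.
        sys.stderr.write("No name servers to query for %s\n" % basename)
        return
    for ns_line in str(out).split("\n"):
        # host prints one "<zone> name server <server>." line per NS record;
        # ignore blank lines and anything else (e.g. "has no NS record").
        if " name server " not in ns_line:
            continue
        ns = ns_line.split()[-1]
        if ns.startswith("-"):
            # The value comes straight from a DNS answer and is handed to the
            # host binary as an argument; a leading '-' would be parsed as an
            # option, so never pass such a token on.
            sys.stderr.write("Skipping suspicious name server token %r\n" % ns)
            continue
        print(ns)
        print("Trying %s" % ns)
        try:
            # host -l takes the zone first and the server to ask second.
            # Passing only the server (as before) asks that server to
            # transfer its own host name, not the target zone.
            listing = sh.host("-l", basename, ns)
            print(listing)
        except sh.ErrorReturnCode_1:
            sys.stderr.write("Zone transfer failed on %s\n" % ns)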
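def zone_transfer(basename):
    """Try an AXFR of the zone *basename* against every name server it advertises.

    Uses get_nameservers(basename) to enumerate servers, then runs
    ``host -l <basename> <server>`` for each and prints whatever the server
    returns. Servers that refuse the transfer (host exit status 1) are logged
    to stderr and skipped.

    Args:
        basename: zone name, e.g. "example.com".

    Returns:
        None; output is printed.
    """
    ns_output = get_nameservers(basename)
    if not ns_output:
        # NS lookup failed (get_nameservers() returned None): nothing to try.
        sys.stderr.write("No name servers to query for %s\n" % basename)
        return
    for line in str(ns_output).split("\n"):
        # Only "<zone> name server <server>." lines carry a server name.
        if " name server " not in line:
            continue
        server = line.split()[-1]
        if server.startswith("-"):
            # Server names come from an untrusted DNS answer and are passed
            # to the host binary as argv; a leading '-' would become an option.
            sys.stderr.write("Skipping suspicious name server token %r\n" % server)
            continue
        print(server)
        print("Trying %s" % server)
        try:
            # Argument order for host -l is <zone> [server]; the previous
            # call omitted the zone and tried to transfer the server's own name.
            transfer = sh.host("-l", basename, server)
            print(transfer)
        except sh.ErrorReturnCode_1:
            sys.stderr.write("Zone transfer failed on %s\n" % server)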
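def brute_force_a_records(base_domain, record_type, subdomains=None):
    """Query common host names under *base_domain* and collect the IPv4 addresses seen.

    For each label, runs ``host -t <record_type> <label>.<base_domain>``,
    prints the raw output and extracts every dotted-quad from it. Labels that
    host reports as failed (exit status 1, e.g. NXDOMAIN) are skipped.

    Args:
        base_domain: zone to probe, e.g. "example.com".
        record_type: record type given to ``host -t`` (e.g. "a").
        subdomains: optional iterable of labels to try; defaults to the small
            built-in wordlist below.

    Returns:
        list of IPv4 address strings in the order first seen, without duplicates.
    """
    default_labels = """
    www ftp mail owa proxy router admin www2 firewall mx pop3 mobile m
    """
    labels = default_labels.split() if subdomains is None else list(subdomains)
    # Deliberately loose: matches any four dot-separated digit groups. host's
    # output is not parsed structurally, so this also picks up numbers that are
    # not addresses (and values above 255); good enough for "has address" lines.
    ipv4 = re.compile(r'[0-9]+(?:\.[0-9]+){3}')
    ips = []
    seen = set()
    for label in labels:
        full_domain = label.strip() + "." + base_domain
        print("Trying full_domain %s: " % full_domain)
        try:
            host_out = sh.host("-t", record_type, full_domain)
        except sh.ErrorReturnCode_1:
            # Lookup failure for this label: nothing to collect, move on.
            continue
        print(host_out)
        for addr in ipv4.findall(str(host_out)):
            if addr not in seen:
                seen.add(addr)
                ips.append(addr)
    return ips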
def sh_host(ip):
    """Reverse-resolve *ip* with ``host`` and return the text after its first " pointer ".

    Exit status 1 from host (no PTR record, lookup failure) is accepted via
    _ok_code and mapped to None. On success the output is split on
    " pointer "; the segment following the first occurrence is returned as-is
    (it keeps whatever host printed after it, including the trailing newline),
    or None when no pointer line was present.

    Args:
        ip: address string handed to ``host``.

    Returns:
        str or None.
    """
    result = sh.host(ip, _ok_code=[0, 1])
    if result.exit_code:
        return None
    segments = str(result).split(' pointer ')[1:]
    if not segments:
        return None
    return segments[0]
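def brute_force_a_records(base_domain, record_type, subdomains=None):
    """Look up a wordlist of labels under *base_domain* and gather the IPv4 addresses returned.

    Each candidate is queried with ``host -t <record_type> <label>.<base_domain>``;
    the raw output is printed and every dotted-quad in it is collected. A label
    whose lookup fails (host exit status 1) is skipped.

    Args:
        base_domain: zone to probe.
        record_type: value for ``host -t``.
        subdomains: optional iterable of labels replacing the built-in list.

    Returns:
        list of unique IPv4 address strings, in order of first appearance.
    """
    builtin_wordlist = """
    www ftp mail owa proxy router admin www2 firewall mx pop3 mobile m
    """
    candidates = builtin_wordlist.split() if subdomains is None else list(subdomains)
    # Loose pattern, compiled once: any four dot-separated digit runs. It does
    # not validate octet ranges, so stray numbers in host's output can match.
    dotted_quad = re.compile(r'[0-9]+(?:\.[0-9]+){3}')
    found = []
    already = set()
    for label in candidates:
        full_domain = label.strip() + "." + base_domain
        print("Trying full_domain %s: " % full_domain)
        try:
            host_out = sh.host("-t", record_type, full_domain)
        except sh.ErrorReturnCode_1:
            # No record for this name; continue with the next label.
            continue
        print(host_out)
        for addr in dotted_quad.findall(str(host_out)):
            if addr in already:
                continue
            already.add(addr)
            found.append(addr)
    return found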
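def get_soa_record(basename):
    """Return the raw ``host -t soa <basename>`` output, or None if the lookup fails.

    Only host exit status 1 is treated as "no record" (logged to stderr);
    any other failure propagates to the caller as an sh.ErrorReturnCode.

    Args:
        basename: zone name to query.

    Returns:
        sh.RunningCommand (string-like) on success, None on exit status 1.
    """
    out = None
    try:
        out = sh.host("-t", "soa", basename)
    except sh.ErrorReturnCode_1:
        # Newline-terminated so the message does not run into the next line
        # of output (the original message lacked one).
        sys.stderr.write("No soa records found for %s\n" % basename)
    return out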
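def get_nameservers(basename):
    """Return the raw ``host -t ns <basename>`` output, or None if the lookup fails.

    host exit status 1 is treated as "no name servers" and logged to stderr;
    other exit codes propagate as sh.ErrorReturnCode.

    Args:
        basename: zone name to query.

    Returns:
        sh.RunningCommand (string-like, one "<zone> name server <ns>." line per
        record) on success, None on exit status 1.
    """
    out = None
    try:
        out = sh.host("-t", "ns", basename)
    except sh.ErrorReturnCode_1:
        # Terminate with a newline so stderr lines stay separated.
        sys.stderr.write("No name servers found for %s\n" % basename)
    return out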
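def reverse_dns_discovery(ips):
    """Sweep the /24 around each address in *ips* with reverse (PTR) lookups via ``host``.

    For every input address the last octet is replaced by 0..254 and ``host``
    is run on the result; successful output is printed and failures (exit
    status 1) are reported on stderr. A /24 prefix is swept only once even if
    several input addresses fall inside it.

    Args:
        ips: iterable of IPv4 address strings (or objects whose str() is one).

    Returns:
        None; results are printed.
    """
    swept = set()
    for ip in ips:
        octets = str(ip).split(".")
        prefix = tuple(octets[:-1])
        if prefix in swept:
            # Same /24 as an earlier address: skip 255 redundant queries.
            continue
        swept.add(prefix)
        # Kept as in the original: .0 through .254; .255 (usually the
        # broadcast address) is not queried.
        for last in range(0, 255):
            octets[-1] = str(last)
            candidate = ".".join(octets)
            try:
                out = sh.host(candidate)
                print(out)
            except sh.ErrorReturnCode_1:
                # Report the dotted address, not the list repr of its octets.
                sys.stderr.write("Nothing found at %s\n" % candidate)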
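def convert_to_IP(domains):
    """Resolve each name in *domains* with ``host`` and return every IPv4 address found.

    All dotted-quads in host's output are collected, so a name with several A
    records contributes several entries. A name host cannot resolve (exit
    status 1) is logged to stderr and contributes nothing instead of aborting
    the whole run.

    Args:
        domains: iterable of host names.

    Returns:
        flat list of IPv4 address strings. (The original appended the whole
        one-element list for single-address names, producing a mix of strings
        and nested lists.)
    """
    # Loose pattern: any four dot-separated digit runs, no octet range check.
    dotted_quad = re.compile(r'[0-9]+(?:\.[0-9]+){3}')
    list_of_IPs = []
    for name in domains:
        try:
            output = str(sh.host(name))
        except sh.ErrorReturnCode_1:
            sys.stderr.write("Could not resolve %s\n" % name)
            continue
        list_of_IPs.extend(dotted_quad.findall(output))
    return list_of_IPs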
# ---------------------------------------------------------------------------
# Minimal demonstration of the `host` wrapper exposed by the `sh` package.
# ---------------------------------------------------------------------------
import sh

# sh.host() runs the system `host` binary and returns its output as a
# string-like RunningCommand; printing it shows the resolver's answer.
# This performs a live DNS lookup, so it needs network access and a name
# that actually resolves.
var = sh.host('google.com')
print(var)