Пример #1
0
    def init(self):
        if self.options["FILE"]:
            full_path = os.path.join(os.getcwd(), self.options["FILE"])
            with open(full_path) as file:
                self.options["TARGET"] = list(
                    filter(None,
                           file.read().split('\n')))
        else:
            self.options["TARGET"] = list(
                filter(None, self.options["TARGET"].split(",")))
        # Clean up targets
        for i in range(len(self.options["TARGET"])):
            url = self.options["TARGET"][i]
            # Inject protocol if not there
            if not re.match(r'http(s?):', url):
                url = 'http://' + url

            parsed = urlsplit(url)
            host = parsed.netloc

            self.options["TARGET"][i] = host

            try:
                domain_str = socket.gethostbyname(host)
                ColorPrint.green(
                    f"Searching for subdomains for {domain_str} ({host})")
            except Exception as e:
                self.handle_exception(
                    e,
                    "Error connecting to target! Make sure you spelled it correctly and it is a resolvable address"
                )
                raise e
Пример #2
0
    def init(self):
        self.options["TARGET"] = self.options["TARGET"].split(",")
        for i in range(len(self.options["TARGET"])):
            url = self.options["TARGET"][i]

            if not re.match(r'http(s?):', url):
                url = 'http://' + url

            parsed = urlsplit(url)
            host = parsed.netloc

            if host.startswith('www.'):
                host = host[4:]

            self.options["TARGET"][i] = host

            try:
                ColorPrint.green(
                    "Searching for subdomains for " +
                    socket.gethostbyname(self.options["TARGET"][i]) + " (" +
                    self.options["TARGET"][i] + ")")
            except Exception as e:
                self.handle_exception(
                    e,
                    "Error connecting to target! Make sure you spelled it correctly and it is a resolvable address"
                )
                raise e
        print("")
Пример #3
0
 def test_color_print(self):
     ColorPrint.red("red")
     self.assertIn("91m", sys.stdout.getvalue())
     ColorPrint.green("green")
     self.assertIn("92m", sys.stdout.getvalue())
     ColorPrint.light_purple("light_purple")
     self.assertIn("94m", sys.stdout.getvalue())
     ColorPrint.purple("purple")
     self.assertIn("95m", sys.stdout.getvalue())
     ColorPrint.yellow("yellow")
     self.assertIn("93m", sys.stdout.getvalue())
Пример #4
0
 def resolve_ips(self):
     unique_ips = set()
     for domain in self.dedupe:
         try:
             resolved_ip = socket.gethostbyname(domain)
             # TODO - Align domains and ips in stdout
             ColorPrint.green(domain + ": " + resolved_ip)
             unique_ips.add(resolved_ip)
         except Exception as e:
             self.handle_exception(e)
     print("Found %s unique IPs" % len(unique_ips))
     for ip in unique_ips:
         ColorPrint.green(ip)
Пример #5
0
 def resolve_ips(self):
     unique_ips = set()
     for domain in self.dedupe:
         try:
             # Attempt to get IP
             resolved_ip = socket.gethostbyname(domain)
         except Exception as e:
             self.handle_exception(e)
             # If getting IP fails, fallback to empty string
             resolved_ip = ""
         # TODO - Align domains and ips in stdout
         ColorPrint.green(domain + ": " + resolved_ip)
         unique_ips.add(resolved_ip)
     print("Found %s unique IPs" % len(unique_ips))
     for ip in unique_ips:
         # String truthiness ignores empty strings
         if ip:
             ColorPrint.green(ip)
Пример #6
0
    def resolve_ips(self):
        unique_ips = set()
        for domain in self.dedupe:
            try:
                # Attempt to get IP
                resolved_ip = socket.gethostbyname(domain)
            except Exception as e:
                self.handle_exception(e)
                # If getting IP fails, fallback to empty string
                resolved_ip = ""
            # TODO - Align domains and ips in stdout
            ColorPrint.green(domain + ": " + resolved_ip)
            if self.options['--silent']:
                sys.stdout.write(domain + '\n', override=True)

            if resolved_ip:
                unique_ips.add(resolved_ip)
        print("Found %s unique IPs" % len(unique_ips))
        for ip in unique_ips:
            # Ignore empty strings, final sanity check
            if ip:
                ColorPrint.green(ip)
Пример #7
0
    def run(self):
        # Retrieve IP of target and run initial configurations
        self.init()
        # If multiple targets, create scans for each
        for i in range(len(self.options["TARGET"])):
            # Default scans that run every time
            target = self.options["TARGET"][i]
            ColorPrint.green(f"Working on target: {target}")
            threads = [
                threading.Thread(target=dns_zonetransfer, args=(self, target)),
                threading.Thread(target=subdomain_hackertarget,
                                 args=(self, target)),
                threading.Thread(target=search_subject_alt_name,
                                 args=(self, target)),
                threading.Thread(target=search_netcraft, args=(self, target)),
                threading.Thread(target=search_crtsh, args=(self, target)),
                threading.Thread(target=search_dnsdumpster,
                                 args=(self, target)),
                threading.Thread(target=search_anubisdb, args=(self, target))
            ]

            # Additional options - shodan.io scan
            if self.options["--additional-info"]:
                threads.append(
                    threading.Thread(target=search_shodan, args=(self, )))

            # Additional options - nmap scan of dnssec script and a host/port scan
            if self.options["--with-nmap"]:
                threads.append(
                    threading.Thread(target=dnssecc_subdomain_enum,
                                     args=(self, target)))
                threads.append(
                    threading.Thread(target=scan_host, args=(self, )))

            # Start all threads and wait for them to finish
            for x in threads:
                x.start()

            for x in threads:
                x.join()

            # Run a recursive search on each subdomain - rarely useful, but nice to have
            # just in case
            if self.options["--recursive"]:
                recursive_search(self)

            # remove duplicates and clean up
            self.domains = self.clean_domains(self.domains)
            self.dedupe = set(self.domains)

            print("Found", len(self.dedupe), "subdomains")
            print("----------------")

            if self.options["--ip"]:
                self.resolve_ips()
            else:
                for domain in self.dedupe:
                    cleaned_domain = domain.strip()
                    ColorPrint.green(cleaned_domain)
                    if self.options['--silent']:
                        sys.stdout.write(cleaned_domain, override=True)

            if self.options["--send-to-anubis-db"]:
                send_to_anubisdb(self, [target])
            # reset per domain
            self.domains = list()
Пример #8
0
    def run(self):
        # Retrieve IP of target and run initial configurations
        self.init()

        ColorPrint.green("Searching for subdomains for " + self.ip + " (" +
                         self.options["TARGET"] + ")\n")

        # Default scans that run every time
        threads = [
            Thread(target=dns_zonetransfer(self, self.options["TARGET"])),
            Thread(
                target=search_subject_alt_name(self, self.options["TARGET"])),
            Thread(
                target=subdomain_hackertarget(self, self.options["TARGET"])),
            Thread(target=search_virustotal(self, self.options["TARGET"])),
            Thread(target=search_pkey(self, self.options["TARGET"])),
            Thread(target=search_netcraft(self, self.options["TARGET"])),
            Thread(target=search_crtsh(self, self.options["TARGET"])),
            Thread(target=search_dnsdumpster(self, self.options["TARGET"])),
            Thread(target=search_anubisdb(self, self.options["TARGET"]))
        ]
        # Additional options - ssl cert scan
        if self.options["--ssl"]:
            threads.append(
                Thread(target=ssl_scan(self, self.options["TARGET"])))

        # Additional options - shodan.io scan
        if self.options["--additional-info"]:
            threads.append(Thread(target=search_shodan(self)))

        # Additional options - nmap scan of dnssec script and a host/port scan
        if self.options["--with-nmap"]:
            threads.append(
                Thread(target=dnssecc_subdomain_enum(self,
                                                     self.options["TARGET"])))
            threads.append(Thread(target=scan_host(self)))

        # Additional options - brute force common subdomains
        if self.options["--brute-force"]:
            threads.append(
                Thread(target=brute_force(self, self.options["TARGET"])))

        # Start all threads
        for x in threads:
            x.start()

        # Wait for all of them to finish
        for x in threads:
            x.join()

        # remove duplicates and clean up

        if self.options["--recursive"]:
            self.recursive_search()

        self.domains = self.clean_domains(self.domains)
        self.dedupe = set(self.domains)

        print("Found", len(self.dedupe), "subdomains")
        print("----------------")

        if self.options["--ip"]:
            self.resolve_ips()
        else:
            for domain in self.dedupe:
                ColorPrint.green(domain.strip())

        if not self.options["--no-anubis-db"]:
            send_to_anubisdb(self, self.options["TARGET"])
Пример #9
0
    def run(self):
        # Retrieve IP of target and run initial configurations
        self.init()
        # If multiple targets, create scans for each
        for i in range(len(self.options["TARGET"])):
            # Default scans that run every time
            target = self.options["TARGET"][i]
            threads = [
                threading.Thread(target=dns_zonetransfer, args=(self, target)),
                threading.Thread(target=subdomain_hackertarget,
                                 args=(self, target)),
                threading.Thread(target=search_subject_alt_name,
                                 args=(self, target)),
                threading.Thread(target=search_virustotal,
                                 args=(self, target)),
                # threading.Thread(target=search_pkey, args=(self, target)),
                # Removed pkey as of June 18 2018 due to issues on their end (not connecting)
                threading.Thread(target=search_netcraft, args=(self, target)),
                threading.Thread(target=search_crtsh, args=(self, target)),
                threading.Thread(target=search_dnsdumpster,
                                 args=(self, target)),
                threading.Thread(target=search_anubisdb, args=(self, target))
            ]

            # Additional options - shodan.io scan
            if self.options["--additional-info"]:
                threads.append(
                    threading.Thread(target=search_shodan, args=(self, )))

            # Additional options - ssl
            if self.options["--ssl"]:
                threads.append(
                    threading.Thread(target=ssl_scan, args=(self, target)))

            # Additional options - nmap scan of dnssec script and a host/port scan
            if self.options["--with-nmap"]:
                threads.append(
                    threading.Thread(target=dnssecc_subdomain_enum,
                                     args=(self, target)))
                threads.append(
                    threading.Thread(target=scan_host, args=(self, )))

        # Start all threads and wait for them to finish
        for x in threads:
            x.start()

        for x in threads:
            x.join()

        # Run a recursive search on each subdomain - rarely useful, but nice to have
        # just in case
        if self.options["--recursive"]:
            recursive_search(self)

        # remove duplicates and clean up
        self.domains = self.clean_domains(self.domains)
        self.dedupe = set(self.domains)

        print("Found", len(self.dedupe), "subdomains")
        print("----------------")

        if self.options["--ip"]:
            self.resolve_ips()
        else:
            for domain in self.dedupe:
                ColorPrint.green(domain.strip())

        if self.options["--send-to-anubis-db"]:
            send_to_anubisdb(self, self.options["TARGET"])
Пример #10
0
    def run(self):
        # Retrieve IP of target and run initial configurations
        self.init()
        ColorPrint.green("Searching for subdomains for " + self.ip + " (" +
                         self.options["TARGET"] + ")\n")

        # Multithreaded scans
        threads = [
            Thread(target=self.scan_subject_alt_name()),
            Thread(target=self.dns_zonetransfer()),
            Thread(target=self.subdomain_hackertarget()),
            Thread(target=self.search_virustotal()),
            Thread(target=self.search_pkey()),
            Thread(target=self.search_netcraft()),
            Thread(target=self.search_dnsdumpster())
        ]

        # Default scans that run every time

        # If they want to send and receive results from Anubis DB
        if not self.options["--no-anubis-db"]:
            threads.append(Thread(target=self.scan_anubisdb()))

        # Additional options - ssl cert scan
        if self.options["--ssl"]:
            threads.append(Thread(target=self.ssl_scan()))

        # Additional options - shodan.io scan
        if self.options["--additional-info"]:
            threads.append(Thread(target=self.search_shodan()))

        # Additional options - nmap scan of dnssec script and a host/port scan
        if self.options["--with-nmap"]:
            threads.append(Thread(target=self.dnssecc_subdomain_enum()))
            threads.append(Thread(target=self.scan_host()))

        # Additional options - brute force common subdomains
        if self.options["--brute-force"]:
            threads.append(Thread(target=self.brute_force()))

        # Not sure what data we can get from censys yet, but might be useful in the future
        # self.search_censys()

        # Start all threads
        for x in threads:
            x.start()

        # Wait for all of them to finish
        for x in threads:
            x.join()

        # remove duplicates and clean up

        self.domains = self.clean_domains()
        self.dedupe = set(self.domains)

        print("Found", len(self.dedupe), "domains")
        print("----------------")
        if self.options["--ip"]:
            self.resolve_ips()
        else:
            for domain in self.dedupe:
                ColorPrint.green(domain.strip())

        if not self.options["--no-anubis-db"]:
            self.send_to_anubisdb()
Пример #11
0
    def run(self):
        # Retrieve IP of target and run initial configurations
        self.init()
        for i in range(len(self.options["TARGET"])):
            # Default scans that run every time
            target = self.options["TARGET"][i]
            threads = [
                threading.Thread(target=dns_zonetransfer, args=(self, target)),
                threading.Thread(target=search_subject_alt_name,
                                 args=(self, target)),
                threading.Thread(target=subdomain_hackertarget,
                                 args=(self, target)),
                threading.Thread(target=search_virustotal,
                                 args=(self, target)),
                threading.Thread(target=search_pkey, args=(self, target)),
                threading.Thread(target=search_netcraft, args=(self, target)),
                threading.Thread(target=search_crtsh, args=(self, target)),
                threading.Thread(target=search_dnsdumpster,
                                 args=(self, target)),
                threading.Thread(target=search_anubisdb, args=(self, target))
            ]
            print('test')
            # Additional options - ssl cert scan
            if self.options["--ssl"]:
                threads.append(
                    threading.Thread(target=ssl_scan, args=(self, target)))

            # Additional options - shodan.io scan
            if self.options["--additional-info"]:
                threads.append(
                    threading.Thread(target=search_shodan, args=(self, )))

            # Additional options - nmap scan of dnssec script and a host/port scan
            if self.options["--with-nmap"]:
                threads.append(
                    threading.Thread(target=dnssecc_subdomain_enum,
                                     args=(self, target)))
                threads.append(
                    threading.Thread(target=scan_host, args=(self, )))

            # Additional options - brute force common subdomains
            if self.options["--brute-force"]:
                threads.append(
                    threading.Thread(target=brute_force, args=(self, target)))

            # Start all threads
        for x in threads:
            x.start()

        # Wait for all of them to finish
        for x in threads:
            x.join()

        # remove duplicates and clean up

        if self.options["--recursive"]:
            recursive_search(self)

        self.domains = self.clean_domains(self.domains)
        self.dedupe = set(self.domains)

        print("Found", len(self.dedupe), "subdomains")
        print("----------------")

        if self.options["--ip"]:
            self.resolve_ips()
        else:
            for domain in self.dedupe:
                ColorPrint.green(domain.strip())

        if self.options["--send-to-anubis-db"]:
            send_to_anubisdb(self, self.options["TARGET"])