def check_azure_vms(names, nameserver, threads): """ Checks for Azure Virtual Machines """ print("[+] Checking for Azure Virtual Machines") # Start a counter to report on elapsed time start_time = utils.start_timer() # Pull the regions from a config file regions = azure_regions.REGIONS print("[*] Testing across {} regions defined in the config file".format( len(regions))) for region in regions: # Initialize the list of domain names to look up candidates = [name + '.' + region + '.' + VM_URL for name in names] # Azure VMs use DNS sub-domains. If it resolves, it is registered. utils.fast_dns_lookup(candidates, nameserver, callback=print_vm_response, threads=threads) # Stop the timer utils.stop_timer(start_time)
def check_awsapps(names, threads, nameserver, cverbose=True): """ Checks for existence of AWS Apps (ie. WorkDocs, WorkMail, Connect, etc.) """ if cverbose: print("[+] Checking for AWS Apps") pname = ['AWS Apps ', 2] # Start a counter to report on elapsed time start_time = utils.start_timer() # Initialize the list of domain names to look up candidates = [] # Initialize the list of valid hostnames valid_names = [] # Take each mutated keyword craft a domain name to lookup. for name in names: candidates.append('{}.{}'.format(name, APPS_URL)) # AWS Apps use DNS sub-domains. First, see which are valid. valid_names = utils.fast_dns_lookup(candidates, nameserver, pname, cverbose, threads=threads) for name in valid_names: if cverbose: utils.printc(" App Found: https://{}\n".format(name), 'orange') # Stop the timer utils.stop_timer(start_time, cverbose)
def check_azure_databases(names, nameserver): """ Checks for Azure Databases """ print("[+] Checking for Azure Databases") # Start a counter to report on elapsed time start_time = utils.start_timer() # Initialize the list of domain names to look up candidates = [name + '.' + DATABASE_URL for name in names] # Azure databases use DNS sub-domains. If it resolves, it is registered. utils.fast_dns_lookup(candidates, nameserver, callback=print_database_response) # Stop the timer utils.stop_timer(start_time)
def check_azure_websites(names, nameserver, threads): """ Checks for Azure Websites (PaaS) """ print("[+] Checking for Azure Websites") # Start a counter to report on elapsed time start_time = utils.start_timer() # Initialize the list of domain names to look up candidates = [name + '.' + WEBAPP_URL for name in names] # Azure Websites use DNS sub-domains. If it resolves, it is registered. utils.fast_dns_lookup(candidates, nameserver, callback=print_website_response, threads=threads) # Stop the timer utils.stop_timer(start_time)
def check_storage_accounts(names, threads, nameserver, cverbose=True): """ Checks storage account names """ if cverbose: print("[+] Checking for Azure Storage Accounts") pname = ['Azure Valid Names ', 3] # Start a counter to report on elapsed time start_time = utils.start_timer() # Initialize the list of domain names to look up candidates = [] # Initialize the list of valid hostnames valid_names = [] # Take each mutated keyword craft a domain name to lookup. # As Azure Storage Accounts can contain only letters and numbers, # discard those not matching to save time on the DNS lookups. regex = re.compile('[^a-zA-Z0-9]') names = list( set([ name.replace('www.', '').replace('www-', '').replace('.com', '').replace( '.net', '').replace('.gov', '') for name in names ])) for name in names: if not re.search(regex, name): candidates.append('{}.{}'.format(name, BLOB_URL)) if candidates: # Azure Storage Accounts use DNS sub-domains. First, see which are valid. valid_names = utils.fast_dns_lookup(candidates, nameserver, pname, cverbose, threads=threads) if valid_names: pname[0] = 'Azure Storage Acts' # Send the valid names to the batch HTTP processor utils.get_url_batch(valid_names, pname, cverbose, use_ssl=False, callback=print_account_response, threads=threads) # Stop the timer utils.stop_timer(start_time, cverbose) # de-dupe the results and return return list(set(valid_names))
def check_awsapps(names, threads, nameserver): """ Checks for existence of AWS Apps (ie. WorkDocs, WorkMail, Connect, etc.) """ data = { 'platform': 'aws', 'msg': 'AWS App Found:', 'target': '', 'access': '' } print("[+] Checking for AWS Apps") # Start a counter to report on elapsed time start_time = utils.start_timer() # Initialize the list of domain names to look up candidates = [] # Initialize the list of valid hostnames valid_names = [] # Take each mutated keyword craft a domain name to lookup. for name in names: candidates.append(f'{name}.{APPS_URL}') # AWS Apps use DNS sub-domains. First, see which are valid. valid_names = utils.fast_dns_lookup(candidates, nameserver, threads=threads) for name in valid_names: data['target'] = f'https://{name}' data['access'] = 'protected' utils.fmt_output(data) # Stop the timer utils.stop_timer(start_time)
def check_storage_accounts(names, threads, nameserver): """ Checks storage account names """ print("[+] Checking for Azure Storage Accounts") # Start a counter to report on elapsed time start_time = utils.start_timer() # Initialize the list of domain names to look up candidates = [] # Initialize the list of valid hostnames valid_names = [] # Take each mutated keyword craft a domain name to lookup. # As Azure Storage Accounts can contain only letters and numbers, # discard those not matching to save time on the DNS lookups. regex = re.compile('[^a-zA-Z0-9]') for name in names: if not re.search(regex, name): candidates.append(f'{name}.{BLOB_URL}') # Azure Storage Accounts use DNS sub-domains. First, see which are valid. valid_names = utils.fast_dns_lookup(candidates, nameserver, threads=threads) # Send the valid names to the batch HTTP processor utils.get_url_batch(valid_names, use_ssl=False, callback=print_account_response, threads=threads) # Stop the timer utils.stop_timer(start_time) # de-dupe the results and return return list(set(valid_names))
def check_awsapps(names, threads, nameserver): """ Checks for existence of AWS Apps (ie. WorkDocs, WorkMail, Connect, etc.) """ print("[+] Checking for AWS Apps") # Start a counter to report on elapsed time start_time = utils.start_timer() # Initialize the list of domain names to look up candidates = [] # Initialize the list of valid hostnames valid_names = [] # Take each mutated keyword craft a domain name to lookup. for name in names: candidates.append('{}.{}'.format(name, APPS_URL)) # AWS Apps use DNS sub-domains. First, see which are valid. valid_names = utils.fast_dns_lookup(candidates, nameserver, threads=threads) # Send the valid names to the batch HTTP processor utils.get_url_batch(valid_names, use_ssl=False, callback=print_awsapps_response, threads=threads) # Stop the timer utils.stop_timer(start_time) # de-dupe the results and return return list(set(valid_names))