def test_all(self):
engines = None
domain = 'http0b100.com'
ports = None
subdomains = sublist3r.main(domain,
self.no_threads,
self.savefile,
ports,
silent=False,
verbose=self.verbose,
enable_bruteforce=self.enable_bruteforce,
engines=engines)
domain = 'taiwandestiny.com'
subdomains = sublist3r.main(domain,
self.no_threads,
self.savefile,
ports,
silent=False,
verbose=self.verbose,
enable_bruteforce=self.enable_bruteforce,
engines=engines)
print("test_all")
print("==============================")
print(subdomains)
print("==============================")
def get_domains(domain, delete_www) :
if os.path.isfile("{0}/dns/domains".format(domain)) :
os.system("rm {0}/dns/domains".format(domain))
if args.subrute is not None :
print("{0}[#] Launching Sublist3r with bruteforce module enabled.{1}".format(white, end))
text_trap = io.StringIO()
sys.stdout = text_trap
sublist3r.main(domain, 100, "{0}/dns/domains".format(domain), ports = None, silent = True, verbose = False, enable_bruteforce = True, engines = None)
sys.stdout = sys.__stdout__
if args.sublist is not None :
print("{0}[#] Launching Sublist3r with bruteforce module disabled.{1}".format(white, end))
text_trap = io.StringIO()
sys.stdout = text_trap
sublist3r.main(domain, 100, "{0}/dns/domains".format(domain), ports = None, silent = True, verbose = False, enable_bruteforce = False, engines = None)
sys.stdout = sys.__stdout__
domain_file = open("{0}/dns/domains".format(domain), "r")
domains = domain_file.readlines()
domains.insert(0, domain + "\n")
domain_file.close()
if delete_www == "True" :
domain_file = open("{0}/dns/domains".format(domain), "w")
for line in domains :
if line.startswith("www.") :
wwwless = line.split("www.")[1]
domains.remove(line)
domains.append(wwwless)
domains = set(domains)
domain_file.writelines(domains)
domain_file.close()
print("{0}\tFound {1} domains : \n\t{2}{3}".format(green, len(domains), "\t".join(map(str, domains)), end))
print("\t{0}[!] List of {1} domains written in {2}/dns/domains{3}\n".format(red, len(domains), domain, end))
return
def enum_sub_domains(self, domain, report_path):
sublist3r.main('{0}'.format(domain),
None,
'{0}.txt'.format(report_path),
ports=None,
silent=False,
verbose=True,
enable_bruteforce=False,
engines=None)
def recon(domainFile):
domainFileDir = os.path.dirname(domainFile)
subDomainDir = domainFileDir + "/subdomains"
try:
os.mkdir(subDomainDir)
except OSError as e:
if e.errno != errno.EEXIST:
raise
else:
print(subDomainDir + '已存在')
print(subDomainDir)
with open(domainFile) as f:
domains = f.read().splitlines()
for domain in domains:
no_threads = 5
savefile = subDomainDir + '/' + domain + '.sublist3r.txt'
ports = None
silent = False
verbose = True
enable_bruteforce = False # subbrute 貌似有问题,会卡住不动
engines = None
subdomains = sublist3r.main(domain, no_threads, savefile, ports,
silent, verbose, enable_bruteforce,
engines)
print(subdomains)
def sublister(self, domain, engine):
try:
doms = sublist3r.main( domain , \
40 , \
savefile=None , \
ports= None, \
silent=True, \
verbose=False, \
enable_bruteforce=False, \
engines=engine )
except Exception as e:
self.log.error(e)
if not doms:
self.log.error(f'No findings with {engine}')
else:
cleanDoms = list(
set([
d.replace('0-', '') for dom in doms
for d in dom.split('<BR>')
]))
[self.log.findings(f'{engine} found {d}') for d in cleanDoms]
present_subdomains = self.stash.get_column('subdomains',
'subdomain')
for s in [x for x in cleanDoms if x not in present_subdomains]:
sqlq = 'INSERT INTO subdomains( domain, subdomain ) VALUES(?, ?)'
sqlv = (domain, s)
self.stash.sql_execcc(sqlq, sqlv)
def run(self):
print("[*] Initiating whois lookup.")
whoisexec = pwhois.Main(self.verbose, False, self.pool, self.updatelacnicdb, self.ripe, self.lacnic, self.afrinic, self.apnic, self.arin)
self.whoisdata, domain = whoisexec.run()
clientname = domain.split('.')[0]
print("[+] Completed whois lookup for %s." % clientname.title())
if self.updatelacnicdb:
sys.exit()
print("[*] Initiating subdomain lookup with sublist3r.")
silent = not self.verbose
subdomains = sublist3r.main(domain, self.threads, None, False, silent=silent, verbose=self.verbose, enable_bruteforce=False,
engines=None)
print("[+] Completed subdomain lookup with sublist3r.")
print("[*] Performing DNS lookup on subdomains discovered.")
subdnslookup = pdnslookup.DNSLookup(subdomains, self.verbose, self.pool)
self.dnslookups = subdnslookup.execute()
print("[+] Completed DNS lookups.")
print("[*] Discovering whois data for subdomains and correlating with previously obtained whois data.")
for host in self.dnslookups.keys():
for cidr in self.whoisdata.keys():
if IPAddress(self.dnslookups[host]["ip"]) in IPNetwork(cidr):
self.dnslookups[host]["inranges"] = "Yes - " + cidr
self.dnslookups[host]["rir"] = self.whoisdata[cidr]["rir"]
self.pool.map(self.pullwhoisdb, self.dnslookups.keys())
print("[+] Completed data correlation and additional whois lookups.")
output = excelwriter(self.whoisdata, self.dnslookups, clientname)
output.create()
def parse_domain(domain_name, savefile):
return sublist3r.main(domain_name,
40,
savefile,
ports=None,
silent=False,
verbose=False,
enable_bruteforce=False,
engines=None)
def get_subs(domain, threads):
return sublist3r.main(domain,
threads,
None,
ports=None,
silent=False,
verbose=False,
enable_bruteforce=False,
engines=None)
def get_sub_domains(domain, threads):
return [domain] + sublist3r.main(domain,
threads,
savefile='./' + domain + '/dns',
ports=None,
silent=False,
verbose=False,
enable_bruteforce=False,
engines='Bing,Baidu,Yahoo,Virustotal')
def scan_sub_domain(domain):
return sublist3r.main(
domain,
100,
None,
ports=None,
silent=False,
verbose=False,
enable_bruteforce=False,
engines='baidu,yahoo,bing,ask,virustotal,threatcrowd,ssl,passivedns')
def find_subdomains(domain):
print "[+] Running sublist3r to find subdomains of %s..." % domain
return sublist3r.main(domain,
40,
'',
ports=None,
silent=True,
verbose=True,
enable_bruteforce=True,
engines=None)
def getsubdomines(domine):
subdomains = sublist3r.main(domine,
40,
"temp2.txt",
ports=None,
silent=False,
verbose=True,
enable_bruteforce=False,
engines=None)
return subdomains
def test_google_com(self):
engines = 'Google,Yahoo,Ask,SSL,Bing,Baidu,PassiveDNS,Virustotal,ThreatCrowd,DNSdumpster,Netcraft,Error'
domain = 'google.com'
ports = None
subdomains = sublist3r.main(domain,
self.no_threads,
self.savefile,
ports,
silent=False,
verbose=True,
enable_bruteforce=self.enable_bruteforce,
engines=engines)
subdomains = sublist3r.main(domain,
self.no_threads,
self.savefile,
ports,
silent=False,
verbose=False,
enable_bruteforce=self.enable_bruteforce,
engines=engines)
def subdomain_search(self, target):
print("[~] Scanning for subdomains. This may take a moment...")
subdomains = sublist3r.main(
target,
40,
'Workspaces/{0}/Recon/subdomain-scan.txt'.format(self.TARGET),
ports=None,
silent=True,
verbose=False,
enable_bruteforce=False,
engines=None)
def check_sub_req():
if args.bruteforce:
bruteforce = True
else:
bruteforce = False
if args.verbose:
verbose = True
else:
verbose = False
if args.threads:
threads = args.threads
else:
print("Number of threads not specified,Setting threads to 2")
threads = 2
if args.output:
output = True
else:
output = False
if args.savefile:
savefile = args.savefile
else:
#ap.print_help()
None
if args.silent:
silent = True
else:
silent = False
if args.ports is None:
ports = 80
else:
ports = args.ports
print("Using specified ports-%d",ports)
if args.engines is None:
engines = None
elif args.engines is not None:
engines = args.engines
print("Using specified engines-%s",engines)
else:
None
if args.csvfields is None:
csvfields = []
else:
csvfields = args.csvfields
print("Using specified csvfields-%s",csvfields)
subdomains = sublist3r.main(domain, threads, output, ports, silent, verbose, bruteforce, engines)
def subdomGather(domain):
domains=[]
ports=None
silent=True
verbose= False
enable_bruteforce= False
no_threads=40
engines=None
print(Fore.YELLOW+"\n[-] Fetching Subdomains for "+domain+" using sublister, this will take time\n\n")
print(Fore.WHITE+"[...] Ignore the following error! [...]"+Style.RESET_ALL)
subdomain = sublist3r.main(domain, no_threads,"save.txt", ports, silent, verbose, enable_bruteforce,engines)
return subdomain
def verticalEnum(): for domain in finalDomains: print "Performing vertical enumeration for: " + domain + " using Sublist3r." subdomains = sublist3r.main(domain, 40, 'vertDoms.txt',ports= None, silent=False, verbose= False, enable_bruteforce= False, engines=None) time.sleep(30) global completeDomains for dom in subdomains: completeDomains.append(dom) print "Sublist3r done, port scan will start next." print (completeDomains)
def test_error_domains(self):
engines = 'ThreatCrowd,Netcraft,Error'
domain = '\\\\\\'
ports = None
subdomains = sublist3r.main(domain,
self.no_threads,
self.savefile,
ports,
silent=True,
verbose=self.verbose,
enable_bruteforce=True,
engines=engines)
def sublister(self, url):
global urls
subdomains = sublist3r.main(url,
40,
savefile=False,
ports=None,
silent=True,
verbose=False,
enable_bruteforce=False,
engines=None)
for x in subdomains:
urls.append(x)
urls = list(set(urls))
def test_bruteforce(self):
engines = 'ThreatCrowd'
domain = 'taiwandestiny.com'
ports = None
subdomains = sublist3r.main(domain,
self.no_threads,
self.savefile,
ports,
silent=False,
verbose=False,
enable_bruteforce=True,
engines=engines)
subdomains = sublist3r.main(domain,
self.no_threads,
self.savefile,
ports,
silent=True,
verbose=False,
enable_bruteforce=True,
engines=engines)
subdomains = sublist3r.main(domain,
self.no_threads,
self.savefile,
ports,
silent=False,
verbose=True,
enable_bruteforce=True,
engines=engines)
subdomains = sublist3r.main(domain,
self.no_threads,
self.savefile,
None,
silent=True,
verbose=True,
enable_bruteforce=True,
engines=engines)
def getDataFromSublist3r(url):
#Get domain name
tsd, td, tsu = extract(url)
url = td + '.' + tsu
subdomains = sublist3r.main(url,
10,
'',
ports=None,
silent=True,
verbose=False,
enable_bruteforce=False,
engines=None)
return subdomains
def get_subs(domain):
"""
Uses sublist3r to search for subdomains on several engines
-- Example --
get_subs('nequi.com') >> www.nequi.com ; api.nequi.com ; etc...
"""
subdomains = sublist3r.main(domain,
40,
savefile=False,
ports=None,
silent=True,
verbose=False,
enable_bruteforce=False,
engines='google,bing,yahoo,passivedns')
return subdomains
def http_subdomains(domain, exhaustive=False):
subdomains = sublist3r.main(domain, 40, 'some_subdomains.txt', ports=None, silent=True, verbose=False,
enable_bruteforce=False, engines=None)
insecure = []
for website in subdomains:
#print('checking http://' + website)
try:
r = requests.get('http://'+website, timeout=5)
except:
continue
if not 'https' in r.url:
insecure.append(website)
print(website)
if not exhaustive and len(insecure) > 4:
break
return insecure
def run(self, domains):
if domains:
scopelist = []
nonwild = []
for domain in domains:
if '*' in domain:
scopelist.append(domain.strip('*.'))
for domain in scopelist:
print '[+]Currently Running sublist3r on: ' + domain
subdomains = sublist3r.main(domain, self.no_threads,
self.savefile, self.ports,
self.silent, self.verbose,
self.enable_bruteforce,
self.engines)
self.foundDomains += subdomains
self.foundDomains = set(self.foundDomains)
Domains(self.foundDomains).verify()
def get_subs(self):
output = self.domain.replace('https://', '') + '_subdomains.txt'
subdomains = sublist3r.main(self.domain.replace('https://', ''),
40,
output,
ports=None,
silent=False,
verbose=False,
enable_bruteforce=False,
engines=None)
self.subdomains = subdomains
self.subdomains.append(self.domain)
for sub in self.subdomains:
name = sub
name = name.replace('https://', '').replace('.com', ' ')
name = name.strip()
self.names[name] = sub
def get_subs(tld_list, sub_list, verbose_toggle, brute_toggle, ports_list=None):
for tld in tld_list:
sub_list.append(tld.strip())
savefile = "sd_discover_"+str(tld)+".txt"
subdomains = sublist3r.main(tld, 40, savefile, ports=ports_list, silent=False, verbose= verbose_toggle, enable_bruteforce=brute_toggle, engines=None)
for line in subdomains:
if line.strip() not in sub_list:
sub_list.append(line.strip())
print('\nTotal unique subdomains: '+str(len(sub_list)))
with open('sd_discover_results.txt', 'w') as output:
for k in sub_list:
output.write(str(k))
output.write('\n')
if verbose_toggle:
print(k)
print('\nResults saved to "sd_discover_results.txt"')
def run(self, domains, dbsfile):
if domains:
scopelist = []
nonwild = []
for domain in domains:
if '*' in domain:
scopelist.append(domain.strip('*.'))
for domain in scopelist:
print colored('[-] Running sublist3r on ' + domain + '...',
'blue')
subdomains = sublist3r.main(domain, self.no_threads,
self.savefile, self.ports,
self.silent, self.verbose,
self.enable_bruteforce,
self.takeover_check, self.engines)
self.foundDomains += subdomains
self.foundDomains = set(self.foundDomains)
Domains(self.foundDomains, dbsfile).verify()
def enumerate_subdomain(self,
target,
threads_no,
output_file,
ports=None,
silent_mode=False,
verbose=False,
bruteforce=False,
engines=None):
results = sublist3r.main(domain=target,
threads=threads_no,
savefile="results/" + output_file,
ports=ports,
silent=silent_mode,
verbose=verbose,
enable_bruteforce=bruteforce,
engines=engines)
self.subdomain_count = len(results)
def getSubdomains(domain):
try:
tld = getTldFromUrl(domain)
tldSplitted = tld.split(".")[0]
domain = domain.split(".")[domain.split(".").index(tldSplitted) -
1] + "." + tld
return sublist3r.main(domain,
5,
savefile=None,
ports=None,
silent=False,
verbose=False,
enable_bruteforce=False,
engines=Constants.sublist3rEngines)
except Exception as e:
logging.error("Error in getSubdomains(): " + str(e))
pass
return None
def parse_domain(domain, nameserver):
domain_list = []
ip_list = set()
if "*" in domain and domain[0:2] != "*.":
raise Exception("Invalid domain: {}".format(domain))
elif "*" in domain:
sub_domains = sublist3r.main(domain[2:],
40,
None,
ports=None,
silent=False,
verbose=False,
enable_bruteforce=False,
engines=None)
print(sub_domains)
domain_list.extend(sub_domains)
else:
domain_list.append(domain)
# Use DNSPYTHON to get info.
resolver = dns.resolver.Resolver()
resolver.lifetime = resolver.timeout = 20.0
for domain_name in domain_list:
print("Resolving: {}".format(domain_name))
try:
resolver.nameservers = [nameserver]
response = resolver.query(domain_name)
for answer in response.response.answer:
for ip in answer.items:
if ip.rdtype == 1:
ip_list.add(ip.address + "/32")
except:
pass
# try:
# response = dns.resolver.query(domain_name, "CNAME")
# for answer in response.response.answer:
# for ip in answer.items:
# if ip.rdtype == 1:
# ip_list.add(ip.address+"/32")
# except:
# pass
return ip_list
