def parse_ldap_domain(): if os.path.exists(c.getPath("ldap", "ldapEnum4linux")): ig = helper_lists.ignoreDomains() ignore_extensions = ig.ignore lf = open(c.getPath("ldap", "ldapEnum4linux"), 'r') domain = [] dns = [ re.findall( r"(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]{,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{3,6}", d) for d in sorted(set(line.rstrip() for line in lf)) ] for x in dns: if x not in domain: for dn in x: if not any(s in dn for s in ignore_extensions): dn_lower = dn.lower() if dn_lower not in domain and ( not dn_lower.startswith("ldap") ) and (not dn_lower.endswith("portcu")): num_dots = int(dn_lower.count(".")) if num_dots <= 1: domain.append(dn_lower) lf.close() # print(domain) return domain
def getRedirect(self): """Extra Function for enumWeb HTTP hosts so as not to run Scan() twice.""" np = nmapParser.NmapParserFunk(self.target) np.openPorts() dnsPort = np.dns_ports c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) ig = helper_lists.ignoreDomains() ignore = ig.ignore try: with open(c.getPath("nmap", "nmap_top_ports_nmap"), "r") as nm: for line in nm: new = (line.replace("=", " ").replace("/", " ").replace( "commonName=", "").replace("/organizationName=", " ").replace(",", " ").replace("_", " ")) matches = re.findall( r"(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]{,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{3,6}", new) for x in matches: if not any(s in x for s in ignore): self.redirect_hostname.append(x) if "|_http-title: Did not follow redirect to http:" in line: print(line) split_line2 = line.split() last_word2 = split_line2[-1] redirect_domainName = (last_word2.replace( "http://", "").replace("/", "").replace("'", "")) self.redirect_hostname.append(redirect_domainName) except FileNotFoundError as fnf_error: print(fnf_error) if len(dnsPort) != 0: if not os.path.exists(c.getPath("dns", "dnsDir")): os.makedirs(c.getPath("dns", "dnsDir")) dig_cmd = c.getCmd("dns", "dnsDig") dp = dig_parser.digParse(self.target, dig_cmd) dp.parseDig() dig_hosts = dp.hosts sub_hosts = dp.subdomains if len(dig_hosts) != 0: for x in dig_hosts: self.redirect_hostname.append(x) if len(sub_hosts) != 0: for x in sub_hosts: self.redirect_hostname.append(x) if len(self.redirect_hostname) != 0: alldns = " ".join(map(str, self.redirect_hostname)) zonexferDns = [] dig_command = c.getCmd("dns", "dnsDigAxfr", alldns=alldns) dp2 = dig_parser.digParse(self.target, dig_command) dp2.parseDigAxfr() subdomains = dp2.subdomains for x in subdomains: zonexferDns.append(x) sortedAllDomains = sorted(set(zonexferDns)) for x in sortedAllDomains: self.redirect_hostname.append(x)
def parseDigAxfr(self): """parseDigAxfr will perform a zone transer and append the results to self.subdomains list.""" def flatten(lis): for item in lis: if isinstance(item, Iterable) and not isinstance(item, str): for x in flatten(item): yield x else: yield item dig_output = [ i.strip() for i in self.cmdline(self.command).decode("utf-8").split("\n") ] dig_filtered = [i.split() for i in dig_output if len(i) >= 9] domains = [ i[0] and i[4::] for i in dig_filtered if i[-2] or i[-3] in ["PTR", "MX", "NS", "CNAME", "TXT", "SOA", "A"] ] unsorted_hosts = [] domains = list(flatten(domains)) for d in domains: unsorted_hosts.append(d.rstrip(".")) sorted_hosts = sorted(set(unsorted_hosts)) matches = [ re.findall( r"(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]{,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{3,6}", x) for x in sorted_hosts ] _sorted_hosts = [] ig = helper_lists.ignoreDomains() ignore = ig.ignore matches = list(flatten(matches)) for x in matches: if not any(s in x for s in ignore): _sorted_hosts.append(x) for d in _sorted_hosts: if d not in self.subdomains: self.subdomains.append(d)
def GetHostNames(self): """This Function is for HTTPS/SSL enumWebSSL Class to enumerate found hostnames.""" np = nmapParser.NmapParserFunk(self.target) np.openPorts() ssl_ports = np.ssl_ports dnsPort = np.dns_ports c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) ig = helper_lists.ignoreDomains() ignore = ig.ignore allsortedhostnameslist = [] dns = [] try: with open(c.getPath("nmap", "nmap_top_ports_nmap"), "r") as nm: for line in nm: new = (line.replace("=", " ").replace("/", " ").replace( "commonName=", "").replace("/organizationName=", " ").replace(",", " ").replace("_", " ")) matches = re.findall( r"(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]{,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{3,6}", new) for x in matches: if not any(s in x for s in ignore): dns.append(x) sdns = sorted(set(dns)) tmpdns = [] for x in sdns: tmpdns.append(x) except FileNotFoundError as fnf_error: print(fnf_error) exit() ################# SSLSCAN ####################### if len(ssl_ports) == 0: tmpdns2 = [] for x in tmpdns: tmpdns2.append(x) unsortedhostnames = [] for x in tmpdns2: unsortedhostnames.append(x) allsortedhostnames = sorted(set(tmpdns2)) for x in allsortedhostnames: allsortedhostnameslist.append(x) else: for sslport in ssl_ports: if not os.path.exists( c.getPath( "webSSL", "webSSLScanTarget", sslport=sslport)): pass else: sslscanFile = c.getPath("webSSL", "webSSLScanTarget", sslport=sslport) domainName = [] altDomainNames = [] with open(sslscanFile, "rt") as f: for line in f: if "Subject:" in line: n = line.lstrip("Subject:").rstrip("\n") na = n.lstrip() if na not in ignore: domainName.append(na) if "Altnames:" in line: alnam = line.lstrip("Altnames:").rstrip("\n") alname = alnam.lstrip() alname1 = alname.lstrip("DNS:") alname2 = (alname1.replace("DNS:", "").replace( ",", "").split()) for x in alname2: if x not in ignore: altDomainNames.append(x) if (line.rstrip("\n") == "TLS 1.2 vulnerable to heartbleed" or (line.rstrip("\n") == "TLS 1.1 vulnerable to heartbleed") or (line.rstrip("\n") == "TLS 1.0 vulnerable to heartbleed")): self.heartbleed = True both = [] for x in domainName: both.append(x) for x in altDomainNames: both.append(x) tmpdns2 = [] ignore_chars_regex = re.compile(r"[@_!#$%^&*()<>?/\|}{~:]") for x in both: if ignore_chars_regex.search(x) is None: tmpdns2.append(x) for x in tmpdns: tmpdns2.append(x) unsortedhostnames = [] for x in tmpdns2: unsortedhostnames.append(x) allsortedhostnames = sorted(set(tmpdns2)) allsortedhostnameslist = [] for x in allsortedhostnames: allsortedhostnameslist.append(x) if len(dnsPort) == 0: if len(allsortedhostnameslist) != 0: for x in allsortedhostnameslist: self.hostnames.append(x) else: ######## Check For Zone Transfer ############### if not os.path.exists(c.getPath("dns", "dnsDir")): os.makedirs(c.getPath("dns", "dnsDir")) dig_cmd = f"""dig -x {self.target} @{self.target}""" dp = dig_parser.digParse(self.target, dig_cmd) dp.parseDig() dig_hosts = dp.hosts sub_hosts = dp.subdomains if len(dig_hosts) != 0: for x in dig_hosts: self.hostnames.append(x) if len(sub_hosts) != 0: for x in sub_hosts: self.hostnames.append(x) if len(self.hostnames) != 0: alldns = " ".join(map(str, self.hostnames)) zonexferDns = [] dig_command = f"""dig axfr @{self.target} {alldns}""" dp2 = dig_parser.digParse(self.target, dig_command) dp2.parseDigAxfr() subdomains = dp2.subdomains for x in subdomains: zonexferDns.append(x) sortedAllDomains = sorted(set(zonexferDns)) for x in sortedAllDomains: self.hostnames.append(x)
def Scan(self): """Parse nmap's output from the top open ports scan and use regex to find valid hostnames that are 3-6 chars in length. These domains will be filtered to ignore most .com and file extensions since this tool is currently designed for CTF machines like Hack the Box which usually have .htb extensions. The list of ignored domains is in utils/helper_lists.py""" np = nmapParser.NmapParserFunk(self.target) np.openPorts() ssl_ports = np.ssl_ports dnsPort = np.dns_ports cmd_info = "[" + fg.li_green + "+" + fg.rs + "]" c = config_parser.CommandParser(f"{os.getcwd()}/config/config.yaml", self.target) ig = helper_lists.ignoreDomains() ignore = ig.ignore dns = [] try: with open(c.getPath("nmap", "nmap_top_ports_nmap"), "r") as nm: for line in nm: new = (line.replace("=", " ").replace("/", " ").replace( "commonName=", "").replace("/organizationName=", " ").replace(",", " ").replace("_", " ")) matches = re.findall( r"(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]{,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{3,6}", new) for x in matches: if not any(s in x for s in ignore): dns.append(x) if "|_http-title: Did not follow redirect to http:" in line: split_line = line.split() last_word = split_line[-1] redirect_domain = (last_word.replace( "http://", "").replace("/", "").replace("'", "")) print( f"""{self.target} is redirecting to: {redirect_domain}, adding {redirect_domain} to /etc/hosts file""" ) dns.append(redirect_domain) self.redirect_hostname.append(redirect_domain) sdns = sorted(set(dns)) tmpdns = [] for x in sdns: tmpdns.append(x) _ips = re.findall(r"[0-9]+(?:\.[0-9]+){3}", x) if len(_ips) > 0: tmpdns.remove(x) except FileNotFoundError as fnf_error: print(fnf_error) exit() ################# SSLSCAN ####################### if len(ssl_ports) == 0: tmpdns2 = [] for x in tmpdns: tmpdns2.append(x) unsortedhostnames = [] for x in tmpdns2: unsortedhostnames.append(x) allsortedhostnames = sorted(set(tmpdns2)) allsortedhostnameslist = [] for x in allsortedhostnames: allsortedhostnameslist.append(x) else: if not os.path.exists(c.getPath("webSSL", "webSSLDir")): os.makedirs(c.getPath("webSSL", "webSSLDir")) if not os.path.exists(c.getPath("web", "aquatoneDir")): os.makedirs(c.getPath("web", "aquatoneDir")) for sslport in ssl_ports: sslscanCMD = c.getCmd("webSSL", "sslscan", sslport=sslport) print(cmd_info, sslscanCMD) call(sslscanCMD, shell=True) if not os.path.exists( c.getPath( "webSSL", "webSSLScanTarget", sslport=sslport)): pass else: sslscanFile = c.getPath("webSSL", "webSSLScanTarget", sslport=sslport) domainName = [] altDomainNames = [] with open(sslscanFile, "rt") as f: for line in f: if "Subject:" in line: n = line.lstrip("Subject:").rstrip("\n") na = n.lstrip() if na not in ignore: domainName.append(na) if "Altnames:" in line: alnam = line.lstrip("Altnames:").rstrip("\n") alname = alnam.lstrip() alname1 = alname.lstrip("DNS:") alname2 = (alname1.replace("DNS:", "").replace( ",", "").split()) for x in alname2: if x not in ignore: altDomainNames.append(x) both = [] for x in domainName: both.append(x) for x in altDomainNames: both.append(x) tmpdns2 = [] ignore_chars_regex = re.compile(r"[@_!#$%^&*()<>?/\|}{~:]") for x in both: if ignore_chars_regex.search(x) is None: tmpdns2.append(x) for x in tmpdns: if x not in ignore: tmpdns2.append(x) unsortedhostnames = [] for x in tmpdns2: unsortedhostnames.append(x) allsortedhostnames = sorted(set(tmpdns2)) allsortedhostnameslist = [] for x in allsortedhostnames: if x not in ignore: allsortedhostnameslist.append(x) for x in allsortedhostnameslist: ips = re.findall(r"[0-9]+(?:\.[0-9]+){3}", x) if len(ips) > 0: allsortedhostnameslist.remove(x) if len(dnsPort) == 0: if len(allsortedhostnameslist) != 0: for x in allsortedhostnameslist: if x not in ignore: self.redirect_hostname.append(x) print( f"""{cmd_info} Adding {fg.li_cyan}{allsortedhostnameslist} {fg.rs}to /etc/hosts""" ) hosts = Hosts(path="/etc/hosts") new_entry = HostsEntry(entry_type="ipv4", address=self.target, names=allsortedhostnameslist) hosts.add([new_entry]) hosts.write() else: if not os.path.exists(c.getPath("dns", "dnsDir")): os.makedirs(c.getPath("dns", "dnsDir")) dig_cmd = c.getCmd("dns", "dnsDig") print(cmd_info, dig_cmd) dp = dig_parser.digParse(self.target, dig_cmd) dp.parseDig() dig_hosts = dp.hosts sub_hosts = dp.subdomains if len(dig_hosts) != 0: for x in dig_hosts: allsortedhostnameslist.append(x) self.fqdn_hostname.append(x) if len(sub_hosts) != 0: for x in sub_hosts: allsortedhostnameslist.append(x) ######## Check For Zone Transfer: Running dig ############### if len(allsortedhostnameslist) != 0: alldns = " ".join(map(str, allsortedhostnameslist)) zonexferDns = [] dig_command = c.getCmd("dns", "dnsDigAxfr", alldns=alldns) print(cmd_info, dig_command) dp2 = dig_parser.digParse(self.target, dig_command) dp2.parseDigAxfr() subdomains = dp2.subdomains for x in subdomains: zonexferDns.append(x) sortedAllDomains = sorted(set(zonexferDns)) sortedAllDomainsList = [] for x in sortedAllDomains: sortedAllDomainsList.append(x) self.redirect_hostname.append(x) if len(zonexferDns) != 0: print( f"""{cmd_info} Adding {fg.li_cyan}{sortedAllDomainsList} {fg.rs}to /etc/hosts""" ) hosts = Hosts(path="/etc/hosts") new_entry = HostsEntry( entry_type="ipv4", address=self.target, names=sortedAllDomainsList, ) hosts.add([new_entry]) hosts.write()