diff --git a/microsoft_results.txt b/microsoft_results.txt
new file mode 100644
index 0000000..ddaf189
--- /dev/null
+++ b/microsoft_results.txt
@@ -0,0 +1,500 @@ +www.microsoft.com +3d-avatar-diffusion.microsoft.com +3dfe-holograms.microsoft.com +3papiprovider.microsoft.com +3pc.microsoft.com +3rdpartysource.microsoft.com +3sdash.microsoft.com +3sdebug.microsoft.com +abilitysummit.microsoft.com +account.microsoft.com +mucp.api.account.microsoft.com +privacynotice.account.microsoft.com +account-mgmt-exp.microsoft.com +accountguard.microsoft.com +activate.microsoft.com +adaptivecards.microsoft.com +adfshelp.microsoft.com +admin.microsoft.com +sites-author.adobeprod.microsoft.com +adoption.microsoft.com +ads.microsoft.com +about.ads.microsoft.com +adlibrary.ads.microsoft.com +help.ads.microsoft.com +internal.ads.microsoft.com +mmcapi.ads.microsoft.com +trinity.ads.microsoft.com +ucm.ads.microsoft.com +ui.ads.microsoft.com +beta.ads-int.microsoft.com +ai-edge.microsoft.com +aiotlabs.microsoft.com +airlift.microsoft.com +register.aiskillsfest.microsoft.com +aiskillsnavigator.microsoft.com +aitour.microsoft.com +register.aitour.microsoft.com +ajax.microsoft.com +answers.microsoft.com +social.answers.microsoft.com +apply.microsoft.com +apps.microsoft.com +appsource.microsoft.com +browser.pipe.aria.microsoft.com +mobile.pipe.aria.microsoft.com +askhrva.microsoft.com +assetsppe2.microsoft.com +assetsprod.microsoft.com +assist.microsoft.com +atlas.microsoft.com +mobileappcommunicator.auth.microsoft.com +azure.microsoft.com +azurelocalsolutions.azure.microsoft.com +azureforeducation.microsoft.com +azuremarketplace.microsoft.com +register.azuremigration.microsoft.com +api.bap.microsoft.com +bcweb.microsoft.com +api.bing.microsoft.com +help.bing.microsoft.com +academycourses.bingads.microsoft.com +adinquiry.bingads.microsoft.com +resources.azure.bingads.microsoft.com +bingapp.microsoft.com +bingfeedback.microsoft.com +bingwallpaper.microsoft.com +blogs.microsoft.com +brandcentral.microsoft.com +browserdefaults.microsoft.com +browserprotection.microsoft.com +build.microsoft.com +register.build.microsoft.com 
+register.buildinfo.microsoft.com +businessaccount.microsoft.com +uploadhub.capqa.microsoft.com +careers.microsoft.com +jobs.careers.microsoft.com +refer.careers.microsoft.com +cdn-dynmedia-1.microsoft.com +df.cfp.microsoft.com +clarity.microsoft.com +cloudaccelerator.microsoft.com +ftenomination.cloudaccelerator.microsoft.com +cloudblogs.microsoft.com +cloudbrowser.microsoft.com +coach.microsoft.com +westus.dev.cognitive.microsoft.com +compassone.microsoft.com +compliance.microsoft.com +copilot.microsoft.com +auth.copilot.microsoft.com +copilotdash-sdf.microsoft.com +copilotscenarios.microsoft.com +copilotstudio.microsoft.com +coreidentity.microsoft.com +paymentsredirectionservice.cp.microsoft.com +create.microsoft.com +cdn.create.microsoft.com +credentials.microsoft.com +customerfeedback.microsoft.com +customervoice.microsoft.com +cxpqualityhub.microsoft.com +browser.events.data.microsoft.com +eu-mobile.events.data.microsoft.com +mobile.events.data.microsoft.com +self.events.data.microsoft.com +v10.events.data.microsoft.com +watson.events.data.microsoft.com +settings-win.data.microsoft.com +datacenters.microsoft.com +dcg.microsoft.com +dcservicesgateway.microsoft.com +ti.defender.microsoft.com +definitionupdates.microsoft.com +2.dl.delivery.mp.microsoft.com.delivery.microsoft.com +4.dl.delivery.mp.microsoft.com.delivery.microsoft.com +2.tlu.dl.delivery.mp.microsoft.com.delivery.microsoft.com +designer.microsoft.com +apps.dev.microsoft.com +devblogs.microsoft.com +devbox.microsoft.com +developer.microsoft.com +devicepartner.microsoft.com +devportal.microsoft.com +fpt.dfp.microsoft.com +care.dlservice.microsoft.com +docs.microsoft.com +dotnet.microsoft.com +builds.dotnet.microsoft.com +download.microsoft.com +api.dtmnebula.microsoft.com +client.dtmnebula.microsoft.com +t135.e-mails.microsoft.com +eagreements.microsoft.com +images.ecomm.microsoft.com +edge.microsoft.com +edge-http.microsoft.com +edgemobileapp.microsoft.com +edunominate.microsoft.com 
+egrc.microsoft.com +emails.microsoft.com +usgovintake.embark.microsoft.com +employeeservicehub.microsoft.com +enablement.microsoft.com +endpoint.microsoft.com +engagehub.microsoft.com +entra.microsoft.com +esi.microsoft.com +esicxp.microsoft.com +esireg.microsoft.com +esisupport.microsoft.com +esxp.microsoft.com +euaaccessportal.microsoft.com +abilitysummit.event.microsoft.com +aiskillsfest.event.microsoft.com +azuremigration.event.microsoft.com +discoverday.event.microsoft.com +msbizappslaunchevent.event.microsoft.com +regcdn.event.microsoft.com +secure.event.microsoft.com +events.microsoft.com +internal.evergreen.microsoft.com +evl.microsoft.com +admin.exchange.microsoft.com +exp.microsoft.com +expertzone.microsoft.com +api.fabric.microsoft.com +app.fabric.microsoft.com +blog.fabric.microsoft.com +community.fabric.microsoft.com +ideas.fabric.microsoft.com +msit.fabric.microsoft.com +support.fabric.microsoft.com +fasttrack.microsoft.com +feedback360.microsoft.com +feedbackportal.microsoft.com +findtime.microsoft.com +forms.microsoft.com +fpc.microsoft.com +fpt.microsoft.com +fpt2.microsoft.com +get.microsoft.com +getconnected.microsoft.com +3palertingestion.globalsecureaccess.microsoft.com +go.microsoft.com +go2.microsoft.com +graph.microsoft.com +guidedtour.microsoft.com +hackbox.microsoft.com +holidays.microsoft.com +hrprofile.microsoft.com +occclientglobal.iconchannelserviceprod.microsoft.com +occclient.iconchannelservicesprod.microsoft.com +identitypass.microsoft.com +idweb.microsoft.com +idwebelements.microsoft.com +ie11fre.microsoft.com +ieonline.microsoft.com +ignite.microsoft.com +imaginecup.microsoft.com +info.microsoft.com +m.infomail.microsoft.com +t.infomail.microsoft.com +m2.infomails.microsoft.com +innovationstudio.microsoft.com +insightsexperience.microsoft.com +inststudio-proxy.microsoft.com +intune.microsoft.com +invitations.microsoft.com +iridias.microsoft.com +krs.microsoft.com +wopihost.l2o.microsoft.com +leap.microsoft.com 
+learn.microsoft.com +review.learn.microsoft.com +learn-attachment.microsoft.com +admin.int.learningcredentials.microsoft.com +learningdownloadcenter.microsoft.com +learningpath.microsoft.com +learningplayer.microsoft.com +learningroomdirectory.microsoft.com +leportal.microsoft.com +licensing.microsoft.com +partner.licensing.microsoft.com +licensingonlineservicesactivation.microsoft.com +lighthouse.microsoft.com +linux.microsoft.com +liquid.microsoft.com +lists.microsoft.com +livesend.microsoft.com +local.microsoft.com +login.microsoft.com +lookbook.microsoft.com +loop.microsoft.com +m365pulse.microsoft.com +emea.mail.microsoft.com +enrollment.manage.microsoft.com +portal.manage.microsoft.com +portal.manage-beta.microsoft.com +managerewards.microsoft.com +marketingassets.microsoft.com +math.microsoft.com +mathsolver.microsoft.com +mbs.microsoft.com +businesscenter.mbs.microsoft.com +mbs2.microsoft.com +hk2.consumerfulfillment.mcapi.microsoft.com +mcapshelp.microsoft.com +mcp.microsoft.com +mcr.microsoft.com +medius.microsoft.com +merge.microsoft.com +microsoftedge.microsoft.com +microsoftedgewelcome.microsoft.com +m136.microsoftstore.microsoft.com +military.microsoft.com +mint.microsoft.com +auth.prod.mlx.microsoft.com +dl.delivery.mp.microsoft.com +2.dl.delivery.mp.microsoft.com +3.dl.delivery.mp.microsoft.com +catalog.sf.dl.delivery.mp.microsoft.com +msedge.sf.dl.delivery.mp.microsoft.com +tlu.dl.delivery.mp.microsoft.com +13.tlu.dl.delivery.mp.microsoft.com +2.tlu.dl.delivery.mp.microsoft.com +3.tlu.dl.delivery.mp.microsoft.com +msedge.b.tlu.dl.delivery.mp.microsoft.com +msedgeextensions.f.tlu.dl.delivery.mp.microsoft.com +array608.prod.do.dsp.mp.microsoft.com +storeedgefd.dsx.mp.microsoft.com +paymentinstruments.mp.microsoft.com +msaitour.microsoft.com +register.msbizappslaunchevent.microsoft.com +msc.microsoft.com +msconnect.microsoft.com +v2.msconnect.microsoft.com +msdl.microsoft.com +msdn.microsoft.com +blogs.msdn.microsoft.com 
+visualstudiogallery.msdn.microsoft.com +msevents.microsoft.com +msft-oncall-tool.microsoft.com +msftguest.microsoft.com +msnapp.microsoft.com +msrc.microsoft.com +api.msrc.microsoft.com +portal.msrc.microsoft.com +msrecruit.microsoft.com +msrolelibrary.microsoft.com +msvacation.microsoft.com +msxinsights.microsoft.com +mvp.microsoft.com +myaccess.microsoft.com +myaccount.microsoft.com +myapplications.microsoft.com +myapps.microsoft.com +launcher.myapps.microsoft.com +mydefender.microsoft.com +myorder.microsoft.com +myprofile.microsoft.com +mysignins.microsoft.com +mystaff.microsoft.com +myworkaccount.microsoft.com +news.microsoft.com +nonprofit.microsoft.com +signup.nonprofit.microsoft.com +nuwa-infinity.microsoft.com +ocv.microsoft.com +office.microsoft.com +r.office.microsoft.com +support.office.microsoft.com +officecdn.microsoft.com +officecdnmac.microsoft.com +officeredir.microsoft.com +o15.officeredir.microsoft.com +oneask.microsoft.com +oneasset.microsoft.com +onedrivelti.microsoft.com +opensource.microsoft.com +docs.opensource.microsoft.com +operatorconnect.microsoft.com +outlook.microsoft.com +ov-df.microsoft.com +packages.microsoft.com +parking.microsoft.com +partner.microsoft.com +customerconsent.partner.microsoft.com +dmc.partner.microsoft.com +partners.microsoft.com +partneruniversity.microsoft.com +paymentcentral.microsoft.com +paymentcentralvnext.microsoft.com +pcmanager.microsoft.com +pctrax.microsoft.com +personnel.microsoft.com +pair.phonelink.microsoft.com +planetarycomputer.microsoft.com +planner.microsoft.com +plhvc.microsoft.com +taxprofile.pmp.microsoft.com +portal.microsoft.com +powerbi.microsoft.com +make.powerpages.microsoft.com +admin.powerplatform.microsoft.com +adminanalytics.powerplatform.microsoft.com +che.adminanalytics.powerplatform.microsoft.com +asia.prod.powerquery.microsoft.com +australia.prod.powerquery.microsoft.com +brazil.prod.powerquery.microsoft.com +europe.prod.powerquery.microsoft.com +india.prod.powerquery.microsoft.com 
+us.prod.powerquery.microsoft.com +us2.prod.powerquery.microsoft.com +powerup.microsoft.com +web.powerva.microsoft.com +copilotstudio.preview.microsoft.com +print.print.microsoft.com +privacy.microsoft.com +procureweb.microsoft.com +profitabilitybenchmark.microsoft.com +project.microsoft.com +myvs.download.prss.microsoft.com +software.download.prss.microsoft.com +software-static.download.prss.microsoft.com +vscode.download.prss.microsoft.com +windbg.download.prss.microsoft.com +next.pubcenter.microsoft.com +pulse.microsoft.com +purview.microsoft.com +quantum.microsoft.com +reactor.microsoft.com +redeem.microsoft.com +referencesource.microsoft.com +reflect.microsoft.com +releaseplans.microsoft.com +research.microsoft.com +cmt3.research.microsoft.com +researchforum.microsoft.com +rewards.microsoft.com +portal.rooms.microsoft.com +rs.microsoft.com +query.prod.cms.rt.microsoft.com +salesops.microsoft.com +schemas.microsoft.com +assets.sds.microsoft.com +sdx.microsoft.com +register.secure.microsoft.com +security.microsoft.com +mto.security.microsoft.com +sip.security.microsoft.com +api.securitycenter.microsoft.com +securitycopilot.microsoft.com +portal.gethelp.services.microsoft.com +partner.support.services.microsoft.com +prod.support.services.microsoft.com +eus.prod.support.services.microsoft.com +wus.prod.support.services.microsoft.com +remoteassistance.support.services.microsoft.com +survey.support.services.microsoft.com +vsa.services.microsoft.com +prod.client.wosc.services.microsoft.com +serviceshub.microsoft.com +support.serviceshub.microsoft.com +servicetrust.microsoft.com +al.mstic.signals.microsoft.com +signup.microsoft.com +cdn.signup.microsoft.com +apprep.smartscreen.microsoft.com +fb.smartscreen.microsoft.com +feedback.smartscreen.microsoft.com +software-download.microsoft.com +solutions.microsoft.com +speech.microsoft.com +centraluseuap.orchestration.speech.microsoft.com +sponsor.microsoft.com +stackoverflow.microsoft.com +startapp.microsoft.com 
+foundershub.startups.microsoft.com +msft.sts.microsoft.com +certauth.msft.sts.microsoft.com +supplier.microsoft.com +dev-portal.supplychain.microsoft.com +support.microsoft.com +filestore.community.support.microsoft.com +tar.microsoft.com +teams.microsoft.com +admin.teams.microsoft.com +ca-prod.asyncgw.teams.microsoft.com +eu-prod.asyncgw.teams.microsoft.com +fr-prod.asyncgw.teams.microsoft.com +in-prod.asyncgw.teams.microsoft.com +jp-prod.asyncgw.teams.microsoft.com +se-prod.asyncgw.teams.microsoft.com +cqd.teams.microsoft.com +dev.teams.microsoft.com +devicetest.teams.microsoft.com +dialin.teams.microsoft.com +events.teams.microsoft.com +msit.events.teams.microsoft.com +events.gcc.teams.microsoft.com +api.noam.hms-int.migrationservices.teams.microsoft.com +portal.sdg.teams.microsoft.com +visit.teams.microsoft.com +techcommunity.microsoft.com +cdn.techcommunity.microsoft.com +technet.microsoft.com +social.technet.microsoft.com +technet2.microsoft.com +testconnectivity.microsoft.com +titanweb.microsoft.com +totalrewards.microsoft.com +trainingsupport.microsoft.com +cdx.transform.microsoft.com +cloudpartners.transform.microsoft.com +dynamicspartners.transform.microsoft.com +readiness.transform.microsoft.com +securitypartners.transform.microsoft.com +translator.microsoft.com +trust.microsoft.com +nonprofits.tsi.microsoft.com +uatracker.microsoft.com +uhf.microsoft.com +ukstories.microsoft.com +unlocked.microsoft.com +update.microsoft.com +catalog.update.microsoft.com +www.catalog.update.microsoft.com +fe2.update.microsoft.com +ux.microsoft.com +verify.microsoft.com +vi.microsoft.com +videos.microsoft.com +visualstudio.microsoft.com +2download.visualstudio.microsoft.com +download.visualstudio.microsoft.com +visualsupport.microsoft.com +vivalearning-dev.microsoft.com +vlcentral.microsoft.com +waccess.microsoft.com +watsonportal.microsoft.com +demo.wd.microsoft.com +download-fds.webapps.microsoft.com +download-support.webapps.microsoft.com +webxtsvc.microsoft.com 
+app.whiteboard.microsoft.com +whoplus.microsoft.com +windows.microsoft.com +hs.windows.microsoft.com +rssgov.windows.microsoft.com +windows365.microsoft.com +cdn.winget.microsoft.com +winqual.microsoft.com +workshopsurvey.microsoft.com +client.wvd.microsoft.com +cf32a972-c05b-4b71-a4b8-2eeaf3a5d10a.rdbroker-g-us-r1.wvd.microsoft.com +rdweb.wvd.microsoft.com +wwcarchive.microsoft.com +wwps.microsoft.com +unistore.www.microsoft.com diff --git a/results.txt b/results.txt new file mode 100644 index 0000000..d51ef73 --- /dev/null +++ b/results.txt @@ -0,0 +1,7 @@ +AS207960 Test Intermediate - example.com +www.example.com +dev.example.com +m.example.com +products.example.com +support.example.com +m.testexample.com diff --git a/sublist3r.py b/sublist3r.py index 760e5ce..b6c0fbd 100755 --- a/sublist3r.py +++ b/sublist3r.py @@ -16,26 +16,25 @@ import threading import socket import json from collections import Counter +from urllib.parse import urlparse +from urllib.parse import unquote # external modules from subbrute import subbrute import dns.resolver import requests - -# Python 2.x and 3.x compatiablity -if sys.version > '3': - import urllib.parse as urlparse - import urllib.parse as urllib -else: - import urlparse - import urllib +import urllib3 +urllib3.disable_warnings() +# In case you cannot install some of the required development packages +# there's also an option to disable the SSL warning: # In case you cannot install some of the required development packages # there's also an option to disable the SSL warning: try: - import requests.packages.urllib3 - requests.packages.urllib3.disable_warnings() + import urllib3 + urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) except: + pass # Check if we are running this on windows platform 
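Review bot: `urllib3.disable_warnings()` at module level, added right after the new `import urllib3`, silences every urllib3 warning category for any program that imports this module, and it makes the scoped `urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)` inside the try block two lines later redundant; keep only the scoped call so that other urllib3 warnings still surface. The `except:` wrapping that try block is bare (the commit only adds `pass` under it), so a broken urllib3 install is swallowed like any other error; narrow it to `except ImportError: pass`. The comment pair `# In case you cannot install some of the required development packages` / `# there's also an option to disable the SSL warning:` now appears twice in a row and one copy should go, as should one of the two `import urllib3` statements.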
@@ -143,7 +142,7 @@ def subdomain_sorting_key(hostname): class enumratorBase(object): def __init__(self, base_url, engine_name, domain, subdomains=None, silent=False, verbose=True): subdomains = subdomains or [] - self.domain = urlparse.urlparse(domain).netloc + self.domain = urlparse(domain).netloc self.session = requests.Session() self.subdomains = [] self.timeout = 25 @@ -273,12 +272,22 @@ class enumratorBaseThreaded(multiprocessing.Process, enumratorBase): class GoogleEnum(enumratorBaseThreaded): def __init__(self, domain, subdomains=None, q=None, silent=False, verbose=True): subdomains = subdomains or [] - base_url = "https://google.com/search?q={query}&btnG=Search&hl=en-US&biw=&bih=&gbv=1&start={page_no}&filter=0" + base_url = "https://www.google.com/search?q={query}&num=100&start={page_no}&filter=0" self.engine_name = "Google" self.MAX_DOMAINS = 11 self.MAX_PAGES = 200 super(GoogleEnum, self).__init__(base_url, self.engine_name, domain, subdomains, q=q, silent=silent, verbose=verbose) self.q = q + # Enhanced headers to avoid blocking + self.headers.update({ + 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8', + 'Accept-Language': 'en-US,en;q=0.5', + 'Accept-Encoding': 'gzip, deflate', + 'DNT': '1', + 'Connection': 'keep-alive', + 'Upgrade-Insecure-Requests': '1' + }) return def extract_domains(self, resp): 
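Review bot: The browser User-Agent literal added in GoogleEnum.__init__ via `self.headers.update({...})` is repeated verbatim in DNSdumpster.req later in this diff; define it once as a module-level constant, e.g. `DEFAULT_USER_AGENT = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) ...'`, and reference it from both places so the two copies cannot drift. `self.headers` is not created in this hunk and is presumably set up by enumratorBase.__init__ before `super().__init__` returns, which is worth stating in a comment such as `# self.headers is populated by enumratorBase.__init__`. The `# Enhanced headers to avoid blocking` comment does not say which header mattered or when it was observed; a one-line note on that would save the next maintainer from re-testing each one.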
@@ -287,10 +296,11 @@ class GoogleEnum(enumratorBaseThreaded): try: links_list = link_regx.findall(resp) for link in links_list: - link = re.sub('', '', link) + link = re.sub('', '', link) + link = re.sub('', '', link) if not link.startswith('http'): link = "http://" + link - subdomain = urlparse.urlparse(link).netloc + subdomain = urlparse(link).netloc if subdomain and subdomain not in self.subdomains and subdomain != self.domain: if self.verbose: self.print_("%s%s: %s%s" % (R, self.engine_name, W, subdomain)) @@ -300,14 +310,19 @@ class GoogleEnum(enumratorBaseThreaded): return links_list def check_response_errors(self, resp): - if (type(resp) is str or type(resp) is unicode) and 'Our systems have detected unusual traffic' in resp: - self.print_(R + "[!] Error: Google probably now is blocking our requests" + W) - self.print_(R + "[~] Finished now the Google Enumeration ..." + W) - return False + if isinstance(resp, str): + if 'unusual traffic' in resp.lower() or 'detected unusual' in resp.lower(): + self.print_(R + "[!] Error: Google is blocking our requests (rate limited)" + W) + self.print_(R + "[~] Finished now the Google Enumeration ..." + W) + return False + if 'captcha' in resp.lower(): + self.print_(R + "[!] Error: Google CAPTCHA detected" + W) + self.print_(R + "[~] Finished now the Google Enumeration ..." + W) + return False return True def should_sleep(self): - time.sleep(5) + time.sleep(random.randint(5, 10)) # Increased delay to avoid blocking return def generate_query(self): @@ -319,7 +334,6 @@ class GoogleEnum(enumratorBaseThreaded): query = "site:{domain} -www.{domain}".format(domain=self.domain) return query - class YahooEnum(enumratorBaseThreaded): def __init__(self, domain, subdomains=None, q=None, silent=False, verbose=True): subdomains = subdomains or [] 
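Review bot: `check_response_errors` calls `resp.lower()` three times on the same page body; bind it once with `body = resp.lower()` and test against that. The new `'captcha' in resp.lower()` branch matches the word anywhere in the HTML, including inside an ordinary result snippet or script, so a legitimate page can end the whole Google enumeration early; a more specific marker, or at least a comment documenting the false-positive risk, would be safer. `should_sleep` now calls `random.randint(5, 10)`, but no `import random` appears in the import hunk earlier in this diff (which starts at file line 16), so this raises NameError at runtime unless `random` is imported above that point; please confirm. The `extract_domains` hunk at the top of this line starts inside the method body.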
@@ -343,7 +357,7 @@ class YahooEnum(enumratorBaseThreaded): link = re.sub("<(\/)?b>", "", link) if not link.startswith('http'): link = "http://" + link - subdomain = urlparse.urlparse(link).netloc + subdomain = urlparse(link).netloc if not subdomain.endswith(self.domain): continue if subdomain and subdomain not in self.subdomains and subdomain != self.domain: @@ -390,7 +404,7 @@ class AskEnum(enumratorBaseThreaded): for link in links_list: if not link.startswith('http'): link = "http://" + link - subdomain = urlparse.urlparse(link).netloc + subdomain = urlparse(link).netloc if subdomain not in self.subdomains and subdomain != self.domain: if self.verbose: self.print_("%s%s: %s%s" % (R, self.engine_name, W, subdomain)) @@ -439,7 +453,7 @@ class BingEnum(enumratorBaseThreaded): link = re.sub('<(\/)?strong>||<|>', '', link) if not link.startswith('http'): link = "http://" + link - subdomain = urlparse.urlparse(link).netloc + subdomain = urlparse(link).netloc if subdomain not in self.subdomains and subdomain != self.domain: if self.verbose: self.print_("%s%s: %s%s" % (R, self.engine_name, W, subdomain)) @@ -482,7 +496,7 @@ class BaiduEnum(enumratorBaseThreaded): link = re.sub('<.*?>|>|<| ', '', link) if not link.startswith('http'): link = "http://" + link - subdomain = urlparse.urlparse(link).netloc + subdomain = urlparse(link).netloc if subdomain.endswith(self.domain): subdomain_list.append(subdomain) if subdomain not in self.subdomains and subdomain != self.domain: @@ -544,7 +558,7 @@ class NetcraftEnum(enumratorBaseThreaded): def get_next(self, resp): link_regx = re.compile('Next Page') link = link_regx.findall(resp) - url = 'http://searchdns.netcraft.com' + link[0] + url = 'http://searchdns.netcraft.com' + link[0] if link else '' return url def create_cookies(self, cookie): 
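Review bot: In NetcraftEnum.get_next the new `url = 'http://searchdns.netcraft.com' + link[0] if link else ''` binds as `(prefix + link[0]) if link else ''`, which appears intended, but the precedence is easy to misread and the empty-string fallback is passed back to a caller outside this hunk; write it as `url = ('http://searchdns.netcraft.com' + link[0]) if link else ''` and confirm that the caller treats a falsy URL as "no next page" rather than requesting it.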
@@ -552,7 +566,7 @@ class NetcraftEnum(enumratorBaseThreaded): cookies_list = cookie[0:cookie.find(';')].split("=") cookies[cookies_list[0]] = cookies_list[1] # hashlib.sha1 requires utf-8 encoded str - cookies['netcraft_js_verification_response'] = hashlib.sha1(urllib.unquote(cookies_list[1]).encode('utf-8')).hexdigest() + cookies['netcraft_js_verification_response'] = hashlib.sha1(unquote(cookies_list[1]).encode('utf-8')).hexdigest() return cookies def get_cookies(self, headers): @@ -582,7 +596,7 @@ class NetcraftEnum(enumratorBaseThreaded): try: links_list = link_regx.findall(resp) for link in links_list: - subdomain = urlparse.urlparse(link).netloc + subdomain = urlparse(link).netloc if not subdomain.endswith(self.domain): continue if subdomain and subdomain not in self.subdomains and subdomain != self.domain: 
@@ -606,72 +620,137 @@ class DNSdumpster(enumratorBaseThreaded): return def check_host(self, host): - is_valid = False - Resolver = dns.resolver.Resolver() - Resolver.nameservers = ['8.8.8.8', '8.8.4.4'] - self.lock.acquire() - try: - ip = Resolver.query(host, 'A')[0].to_text() - if ip: - if self.verbose: - self.print_("%s%s: %s%s" % (R, self.engine_name, W, host)) - is_valid = True - self.live_subdomains.append(host) - except: - pass - self.lock.release() - return is_valid + if self.verbose: + self.print_("%s%s: %s%s" % (R, self.engine_name, W, host)) + self.live_subdomains.append(host) + return True def req(self, req_method, url, params=None): params = params or {} headers = dict(self.headers) - headers['Referer'] = 'https://dnsdumpster.com' + headers.update({ + 'Referer': 'https://dnsdumpster.com/', + 'Origin': 'https://dnsdumpster.com', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', + 'Content-Type': 'application/x-www-form-urlencoded', + 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36' + }) + try: if req_method == 'GET': - resp = self.session.get(url, headers=headers, timeout=self.timeout) + resp = self.session.get(url, headers=headers, timeout=self.timeout, verify=False) else: - resp = self.session.post(url, data=params, headers=headers, timeout=self.timeout) + # Add CSRF token to headers if available in cookies + if 'csrftoken' in self.session.cookies: + headers['X-CSRFToken'] = self.session.cookies['csrftoken'] + resp = self.session.post(url, data=params, headers=headers, timeout=self.timeout, verify=False) + + return resp if resp else None except Exception as e: - self.print_(e) - resp = None - return self.get_response(resp) + self.print_(R + "[!] 
DNSdumpster request error: " + str(e) + W) + return None def get_csrftoken(self, resp): - csrf_regex = re.compile('', re.S) - token = csrf_regex.findall(resp)[0] - return token.strip() + """Extract CSRF token from response - Updated for robustness""" + try: + if not resp or not hasattr(resp, 'text'): + return None + + # Look for the hidden input field named 'csrfmiddlewaretoken' + # (Note: Use a generic pattern to find the value of this input) + csrf_regex = re.compile(r"name=['\"]csrfmiddlewaretoken['\"]\s+value=['\"]([^'\"]+)['\"]") + match = csrf_regex.search(resp.text) + + if match: + token = match.group(1).strip() + if token and len(token) > 10: + return token + + # Fallback to check other known patterns + + return None + except Exception as e: + self.print_(R + "[!] Error parsing CSRF token: " + str(e) + W) + return None def enumerate(self): self.lock = threading.BoundedSemaphore(value=70) - resp = self.req('GET', self.base_url) - token = self.get_csrftoken(resp) - params = {'csrfmiddlewaretoken': token, 'targetip': self.domain} - post_resp = self.req('POST', self.base_url, params) - self.extract_domains(post_resp) - for subdomain in self.subdomains: - t = threading.Thread(target=self.check_host, args=(subdomain,)) - t.start() - t.join() - return self.live_subdomains + + try: + # 1. Initial GET request to get the session cookie and CSRF token + resp = self.req('GET', self.base_url) + + if not resp or not hasattr(resp, 'text'): + self.print_(R + "[!] DNSdumpster: Could not connect or get initial page." + W) + return [] + + # 2. Extract CSRF token (uses the updated get_csrftoken) + token = self.get_csrftoken(resp) + + if not token: + self.print_(R + "[!] DNSdumpster: Could not get CSRF token. Site layout may have changed again." + W) + return [] + + # 3. Prepare POST data with the required token and domain + params = { + 'csrfmiddlewaretoken': token, + 'targetip': self.domain, + } + + # 4. 
POST request + post_resp = self.req('POST', self.base_url, params) + + if not post_resp or not hasattr(post_resp, 'text'): + self.print_(R + "[!] DNSdumpster: No valid response after POST request." + W) + return [] + + # 5. Extract domains from response + self.extract_domains(post_resp.text) + + for subdomain in self.subdomains: + self.check_host(subdomain) + + return self.live_subdomains + + except Exception as e: + self.print_(R + "[!] DNSdumpster error in enumerate: " + str(e) + W) + return [] def extract_domains(self, resp): - tbl_regex = re.compile('<\/a>Host Records.*?(.*?)', re.S) - link_regex = re.compile('(.*?)
', re.S) - links = [] + """Extract subdomains from HTML response""" + links = set() + try: - results_tbl = tbl_regex.findall(resp)[0] - except IndexError: - results_tbl = '' - links_list = link_regex.findall(results_tbl) - links = list(set(links_list)) + # Pattern 1: Table rows with subdomains + table_pattern = r'([a-zA-Z0-9][-a-zA-Z0-9]*(?:\.[a-zA-Z0-9][-a-zA-Z0-9]*)*\.' + re.escape(self.domain) + r')' + matches = re.findall(table_pattern, resp, re.IGNORECASE) + links.update(matches) + + # Pattern 2: Any subdomain mention + subdomain_pattern = r'(?:^|[>\s])([a-zA-Z0-9][-a-zA-Z0-9]*(?:\.[a-zA-Z0-9][-a-zA-Z0-9]*)*\.' + re.escape(self.domain) + r')(?:[<\s]|$)' + matches = re.findall(subdomain_pattern, resp, re.IGNORECASE | re.MULTILINE) + links.update(matches) + + # Pattern 3: Host Records section + host_records_pattern = r'
.*?]*>(.*?)' + host_section = re.search(host_records_pattern, resp, re.DOTALL | re.IGNORECASE) + if host_section: + subdomain_in_table = r'>([a-zA-Z0-9][-a-zA-Z0-9]*(?:\.[a-zA-Z0-9][-a-zA-Z0-9]*)*\.' + re.escape(self.domain) + r')<' + matches = re.findall(subdomain_in_table, host_section.group(1), re.IGNORECASE) + links.update(matches) + + except Exception as e: + self.print_(R + "[!] Error extracting domains: " + str(e) + W) + + # Process found links for link in links: - subdomain = link.strip() - if not subdomain.endswith(self.domain): - continue - if subdomain and subdomain not in self.subdomains and subdomain != self.domain: - self.subdomains.append(subdomain.strip()) - return links - + subdomain = link.strip().lower() + # Validate subdomain + if subdomain.endswith(self.domain) and subdomain != self.domain: + if subdomain not in self.subdomains: + self.subdomains.append(subdomain) + + return list(links) class Virustotal(enumratorBaseThreaded): def __init__(self, domain, subdomains=None, q=None, silent=False, verbose=True): @@ -904,7 +983,7 @@ def main(domain, threads, savefile, ports, silent, verbose, enable_bruteforce, e if not domain.startswith('http://') or not domain.startswith('https://'): domain = 'http://' + domain - parsed_domain = urlparse.urlparse(domain) + parsed_domain = urlparse(domain) if not silent: print(B + "[-] Enumerating subdomains now for %s" % parsed_domain.netloc + W) @@ -926,13 +1005,12 @@ def main(domain, threads, savefile, ports, silent, verbose, enable_bruteforce, e } chosenEnums = [] - if engines is None: chosenEnums = [ - BaiduEnum, YahooEnum, GoogleEnum, BingEnum, AskEnum, - NetcraftEnum, DNSdumpster, Virustotal, ThreatCrowd, - CrtSearch, PassiveDNS - ] + BaiduEnum, YahooEnum, GoogleEnum, BingEnum, AskEnum, + NetcraftEnum, DNSdumpster, ThreatCrowd, + CrtSearch, PassiveDNS + ] else: engines = engines.split(',') for engine in engines: