RomanNum3ral
/
Sublist3r
mirror of https://github.com/aboul3la/Sublist3r.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge 12b0fe545a into 729d649ec5

This commit is contained in:
ivarniaj 2026-03-01 17:13:42 +00:00 committed by GitHub
parent 729d649ec5 12b0fe545a
commit 362db4eae9
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
14 changed files with 115232 additions and 130309 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
Dockerfile Normal file
View File

@ -0,0 +1,29 @@
FROM python:buster
LABEL version="0.0.1-dev" \
author="RoninNakomoto (https://github/com/RoninNakomoto)" \
docker_build="docker build -t sublister ." \
docker_run_basic="docker run --rm sublister -h"
RUN mkdir /Sublister2
COPY [".", "/Sublist3r2"]
ENV PATH=${PATH}:/Sublist3r2
RUN apt-get update && \
apt-get install -y build-essential libffi-dev libgit2-dev && \
pip install /Sublist3r2 && \
addgroup Sublist3r2 --force-badname && \
useradd -g Sublist3r2 -d /Sublist3r2 -s /bin/sh Sublist3r2 && \
chown -R Sublist3r2:Sublist3r2 /Sublist3r2 && \
export RANDOM_PASSWORD=$(tr -dc A-Za-z0-9 </dev/urandom | head -c44) && \
echo "root:$RANDOM_PASSWORD" | chpasswd && \
unset RANDOM_PASSWORD && \
passwd -l root
USER Sublist3r2
ENTRYPOINT ["sublist3r2"]
CMD ["-h"]

2
MANIFEST.in
View File

@ -1,2 +1,2 @@
include LICENSE README.md include LICENSE README.md
include subbrute/*.txt include sublist3r2/aiodnsbrute/*.txt

183
README.md
View File

@ -1,183 +1,98 @@
## About Sublist3r ## About Sublist3r2
Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS. Sublist3r2 is an improved and bug-free working version of Sublist3r, the original subdomains enumeration tool but with a much faster bruteforcing routine. It now uses aiodnsbrute instead of subbrute and is capable of bruteforcing 150k subdomains within 15 minutes (at default thread count of 7000).</br>
#### Package Description:
*Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. It helps penetration testers and bug hunters collect and gather subdomains for the domain they are targeting. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster and ReverseDNS. (from original author page)*
"
### Compatibility notes:
Sublist3r2 currently supports python3 on linux dists. Python3.6+ is the recommended version. </br>
Other operating systems (macos, windows) will be supported in later releases. </br>
[subbrute](https://github.com/TheRook/subbrute) was integrated with Sublist3r to increase the possibility of finding more subdomains using bruteforce with an improved wordlist. The credit goes to TheRook who is the author of subbrute.
## Screenshots ## Screenshots
![Sublist3r](http://www.secgeek.net/images/Sublist3r.png "Sublist3r in action") <a href="https://freeimage.host/i/ffJOH7"><img src="https://iili.io/ffJOH7.md.png" alt="ffJOH7.md.png" border="0"></a>
## Dependencies
Sublist3r2 depends on the `requests`, `dnspython` , `argparse` and `aiodnsbrute` python modules.
## Installation ## Installation
``` Install **Sublist3r** and its **dependencies**, inside a python3 **virtual env** as detailed in **installation steps below**, in order to avoid non-tool specific python related errors that normally result from broken dependencies when user installs several dependency-conflicting python tools under the system-wide python installation.</br>
git clone https://github.com/aboul3la/Sublist3r.git Any issues raised due to inappropriate user installation will be closed to allow focus on resolving real bugs and implementing new features </br>
```
## Recommended Python Version: The installation steps assume you will keep your python virtual envs in a folder called environments under your home directory directory:
Sublist3r currently supports **Python 2** and **Python 3**.
* The recommended version for Python 2 is **2.7.x**
* The recommended version for Python 3 is **3.4.x**
## Dependencies:
Sublist3r depends on the `requests`, `dnspython` and `argparse` python modules.
These dependencies can be installed using the requirements file:
- Installation on Windows:
``` ```
c:\python27\python.exe -m pip install -r requirements.txt 1- $ git clone https://github.com/RoninNakomoto/Sublist3r2.git // Download tool from github
``` 2- $ python3 -m venv ~/environments/sublist3r // create a python version 3 virtual environment for sublist3r
- Installation on Linux 3- $ source ~/environments/sublist3r/bin/activate // activate sublist3r python environment.
``` 4- $ python -m pip install --upgrade pip // update pip inside virtual env.
sudo pip install -r requirements.txt 5- $ cd ~/sublist3r/ // switch to your sublist3r download folder.
``` 6- $ pip install -r requirements.txt // install sublist3r module dependencies.
7- $ python sublist3r2.py -d domain.com // run sublist3r.py from within activated environment
Alternatively, each module can be installed independently as shown below. 8- $ deactivate // deactivate environment once done runnning the script.
note: do not use sudo. **Activate/deactivate virtual env. before/after each use**
#### Requests Module (http://docs.python-requests.org/en/latest/)
- Install for Windows:
```
c:\python27\python.exe -m pip install requests
```
- Install for Ubuntu/Debian:
```
sudo apt-get install python-requests
```
- Install for Centos/Redhat:
```
sudo yum install python-requests
```
- Install using pip on Linux:
```
sudo pip install requests
```
#### dnspython Module (http://www.dnspython.org/)
- Install for Windows:
```
c:\python27\python.exe -m pip install dnspython
```
- Install for Ubuntu/Debian:
```
sudo apt-get install python-dnspython
```
- Install using pip:
```
sudo pip install dnspython
```
#### argparse Module
- Install for Ubuntu/Debian:
```
sudo apt-get install python-argparse
```
- Install for Centos/Redhat:
```
sudo yum install python-argparse
```
- Install using pip:
```
sudo pip install argparse
```
**for coloring in windows install the following libraries**
```
c:\python27\python.exe -m pip install win_unicode_console colorama
``` ```
## Usage ## Usage
Short Form | Long Form | Description Short Form | Long Form | Description
------------- | ------------- |------------- ------------- | ------------- |-------------
-d | --domain | Domain name to enumerate subdomains of -d | --domain | Domain name to use for subdomain enumeration
-b | --bruteforce | Enable the subbrute bruteforce module -b | --bruteforce | Turn-on aiodnsbrute bruteforce mode
-p | --ports | Scan the found subdomains against specific tcp ports -p | --ports | Check/Filter subdomain results for open tcp ports (provide comma separated ports)
-v | --verbose | Enable the verbose mode and display results in realtime -v | --verbose | Enable verbose mode and display results in realtime
-t | --threads | Number of threads to use for subbrute bruteforce -t | --threads | Number of threads to use for aiodnsbrute bruteforce
-e | --engines | Specify a comma-separated list of search engines -e | --engines | Specify a comma-separated list of search engines
-o | --output | Save the results to text file -o | --output | Save results to text file
-h | --help | show the help message and exit -h | --help | show the help message and exit
### Examples ### Examples
* To list all the basic options and switches use -h switch: * To list all the basic options and switches use -h switch:
```python sublist3r.py -h``` ```./sublist3r2.py -h```
* To enumerate subdomains of specific domain: * To perform basic enumeration of specified domain:
``python sublist3r.py -d example.com`` ``./sublist3r2.py -d example.com``
* To enumerate subdomains of specific domain and show only subdomains which have open ports 80 and 443 : * To check and filter subdomains for results with open ports 80 and 443 :
``python sublist3r.py -d example.com -p 80,443`` ``./sublist3r2.py -d example.com -p 80,443``
* To enumerate subdomains of specific domain and show the results in realtime: * To enumerate subdomains of specific domain and show the results in realtime:
``python sublist3r.py -v -d example.com`` ``./sublist3r2.py -v -d example.com``
* To enumerate subdomains and enable the bruteforce module: * To enable bruteforce mode against specified domain:
``python sublist3r.py -b -d example.com`` ``./sublist3r2.py -b -d example.com``
* To enumerate subdomains and use specific engines such Google, Yahoo and Virustotal engines * To enumerate subdomains and use specific engines such as Google, Yahoo and Virustotal engines
``python sublist3r.py -e google,yahoo,virustotal -d example.com`` ``./sublist3r2.py -e google,yahoo,virustotal -d example.com``
## Using Sublist3r as a module in your python scripts
**Example**
```python
import sublist3r
subdomains = sublist3r.main(domain, no_threads, savefile, ports, silent, verbose, enable_bruteforce, engines)
```
The main function will return a set of unique subdomains found by Sublist3r
**Function Usage:**
* **domain**: The domain you want to enumerate subdomains of.
* **savefile**: save the output into text file.
* **ports**: specify a comma-sperated list of the tcp ports to scan.
* **silent**: set sublist3r to work in silent mode during the execution (helpful when you don't need a lot of noise).
* **verbose**: display the found subdomains in real time.
* **enable_bruteforce**: enable the bruteforce module.
* **engines**: (Optional) to choose specific engines.
Example to enumerate subdomains of Yahoo.com:
```python
import sublist3r
subdomains = sublist3r.main('yahoo.com', 40, 'yahoo_subdomains.txt', ports= None, silent=False, verbose= False, enable_bruteforce= False, engines=None)
```
## License ## License
Sublist3r is licensed under the GNU GPL license. take a look at the [LICENSE](https://github.com/aboul3la/Sublist3r/blob/master/LICENSE) for more information. Sublist3r is licensed under the GNU GPL license. take a look at the [LICENSE](https://github.com/RoninNakomoto/Sublist3r2/blob/master/LICENSE) for more information.
## Credits ## Credits
* [TheRook](https://github.com/TheRook) - The bruteforce module was based on his script **subbrute**. * [aboul3la](https://github.com/aboul3la/) - author of the original sublist3r tool. **sublist3r**.
* [Bitquark](https://github.com/bitquark) - The Subbrute's wordlist was based on his research **dnspop**. * [blark](https://github.com/blark/) - author of aiodns asynchronous bruteforce tool/module **aiodnsbrute**.
* [danielmiessler](https://github.com/danielmiessler/) - default bruteforce woordlist based on his SecLists release. **SecLists**
## Thanks
* Special Thanks to [Ibrahim Mosaad](https://twitter.com/ibrahim_mosaad) for his great contributions that helped in improving the tool.
## Version ## Version
**Current version is 1.0** **Current version is Sublist3r2 v1.0**

5
requirements.txt
View File

@ -1,3 +1,8 @@
argparse argparse
dnspython dnspython
requests requests
asyncio
uvloop
tqdm
aiodns
click

46
setup.py
View File

@ -1,15 +1,25 @@
#!/usr/bin/env python
import os
from setuptools import setup, find_packages from setuptools import setup, find_packages
def read(fname: str) -> str:
"""Open files relative to package."""
return open(os.path.join(os.path.dirname(__file__), fname)).read()
setup( setup(
name='Sublist3r', name='sublist3r2',
version='1.0', version='1.0.1',
python_requires='>=2.7', python_requires='>=3.6',
install_requires=['dnspython', 'requests', 'argparse; python_version==\'2.7\''],
packages=find_packages()+['.'],
include_package_data=True,
url='https://github.com/aboul3la/Sublist3r',
license='GPL-2.0',
description='Subdomains enumeration tool for penetration testers', description='Subdomains enumeration tool for penetration testers',
long_description=read('README.md'),
long_description_content_type='text/markdown',
keywords='subdomain dns detection',
url='https://github.com/RoninNakomoto/Sublist3r2',
license='GPL-2.0',
packages=find_packages(),
include_package_data=True,
classifiers=[ classifiers=[
'Development Status :: 5 - Production/Stable', 'Development Status :: 5 - Production/Stable',
'Environment :: Console', 'Environment :: Console',
@ -18,19 +28,23 @@ setup(
'Intended Audience :: Telecommunications Industry', 'Intended Audience :: Telecommunications Industry',
'License :: OSI Approved :: GNU General Public License v2', 'License :: OSI Approved :: GNU General Public License v2',
'Operating System :: POSIX :: Linux', 'Operating System :: POSIX :: Linux',
'Programming Language :: Python', 'Operating System :: MacOS',
'Programming Language :: Python :: 2',
'Programming Language :: Python :: 3', 'Programming Language :: Python :: 3',
'Programming Language :: Python :: 2.7',
'Programming Language :: Python :: 3.4',
'Programming Language :: Python :: 3.5',
'Programming Language :: Python :: 3.6',
'Topic :: Security', 'Topic :: Security',
], ],
keywords='subdomain dns detection', install_requires=[
'argparse',
'dnspython',
'requests',
'asyncio',
'uvloop',
'tqdm',
'aiodns',
'click',
],
entry_points={ entry_points={
'console_scripts': [ 'console_scripts': [
'sublist3r = sublist3r:interactive', 'sublist3r2 = sublist3r2:interactive',
], ],
}, },
) )

129408
subbrute/names.txt
View File

File diff suppressed because it is too large Load Diff

635
subbrute/subbrute.py
View File

@ -1,635 +0,0 @@
#!/usr/bin/env python
#
#SubBrute v1.2
#A (very) fast subdomain enumeration tool.
#
#Maintained by rook
#Contributors:
#JordanMilne, KxCode, rc0r, memoryprint, ppaulojr
#
import re
import optparse
import os
import signal
import sys
import uuid
import random
import ctypes
import dns.resolver
import dns.rdatatype
import json
#Python 2.x and 3.x compatiablity
#We need the Queue library for exception handling
try:
import queue as Queue
except:
import Queue
#The 'multiprocessing' library does not rely upon a Global Interpreter Lock (GIL)
import multiprocessing
#Microsoft compatiablity
if sys.platform.startswith('win'):
#Drop-in replacement, subbrute + multiprocessing throws exceptions on windows.
import threading
multiprocessing.Process = threading.Thread
class verify_nameservers(multiprocessing.Process):
def __init__(self, target, record_type, resolver_q, resolver_list, wildcards):
multiprocessing.Process.__init__(self, target = self.run)
self.daemon = True
signal_init()
self.time_to_die = False
self.resolver_q = resolver_q
self.wildcards = wildcards
#Do we need wildcards for other types of records?
#This needs testing!
self.record_type = "A"
if record_type == "AAAA":
self.record_type = record_type
self.resolver_list = resolver_list
resolver = dns.resolver.Resolver()
#The domain provided by the user.
self.target = target
#1 website in the world, modify the following line when this status changes.
#www.google.cn, I'm looking at you ;)
self.most_popular_website = "www.google.com"
#We shouldn't need the backup_resolver, but we we can use them if need be.
#We must have a resolver, and localhost can work in some environments.
self.backup_resolver = resolver.nameservers + ['127.0.0.1', '8.8.8.8', '8.8.4.4']
#Ideally a nameserver should respond in less than 1 sec.
resolver.timeout = 1
resolver.lifetime = 1
try:
#Lets test the letancy of our connection.
#Google's DNS server should be an ideal time test.
resolver.nameservers = ['8.8.8.8']
resolver.query(self.most_popular_website, self.record_type)
except:
#Our connection is slower than a junebug in molasses
resolver = dns.resolver.Resolver()
self.resolver = resolver
def end(self):
self.time_to_die = True
#This process cannot block forever, it needs to check if its time to die.
def add_nameserver(self, nameserver):
keep_trying = True
while not self.time_to_die and keep_trying:
try:
self.resolver_q.put(nameserver, timeout = 1)
trace("Added nameserver:", nameserver)
keep_trying = False
except Exception as e:
if type(e) == Queue.Full or str(type(e)) == "<class 'queue.Full'>":
keep_trying = True
def verify(self, nameserver_list):
added_resolver = False
for server in nameserver_list:
if self.time_to_die:
#We are done here.
break
server = server.strip()
if server:
self.resolver.nameservers = [server]
try:
#test_result = self.resolver.query(self.most_popular_website, "A")
#should throw an exception before this line.
if True:#test_result:
#Only add the nameserver to the queue if we can detect wildcards.
if(self.find_wildcards(self.target)):# and self.find_wildcards(".com")
#wildcards have been added to the set, it is now safe to be added to the queue.
#blocking queue, this process will halt on put() when the queue is full:
self.add_nameserver(server)
added_resolver = True
else:
trace("Rejected nameserver - wildcard:", server)
except Exception as e:
#Rejected server :(
trace("Rejected nameserver - unreliable:", server, type(e))
return added_resolver
def run(self):
#Every user will get a different set of resovlers, this helps redistribute traffic.
random.shuffle(self.resolver_list)
if not self.verify(self.resolver_list):
#This should never happen, inform the user.
sys.stderr.write('Warning: No nameservers found, trying fallback list.\n')
#Try and fix it for the user:
self.verify(self.backup_resolver)
#End of the resolvers list.
try:
self.resolver_q.put(False, timeout = 1)
except:
pass
#Only add the nameserver to the queue if we can detect wildcards.
#Returns False on error.
def find_wildcards(self, host):
#We want sovle the following three problems:
#1)The target might have a wildcard DNS record.
#2)The target maybe using geolocaiton-aware DNS.
#3)The DNS server we are testing may respond to non-exsistant 'A' records with advertizements.
#I have seen a CloudFlare Enterprise customer with the first two conditions.
try:
#This is case #3, these spam nameservers seem to be more trouble then they are worth.
wildtest = self.resolver.query(uuid.uuid4().hex + ".com", "A")
if len(wildtest):
trace("Spam DNS detected:", host)
return False
except:
pass
test_counter = 8
looking_for_wildcards = True
while looking_for_wildcards and test_counter >= 0 :
looking_for_wildcards = False
#Don't get lost, this nameserver could be playing tricks.
test_counter -= 1
try:
testdomain = "%s.%s" % (uuid.uuid4().hex, host)
wildtest = self.resolver.query(testdomain, self.record_type)
#This 'A' record may contain a list of wildcards.
if wildtest:
for w in wildtest:
w = str(w)
if w not in self.wildcards:
#wildcards were detected.
self.wildcards[w] = None
#We found atleast one wildcard, look for more.
looking_for_wildcards = True
except Exception as e:
if type(e) == dns.resolver.NXDOMAIN or type(e) == dns.name.EmptyLabel:
#not found
return True
else:
#This resolver maybe flakey, we don't want it for our tests.
trace("wildcard exception:", self.resolver.nameservers, type(e))
return False
#If we hit the end of our depth counter and,
#there are still wildcards, then reject this nameserver because it smells bad.
return (test_counter >= 0)
class lookup(multiprocessing.Process):
def __init__(self, in_q, out_q, resolver_q, domain, wildcards, spider_blacklist):
multiprocessing.Process.__init__(self, target = self.run)
signal_init()
self.required_nameservers = 16
self.in_q = in_q
self.out_q = out_q
self.resolver_q = resolver_q
self.domain = domain
self.wildcards = wildcards
self.spider_blacklist = spider_blacklist
self.resolver = dns.resolver.Resolver()
#Force pydns to use our nameservers
self.resolver.nameservers = []
def get_ns(self):
ret = []
try:
ret = [self.resolver_q.get_nowait()]
if ret == False:
#Queue is empty, inform the rest.
self.resolver_q.put(False)
ret = []
except:
pass
return ret
def get_ns_blocking(self):
ret = []
ret = [self.resolver_q.get()]
if ret == False:
trace("get_ns_blocking - Resolver list is empty.")
#Queue is empty, inform the rest.
self.resolver_q.put(False)
ret = []
return ret
def check(self, host, record_type = "A", retries = 0):
trace("Checking:", host)
cname_record = []
retries = 0
if len(self.resolver.nameservers) <= self.required_nameservers:
#This process needs more nameservers, lets see if we have one avaible
self.resolver.nameservers += self.get_ns()
#Ok we should be good to go.
while True:
try:
#Query the nameserver, this is not simple...
if not record_type or record_type == "A":
resp = self.resolver.query(host)
#Crawl the response
hosts = extract_hosts(str(resp.response), self.domain)
for h in hosts:
if h not in self.spider_blacklist:
self.spider_blacklist[h]=None
trace("Found host with spider:", h)
self.in_q.put((h, record_type, 0))
return resp
if record_type == "CNAME":
#A max 20 lookups
for x in range(20):
try:
resp = self.resolver.query(host, record_type)
except dns.resolver.NoAnswer:
resp = False
pass
if resp and resp[0]:
host = str(resp[0]).rstrip(".")
cname_record.append(host)
else:
return cname_record
else:
#All other records:
return self.resolver.query(host, record_type)
except Exception as e:
if type(e) == dns.resolver.NoNameservers:
#We should never be here.
#We must block, another process should try this host.
#do we need a limit?
self.in_q.put((host, record_type, 0))
self.resolver.nameservers += self.get_ns_blocking()
return False
elif type(e) == dns.resolver.NXDOMAIN:
#"Non-existent domain name."
return False
elif type(e) == dns.resolver.NoAnswer:
#"The response did not contain an answer."
if retries >= 1:
trace("NoAnswer retry")
return False
retries += 1
elif type(e) == dns.resolver.Timeout:
trace("lookup failure:", host, retries)
#Check if it is time to give up.
if retries >= 3:
if retries > 3:
#Sometimes 'internal use' subdomains will timeout for every request.
#As far as I'm concerned, the authorative name server has told us this domain exists,
#we just can't know the address value using this method.
return ['Mutiple Query Timeout - External address resolution was restricted']
else:
#Maybe another process can take a crack at it.
self.in_q.put((host, record_type, retries + 1))
return False
retries += 1
#retry...
elif type(e) == IndexError:
#Some old versions of dnspython throw this error,
#doesn't seem to affect the results, and it was fixed in later versions.
pass
elif type(e) == TypeError:
# We'll get here if the number procs > number of resolvers.
# This is an internal error do we need a limit?
self.in_q.put((host, record_type, 0))
return False
elif type(e) == dns.rdatatype.UnknownRdatatype:
error("DNS record type not supported:", record_type)
else:
trace("Problem processing host:", host)
#dnspython threw some strange exception...
raise e
def run(self):
#This process needs one resolver before it can start looking.
self.resolver.nameservers += self.get_ns_blocking()
while True:
found_addresses = []
work = self.in_q.get()
#Check if we have hit the end marker
while not work:
#Look for a re-queued lookup
try:
work = self.in_q.get(blocking = False)
#if we took the end marker of the queue we need to put it back
if work:
self.in_q.put(False)
except:#Queue.Empty
trace('End of work queue')
#There isn't an item behind the end marker
work = False
break
#Is this the end all work that needs to be done?
if not work:
#Perpetuate the end marker for all threads to see
self.in_q.put(False)
#Notify the parent that we have died of natural causes
self.out_q.put(False)
break
else:
if len(work) == 3:
#keep track of how many times this lookup has timedout.
(hostname, record_type, timeout_retries) = work
response = self.check(hostname, record_type, timeout_retries)
else:
(hostname, record_type) = work
response = self.check(hostname, record_type)
sys.stdout.flush()
trace(response)
#self.wildcards is populated by the verify_nameservers() thread.
#This variable doesn't need a muetex, because it has a queue.
#A queue ensure nameserver cannot be used before it's wildcard entries are found.
reject = False
if response:
for a in response:
a = str(a)
if a in self.wildcards:
trace("resovled wildcard:", hostname)
reject= True
#reject this domain.
break;
else:
found_addresses.append(a)
if not reject:
#This request is filled, send the results back
result = (hostname, record_type, found_addresses)
self.out_q.put(result)
#Extract relevant hosts
#The dot at the end of a domain signifies the root,
#and all TLDs are subs of the root.
host_match = re.compile(r"((?<=[\s])[a-zA-Z0-9_-]+\.(?:[a-zA-Z0-9_-]+\.?)+(?=[\s]))")
def extract_hosts(data, hostname):
#made a global to avoid re-compilation
global host_match
ret = []
hosts = re.findall(host_match, data)
for fh in hosts:
host = fh.rstrip(".")
#Is this host in scope?
if host.endswith(hostname):
ret.append(host)
return ret
#Return a list of unique sub domains, sorted by frequency.
#Only match domains that have 3 or more sections subdomain.domain.tld
domain_match = re.compile("([a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*)+")
def extract_subdomains(file_name):
#Avoid re-compilation
global domain_match
subs = {}
sub_file = open(file_name).read()
f_all = re.findall(domain_match, sub_file)
del sub_file
for i in f_all:
if i.find(".") >= 0:
p = i.split(".")[0:-1]
#gobble everything that might be a TLD
while p and len(p[-1]) <= 3:
p = p[0:-1]
#remove the domain name
p = p[0:-1]
#do we have a subdomain.domain left?
if len(p) >= 1:
trace(str(p), " : ", i)
for q in p:
if q :
#domain names can only be lower case.
q = q.lower()
if q in subs:
subs[q] += 1
else:
subs[q] = 1
#Free some memory before the sort...
del f_all
#Sort by freq in desc order
subs_sorted = sorted(subs.keys(), key = lambda x: subs[x], reverse = True)
return subs_sorted
def print_target(target, record_type = None, subdomains = "names.txt", resolve_list = "resolvers.txt", process_count = 16, output = False, json_output = False, found_subdomains=[],verbose=False):
subdomains_list = []
results_temp = []
run(target, record_type, subdomains, resolve_list, process_count)
for result in run(target, record_type, subdomains, resolve_list, process_count):
(hostname, record_type, response) = result
if not record_type:
result = hostname
else:
result = "%s,%s" % (hostname, ",".join(response).strip(","))
if result not in found_subdomains:
if verbose:
print(result)
subdomains_list.append(result)
return set(subdomains_list)
def run(target, record_type = None, subdomains = "names.txt", resolve_list = "resolvers.txt", process_count = 16):
subdomains = check_open(subdomains)
resolve_list = check_open(resolve_list)
if (len(resolve_list) / 16) < process_count:
sys.stderr.write('Warning: Fewer than 16 resovlers per thread, consider adding more nameservers to resolvers.txt.\n')
if os.name == 'nt':
wildcards = {}
spider_blacklist = {}
else:
wildcards = multiprocessing.Manager().dict()
spider_blacklist = multiprocessing.Manager().dict()
in_q = multiprocessing.Queue()
out_q = multiprocessing.Queue()
#have a buffer of at most two new nameservers that lookup processes can draw from.
resolve_q = multiprocessing.Queue(maxsize = 2)
#Make a source of fast nameservers avaiable for other processes.
verify_nameservers_proc = verify_nameservers(target, record_type, resolve_q, resolve_list, wildcards)
verify_nameservers_proc.start()
#The empty string
in_q.put((target, record_type))
spider_blacklist[target]=None
#A list of subdomains is the input
for s in subdomains:
s = str(s).strip()
if s:
if s.find(","):
#SubBrute should be forgiving, a comma will never be in a url
#but the user might try an use a CSV file as input.
s=s.split(",")[0]
if not s.endswith(target):
hostname = "%s.%s" % (s, target)
else:
#A user might feed an output list as a subdomain list.
hostname = s
if hostname not in spider_blacklist:
spider_blacklist[hostname]=None
work = (hostname, record_type)
in_q.put(work)
#Terminate the queue
in_q.put(False)
for i in range(process_count):
worker = lookup(in_q, out_q, resolve_q, target, wildcards, spider_blacklist)
worker.start()
threads_remaining = process_count
while True:
try:
#The output is valid hostnames
result = out_q.get(True, 10)
#we will get an empty exception before this runs.
if not result:
threads_remaining -= 1
else:
#run() is a generator, and yields results from the work queue
yield result
except Exception as e:
#The cx_freeze version uses queue.Empty instead of Queue.Empty :(
if type(e) == Queue.Empty or str(type(e)) == "<class 'queue.Empty'>":
pass
else:
raise(e)
#make sure everyone is complete
if threads_remaining <= 0:
break
trace("killing nameserver process")
#We no longer require name servers.
try:
killproc(pid = verify_nameservers_proc.pid)
except:
#Windows threading.tread
verify_nameservers_proc.end()
trace("End")
#exit handler for signals. So ctrl+c will work.
#The 'multiprocessing' library each process is it's own process which side-steps the GIL
#If the user wants to exit prematurely, each process must be killed.
def killproc(signum = 0, frame = 0, pid = False):
if not pid:
pid = os.getpid()
if sys.platform.startswith('win'):
try:
kernel32 = ctypes.windll.kernel32
handle = kernel32.OpenProcess(1, 0, pid)
kernel32.TerminateProcess(handle, 0)
except:
#Oah windows.
pass
else:
os.kill(pid, 9)
#Toggle debug output
verbose = False
def trace(*args, **kwargs):
if verbose:
for a in args:
sys.stderr.write(str(a))
sys.stderr.write(" ")
sys.stderr.write("\n")
def error(*args, **kwargs):
for a in args:
sys.stderr.write(str(a))
sys.stderr.write(" ")
sys.stderr.write("\n")
sys.exit(1)
def check_open(input_file):
ret = []
#If we can't find a resolver from an input file, then we need to improvise.
try:
ret = open(input_file).readlines()
except:
error("File not found:", input_file)
if not len(ret):
error("File is empty:", input_file)
return ret
#Every 'multiprocessing' process needs a signal handler.
#All processes need to die, we don't want to leave zombies.
def signal_init():
#Escliate signal to prevent zombies.
signal.signal(signal.SIGINT, killproc)
try:
signal.signal(signal.SIGTSTP, killproc)
signal.signal(signal.SIGQUIT, killproc)
except:
#Windows
pass
if __name__ == "__main__":
if getattr(sys, 'frozen', False):
# cx_freeze windows:
base_path = os.path.dirname(sys.executable)
multiprocessing.freeze_support()
else:
#everything else:
base_path = os.path.dirname(os.path.realpath(__file__))
parser = optparse.OptionParser("usage: %prog [options] target")
parser.add_option("-s", "--subs", dest = "subs", default = os.path.join(base_path, "names.txt"),
type = "string", help = "(optional) list of subdomains, default = 'names.txt'")
parser.add_option("-r", "--resolvers", dest = "resolvers", default = os.path.join(base_path, "resolvers.txt"),
type = "string", help = "(optional) A list of DNS resolvers, if this list is empty it will OS's internal resolver default = 'resolvers.txt'")
parser.add_option("-t", "--targets_file", dest = "targets", default = "",
type = "string", help = "(optional) A file containing a newline delimited list of domains to brute force.")
parser.add_option("-o", "--output", dest = "output", default = False, help = "(optional) Output to file (Greppable Format)")
parser.add_option("-j", "--json", dest="json", default = False, help="(optional) Output to file (JSON Format)")
parser.add_option("-a", "-A", action = 'store_true', dest = "ipv4", default = False,
help = "(optional) Print all IPv4 addresses for sub domains (default = off).")
parser.add_option("--type", dest = "type", default = False,
type = "string", help = "(optional) Print all reponses for an arbitrary DNS record type (CNAME, AAAA, TXT, SOA, MX...)")
parser.add_option("-c", "--process_count", dest = "process_count",
default = 16, type = "int",
help = "(optional) Number of lookup theads to run. default = 16")
parser.add_option("-f", "--filter_subs", dest = "filter", default = "",
type = "string", help = "(optional) A file containing unorganized domain names which will be filtered into a list of subdomains sorted by frequency. This was used to build names.txt.")
parser.add_option("-v", "--verbose", action = 'store_true', dest = "verbose", default = False,
help = "(optional) Print debug information.")
(options, args) = parser.parse_args()
verbose = options.verbose
if len(args) < 1 and options.filter == "" and options.targets == "":
parser.error("You must provie a target. Use -h for help.")
if options.filter != "":
#cleanup this file and print it out
for d in extract_subdomains(options.filter):
print(d)
sys.exit()
if options.targets != "":
targets = check_open(options.targets) #the domains
else:
targets = args #multiple arguments on the cli: ./subbrute.py google.com gmail.com yahoo.com if (len(resolver_list) / 16) < options.process_count:
output = False
if options.output:
try:
output = open(options.output, "w")
except:
error("Failed writing to file:", options.output)
json_output = False
if options.json:
try:
json_output = open(options.json, "w")
except:
error("Failed writing to file:", options.json)
record_type = False
if options.ipv4:
record_type="A"
if options.type:
record_type = str(options.type).upper()
threads = []
for target in targets:
target = target.strip()
if target:
#target => domain
#record_type =>
#options.subs => file the contain the subdomains list
#options.process_count => process count default = 16
#options.resolvers => the resolvers file
#options.output
#options.json
print(target, record_type, options.subs, options.resolvers, options.process_count, output, json_output)
print_target(target, record_type, options.subs, options.resolvers, options.process_count, output, json_output)

274
sublist3r.py → sublist3r2/__init__.py
View File

@ -1,42 +1,29 @@
#!/usr/bin/env python #!/usr/bin/env python
# coding: utf-8 # coding: utf-8
# Sublist3r v1.0 # Sublist3r2 v1.0
# By Ahmed Aboul-Ela - twitter.com/aboul3la
# modules in standard library # Builtin modules
import re
import sys
import os
import argparse import argparse
import time
import hashlib import hashlib
import random
import multiprocessing
import threading
import socket
import json import json
import multiprocessing
import os
import random
import re
import socket
import sys
import threading
import time
import urllib.parse as urlparse
from collections import Counter from collections import Counter
# external modules # External modules
from subbrute import subbrute
import dns.resolver import dns.resolver
import requests import requests
from sublist3r2.aiodnsbrute.cli import aioDNSBrute
# Python 2.x and 3.x compatiablity # Version info
if sys.version > '3': __version__ = '1.0.1'
import urllib.parse as urlparse
import urllib.parse as urllib
else:
import urlparse
import urllib
# In case you cannot install some of the required development packages
# there's also an option to disable the SSL warning:
try:
import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()
except:
pass
# Check if we are running this on windows platform # Check if we are running this on windows platform
is_windows = sys.platform.startswith('win') is_windows = sys.platform.startswith('win')
@ -50,15 +37,14 @@ if is_windows:
R = '\033[91m' # red R = '\033[91m' # red
W = '\033[0m' # white W = '\033[0m' # white
try: try:
import win_unicode_console , colorama import colorama
import win_unicode_console
win_unicode_console.enable() win_unicode_console.enable()
colorama.init() colorama.init()
#Now the unicode will work ^_^ # Now the unicode will work ^_^
except: except Exception:
print("[!] Error: Coloring libraries not installed, no coloring will be used [Check the readme]") print("[!] Error: Coloring libraries not installed, no coloring will be used [Check the readme]")
G = Y = B = R = W = G = Y = B = R = W = '' G = Y = B = R = W = ''
else: else:
G = '\033[92m' # green G = '\033[92m' # green
Y = '\033[93m' # yellow Y = '\033[93m' # yellow
@ -66,6 +52,7 @@ else:
R = '\033[91m' # red R = '\033[91m' # red
W = '\033[0m' # white W = '\033[0m' # white
def no_color(): def no_color():
global G, Y, B, R, W global G, Y, B, R, W
G = Y = B = R = W = '' G = Y = B = R = W = ''
@ -73,14 +60,13 @@ def no_color():
def banner(): def banner():
print("""%s print("""%s
____ _ _ _ _ _____ ____ _ _ _ _ _____ ______
/ ___| _ _| |__ | (_)___| |_|___ / _ __ / ___| _ _| |__ | (_)___| |_|___ / _ __\ __ | Sublist3r2 v%s
\___ \| | | | '_ \| | / __| __| |_ \| '__| \___ \| | | | '_ \| | / __| __| |_ \| '__| / / a subdomains enum tool originally by @aboul3la
___) | |_| | |_) | | \__ \ |_ ___) | | ___) | |_| | |_) | | \__ \ |_ ___) | | / /_ maintained by Ronin Nakomoto, crahan, its0x08
|____/ \__,_|_.__/|_|_|___/\__|____/|_|%s%s |____/ \__,_|_.__/|_|_|___/\__|____/|_| /____|%s https://github.com/RoninNakomoto/Sublist3r2
# Coded By Ahmed Aboul-Ela - @aboul3la """ % (R, __version__, Y)) # noqa
""" % (R, W, Y))
def parser_error(errmsg): def parser_error(errmsg):
@ -95,11 +81,11 @@ def parse_args():
parser = argparse.ArgumentParser(epilog='\tExample: \r\npython ' + sys.argv[0] + " -d google.com") parser = argparse.ArgumentParser(epilog='\tExample: \r\npython ' + sys.argv[0] + " -d google.com")
parser.error = parser_error parser.error = parser_error
parser._optionals.title = "OPTIONS" parser._optionals.title = "OPTIONS"
parser.add_argument('-d', '--domain', help="Domain name to enumerate it's subdomains", required=True) parser.add_argument('-d', '--domain', help="Domain name to use for subdomain enumeration", required=True)
parser.add_argument('-b', '--bruteforce', help='Enable the subbrute bruteforce module', nargs='?', default=False) parser.add_argument('-b', '--bruteforce', help='Turn-on aiodnsbrute bruteforce mode', nargs='?', default=False)
parser.add_argument('-p', '--ports', help='Scan the found subdomains against specified tcp ports') parser.add_argument('-p', '--ports', help='Check/Filter subdomain results for open ports (provide comma separated ports')
parser.add_argument('-v', '--verbose', help='Enable Verbosity and display results in realtime', nargs='?', default=False) parser.add_argument('-v', '--verbose', help='Enable verbose mode and display results in realtime', nargs='?', default=False)
parser.add_argument('-t', '--threads', help='Number of threads to use for subbrute bruteforce', type=int, default=30) parser.add_argument('-t', '--threads', help='Number of threads to use for aiodnsbrute bruteforce', type=int, default=7000)
parser.add_argument('-e', '--engines', help='Specify a comma-separated list of search engines') parser.add_argument('-e', '--engines', help='Specify a comma-separated list of search engines')
parser.add_argument('-o', '--output', help='Save the results to text file') parser.add_argument('-o', '--output', help='Save the results to text file')
parser.add_argument('-n', '--no-color', help='Output without color', default=False, action='store_true') parser.add_argument('-n', '--no-color', help='Output without color', default=False, action='store_true')
@ -259,7 +245,10 @@ class enumratorBase(object):
class enumratorBaseThreaded(multiprocessing.Process, enumratorBase): class enumratorBaseThreaded(multiprocessing.Process, enumratorBase):
def __init__(self, base_url, engine_name, domain, subdomains=None, q=None, silent=False, verbose=True): def __init__(self, base_url, engine_name, domain, subdomains=None, q=None, silent=False, verbose=True):
subdomains = subdomains or [] subdomains = subdomains or []
enumratorBase.__init__(self, base_url, engine_name, domain, subdomains, silent=silent, verbose=verbose) enumratorBase.__init__(
self, base_url, engine_name, domain, subdomains,
silent=silent, verbose=verbose
)
multiprocessing.Process.__init__(self) multiprocessing.Process.__init__(self)
self.q = q self.q = q
return return
@ -277,13 +266,16 @@ class GoogleEnum(enumratorBaseThreaded):
self.engine_name = "Google" self.engine_name = "Google"
self.MAX_DOMAINS = 11 self.MAX_DOMAINS = 11
self.MAX_PAGES = 200 self.MAX_PAGES = 200
super(GoogleEnum, self).__init__(base_url, self.engine_name, domain, subdomains, q=q, silent=silent, verbose=verbose) super(GoogleEnum, self).__init__(
base_url, self.engine_name, domain, subdomains,
q=q, silent=silent, verbose=verbose
)
self.q = q self.q = q
return return
def extract_domains(self, resp): def extract_domains(self, resp):
links_list = list() links_list = list()
link_regx = re.compile('<cite.*?>(.*?)<\/cite>') link_regx = re.compile(r'<cite.*?>(.*?)<\/cite>')
try: try:
links_list = link_regx.findall(resp) links_list = link_regx.findall(resp)
for link in links_list: for link in links_list:
@ -300,7 +292,7 @@ class GoogleEnum(enumratorBaseThreaded):
return links_list return links_list
def check_response_errors(self, resp): def check_response_errors(self, resp):
if (type(resp) is str or type(resp) is unicode) and 'Our systems have detected unusual traffic' in resp: if (type(resp) is str) and 'Our systems have detected unusual traffic' in resp:
self.print_(R + "[!] Error: Google probably now is blocking our requests" + W) self.print_(R + "[!] Error: Google probably now is blocking our requests" + W)
self.print_(R + "[~] Finished now the Google Enumeration ..." + W) self.print_(R + "[~] Finished now the Google Enumeration ..." + W)
return False return False
@ -327,20 +319,23 @@ class YahooEnum(enumratorBaseThreaded):
self.engine_name = "Yahoo" self.engine_name = "Yahoo"
self.MAX_DOMAINS = 10 self.MAX_DOMAINS = 10
self.MAX_PAGES = 0 self.MAX_PAGES = 0
super(YahooEnum, self).__init__(base_url, self.engine_name, domain, subdomains, q=q, silent=silent, verbose=verbose) super(YahooEnum, self).__init__(
base_url, self.engine_name, domain, subdomains,
q=q, silent=silent, verbose=verbose
)
self.q = q self.q = q
return return
def extract_domains(self, resp): def extract_domains(self, resp):
link_regx2 = re.compile('<span class=" fz-.*? fw-m fc-12th wr-bw.*?">(.*?)</span>') link_regx2 = re.compile(r'<span class=" fz-.*? fw-m fc-12th wr-bw.*?">(.*?)</span>')
link_regx = re.compile('<span class="txt"><span class=" cite fw-xl fz-15px">(.*?)</span>') link_regx = re.compile(r'<span class="txt"><span class=" cite fw-xl fz-15px">(.*?)</span>')
links_list = [] links_list = []
try: try:
links = link_regx.findall(resp) links = link_regx.findall(resp)
links2 = link_regx2.findall(resp) links2 = link_regx2.findall(resp)
links_list = links + links2 links_list = links + links2
for link in links_list: for link in links_list:
link = re.sub("<(\/)?b>", "", link) link = re.sub(r'<(\/)?b>', '', link)
if not link.startswith('http'): if not link.startswith('http'):
link = "http://" + link link = "http://" + link
subdomain = urlparse.urlparse(link).netloc subdomain = urlparse.urlparse(link).netloc
@ -378,13 +373,16 @@ class AskEnum(enumratorBaseThreaded):
self.engine_name = "Ask" self.engine_name = "Ask"
self.MAX_DOMAINS = 11 self.MAX_DOMAINS = 11
self.MAX_PAGES = 0 self.MAX_PAGES = 0
enumratorBaseThreaded.__init__(self, base_url, self.engine_name, domain, subdomains, q=q, silent=silent, verbose=verbose) enumratorBaseThreaded.__init__(
self, base_url, self.engine_name, domain, subdomains,
q=q, silent=silent, verbose=verbose
)
self.q = q self.q = q
return return
def extract_domains(self, resp): def extract_domains(self, resp):
links_list = list() links_list = list()
link_regx = re.compile('<p class="web-result-url">(.*?)</p>') link_regx = re.compile(r'<p class="web-result-url">(.*?)</p>')
try: try:
links_list = link_regx.findall(resp) links_list = link_regx.findall(resp)
for link in links_list: for link in links_list:
@ -421,22 +419,25 @@ class BingEnum(enumratorBaseThreaded):
self.engine_name = "Bing" self.engine_name = "Bing"
self.MAX_DOMAINS = 30 self.MAX_DOMAINS = 30
self.MAX_PAGES = 0 self.MAX_PAGES = 0
enumratorBaseThreaded.__init__(self, base_url, self.engine_name, domain, subdomains, q=q, silent=silent) enumratorBaseThreaded.__init__(
self, base_url, self.engine_name, domain, subdomains,
q=q, silent=silent
)
self.q = q self.q = q
self.verbose = verbose self.verbose = verbose
return return
def extract_domains(self, resp): def extract_domains(self, resp):
links_list = list() links_list = list()
link_regx = re.compile('<li class="b_algo"><h2><a href="(.*?)"') link_regx = re.compile(r'<li class="b_algo"><h2><a href="(.*?)"')
link_regx2 = re.compile('<div class="b_title"><h2><a href="(.*?)"') link_regx2 = re.compile(r'<div class="b_title"><h2><a href="(.*?)"')
try: try:
links = link_regx.findall(resp) links = link_regx.findall(resp)
links2 = link_regx2.findall(resp) links2 = link_regx2.findall(resp)
links_list = links + links2 links_list = links + links2
for link in links_list: for link in links_list:
link = re.sub('<(\/)?strong>|<span.*?>|<|>', '', link) link = re.sub(r'<(\/)?strong>|<span.*?>|<|>', '', link)
if not link.startswith('http'): if not link.startswith('http'):
link = "http://" + link link = "http://" + link
subdomain = urlparse.urlparse(link).netloc subdomain = urlparse.urlparse(link).netloc
@ -466,7 +467,10 @@ class BaiduEnum(enumratorBaseThreaded):
self.engine_name = "Baidu" self.engine_name = "Baidu"
self.MAX_DOMAINS = 2 self.MAX_DOMAINS = 2
self.MAX_PAGES = 760 self.MAX_PAGES = 760
enumratorBaseThreaded.__init__(self, base_url, self.engine_name, domain, subdomains, q=q, silent=silent, verbose=verbose) enumratorBaseThreaded.__init__(
self, base_url, self.engine_name, domain, subdomains,
q=q, silent=silent, verbose=verbose
)
self.querydomain = self.domain self.querydomain = self.domain
self.q = q self.q = q
return return
@ -475,11 +479,11 @@ class BaiduEnum(enumratorBaseThreaded):
links = list() links = list()
found_newdomain = False found_newdomain = False
subdomain_list = [] subdomain_list = []
link_regx = re.compile('<a.*?class="c-showurl".*?>(.*?)</a>') link_regx = re.compile(r'<a.*?class="c-showurl".*?>(.*?)</a>')
try: try:
links = link_regx.findall(resp) links = link_regx.findall(resp)
for link in links: for link in links:
link = re.sub('<.*?>|>|<|&nbsp;', '', link) link = re.sub(r'<.*?>|>|<|&nbsp;', '', link)
if not link.startswith('http'): if not link.startswith('http'):
link = "http://" + link link = "http://" + link
subdomain = urlparse.urlparse(link).netloc subdomain = urlparse.urlparse(link).netloc
@ -524,7 +528,10 @@ class NetcraftEnum(enumratorBaseThreaded):
subdomains = subdomains or [] subdomains = subdomains or []
self.base_url = 'https://searchdns.netcraft.com/?restriction=site+ends+with&host={domain}' self.base_url = 'https://searchdns.netcraft.com/?restriction=site+ends+with&host={domain}'
self.engine_name = "Netcraft" self.engine_name = "Netcraft"
super(NetcraftEnum, self).__init__(self.base_url, self.engine_name, domain, subdomains, q=q, silent=silent, verbose=verbose) super(NetcraftEnum, self).__init__(
self.base_url, self.engine_name, domain, subdomains,
q=q, silent=silent, verbose=verbose
)
self.q = q self.q = q
return return
@ -542,7 +549,7 @@ class NetcraftEnum(enumratorBaseThreaded):
return return
def get_next(self, resp): def get_next(self, resp):
link_regx = re.compile('<a.*?href="(.*?)">Next Page') link_regx = re.compile(r'<a.*?href="(.*?)">Next Page')
link = link_regx.findall(resp) link = link_regx.findall(resp)
url = 'http://searchdns.netcraft.com' + link[0] url = 'http://searchdns.netcraft.com' + link[0]
return url return url
@ -552,7 +559,9 @@ class NetcraftEnum(enumratorBaseThreaded):
cookies_list = cookie[0:cookie.find(';')].split("=") cookies_list = cookie[0:cookie.find(';')].split("=")
cookies[cookies_list[0]] = cookies_list[1] cookies[cookies_list[0]] = cookies_list[1]
# hashlib.sha1 requires utf-8 encoded str # hashlib.sha1 requires utf-8 encoded str
cookies['netcraft_js_verification_response'] = hashlib.sha1(urllib.unquote(cookies_list[1]).encode('utf-8')).hexdigest() cookies['netcraft_js_verification_response'] = hashlib.sha1(
urlparse.unquote(cookies_list[1]).encode('utf-8')
).hexdigest()
return cookies return cookies
def get_cookies(self, headers): def get_cookies(self, headers):
@ -578,7 +587,7 @@ class NetcraftEnum(enumratorBaseThreaded):
def extract_domains(self, resp): def extract_domains(self, resp):
links_list = list() links_list = list()
link_regx = re.compile('<a class="results-table__host" href="(.*?)"') link_regx = re.compile(r'<a class="results-table__host" href="(.*?)"')
try: try:
links_list = link_regx.findall(resp) links_list = link_regx.findall(resp)
for link in links_list: for link in links_list:
@ -602,7 +611,10 @@ class DNSdumpster(enumratorBaseThreaded):
self.engine_name = "DNSdumpster" self.engine_name = "DNSdumpster"
self.q = q self.q = q
self.lock = None self.lock = None
super(DNSdumpster, self).__init__(base_url, self.engine_name, domain, subdomains, q=q, silent=silent, verbose=verbose) super(DNSdumpster, self).__init__(
base_url, self.engine_name, domain, subdomains,
q=q, silent=silent, verbose=verbose
)
return return
def check_host(self, host): def check_host(self, host):
@ -611,13 +623,13 @@ class DNSdumpster(enumratorBaseThreaded):
Resolver.nameservers = ['8.8.8.8', '8.8.4.4'] Resolver.nameservers = ['8.8.8.8', '8.8.4.4']
self.lock.acquire() self.lock.acquire()
try: try:
ip = Resolver.query(host, 'A')[0].to_text() ip = Resolver.resolve(host, 'A')[0].to_text()
if ip: if ip:
if self.verbose: if self.verbose:
self.print_("%s%s: %s%s" % (R, self.engine_name, W, host)) self.print_("%s%s: %s%s" % (R, self.engine_name, W, host))
is_valid = True is_valid = True
self.live_subdomains.append(host) self.live_subdomains.append(host)
except: except Exception:
pass pass
self.lock.release() self.lock.release()
return is_valid return is_valid
@ -637,7 +649,7 @@ class DNSdumpster(enumratorBaseThreaded):
return self.get_response(resp) return self.get_response(resp)
def get_csrftoken(self, resp): def get_csrftoken(self, resp):
csrf_regex = re.compile('<input type="hidden" name="csrfmiddlewaretoken" value="(.*?)">', re.S) csrf_regex = re.compile(r'<input type="hidden" name="csrfmiddlewaretoken" value="(.*?)">', re.S)
token = csrf_regex.findall(resp)[0] token = csrf_regex.findall(resp)[0]
return token.strip() return token.strip()
@ -655,8 +667,8 @@ class DNSdumpster(enumratorBaseThreaded):
return self.live_subdomains return self.live_subdomains
def extract_domains(self, resp): def extract_domains(self, resp):
tbl_regex = re.compile('<a name="hostanchor"><\/a>Host Records.*?<table.*?>(.*?)</table>', re.S) tbl_regex = re.compile(r'<a name="hostanchor"><\/a>Host Records.*?<table.*?>(.*?)</table>', re.S)
link_regex = re.compile('<td class="col-md-4">(.*?)<br>', re.S) link_regex = re.compile(r'<td class="col-md-4">(.*?)<br>', re.S)
links = [] links = []
try: try:
results_tbl = tbl_regex.findall(resp)[0] results_tbl = tbl_regex.findall(resp)[0]
@ -676,36 +688,52 @@ class DNSdumpster(enumratorBaseThreaded):
class Virustotal(enumratorBaseThreaded): class Virustotal(enumratorBaseThreaded):
def __init__(self, domain, subdomains=None, q=None, silent=False, verbose=True): def __init__(self, domain, subdomains=None, q=None, silent=False, verbose=True):
subdomains = subdomains or [] subdomains = subdomains or []
base_url = 'https://www.virustotal.com/ui/domains/{domain}/subdomains' base_url = 'https://www.virustotal.com/api/v3/domains/{domain}/subdomains'
self.engine_name = "Virustotal" self.engine_name = "Virustotal"
self.apikey = os.getenv("VT_APIKEY")
if self.apikey is None:
vt_apikey = input(B + "[+] Enter VirusTotal API key, press Enter for none: " + W).strip()
if vt_apikey != "":
self.apikey = vt_apikey
self.q = q self.q = q
super(Virustotal, self).__init__(base_url, self.engine_name, domain, subdomains, q=q, silent=silent, verbose=verbose) super(Virustotal, self).__init__(
base_url, self.engine_name, domain, subdomains,
q=q, silent=silent, verbose=verbose
)
self.url = self.base_url.format(domain=self.domain) self.url = self.base_url.format(domain=self.domain)
return return
# the main send_req need to be rewritten # the main send_req need to be rewritten
def send_req(self, url): def send_req(self, url):
try: try:
self.headers.update({'X-ApiKey': self.apikey})
resp = self.session.get(url, headers=self.headers, timeout=self.timeout) resp = self.session.get(url, headers=self.headers, timeout=self.timeout)
except Exception as e: except Exception as e:
self.print_(e) self.print_(e)
resp = None resp = None
return self.get_response(resp) return self.get_response(resp)
# once the send_req is rewritten we don't need to call this function, the stock one should be ok # once the send_req is rewritten we don't need to call this function, the stock one should be ok
def enumerate(self): def enumerate(self):
while self.url != '': if self.apikey:
resp = self.send_req(self.url) while self.url != '':
resp = json.loads(resp) resp = self.send_req(self.url)
if 'error' in resp: resp = json.loads(resp)
self.print_(R + "[!] Error: Virustotal probably now is blocking our requests" + W) if 'error' in resp:
break self.print_(R + "Error Code: {}".format(resp['error']["code"]) + W)
if 'links' in resp and 'next' in resp['links']: self.print_(R + "Virus Total Server Message: {}".format(resp['error']["message"]) + W)
self.url = resp['links']['next'] break
else: if 'links' in resp and 'next' in resp['links']:
self.url = '' self.url = resp['links']['next']
self.extract_domains(resp) else:
self.url = ''
self.extract_domains(resp)
else:
self.print_(R + "[!] Error: VirusTotal API key environment variable not found. Skipping" + W)
self.print_(R + "[!] set VT_APIKEY to your virus total API key using: `export VT_APIKEY=Your_VT_API_KEY_VALUE`" + W)
self.print_(B + "[!] To get a VT APIKEY, register at https://www.virustotal.com/gui/join-us" + W)
return self.subdomains return self.subdomains
def extract_domains(self, resp): def extract_domains(self, resp):
@ -730,7 +758,10 @@ class ThreatCrowd(enumratorBaseThreaded):
base_url = 'https://www.threatcrowd.org/searchApi/v2/domain/report/?domain={domain}' base_url = 'https://www.threatcrowd.org/searchApi/v2/domain/report/?domain={domain}'
self.engine_name = "ThreatCrowd" self.engine_name = "ThreatCrowd"
self.q = q self.q = q
super(ThreatCrowd, self).__init__(base_url, self.engine_name, domain, subdomains, q=q, silent=silent, verbose=verbose) super(ThreatCrowd, self).__init__(
base_url, self.engine_name, domain, subdomains,
q=q, silent=silent, verbose=verbose
)
return return
def req(self, url): def req(self, url):
@ -768,7 +799,10 @@ class CrtSearch(enumratorBaseThreaded):
base_url = 'https://crt.sh/?q=%25.{domain}' base_url = 'https://crt.sh/?q=%25.{domain}'
self.engine_name = "SSL Certificates" self.engine_name = "SSL Certificates"
self.q = q self.q = q
super(CrtSearch, self).__init__(base_url, self.engine_name, domain, subdomains, q=q, silent=silent, verbose=verbose) super(CrtSearch, self).__init__(
base_url, self.engine_name, domain, subdomains,
q=q, silent=silent, verbose=verbose
)
return return
def req(self, url): def req(self, url):
@ -787,7 +821,7 @@ class CrtSearch(enumratorBaseThreaded):
return self.subdomains return self.subdomains
def extract_domains(self, resp): def extract_domains(self, resp):
link_regx = re.compile('<TD>(.*?)</TD>') link_regx = re.compile(r'<TD>(.*?)</TD>')
try: try:
links = link_regx.findall(resp) links = link_regx.findall(resp)
for link in links: for link in links:
@ -803,7 +837,7 @@ class CrtSearch(enumratorBaseThreaded):
continue continue
if '@' in subdomain: if '@' in subdomain:
subdomain = subdomain[subdomain.find('@')+1:] subdomain = subdomain[subdomain.find('@') + 1:]
if subdomain not in self.subdomains and subdomain != self.domain: if subdomain not in self.subdomains and subdomain != self.domain:
if self.verbose: if self.verbose:
@ -813,13 +847,17 @@ class CrtSearch(enumratorBaseThreaded):
print(e) print(e)
pass pass
class PassiveDNS(enumratorBaseThreaded): class PassiveDNS(enumratorBaseThreaded):
def __init__(self, domain, subdomains=None, q=None, silent=False, verbose=True): def __init__(self, domain, subdomains=None, q=None, silent=False, verbose=True):
subdomains = subdomains or [] subdomains = subdomains or []
base_url = 'https://api.sublist3r.com/search.php?domain={domain}' base_url = 'https://api.sublist3r.com/search.php?domain={domain}'
self.engine_name = "PassiveDNS" self.engine_name = "PassiveDNS"
self.q = q self.q = q
super(PassiveDNS, self).__init__(base_url, self.engine_name, domain, subdomains, q=q, silent=silent, verbose=verbose) super(PassiveDNS, self).__init__(
base_url, self.engine_name, domain, subdomains,
q=q, silent=silent, verbose=verbose
)
return return
def req(self, url): def req(self, url):
@ -895,7 +933,7 @@ def main(domain, threads, savefile, ports, silent, verbose, enable_bruteforce, e
enable_bruteforce = True enable_bruteforce = True
# Validate domain # Validate domain
domain_check = re.compile("^(http|https)?[a-zA-Z0-9]+([\-\.]{1}[a-zA-Z0-9]+)*\.[a-zA-Z]{2,}$") domain_check = re.compile(r'^(http|https)?[a-zA-Z0-9]+([\-\.]{1}[a-zA-Z0-9]+)*\.[a-zA-Z]{2,}$')
if not domain_check.match(domain): if not domain_check.match(domain):
if not silent: if not silent:
print(R + "Error: Please enter a valid domain" + W) print(R + "Error: Please enter a valid domain" + W)
@ -912,18 +950,19 @@ def main(domain, threads, savefile, ports, silent, verbose, enable_bruteforce, e
if verbose and not silent: if verbose and not silent:
print(Y + "[-] verbosity is enabled, will show the subdomains results in realtime" + W) print(Y + "[-] verbosity is enabled, will show the subdomains results in realtime" + W)
supported_engines = {'baidu': BaiduEnum, supported_engines = {
'yahoo': YahooEnum, 'baidu': BaiduEnum,
'google': GoogleEnum, 'yahoo': YahooEnum,
'bing': BingEnum, 'google': GoogleEnum,
'ask': AskEnum, 'bing': BingEnum,
'netcraft': NetcraftEnum, 'ask': AskEnum,
'dnsdumpster': DNSdumpster, 'netcraft': NetcraftEnum,
'virustotal': Virustotal, 'dnsdumpster': DNSdumpster,
'threatcrowd': ThreatCrowd, 'virustotal': Virustotal,
'ssl': CrtSearch, 'threatcrowd': ThreatCrowd,
'passivedns': PassiveDNS 'ssl': CrtSearch,
} 'passivedns': PassiveDNS
}
chosenEnums = [] chosenEnums = []
@ -952,16 +991,17 @@ def main(domain, threads, savefile, ports, silent, verbose, enable_bruteforce, e
if enable_bruteforce: if enable_bruteforce:
if not silent: if not silent:
print(G + "[-] Starting bruteforce module now using subbrute.." + W) print(G + "[-] Starting bruteforce module now using aiodnsbrute.." + W)
record_type = False
path_to_file = os.path.dirname(os.path.realpath(__file__)) path_to_file = os.path.dirname(os.path.realpath(__file__))
subs = os.path.join(path_to_file, 'subbrute', 'names.txt') subs = os.path.join(path_to_file, 'aiodnsbrute', 'subdomains-top1million-110000.txt')
resolvers = os.path.join(path_to_file, 'subbrute', 'resolvers.txt') resolvers = os.path.join(path_to_file, 'aiodnsbrute', 'resolvers.txt')
process_count = threads wildcard = True
output = False verify = True
json_output = False query = True
bruteforce_list = subbrute.print_target(parsed_domain.netloc, record_type, subs, resolvers, process_count, output, json_output, search_list, verbose) thread_count = threads
bruteforce_list = aioDNSBrute.bruteforce_domain(
parsed_domain.netloc, resolvers, subs, wildcard, verify, thread_count, query
)
subdomains = search_list.union(bruteforce_list) subdomains = search_list.union(bruteforce_list)
if subdomains: if subdomains:
@ -1000,7 +1040,11 @@ def interactive():
if args.no_color: if args.no_color:
no_color() no_color()
banner() banner()
res = main(domain, threads, savefile, ports, silent=False, verbose=verbose, enable_bruteforce=enable_bruteforce, engines=engines) main(
domain, threads, savefile, ports,
silent=False, verbose=verbose, enable_bruteforce=enable_bruteforce, engines=engines
)
if __name__ == "__main__": if __name__ == "__main__":
interactive() interactive()

0
subbrute/__init__.py → sublist3r2/aiodnsbrute/__init__.py
View File

358
sublist3r2/aiodnsbrute/cli.py Normal file
View File

@ -0,0 +1,358 @@
import random
import string
import asyncio
import functools
import os
import uvloop
import aiodns
import click
import socket
import sys
from tqdm import tqdm
from sublist3r2.aiodnsbrute.logger import ConsoleLogger
class aioDNSBrute(object):
"""aiodnsbrute implements fast domain name brute forcing using Python's asyncio module."""
def __init__(self, verbosity=0, max_tasks=512):
"""Constructor.
Args:
verbosity: set output verbosity: 0 (default) is none, 3 is debug
max_tasks: the maximum number of tasks asyncio will queue (default 512)
"""
self.tasks = []
self.errors = []
self.fqdn = []
self.ignore_hosts = []
asyncio.set_event_loop_policy(uvloop.EventLoopPolicy())
self.loop = asyncio.get_event_loop()
self.resolver = aiodns.DNSResolver(loop=self.loop, rotate=True)
self.sem = asyncio.BoundedSemaphore(max_tasks)
self.max_tasks = max_tasks
self.verbosity = verbosity
self.logger = ConsoleLogger(verbosity)
async def _dns_lookup(self, name):
"""Performs a DNS request using aiodns, self.lookup_type is set by the run function.
A query for A record returns <ares_query_a_result> which does not return metadata about
when a CNAME was resolved (just host and ttl attributes) however it should be faster.
The <ares_host_result> returned by gethostbyname contains name, aliases, and addresses, if
name is different in response we can surmise that the original domain was a CNAME entry.
Args:
name: the domain name to resolve
Returns:
object: <ares_query_a_result> if query, <ares_host_result> if gethostbyname
"""
if self.lookup_type == "query":
return await self.resolver.query(name, "A")
elif self.lookup_type == "gethostbyname":
return await self.resolver.gethostbyname(name, socket.AF_INET)
def _dns_result_callback(self, name, future):
"""Handles the pycares object passed by the _dns_lookup function. We expect an errror to
be present in the returned object because most lookups will be for names that don't exist.
c-ares errors are passed through directly, error types can be identified in ares_strerror.c
Args:
name: original lookup name (because the query_result object doesn't contain it)
future: the completed future (pycares dns result)
"""
# Record processed we can now release the lock
self.sem.release()
# Handle known exceptions, barf on other ones
if future.exception() is not None:
try:
err_number = future.exception().args[0]
err_text = future.exception().args[1]
except IndexError:
self.logger.error(f"Couldn't parse exception: {future.exception()}")
# handle the DNS errors we expect to receive, show user unexpected errors
if err_number == 4:
# This is domain name not found, ignore it
pass
#elif err_number == 12:
# Timeout from DNS server
#self.logger.warn(f"Timeout for {name}")
elif err_number == 1:
# Server answered with no data
pass
#else:
#self.logger.error(
# f"{name} generated an unexpected exception: {future.exception()}"
#)
# for debugging/troubleshoooting keep a list of errors
# self.errors.append({'hostname': name, 'error': err_text})
# parse and output and store results.
else:
if self.lookup_type == "query":
ips = [ip.host for ip in future.result()]
cname = False
row = f"{name:<30}\t{ips}"
elif self.lookup_type == "gethostbyname":
r = future.result()
ips = [ip for ip in r.addresses]
if name == r.name:
cname = False
n = f"""{name:<30}\t{f"{'':<35}" if self.verbosity >= 2 else ""}"""
else:
cname = True
# format the name based on verbosity - this is kluge
short_cname = f"{r.name[:28]}.." if len(r.name) > 30 else r.name
n = f'{name}{"**" if self.verbosity <= 1 else ""}'
n = f'''{n:<30}\t{f"CNAME {short_cname:<30}" if self.verbosity >= 2 else ""}'''
row = f"{n:<30}\t{ips}"
# store the result
if set(ips) != set(self.ignore_hosts):
#self.logger.success(row)
dns_lookup_result = {"domain": name, "ip": ips}
if self.lookup_type == "gethostbyname" and cname:
dns_lookup_result["cname"] = r.name
dns_lookup_result["aliases"] = r.aliases
self.fqdn.append(dns_lookup_result)
self.logger.debug(future.result())
self.tasks.remove(future)
if self.verbosity >= 1:
self.pbar.update()
async def _queue_lookups(self, wordlist, domain):
"""Takes a list of words and adds them to the async loop also passing the original
lookup domain name; then attaches the processing callback to deal with the result.
Args:
wordlist: a list of names to perform lookups for
domain: the base domain to perform brute force against
"""
for word in wordlist:
# Wait on the semaphore before adding more tasks
await self.sem.acquire()
host = f"{word.strip()}.{domain}"
task = asyncio.ensure_future(self._dns_lookup(host))
task.add_done_callback(functools.partial(self._dns_result_callback, host))
self.tasks.append(task)
await asyncio.gather(*self.tasks, return_exceptions=True)
def bruteforce_domain(target, resolvers=None, wordlist="subdomains-top1million-110000.txt", wildcard=True, verify=True, thread_count=7000, query=True):
subdomains_list = []
names_list = []
verbosity = 1
if resolvers:
resolverfile = open(resolvers, 'r')
lines = resolverfile.read().splitlines()
resolvers = [x.strip() for x in lines if (x and not x.startswith("#"))]
bf = aioDNSBrute(verbosity=verbosity, max_tasks=thread_count)
subdomains_list = bf.run(wordlist, target, resolvers, wildcard, verify, query)
resolverfile.close()
for r in range(1, len(subdomains_list)):
names_list.append(subdomains_list[r]['domain'])
return names_list
def run(
self, wordlist, domain, resolvers=None, wildcard=True, verify=True, query=True
):
"""
Sets up the bruteforce job, does domain verification, sets resolvers, checks for wildcard
response to lookups, and sets the query type to be used. After all this, open the wordlist
file and start the brute force - with ^C handling to cleanup nicely.
Args:
wordlist: a string containing a path to a filename to be used as a wordlist
domain: the base domain name to be used for lookups
resolvers: a list of DNS resolvers to be used (default None, uses system resolvers)
wildcard: bool, do wildcard dns detection (default true)
verify: bool, check if domain exists (default true)
query: bool, use query to do lookups (default true), false means gethostbyname is used.
Returns:
dict containing result of lookups
"""
self.logger.info(
f"Brute forcing {domain} with a maximum of {self.max_tasks} concurrent tasks..."
)
if verify:
#self.logger.info(f"Using local resolver to verify {domain} exists.")
try:
socket.gethostbyname(domain)
except socket.gaierror as err:
self.logger.error(
f"Couldn't resolve {domain}, use the --no-verify switch to ignore this error."
)
raise SystemExit(
self.logger.error(f"Error from host lookup: {err}")
)
else:
self.logger.warn("Skipping domain verification. YOLO!")
if resolvers:
self.resolver.nameservers = resolvers
self.logger.info(
f"Using recursive DNS with {len(self.resolver.nameservers)} nameservers"
)
if wildcard:
# 63 chars is the max allowed segment length, there is practically no chance that it will be a legit record
random_sld = (
lambda: f'{"".join(random.choice(string.ascii_lowercase + string.digits) for i in range(63))}'
)
try:
self.lookup_type = "query"
wc_check = self.loop.run_until_complete(
self._dns_lookup(f"{random_sld()}.{domain}")
)
except aiodns.error.DNSError as err:
# we expect that the record will not exist and error 4 will be thrown
#self.logger.info(
# f"No wildcard response was detected for this domain."
#)
wc_check = None
finally:
if wc_check is not None:
self.ignore_hosts = [host.host for host in wc_check]
self.logger.warn(
f"Wildcard response detected, ignoring answers containing {self.ignore_hosts}"
)
else:
self.logger.warn("Wildcard detection is disabled")
if query:
#self.logger.info(
# "Using pycares `query` function to perform lookups, CNAMEs cannot be identified"
#)
self.lookup_type = "query"
else:
self.logger.info(
"Using pycares `gethostbyname` function to perform lookups, CNAME data will be appended to results (** denotes CNAME, show actual name with -vv)"
)
self.lookup_type = "gethostbyname"
with open(wordlist, encoding="utf-8", errors="ignore") as words:
w = words.read().splitlines()
self.logger.info(f"Wordlist loaded, proceeding with {len(w)} DNS requests")
try:
if self.verbosity >= 1:
self.pbar = tqdm(
total=len(w), unit="rec", maxinterval=0.1, mininterval=0
)
self.loop.run_until_complete(self._queue_lookups(w, domain))
except KeyboardInterrupt:
self.logger.warn("Caught keyboard interrupt, cleaning up...")
asyncio.gather(*asyncio.Task.all_tasks()).cancel()
self.loop.stop()
finally:
self.loop.close()
if self.verbosity >= 1:
self.pbar.close()
self.logger.info(f"Bruteforcing Complete")
return self.fqdn
@click.command()
@click.option(
"--wordlist",
"-w",
help="Wordlist to use for brute force.",
default=f"{os.path.dirname(os.path.realpath(__file__))}/wordlists/bitquark_20160227_subdomains_popular_1000",
)
@click.option(
"--max-tasks",
"-t",
default=512,
help="Maximum number of tasks to run asynchronosly.",
)
@click.option(
"--resolver-file",
"-r",
type=click.File("r"),
default=None,
help="A text file containing a list of DNS resolvers to use, one per line, comments start with #. Default: use system resolvers",
)
@click.option(
"--verbosity", "-v", count=True, default=1, help="Increase output verbosity"
)
@click.option(
"--output",
"-o",
type=click.Choice(["csv", "json", "off"]),
default="off",
help="Output results to DOMAIN.csv/json (extension automatically appended when not using -f).",
)
@click.option(
"--outfile",
"-f",
type=click.File("w"),
help="Output filename. Use '-f -' to send file output to stdout overriding normal output.",
)
@click.option(
"--query/--gethostbyname",
default=True,
help="DNS lookup type to use query (default) should be faster, but won't return CNAME information.",
)
@click.option(
"--wildcard/--no-wildcard",
default=True,
help="Wildcard detection, enabled by default",
)
@click.option(
"--verify/--no-verify",
default=True,
help="Verify domain name is sane before beginning, enabled by default",
)
@click.version_option("0.3.2")
@click.argument("domain", required=True)
def main(**kwargs):
"""aiodnsbrute is a command line tool for brute forcing domain names utilizing Python's asyncio module.
credit: blark (@markbaseggio)
"""
output = kwargs.get("output")
verbosity = kwargs.get("verbosity")
resolvers = kwargs.get("resolver_file")
if output != "off":
outfile = kwargs.get("outfile")
# turn off output if we want JSON/CSV to stdout, hacky
if outfile.__class__.__name__ == "TextIOWrapper":
verbosity = 0
if outfile is None:
# wasn't specified on command line
outfile = open(f'{kwargs["domain"]}.{output}', "w")
if resolvers:
lines = resolvers.read().splitlines()
resolvers = [x.strip() for x in lines if (x and not x.startswith("#"))]
bf = aioDNSBrute(verbosity=verbosity, max_tasks=kwargs.get("max_tasks"))
results = bf.run(
wordlist=kwargs.get("wordlist"),
domain=kwargs.get("domain"),
resolvers=resolvers,
wildcard=kwargs.get("wildcard"),
verify=kwargs.get("verify"),
query=kwargs.get("query"),
)
if output in ("json"):
import json
json.dump(results, outfile)
if output in ("csv"):
import csv
writer = csv.writer(outfile)
writer.writerow(["Hostname", "IPs", "CNAME", "Aliases"])
[
writer.writerow(
[
r.get("domain"),
r.get("ip", [""])[0],
r.get("cname"),
r.get("aliases", [""])[0],
]
)
for r in results
]
if __name__ == "__main__":
main()

31
sublist3r2/aiodnsbrute/logger.py Normal file
View File

@ -0,0 +1,31 @@
from tqdm import tqdm
from click import style
class ConsoleLogger(object):
"""A quick and dirty metasploit style console output logger that doesn't mess up tqdm output."""
def __init__(self, verbosity):
self.verbosity = verbosity
self.msg_type = {
"info": ("[*]", "blue", 1),
"success": ("[+]", "green", 1),
"error": ("[-]", "red", 1),
"warn": ("[!]", "yellow", 1),
"debug": ("[D]", "cyan", 3),
}
def __getattr__(self, attr):
try:
decorator = style(
f"{self.msg_type[attr][0]} ", fg=self.msg_type[attr][1], bold=True
)
msg_verbosity = self.msg_type[attr][2]
except KeyError:
decorator = ""
msg_verbosity = 1
finally:
if self.verbosity >= msg_verbosity:
return lambda msg: tqdm.write(f"{decorator}{msg}")
else:
return lambda msg: None

31
sublist3r2/aiodnsbrute/logger/logger.py Normal file
View File

@ -0,0 +1,31 @@
from tqdm import tqdm
from click import style
class ConsoleLogger(object):
"""A quick and dirty metasploit style console output logger that doesn't mess up tqdm output."""
def __init__(self, verbosity):
self.verbosity = verbosity
self.msg_type = {
"info": ("[*]", "blue", 1),
"success": ("[+]", "green", 1),
"error": ("[-]", "red", 1),
"warn": ("[!]", "yellow", 1),
"debug": ("[D]", "cyan", 3),
}
def __getattr__(self, attr):
try:
decorator = style(
f"{self.msg_type[attr][0]} ", fg=self.msg_type[attr][1], bold=True
)
msg_verbosity = self.msg_type[attr][2]
except KeyError:
decorator = ""
msg_verbosity = 1
finally:
if self.verbosity >= msg_verbosity:
return lambda msg: tqdm.write(f"{decorator}{msg}")
else:
return lambda msg: None

7
subbrute/resolvers.txt → sublist3r2/aiodnsbrute/resolvers.txt
View File

@ -984,3 +984,10 @@
95.158.129.2 95.158.129.2
95.173.193.3 95.173.193.3
95.85.9.86 95.85.9.86
80.67.188.188
108.61.201.119
159.69.198.101
47.101.136.37
118.24.208.197
114.115.240.175
119.29.107.85

114532
sublist3r2/aiodnsbrute/subdomains-top1million-110000.txt Normal file
View File

File diff suppressed because it is too large Load Diff