多线程子域名 bruteforcer - dnsspider
发布时间:2020-12-15 21:09:26 所属栏目:大数据 来源:网络整理
导读:今天PHP站长网 52php.cn把收集自互联网的代码分享给大家,仅供参考。 #!/usr/bin/env python## dnsspider.py - multithreaded subdomain bruteforcer## bruteforces subdomains via wordlist or character permutation# #
|
以下代码由PHP站长网 52php.cn收集自互联网 现在PHP站长网小编把它分享给大家,仅供参考 #!/usr/bin/env python
#
# dnsspider.py - multithreaded subdomain bruteforcer
#
# bruteforces subdomains via wordlist or character permutation
#
# NOTES:
# - quick'n'dirty code
#
# by noptrix - http://www.noptrix.net/
# improvement by bons
#
# Changelog
#
# v0.3:
# - added verbose/quiet mode - default is quiet now
# - fixed try/catch for domainnames
# - fixed some tab width (i normally use <= 80 chars per line)
#
# v0.2:
# - append DNS and IP output to found list
# - added diffound list for subdomains resolved to different addresses
# - get right ip address from current used iface to avoid socket problems
# - fixed socket exception syntax and output
# - added usage note for fixed port and multithreaded socket exception
#
# v0.1:
# - first release
import sys
import time
import string
import itertools
import socket
import threading
import re
from optparse import OptionParser
try:
import dns.message
import dns.query
except ImportError:
print('[-] ERROR: you need "dnspython" package')
sys.exit()
BANNER = '+----------------------------------------+n'
'| dnsspider.py - http://www.noptrix.net/ |n'
'+----------------------------------------+'
USAGE = 'nn'
' dnsspider.py -t <type> -a <domain> [options]'
VERSION = 'dnsspider.py v0.3'
defaults = {}
hostnames = []
prefix = ''
found = []
diffound = []
chars = string.ascii_lowercase
digits = string.digits
wordlist = ['admin','auth','backup','bm','central','control','cvs','data','db','dev','devel','dns','external','firewall','ftp','fw','gate','gateway','gw','git','hpc','info','internal','intranet','intern','it','login','mail','main','manage','mobile','mx','mx01','mysql','noc','ns','office','op','phpmyadmin','pma','plesk','private','rack','router','secure','sec','server','shop','smtp','ssh','support','svn','test','testing','update','vpn','vz','web','webmail','webshop','workstation','www']
def usage():
print('n' + USAGE)
sys.exit()
def check_usage():
if len(sys.argv) == 1:
print('[-] WARNING: use -h for help and usage')
sys.exit()
def get_default_nameserver():
print('[+] getting default nameserver')
lines = list(open('/etc/resolv.conf','r'))
for line in lines:
line = string.strip(line)
if not line or line[0] == ';' or line[0] == '#':
continue
fields = string.split(line)
if len(fields) < 2:
continue
if fields[0] == 'nameserver':
defaults['nameserver'] = fields[1]
return defaults
def get_default_source_ip():
print('[+] getting default ip address')
try:
# get current used iface enstablishing temp socket
ipsocket = socket.socket(socket.AF_INET,socket.SOCK_DGRAM)
ipsocket.connect(("gmail.com",80))
defaults['ipaddr'] = ipsocket.getsockname()[0]
print('[+] found currently used interface ip ' + defaults['ipaddr'])
ipsocket.close()
except:
print('''[-] ERROR: NO INTERNET? can't get your ip-address,use "-i"
option and define yourself ''')
return defaults
def parse_cmdline():
p = OptionParser(usage=USAGE,version=VERSION)
p.add_option('-t',dest='type',help='attack type (0 for dictionary 1 for bruteforce)')
p.add_option('-a',dest='domain',help='(sub)domain to bruteforce')
p.add_option('-l',dest='wordlist',help='wordlist,one hostname per line (default predefined in code)')
p.add_option('-d',dest='dnshost',help='choose another nameserver (default your system's)')
p.add_option('-i',dest='ipaddr',help='source ip address to use (default your first)')
p.add_option('-p',dest='port',default=0,help='source port to use (default %default --> first free random
port) Note: if fixed port,use max 1 thread!')
p.add_option('-u',dest='protocol',default='udp',help='speak via udp or tcp (default %default)')
p.add_option('-c',dest='charset',help='choose charset 0 [a-z0-9],1 [a-z] or 2 [0-9]
(default %default)')
p.add_option('-m',dest='max',default=2,help='max chars to bruteforce (default %default)')
p.add_option('-s',dest='prefix',help='give a prefix for bruteforce,e.g. "www" (default none)')
p.add_option('-o',dest='timeout',default=1,help='when to timeout (default %default)')
p.add_option('-v',action='store_true',dest='verbose',help='verbose mode. prints every attempt. (default quiet)')
p.add_option('-w',dest='wait',help='seconds to wait for next request (default %default)')
p.add_option('-x',dest='threads',default=32,help='number of threads to use (default %default) - choose more :)')
p.add_option('-r',dest='logfile',default='stdout',help='write found subdomains to file (default %default)')
(opts,args) = p.parse_args()
return opts
def check_cmdline(opts):
if not opts.type or not opts.domain:
print('[-] ERROR: see usage,mount /dev/brain!')
sys.exit()
def set_opts(defaults,opts):
if not opts.dnshost:
opts.dnshost = defaults['nameserver']
if not opts.ipaddr:
opts.ipaddr = defaults['ipaddr']
if int(opts.charset) == 0:
opts.charset = chars + digits
elif int(opts.charset) == 1:
opts.charset = chars
else:
opts.charset = digits
if not opts.prefix:
opts.prefix = prefix
return opts
def read_hostnames(opts):
print('[+] reading hostnames')
hostnames = []
if opts.wordlist:
hostnames = list(open(opts.wordlist,'r'))
return hostnames
else:
return wordlist
def attack(opts,hostname,attack_pool):
if opts.verbose:
sys.stdout.write('--- trying %s n' % hostname)
sys.stdout.flush()
try:
x = dns.message.make_query(hostname,1)
if opts.protocol == 'udp':
a = dns.query.udp(x,opts.dnshost,float(opts.timeout),53,None,opts.ipaddr,int(opts.port),True,False)
else:
a = dns.query.tcp(x,False)
attack_pool.release()
except dns.exception.Timeout:
sys.exit()
except (socket.error,e):
print('''[-] ACHTUNGSCHEISSE! Socket Error! NO INTERNET? ip|srcport
incorrectly defined? you can run only one thread if fixed source port
specified''')
print(e)
sys.exit()
if a.answer:
answ = ''
# iterate dns rrset answer (can be multiple sets) field to extract
# detailed info (dns and ip)
for i in a.answer:
answ += str(i[0])
answ += ' '
answer = (hostname,answ)
found.append(answer)
else:
pass
def str_gen(opts,hostnames):
print('[+] generating list of strings')
tmp_hostnames = itertools.product(opts.charset,repeat=int(opts.max))
hostnames = list(tmp_hostnames)
hostnames = map(''.join,hostnames)
return hostnames
def run_threads(opts,attack_pool,threads):
t = threading.Thread(target=attack,args=(opts,attack_pool))
attack_pool.acquire()
t.start()
threads.append(t)
return threads
def prepare_attack(opts,hostnames):
sys.stdout.write('[+] attacking '%s' via ' % opts.domain)
threads = list()
attack_pool = threading.BoundedSemaphore(value=int(opts.threads))
if opts.type == '0':
sys.stdout.write('dictionaryn')
for hostname in hostnames:
hostname = hostname.rstrip() + '.' + opts.domain
time.sleep(float(opts.wait))
threads = run_threads(opts,threads)
for t in threads:
t.join()
elif opts.type == '1':
sys.stdout.write('bruteforcen')
hostnames = str_gen(opts,hostnames)
for hostname in hostnames:
hostname = opts.prefix + hostname + '.' + opts.domain
time.sleep(float(opts.wait))
threads = run_threads(opts,threads)
for t in threads:
t.join()
else:
print('n[-] ERROR: unknown attack type')
sys.exit()
def ip_extractor(ip):
#extract ip from string of rrset answer object
extracted = re.findall(r'[0-9]+(?:.[0-9]+){3}',ip)
return extracted[0]
def analyze_results(opts,found):
#get maindomain ip
try:
mainhostip = socket.gethostbyname(opts.domain)
#append domain|ip to diffound if subdomain ip different than starting
# domain ip
([diffound.append(domain+' | '+ip)
for domain,ip in found if ip_extractor(ip) != mainhostip])
except dns.exception.Timeout:
sys.exit()
except(socket.error,e):
print('''[-] SCHEISSEGASSE... wrong domain or no internet?''')
print(e)
sys.exit()
def log_results(opts,found,diffound):
print('[+] game over')
if opts.logfile == 'stdout':
print('---')
if not found:
print('no hosts found :(')
else:
print('ANSWERED DNS REQUESTS:n---')
for f in found:
print(f[0]+' | '+f[1])
if not diffound:
print('---nNO HOSTS WITH DIFFERENT IP FOUND :(')
else:
print('---nANSWERED DNS REQUEST WITH DIFFERENT IP:n---')
for domain in diffound:
print(domain)
else:
print('[+] logging results to %s') % opts.logfile
with open(opts.logfile,'w') as f:
if found:
f.write('ANSWERED DNS REQUESTS:n')
f.write('---n')
for x in found:
f.write('Domain: '+x[0]+' | '+x[1]+ 'n')
if not diffound:
f.write('---nNO HOSTS WITH DIFFERENT IP FOUND :(n')
else:
f.write('---nANSWERED DNS REQUEST WITH DIFFERENT IP:n---')
for domain in diffound:
f.write(domain + 'n')
f.close()
def main():
check_usage()
opts = parse_cmdline()
check_cmdline(opts)
if not opts.dnshost:
defaults = get_default_nameserver()
if not opts.ipaddr:
defaults = get_default_source_ip()
opts = set_opts(defaults,opts)
hostnames = read_hostnames(opts)
prepare_attack(opts,hostnames)
analyze_results(opts,found)
log_results(opts,diffound)
if __name__ == '__main__':
try:
print(BANNER)
main()
except KeyboardInterrupt:
print('n[-] WARNING: aborted by user')
raise SystemExit
# EOF...
以上内容由PHP站长网【52php.cn】收集整理供大家参考研究 如果以上内容对您有帮助,欢迎收藏、点赞、推荐、分享。 (编辑:李大同) 【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容! |