DNS Spider is a multithreaded bruteforcer of subdomains that leverages a wordlist and/or character permutation.
39ad27d6d5242990a8105766614da17511aa4ebe6dcac490096e88bd2c6734bf#!/usr/bin/env python
#
# dnsspider.py - multithreaded subdomain bruteforcer
#
# bruteforces subdomains via wordlist or character permutation
#
# NOTES:
# - quick'n'dirty code
#
# by noptrix - http://www.noptrix.net/
# improvement by bons
#
# Changelog
#
# v0.3:
# - added verbose/quiet mode - default is quiet now
# - fixed try/catch for domainnames
# - fixed some tab width (i normally use <= 80 chars per line)
#
# v0.2:
# - append DNS and IP output to found list
# - added diffound list for subdomains resolved to different addresses
# - get right ip address from current used iface to avoid socket problems
# - fixed socket exception syntax and output
# - added usage note for fixed port and multithreaded socket exception
#
# v0.1:
# - first release
import sys
import time
import string
import itertools
import socket
import threading
import re
from optparse import OptionParser
try:
import dns.message
import dns.query
except ImportError:
print('[-] ERROR: you need "dnspython" package')
sys.exit()
BANNER = '+----------------------------------------+\n' \
'| dnsspider.py - http://www.noptrix.net/ |\n' \
'+----------------------------------------+'
USAGE = '\n\n' \
' dnsspider.py -t <type> -a <domain> [options]'
VERSION = 'dnsspider.py v0.3'
defaults = {}
hostnames = []
prefix = ''
found = []
diffound = []
chars = string.ascii_lowercase
digits = string.digits
wordlist = ['admin', 'auth', 'backup', 'bm', 'central', 'control', 'cvs',
'data', 'db', 'dev', 'devel', 'dns', 'external', 'firewall',
'ftp', 'fw', 'gate', 'gateway', 'gw', 'git', 'hpc', 'info',
'internal', 'intranet', 'intern', 'it', 'login', 'mail', 'main',
'manage', 'mobile', 'mx', 'mx01', 'mysql', 'noc', 'ns', 'office',
'op', 'phpmyadmin', 'pma', 'plesk', 'private', 'rack','router',
'secure', 'sec', 'server', 'shop', 'smtp', 'ssh', 'support', 'svn',
'test', 'testing', 'update', 'vpn', 'vz', 'web', 'webmail',
'webshop', 'workstation', 'www']
def usage():
print('\n' + USAGE)
sys.exit()
def check_usage():
if len(sys.argv) == 1:
print('[-] WARNING: use -h for help and usage')
sys.exit()
def get_default_nameserver():
print('[+] getting default nameserver')
lines = list(open('/etc/resolv.conf', 'r'))
for line in lines:
line = string.strip(line)
if not line or line[0] == ';' or line[0] == '#':
continue
fields = string.split(line)
if len(fields) < 2:
continue
if fields[0] == 'nameserver':
defaults['nameserver'] = fields[1]
return defaults
def get_default_source_ip():
print('[+] getting default ip address')
try:
# get current used iface enstablishing temp socket
ipsocket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
ipsocket.connect(("gmail.com",80))
defaults['ipaddr'] = ipsocket.getsockname()[0]
print('[+] found currently used interface ip ' + defaults['ipaddr'])
ipsocket.close()
except:
print('''[-] ERROR: NO INTERNET? can\'t get your ip-address, use "-i" \
option and define yourself ''')
return defaults
def parse_cmdline():
p = OptionParser(usage=USAGE, version=VERSION)
p.add_option('-t', dest='type',
help='attack type (0 for dictionary 1 for bruteforce)')
p.add_option('-a', dest='domain',
help='(sub)domain to bruteforce')
p.add_option('-l', dest='wordlist',
help='wordlist, one hostname per line (default predefined in code)')
p.add_option('-d', dest='dnshost',
help='choose another nameserver (default your system\'s)')
p.add_option('-i', dest='ipaddr',
help='source ip address to use (default your first)')
p.add_option('-p', dest='port', default=0,
help='source port to use (default %default --> first free random \
port) Note: if fixed port, use max 1 thread!')
p.add_option('-u', dest='protocol', default='udp',
help='speak via udp or tcp (default %default)')
p.add_option('-c', dest='charset', default=0,
help='choose charset 0 [a-z0-9], 1 [a-z] or 2 [0-9] \
(default %default)')
p.add_option('-m', dest='max', default=2,
help='max chars to bruteforce (default %default)')
p.add_option('-s', dest='prefix',
help='give a prefix for bruteforce, e.g. "www" (default none)')
p.add_option('-o', dest='timeout', default=1,
help='when to timeout (default %default)')
p.add_option('-v', action='store_true', dest='verbose',
help='verbose mode. prints every attempt. (default quiet)')
p.add_option('-w', dest='wait', default=0,
help='seconds to wait for next request (default %default)')
p.add_option('-x', dest='threads', default=32,
help='number of threads to use (default %default) - choose more :)')
p.add_option('-r', dest='logfile', default='stdout',
help='write found subdomains to file (default %default)')
(opts, args) = p.parse_args()
return opts
def check_cmdline(opts):
if not opts.type or not opts.domain:
print('[-] ERROR: see usage, mount /dev/brain!')
sys.exit()
def set_opts(defaults, opts):
if not opts.dnshost:
opts.dnshost = defaults['nameserver']
if not opts.ipaddr:
opts.ipaddr = defaults['ipaddr']
if int(opts.charset) == 0:
opts.charset = chars + digits
elif int(opts.charset) == 1:
opts.charset = chars
else:
opts.charset = digits
if not opts.prefix:
opts.prefix = prefix
return opts
def read_hostnames(opts):
print('[+] reading hostnames')
hostnames = []
if opts.wordlist:
hostnames = list(open(opts.wordlist, 'r'))
return hostnames
else:
return wordlist
def attack(opts, hostname, attack_pool):
if opts.verbose:
sys.stdout.write('--- trying %s \n' % hostname)
sys.stdout.flush()
try:
x = dns.message.make_query(hostname, 1)
if opts.protocol == 'udp':
a = dns.query.udp(x, opts.dnshost, float(opts.timeout), 53, None,
opts.ipaddr, int(opts.port), True, False)
else:
a = dns.query.tcp(x, opts.dnshost, float(opts.timeout), 53, None,
opts.ipaddr, int(opts.port), False)
attack_pool.release()
except dns.exception.Timeout:
sys.exit()
except (socket.error, e):
print('''[-] ACHTUNGSCHEISSE! Socket Error! NO INTERNET? ip|srcport
incorrectly defined? you can run only one thread if fixed source port
specified''')
print(e)
sys.exit()
if a.answer:
answ = ''
# iterate dns rrset answer (can be multiple sets) field to extract
# detailed info (dns and ip)
for i in a.answer:
answ += str(i[0])
answ += ' '
answer = (hostname,answ)
found.append(answer)
else:
pass
def str_gen(opts, hostnames):
print('[+] generating list of strings')
tmp_hostnames = itertools.product(opts.charset, repeat=int(opts.max))
hostnames = list(tmp_hostnames)
hostnames = map(''.join, hostnames)
return hostnames
def run_threads(opts, hostname, attack_pool, threads):
t = threading.Thread(target=attack, args=(opts, hostname, attack_pool))
attack_pool.acquire()
t.start()
threads.append(t)
return threads
def prepare_attack(opts, hostnames):
sys.stdout.write('[+] attacking \'%s\' via ' % opts.domain)
threads = list()
attack_pool = threading.BoundedSemaphore(value=int(opts.threads))
if opts.type == '0':
sys.stdout.write('dictionary\n')
for hostname in hostnames:
hostname = hostname.rstrip() + '.' + opts.domain
time.sleep(float(opts.wait))
threads = run_threads(opts, hostname, attack_pool, threads)
for t in threads:
t.join()
elif opts.type == '1':
sys.stdout.write('bruteforce\n')
hostnames = str_gen(opts, hostnames)
for hostname in hostnames:
hostname = opts.prefix + hostname + '.' + opts.domain
time.sleep(float(opts.wait))
threads = run_threads(opts, hostname, attack_pool, threads)
for t in threads:
t.join()
else:
print('\n[-] ERROR: unknown attack type')
sys.exit()
def ip_extractor(ip):
#extract ip from string of rrset answer object
extracted = re.findall(r'[0-9]+(?:\.[0-9]+){3}', ip)
return extracted[0]
def analyze_results(opts, found):
#get maindomain ip
try:
mainhostip = socket.gethostbyname(opts.domain)
#append domain|ip to diffound if subdomain ip different than starting
# domain ip
([diffound.append(domain+' | '+ip)
for domain, ip in found if ip_extractor(ip) != mainhostip])
except dns.exception.Timeout:
sys.exit()
except(socket.error, e):
print('''[-] SCHEISSEGASSE... wrong domain or no internet?''')
print(e)
sys.exit()
def log_results(opts, found, diffound):
print('[+] game over')
if opts.logfile == 'stdout':
print('---')
if not found:
print('no hosts found :(')
else:
print('ANSWERED DNS REQUESTS:\n---')
for f in found:
print(f[0]+' | '+f[1])
if not diffound:
print('---\nNO HOSTS WITH DIFFERENT IP FOUND :(')
else:
print('---\nANSWERED DNS REQUEST WITH DIFFERENT IP:\n---')
for domain in diffound:
print(domain)
else:
print('[+] logging results to %s') % opts.logfile
with open(opts.logfile, 'w') as f:
if found:
f.write('ANSWERED DNS REQUESTS:\n')
f.write('---\n')
for x in found:
f.write('Domain: '+x[0]+' | '+x[1]+ '\n')
if not diffound:
f.write('---\nNO HOSTS WITH DIFFERENT IP FOUND :(\n')
else:
f.write('---\nANSWERED DNS REQUEST WITH DIFFERENT IP:\n---')
for domain in diffound:
f.write(domain + '\n')
f.close()
def main():
check_usage()
opts = parse_cmdline()
check_cmdline(opts)
if not opts.dnshost:
defaults = get_default_nameserver()
if not opts.ipaddr:
defaults = get_default_source_ip()
opts = set_opts(defaults, opts)
hostnames = read_hostnames(opts)
prepare_attack(opts, hostnames)
analyze_results(opts, found)
log_results(opts, found, diffound)
if __name__ == '__main__':
try:
print(BANNER)
main()
except KeyboardInterrupt:
print('\n[-] WARNING: aborted by user')
raise SystemExit
# EOF
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed