该工具第一是查询执行参数-a Search xxx.com
第二是爆破-a Blast domain wordlist
该工具同样可以使用DNS域名枚举,与上面的区别在于该方法使用了DNS迭代查询.
Web子域名查询: 该工具第一是查询执行参数-a Search xxx.com
第二是爆破-a Blast domain wordlist
import argparse
import linecache
import re
import sys

import requests
# Default request headers: a fixed desktop-browser User-Agent that is sent
# with every HTTP request this script makes.
head = dict(
    [
        (
            "user-agent",
            "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36",
        )
    ]
)
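def Banner():
    """Print the tool's ASCII-art banner and contact line to stdout.

    The art's backslashes are written as ``\\\\`` so every literal stays
    terminated; the original ended one line with ``\\"``, which escaped the
    closing quote and left the string unterminated (a SyntaxError).
    """
    print(" _ ____ _ _ ")
    print(" | | _ _/ ___|| |__ __ _ _ __| | __")
    print(" | | | | | ___ | '_ / _` | '__| |/ /")
    print(" | |__| |_| |___) | | | | (_| | | | < ")
    print(" |_______, |____/|_| |_|__,_|_| |_|_\\")
    print(" |___/ n")
    print("E-Mail: me@lyshark.com")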
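# 查询子域名
def SearchDomain(domain):
    """Query crt.sh's certificate-transparency search and print the names found for *domain*.

    Args:
        domain: the domain to look up; sent as the ``q`` query parameter.

    Returns:
        None. Matches are printed one per line; a failed request is reported
        on stderr instead of being silently swallowed as in the original.
    """
    url = "https://crt.sh/"
    try:
        # ``params`` lets requests percent-encode the value instead of splicing
        # raw command-line input into the query string (the original lost its
        # ``+`` and no longer even concatenated the URL).
        req = requests.get(url=url, params={"q": domain}, headers=head, timeout=10)
        req.raise_for_status()
    except requests.RequestException as exc:
        print("[-] crt.sh request failed: {}".format(exc), file=sys.stderr)
        return
    # NOTE(review): reconstructs the original '<TD>(.*?)</TD>\n <TD><A' scrape of
    # crt.sh's HTML table; confirm it still matches the live page layout.
    result = re.findall(r"<TD>(.*?)</TD>\n <TD><A", req.text, re.S)
    for item in result:
        print(item)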
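def VisitWeb(prefix, domain):
    """Return 1 if ``https://<prefix>.<domain>`` answers HTTP 200 within 1 s, else 0.

    Args:
        prefix: candidate host label to prepend to *domain*.
        domain: base domain, e.g. ``example.com``.

    Returns:
        1 on a 200 response, 0 on any other status or on a request failure.
    """
    url = "https://{}.{}".format(prefix, domain)
    try:
        ret = requests.get(url=url, headers=head, timeout=1)
    except requests.RequestException:
        # Only request-level failures (DNS, connect, TLS, timeout) mean "not
        # reachable". The original bare ``except:`` also swallowed
        # KeyboardInterrupt, so the calling loop could not be stopped with Ctrl-C.
        return 0
    return 1 if ret.status_code == 200 else 0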
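# 爆破子域名
def BlastWeb(domain, wordlist):
    """Try each prefix in *wordlist* as a subdomain of *domain* and print the ones that respond.

    Args:
        domain: base domain, e.g. ``example.com``.
        wordlist: path to a text file with one candidate prefix per line.

    Returns:
        None; each reachable ``<prefix>.<domain>`` is printed.

    The original opened the file with the invalid mode ``"r "`` (ValueError),
    never closed it, read it twice via ``linecache``, and raised IndexError on a
    blank line; this version streams the file under ``with`` and skips blanks.
    """
    with open(wordlist, "r") as fp:
        for line in fp:
            fields = line.split()
            if not fields:
                continue
            main = fields[0]
            if VisitWeb(main, domain) != 0:
                print("旁站: {}.{} 存在".format(main, domain))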
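if __name__ == "__main__":
    Banner()
    Usage = "[*] Usage : main.py -a [Search | Blast] xxx.com"

    def RunCMD(argc, args):
        """Dispatch the ``-a`` action to the matching subcommand.

        Args:
            argc: the action name, ``"Search"`` or ``"Blast"``.
            args: positional operands — ``[domain]`` for Search,
                ``[domain, wordlist]`` for Blast.
        """
        if argc == "Search" and len(args) >= 1:
            SearchDomain(args[0])
        elif argc == "Blast" and len(args) >= 2:
            SubDomain = args[0]
            WordList = args[1]
            BlastWeb(SubDomain, WordList)
        else:
            # Unknown action or too few operands: show the usage line rather
            # than failing with an IndexError inside the subcommand.
            print(Usage)

    parser = argparse.ArgumentParser(usage=Usage)
    parser.add_argument("-a", dest="RunCMD", help="查询子域名命令")
    # The original parser declared no positionals, so ``xxx.com`` was rejected
    # as an unrecognized argument and ``args[0]`` on the Namespace raised
    # TypeError; the operands are now collected explicitly.
    parser.add_argument("targets", nargs="*", help="domain [wordlist]")
    args = parser.parse_args()
    if args.RunCMD:
        argc = args.RunCMD
        RunCMD(argc, args.targets)
    else:
        parser.print_help()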
通过DNS爆破子域名: 该工具同样可以使用DNS域名的枚举,和上面的区别就在于该方法使用了DNS迭代查询.
import threading
import argparse
from queue import Empty, Queue

import dns.exception
import dns.resolver
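class BlastDNSDomain(threading.Thread):
    """Worker thread that resolves candidate names pulled from a shared queue.

    Every name that yields an A record is appended to the shared ``result``
    list and printed.
    """

    def __init__(self, queue, result):
        """Bind the worker to the shared work *queue* and shared *result* list."""
        threading.Thread.__init__(self)
        self._queue = queue
        self.result = result

    def run(self):
        """Drain the queue, resolving each name, until no work is left."""
        while True:
            # get_nowait() under try instead of empty()-then-get(): with several
            # workers the queue can drain between the two calls, and the
            # original let the resulting queue.Empty propagate and kill the thread.
            try:
                SubDomain = self._queue.get_nowait()
            except Empty:
                return
            try:
                result = dns.resolver.query(SubDomain, "A")
            except dns.exception.DNSException:
                # NXDOMAIN, NoAnswer, Timeout, NoNameservers: treat as "not found".
                continue
            if result.response.answer:
                self.result.append(SubDomain)
                print("[ ] {}".format(SubDomain))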
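def Banner():
    """Print the tool's ASCII-art banner and contact line to stdout.

    The art's backslashes are written as ``\\\\`` so every literal stays
    terminated; the original ended one line with ``\\"``, which escaped the
    closing quote and left the string unterminated (a SyntaxError).
    """
    print(" _ ____ _ _ ")
    print(" | | _ _/ ___|| |__ __ _ _ __| | __")
    print(" | | | | | ___ | '_ / _` | '__| |/ /")
    print(" | |__| |_| |___) | | | | (_| | | | < ")
    print(" |_______, |____/|_| |_|__,_|_| |_|_\\")
    print(" |___/ n")
    print("E-Mail: me@lyshark.com")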
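if __name__ == "__main__":
    Banner()
    Usage = "main.py -d xxx.com -w dict.log -t 5"
    # The original built the parser with ``OptionParser``, which this file never
    # imports (NameError) and which has no ``add_argument`` method anyway.
    parser = argparse.ArgumentParser(usage=Usage)
    parser.add_argument("-d", "--domain", dest="Domain", help="Specify subdomain format")
    parser.add_argument("-w", "--wordlist", dest="WordList", help="Specify a dictionary file")
    # type=int makes argparse reject a non-numeric count with a usage error
    # instead of the bare ValueError the original's int() call produced.
    parser.add_argument("-t", "--ThreadCount", dest="ThreadCount", type=int, help="Specify the number of execution threads")
    args = parser.parse_args()
    if args.Domain and args.WordList and args.ThreadCount:
        queue = Queue()
        result = []
        with open(args.WordList) as fp:
            for item in fp:
                prefix = item.rstrip()
                # Blank lines would otherwise be queued as ".<domain>".
                if prefix:
                    queue.put(prefix + "." + args.Domain)
        threads = [BlastDNSDomain(queue, result) for _ in range(args.ThreadCount)]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
        print("所有DNS域名: {}".format(set(result)))
    else:
        parser.print_help()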