DNS Spider is a multithreaded bruteforcer of subdomains that leverages a wordlist and/or character permutation.
d91b3aaaa5aaad0cc4cff4d5d4cde89bde531628689625900beaafad64527442#!/usr/bin/env python
#
# dnsspider.py - multithreaded subdomain bruteforcer
#
# bruteforces subdomains via wordlist or character permutation
#
# NOTES: quick'n'dirty code
#
# by noptrix - http://www.noptrix.net/
import sys
import time
import string
import itertools
import socket
import threading
from optparse import OptionParser
try:
import dns.message
import dns.query
except ImportError:
print('[-] ERROR: you need "dnspython" package')
sys.exit()
BANNER = '--------------------------------------\n' \
'dnsspider.py - http://www.noptrix.net/\n' \
'--------------------------------------'
USAGE = '\n\n' \
' dnsspider.py -t <type> -a <domain> [options]'
VERSION = 'dnsspider.py v0.1'
defaults = {}
hostnames = []
prefix = ''
found = []
chars = string.ascii_lowercase
digits = string.digits
wordlist = ['admin', 'auth', 'backup', 'bm', 'central', 'control', 'cvs',
'data', 'db', 'dev', 'devel', 'dns', 'external', 'firewall',
'ftp', 'fw', 'gate', 'gateway', 'gw', 'hpc', 'info', 'internal',
'intranet', 'it', 'login', 'mail', 'main', 'manage', 'mobile',
'mx', 'mysql', 'noc', 'ns', 'office', 'op', 'phpmyadmin', 'plesk',
'private', 'router', 'secure', 'server', 'shop', 'smtp', 'ssh',
'support', 'svn', 'test', 'update', 'vpn', 'vz', 'web', 'webmail',
'webshop', 'workstation', 'www']
def usage():
print('\n' + USAGE)
sys.exit()
def check_usage():
if len(sys.argv) == 1:
print('[-] WARNING: use -h for help and usage')
sys.exit()
def get_default_nameserver():
print('[+] getting default nameserver')
lines = list(open('/etc/resolv.conf', 'r'))
for line in lines:
line = string.strip(line)
if not line or line[0] == ';' or line[0] == '#':
continue
fields = string.split(line)
if len(fields) < 2:
continue
if fields[0] == 'nameserver':
defaults['nameserver'] = fields[1]
return defaults
def get_default_source_ip():
print('[+] getting default ip address')
try:
defaults['ipaddr'] = socket.gethostbyaddr(socket.gethostname())[2][0]
except:
print('''
[-] ERROR: can\'t get your ip-address, use "-i" option and define
yourself
''')
return defaults
def parse_cmdline():
p = OptionParser(usage=USAGE, version=VERSION)
p.add_option('-t', dest='type',
help='attack type (0 for dictionary 1 for bruteforce)')
p.add_option('-a', dest='domain',
help='(sub)domain to bruteforce')
p.add_option('-l', dest='wordlist',
help='wordlist, one hostname per line (default predefined in code)')
p.add_option('-d', dest='dnshost',
help='choose another nameserver (default your system\'s)')
p.add_option('-i', dest='ipaddr',
help='source ip address to use (default your first)')
p.add_option('-p', dest='port', default=0,
help='source port to use (default %default)')
p.add_option('-u', dest='protocol', default='udp',
help='speak via udp or tcp (default %default)')
p.add_option('-c', dest='charset', default=0,
help='choose charset 0 [a-z0-9], 1 [a-z] or 2 [0-9] (default %default)')
p.add_option('-m', dest='max', default=2,
help='max chars to bruteforce (default %default)')
p.add_option('-s', dest='prefix',
help='give a prefix for bruteforce, e.g. "www" (default none)')
p.add_option('-o', dest='timeout', default=1,
help='when to timeout (default %default)')
p.add_option('-w', dest='wait', default=0,
help='seconds to wait for next request (default %default)')
p.add_option('-x', dest='threads', default=32,
help='number of threads to use (default %default) - choose more :)')
p.add_option('-r', dest='logfile', default='stdout',
help='write found subdomains to file (default %default)')
(opts, args) = p.parse_args()
return opts
def check_cmdline(opts):
if not opts.type or not opts.domain:
print('[-] ERROR: see usage, mount /dev/brain!')
sys.exit()
def set_opts(defaults, opts):
if not opts.dnshost:
opts.dnshost = defaults['nameserver']
if not opts.ipaddr:
opts.ipaddr = defaults['ipaddr']
if int(opts.charset) == 0:
opts.charset = chars + digits
elif int(opts.charset) == 1:
opts.charset = chars
else:
opts.charset = digits
if not opts.prefix:
opts.prefix = prefix
return opts
def read_hostnames(opts):
print('[+] reading hostnames')
hostnames = []
if opts.wordlist:
hostnames = list(open(opts.wordlist, 'r'))
return hostnames
else:
return wordlist
def attack(opts, hostname, attack_pool):
sys.stdout.write('--- trying %s \n' % hostname)
sys.stdout.flush()
try:
x = dns.message.make_query(hostname, 1)
if opts.protocol == 'udp':
a = dns.query.udp(x, opts.dnshost, float(opts.timeout), 53, None,
opts.ipaddr, int(opts.port), True, False)
else:
a = dns.query.tcp(x, opts.dnshost, float(opts.timeout), 53, None,
opts.ipaddr, int(opts.port), False)
attack_pool.release()
except dns.exception.Timeout:
sys.exit()
except (socket.error,e):
sys.exit()
if a.answer:
found.append(hostname)
else:
pass
def str_gen(opts, hostnames):
print('[+] generating list of strings')
tmp_hostnames = itertools.product(opts.charset, repeat=int(opts.max))
hostnames = list(tmp_hostnames)
hostnames = map(''.join, hostnames)
return hostnames
def run_threads(opts, hostname, attack_pool, threads):
t = threading.Thread(target=attack, args=(opts, hostname, attack_pool))
attack_pool.acquire()
t.start()
threads.append(t)
return threads
def prepare_attack(opts, hostnames):
sys.stdout.write('[+] attacking \'%s\' via ' % opts.domain)
threads = list()
attack_pool = threading.BoundedSemaphore(value=int(opts.threads))
if opts.type == '0':
sys.stdout.write('dictionary\n')
for hostname in hostnames:
hostname = hostname.rstrip() + '.' + opts.domain
time.sleep(float(opts.wait))
threads = run_threads(opts, hostname, attack_pool, threads)
for t in threads:
t.join()
elif opts.type == '1':
sys.stdout.write('bruteforce\n')
hostnames = str_gen(opts, hostnames)
for hostname in hostnames:
hostname = opts.prefix + hostname + '.' + opts.domain
time.sleep(float(opts.wait))
threads = run_threads(opts, hostname, attack_pool, threads)
for t in threads:
t.join()
else:
print('[-] ERROR: unknown attack type')
sys.exit()
def log_results(opts, found):
print('[+] game over')
if opts.logfile == 'stdout':
print('---')
if not found:
print('no hosts found :(')
else:
for f in found:
print(f)
else:
print('[+] logged results to %s') % opts.logfile
with open(opts.logfile, 'w') as f:
if found:
for x in found:
f.write(x + '\n')
f.close()
def main():
check_usage()
opts = parse_cmdline()
check_cmdline(opts)
if not opts.dnshost:
defaults = get_default_nameserver()
defaults = get_default_source_ip()
opts = set_opts(defaults, opts)
hostnames = read_hostnames(opts)
prepare_attack(opts, hostnames)
log_results(opts, found)
if __name__ == '__main__':
try:
print(BANNER)
main()
except KeyboardInterrupt:
print('\n[-] WARNING: aborted by user')
raise SystemExit
# EOF
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed