├── LICENSE ├── README.md └── fransRecon.py /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 InitRoot 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Disclaimer 2 | I take no responsibility for your use of the software. Development is done in my personal capacity and carries no affiliation with my work. 3 | 4 | # fransRecon 5 | The script will enumerate a domain name using horizontal enumeration (reverse lookup). 6 | Each horizontal domain will then be vertically enumerated using Sublist3r. 7 | 8 | The output can then be used for port scans etc. 
9 | 10 | ### Horizontal enumeration: 11 | - On company registrar name 12 | - On domain name provided 13 | 14 | ### Vertical enumeration: 15 | - On all the domains found during horizontal enumeration 16 | 17 | ## Usage 18 | fransRecon.py example.com 19 | 20 | ![alt text](https://i.imgur.com/sba5giB.png "fransRecon") 21 | 22 | 23 | Note that this could take a *long time* to run for big domains. 24 | 25 | ## Install 26 | The script has to be run from inside the Sublist3r folder. 27 | The easiest way is to clone this Git repository and then clone Sublist3r into the same folder. 28 | 29 | For Python, the following packages need to be installed. 30 | ``` 31 | pip install pandas 32 | pip install click 33 | ``` 34 | The folder structure is as follows once installed: 35 | ``` 36 | ✘ ⚡ root@pentest  ~/Tools/fransRecon  ls -la 37 | total 96 38 | drwxr-xr-x 4 root root 4096 May 27 18:29 . 39 | drwxr-xr-x 14 root root 4096 May 26 12:48 .. 40 | -rwxr--r-- 1 root root 5545 May 26 22:17 fransRecon.py 41 | drwxr-xr-x 2 root root 4096 May 26 21:00 subbrute 42 | drwxr-xr-x 3 root root 4096 May 26 21:00 Sublist3r 43 | -rwxr-xr-x 1 root root 36120 May 26 21:00 sublist3r.py 44 | -rw-r--r-- 1 root root 36642 May 26 21:00 sublist3r.pyc 45 | ``` 46 | 47 | -------------------------------------------------------------------------------- /fransRecon.py: -------------------------------------------------------------------------------- 1 | # The script requires dig and needs to be placed in the same folder as sublist3r. 2 | # Enter the domain name as argument. 
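# Created by InitRoot (Frans Hendrik Botes)
#!/usr/bin/env python
# NOTE: a shebang is only honoured on the first line of a file. On this line
# it is an ordinary comment, so start the script through the interpreter.

import os
import sys
import subprocess
import json
import pprint
import re
import sys
import time
import pandas as pd
import requests
import argparse
import click
import json
import ssl
import sublist3r

try:  # Python 3
    from urllib.parse import quote_plus
except ImportError:  # Python 2
    from urllib import quote_plus

###############################################################################
#                                  CONFIGS                                    #
###############################################################################
enumDomain = ""
finalDomains = []       # domains found by horizontal enumeration
completeDomains = []    # sub-domains found by vertical enumeration

###############################################################################
#                                   INTRO                                     #
###############################################################################
# Raw string: in a normal string a backslash at the end of an art line is a
# line continuation and silently joins it with the next line, and sequences
# such as "\_" are invalid escapes on Python 3.
art = r"""
______ _____
| ____| | __ \
| |__ _ __ __ _ _ __ ___ | |__) | ___ ___ ___ _ __
| __|| '__|/ _` || '_ \ / __| | _ / / _ \ / __|/ _ \ | '_ \
| | | | | (_| || | | |\__ \ | | \ \| __/| (__| (_) || | | |
|_| |_| \__,_||_| |_||___/ |_| \_\___| \___|\___/ |_| |_|

"""


def printArt():
    """Print the ASCII banner."""
    print(art)


###############################################################################
#                                  CLEANUP                                    #
###############################################################################
def cleanupFiles():
    """Remove the result files left behind by a previous run."""
    for staleFile in ("horDoms.txt", "finalDoms.txt", "vertDoms.txt"):
        if os.path.exists(staleFile):
            os.remove(staleFile)


###############################################################################
#                           VERTICAL ENUMERATION                              #
###############################################################################
def verticalEnum():
    """Run Sublist3r against every domain in ``finalDomains``.

    Each sub-domain returned is appended to the module-level
    ``completeDomains`` list, which is printed once all domains are done.
    The 30 second pause after each domain is kept from the original script.
    """
    global completeDomains
    for domain in finalDomains:
        print("Performing vertical enumeration for: " + domain + " using Sublist3r.")
        subdomains = sublist3r.main(
            domain,
            40,
            'vertDoms.txt',
            ports=None,
            silent=False,
            verbose=False,
            enable_bruteforce=False,
            engines=None,
        )
        time.sleep(30)
        # Guard against a run that hands back nothing for this domain.
        completeDomains.extend(subdomains or [])

    print("Sublist3r done, port scan will start next.")
    print(completeDomains)


###############################################################################
#                          HORIZONTAL ENUMERATION                             #
###############################################################################
def getdatafromViewDNS(searchQuery):
    """Scrape the viewdns.info reverse-WHOIS page for ``searchQuery``.

    Returns an iterator over the first column of the fourth HTML table on
    the result page. The caller skips the first item, presumably the table
    header; confirm against the live page layout.

    On any failure the error is printed and the program exits with status 1.
    The original printed a literal "{e}" and evaluated a bare ``exit`` (a
    no-op), so the caller then crashed on ``next(None)``.
    """
    # The query may be an organisation name taken from WHOIS output, i.e.
    # text controlled by a remote party. Percent-encode it so characters such
    # as "&", "#" or a trailing newline cannot change the request that is sent.
    url = "https://viewdns.info/reversewhois/?q=" + quote_plus(searchQuery.strip())
    print("[*] Extracting from: " + url)
    try:
        # Bounded wait so an unresponsive server cannot hang the run forever.
        page = requests.get(url, headers={"User-Agent": "Mozilla/5.0"}, timeout=30)
        tables = pd.read_html(page.text)
        return iter(tables[3][0])
    except Exception as e:
        print("[!] Couldn't send query, error: {e} exiting...\n".format(e=e))
        sys.exit(1)


def _parseRegistrantOrg(whoisText):
    """Return the registrant organisation named in WHOIS output, or ""."""
    for line in whoisText.splitlines():
        if "Registrant Organization" not in line:
            continue
        # Same steps as the former grep/sed pipeline: drop the first
        # "Organization", then keep whatever follows the first ": ".
        _, separator, value = line.replace("Organization", "", 1).partition(": ")
        if separator:
            return value.strip()
    return ""


def getOrganization(inputDomain):
    """Return the WHOIS "Registrant Organization" for ``inputDomain``.

    ``whois`` is started with an argument list instead of a shell command
    line. The original concatenated the domain into a ``shell=True`` string,
    so shell metacharacters in the argument were interpreted by the shell.
    Returns "" when the lookup cannot be run or no organisation is listed.
    The value comes from a remote WHOIS server and must be handled as
    untrusted data by callers.
    """
    # A leading "-" would be read by whois as an option, not a domain.
    if not inputDomain or inputDomain.startswith("-"):
        print("[!] Refusing WHOIS lookup for: " + repr(inputDomain))
        return ""
    try:
        whoisProc = subprocess.Popen(["whois", inputDomain], stdout=subprocess.PIPE)
    except OSError as e:
        print("[!] Couldn't run whois, error: {e}".format(e=e))
        return ""
    whoisOutput = whoisProc.communicate()[0]
    # Python 3 hands back bytes; callers concatenate the result with text.
    if not isinstance(whoisOutput, str):
        whoisOutput = whoisOutput.decode("utf-8", "replace")
    return _parseRegistrantOrg(whoisOutput)


# Main function to scrape other domain names based on the org and initial domain name.
# [1] We start by scraping the org for horizontal domains and add to array.
# [2] We scrape the inputDomain for horizontal domains and add to array.
# [3] The array list is then handed to verticalEnum (Sublist3r) for vertical enumeration.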
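# Syntax check for host names: dot-separated labels of letters, digits and
# inner hyphens, at least two labels, 253 characters at most. Everything that
# enters finalDomains passes through it, because the entries are later handed
# to external tools and written to disk.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}\Z)"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\Z"
)


def _isPlausibleDomain(candidate):
    """Return True when ``candidate`` is a syntactically valid host name."""
    try:
        return _DOMAIN_RE.match(candidate) is not None
    except TypeError:
        # Non-text table cells (for example NaN) are not domains.
        return False


def _addScrapedDomains(scrapedData):
    """Append new, well-formed entries of ``scrapedData`` to ``finalDomains``."""
    if scrapedData is None:
        # A failed scrape yields no iterator; there is nothing to add.
        return
    # The first row is skipped as before, presumably the table header.
    next(scrapedData, None)
    for candidate in scrapedData:
        # Scraped cells come from a third-party page: keep only values that
        # look like host names, and keep each of them once.
        if _isPlausibleDomain(candidate) and candidate not in finalDomains:
            finalDomains.append(candidate)


def horizontalEnum():
    """Build ``finalDomains`` from the domain given on the command line.

    Steps: validate ``sys.argv[1]``, look up its registrant organisation,
    scrape reverse-WHOIS results for the organisation (when one was found)
    and for the domain itself, then write the comma-separated list to
    ``horDoms.txt``.

    The scraped list may contain domains of unrelated registrants with a
    similar name, so treat it as candidates and confirm ownership before
    passing it to later stages.
    """
    enumDomain = sys.argv[1].strip()
    # The value reaches a WHOIS lookup and a URL, so reject anything that is
    # not a plain host name before it is used.
    if not _isPlausibleDomain(enumDomain):
        print("[!] Not a valid domain name: " + repr(enumDomain))
        sys.exit(1)
    if enumDomain not in finalDomains:
        finalDomains.append(enumDomain)

    print("Fetching domain organisation for " + enumDomain + " using WHOIS.")
    enumOrg = getOrganization(enumDomain) or ""
    # Python 3 returns bytes from a raw pipe read; normalise to text.
    if isinstance(enumOrg, bytes) and not isinstance(enumOrg, str):
        enumOrg = enumOrg.decode("utf-8", "replace")
    enumOrg = enumOrg.strip()
    print("- WHOIS lookup done, performing horizontal enumeration for {if found}: " + enumOrg)

    # Scrape other domains based on the organisation. An empty organisation
    # (for example a redacted WHOIS record) would only produce an empty query.
    if enumOrg:
        _addScrapedDomains(getdatafromViewDNS(enumOrg))
        # Pause between the two requests, as the original did.
        time.sleep(20)

    # Scrape other domains based on the input domain.
    _addScrapedDomains(getdatafromViewDNS(enumDomain))

    print("- All horizontal domains have been enumerated.")
    with open('horDoms.txt', 'w') as f:
        f.write(','.join(finalDomains))


###############################################################################
#                              PORT ENUMERATION                               #
###############################################################################


###############################################################################
#                                MAIN PROGRAM                                 #
###############################################################################

def main(arguments):
    """Run the whole pipeline: banner, cleanup, horizontal, then vertical.

    ``arguments`` is accepted for the caller's sake but not read here;
    horizontalEnum takes the domain from ``sys.argv[1]`` itself.
    """
    printArt()
    cleanupFiles()
    horizontalEnum()
    verticalEnum()


if __name__ == '__main__':
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1]))
    else:
        printArt()
        print("Please use domainname with e.g. fransRecon.py domainName")
        # The original evaluated a bare ``exit`` here, which does nothing;
        # signal the usage error through the exit status instead.
        sys.exit(1)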