├── .gitignore ├── README.md ├── chinaz.py ├── main.py ├── screenshot └── screenshot.png └── url.txt /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | pip-wheel-metadata/ 24 | share/python-wheels/ 25 | *.egg-info/ 26 | .installed.cfg 27 | *.egg 28 | MANIFEST 29 | 30 | # PyInstaller 31 | # Usually these files are written by a python script from a template 32 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 33 | *.manifest 34 | *.spec 35 | 36 | # Installer logs 37 | pip-log.txt 38 | pip-delete-this-directory.txt 39 | 40 | # Unit test / coverage reports 41 | htmlcov/ 42 | .tox/ 43 | .nox/ 44 | .coverage 45 | .coverage.* 46 | .cache 47 | nosetests.xml 48 | coverage.xml 49 | *.cover 50 | *.py,cover 51 | .hypothesis/ 52 | .pytest_cache/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | target/ 76 | 77 | # Jupyter Notebook 78 | .ipynb_checkpoints 79 | 80 | # IPython 81 | profile_default/ 82 | ipython_config.py 83 | 84 | # pyenv 85 | .python-version 86 | 87 | # pipenv 88 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 89 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 90 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 91 | # install all needed dependencies. 
92 | #Pipfile.lock 93 | 94 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow 95 | __pypackages__/ 96 | 97 | # Celery stuff 98 | celerybeat-schedule 99 | celerybeat.pid 100 | 101 | # SageMath parsed files 102 | *.sage.py 103 | 104 | # Environments 105 | .env 106 | .venv 107 | env/ 108 | venv/ 109 | ENV/ 110 | env.bak/ 111 | venv.bak/ 112 | 113 | # Spyder project settings 114 | .spyderproject 115 | .spyproject 116 | 117 | # Rope project settings 118 | .ropeproject 119 | 120 | # mkdocs documentation 121 | /site 122 | 123 | # mypy 124 | .mypy_cache/ 125 | .dmypy.json 126 | dmypy.json 127 | 128 | # Pyre type checker 129 | .pyre/ 130 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # 目前该项目为旧版本,已经无法达到预期效果,请勿使用! 2 | 3 | 4 | # WhoisSubodmain 5 | 6 | > 通过Whois信息发现更多与目标有关联的域名,扩大攻击面。 7 | 8 | ## :bulb:描述 9 | 为什么想做这个? 10 | 在以往的渗透测试流程中,前期信息搜集是一个非常耗时的事情,如:目标有哪些子公司?目标对外有哪些投资?目标的母公司是什么?以这些为出发点开始思考,如何能"自动化"?,想了想还是慢慢的先把各个小点击破,另外一个出发点是应对XX行动,Let's do it 11 | 12 | ## 功能 13 | - [x] 注册联系人反查 14 | - [x] 注册邮箱反查 15 | - [x] 注册联系人邮箱反查 16 | - [x] ICP备案号反查 17 | - [x] 邮箱黑名单 18 | - [x] 联系人黑名单 19 | 20 | 21 | 注册联系人邮箱反查: 22 | 在以往的渗透中发现反查联系人会有多个不同邮箱的情况,故该功能点产生 23 | 24 | 邮箱黑名单: 25 | 包含常见的域名服务商,例如xinnet.com,ename.com等,主要减少噪音,如想要添加请修改chinaz.py内email_blacklist 26 | 27 | 联系人黑名单: 28 | 顾名思义和邮箱黑名单作用一样,减少噪音 29 | 30 | ## 如何使用 31 | 将目标一行一个放置根目录下url.txt内,最终输出程序根目录res.txt 32 | 33 | ```text 34 | python3 main.py 35 | ``` 36 | 37 | ## 运行截图 38 | ![screenshot.png](screenshot/screenshot.png) 39 | 40 | 41 | ## 思考 42 | 做出来在告诉你 :-0 43 | -------------------------------------------------------------------------------- /chinaz.py: -------------------------------------------------------------------------------- 1 | #! 
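#!/usr/bin/env python3
# -*- coding:utf-8 -*-

'''
Author:YoungRichOG
Hacking Everything :-)
2020/07/17

Reverse whois / ICP lookups against chinaz.com.  Every function here scrapes
HTML (or one JSON endpoint) fetched over plain http://, so the strings it
returns are unauthenticated third-party data; main.py writes them to res.txt
unescaped, so that file should be treated as untrusted input downstream.
'''

import json
import re
import time

import requests


# Browser-like User-Agent sent with every request.
headers = {
    'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_0) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.56 Safari/535.11'
}

# Seconds to wait for each HTTP request.  The original set this only on the
# ICP calls; the whois calls had no timeout and could hang the whole run on an
# unresponsive host.
REQUEST_TIMEOUT = 5

# Seconds to pause before each request (crude pacing, kept from the original).
REQUEST_PAUSE = 2

# A result-page walk stops (keeping nothing from the current page) once the
# site's pager reports more than this many pages -- kept from the original.
MAX_PAGES = 10

# NOTE(review): the HTML-scraping patterns below were lost when this listing
# was extracted -- the HTML tags inside the string literals were stripped, so
# the page shows empty literals and the patterns cannot be recovered here.
# Both values are labelled placeholders that match nothing useful; restore
# them from the upstream chinaz.py before use.  The three reverse-lookup
# functions each carried their own literal; presumably the same pattern --
# verify upstream.
REVERSE_DOMAIN_RE = '__PATTERN_LOST_IN_EXTRACTION__'
ICP_NUMBER_RE = '__PATTERN_LOST_IN_EXTRACTION__(.*?)__PATTERN_LOST_IN_EXTRACTION__'

# Registrar / proxy mail domains that only add noise to a reverse-by-email
# lookup (the README points here for additions).
email_blacklist = [
    'xinnet.com','service.aliyun.com','35.cn','markmonitor.com','sfn.cn','brandma.co','ename.com','web.com'
]
# Registrant names that are privacy placeholders rather than real contacts.
contacts_blacklist = ['REDACTEDFORPRIVACY']


def _fetch(url, data=None):
    """GET *url* (POST with form *data* when given) with the shared headers and
    timeout, print the status code as the original did, and return the Response.

    Raises whatever ``requests`` raises (timeout, connection error); main.py
    catches Exception per target.
    """
    if data is None:
        r = requests.get(url=url, headers=headers, timeout=REQUEST_TIMEOUT)
    else:
        r = requests.post(url=url, data=data, headers=headers, timeout=REQUEST_TIMEOUT)
    print('[*] 当前状态码:%s' % r.status_code)
    return r


def _total_pages(html):
    """Return the page count shown by the result pager ('共N页,到第').

    Returns 0 when the pager is absent or N is not an integer (the original
    raised ValueError on a non-numeric N).
    """
    m = re.search('共(.*)页,到第', html)
    if m is None:
        return 0
    try:
        return int(m.group(1))
    except ValueError:
        return 0


def get_whois(domain):
    """Fetch the whois page for *domain* and return its reverse-lookup links.

    Returns ``(email, contacts)``: the relative ``/reverse?...`` link for the
    registrant e-mail (ddlSearchMode=1) and for the registrant name
    (ddlSearchMode=2), each replaced by the string ``'null'`` when the page has
    none or :func:`check_blacklist` rejects it.
    """
    time.sleep(REQUEST_PAUSE)
    email_re = r'(/reverse\?ddlSearchMode=1.*)">'
    domain_re = r'(/reverse\?host=.*&ddlSearchMode=2)"'

    html = _fetch("http://whois.chinaz.com/{}".format(domain)).text
    email_hits = re.findall(email_re, html)
    contact_hits = re.findall(domain_re, html)

    email = email_hits[0] if email_hits else 'null'
    contacts = contact_hits[0] if contact_hits else 'null'
    return check_blacklist(email, contacts)


def get_email_info(email):
    """Walk the reverse-by-email result pages and collect the listed domains.

    *email* is the ``/reverse?ddlSearchMode=1...`` link from get_whois; 'null'
    means "no e-mail" and yields an empty list.  Domains from every page are
    returned in one flat list -- the original appended one list per page and
    then returned only ``domain[0]``, i.e. the first page.
    The literal ``$wTimefilter`` in the query string is sent as-is (kept from
    the original).
    """
    domains = []
    if email == 'null':
        print('[*] 获取邮箱反查失败')
        return domains

    print('[*] 开始获取邮箱反查')
    for page in range(1, 101):
        time.sleep(REQUEST_PAUSE)
        print('[*] 第%s页' % page)
        url = "http://whois.chinaz.com{}&st=&startDay=&endDay=&wTimefilter=$wTimefilter&page={}".format(email, page)
        html = _fetch(url).text
        if _total_pages(html) > MAX_PAGES:
            break
        if '暂无相关数据' in html:
            print('[*] 获取邮箱反查结束\n')
            break
        domains.extend(re.findall(REVERSE_DOMAIN_RE, html))
    return domains


def get_contacts_info(contacts):
    """Walk the reverse-by-registrant result pages and collect domains.

    *contacts* is the ``/reverse?host=...&ddlSearchMode=2`` link from get_whois
    ('null' yields an empty list).  Besides the domains on each page, the
    distinct registrant e-mail links found on those pages are expanded through
    :func:`contacts_reverse_query`.  Returns one flat list of domains.
    """
    domains = []
    email_links = []

    if contacts == 'null':
        print('[*] 获取联系人反查失败')
    else:
        print('[*] 开始获取联系人反查')
        email_re = r'href="\?(.{0,500}?\&ddlSearchMode=1)'
        for page in range(1, 101):
            time.sleep(REQUEST_PAUSE)
            print('[*] 第%s页' % page)
            url = "http://whois.chinaz.com{}&st=&startDay=&endDay=&wTimefilter=$wTimefilter&page={}".format(contacts, page)
            html = _fetch(url).text
            # E-mail links are harvested even from the page that ends the walk.
            email_links.extend(re.findall(email_re, html))
            if _total_pages(html) > MAX_PAGES:
                break
            if '暂无相关数据' in html:
                print('[*] 获取联系人反查结束\n')
                break
            domains.extend(re.findall(REVERSE_DOMAIN_RE, html))

    # Keep one reverse link per distinct e-mail address (the host= value),
    # in first-seen order.
    seen_hosts = set()
    unique_links = []
    for link in email_links:
        for host in re.findall('host=(.*?)&', link):
            if host not in seen_hosts:
                seen_hosts.add(host)
                unique_links.append(link)

    for page_domains in contacts_reverse_query(unique_links):
        domains.extend(page_domains)
    return domains


def get_icp_info(domain):
    """Look up *domain*'s ICP licence number and return the hosts filed under it.

    Only the part of the licence number before the first '-' is queried.  A
    host entry containing spaces is rewritten so that each host lands on its
    own 'domain,host' row when main.py writes res.txt.  When no licence number
    is found the ICP query is skipped (the original searched for the literal
    keyword 'null').
    """
    print('[*] 开始获取ICP备案反查')
    html = _fetch("http://icp.chinaz.com/{}".format(domain)).text

    hits = re.findall(ICP_NUMBER_RE, html)
    icp_number = hits[0] if hits else 'null'
    if icp_number == 'null':
        return []
    if '-' in icp_number:
        icp_number = icp_number.split('-')[0]

    domain_list = []
    for host in get_icp_number_info(icp_number):
        if ' ' in host:
            domain_list.append(host.replace(' ', '\n{},'.format(domain)))
        else:
            domain_list.append(host)
    return domain_list


def get_icp_number_info(icp_re):
    """Page through the icp.chinaz.com JSON endpoint for licence *icp_re*.

    Posts ``pageNo``/``pageSize``/``Kw`` form data and returns the ``host``
    field of every row in the response's ``data`` array, stopping at the first
    empty page.  A response without a JSON body or ``data`` key ends the walk
    with a message instead of aborting the whole target as the original did.
    """
    domain_list = []
    for page in range(1, 101):
        time.sleep(REQUEST_PAUSE)
        print('[*] 第%s页' % page)
        data = {'pageNo':page,'pageSize':'1000','Kw':icp_re}
        r = _fetch("http://icp.chinaz.com/Home/PageData", data=data)
        try:
            rows = r.json()['data']
        except (ValueError, KeyError, TypeError) as e:
            print('[*] 获取ICP备案反查失败:%s' % e)
            break
        if not rows:
            print('[*] 获取ICP备案反查结束\n')
            break
        domain_list.extend(row['host'] for row in rows)
    return domain_list


def contacts_reverse_query(bbb):
    """Run a reverse-by-email walk for each registrant e-mail link in *bbb*.

    Returns a list with one list of domains per result page (pages are not
    flattened; get_contacts_info does that).
    """
    pages = []
    for link in bbb:
        print('[*] 开始获取联系人邮箱反查')
        for page in range(1, 101):
            time.sleep(REQUEST_PAUSE)
            print('[*] 第%s页' % page)
            url = "http://whois.chinaz.com/reverse?{}&st=&startDay=&endDay=&wTimefilter=$wTimefilter&page={}".format(link, page)
            html = _fetch(url).text
            if _total_pages(html) > MAX_PAGES:
                break
            if '暂无相关数据' in html:
                print('[*] 获取联系人邮箱反查结束\n')
                break
            pages.append(re.findall(REVERSE_DOMAIN_RE, html))
    return pages


def check_blacklist(email, contacts):
    """Null out reverse-lookup links that would only add noise.

    *email* / *contacts* are the ``/reverse?...`` links from get_whois (either
    may already be 'null').  The ``host=`` query value is examined: an e-mail
    whose domain part is in email_blacklist, or a registrant name in
    contacts_blacklist, is replaced by 'null'.  Returns the (email, contacts)
    pair.

    The original captured ``host=(.*)&`` greedily, which swallowed any later
    query parameters into the value and required a trailing '&';
    ``host=([^&]*)`` takes just the value, also when host is the last parameter.
    """
    host_re = 'host=([^&]*)'

    email_hosts = re.findall(host_re, email)
    if not email_hosts or '@' not in email_hosts[0]:
        print('[*] 没有获取到邮箱')
        email = 'null'
    elif email_hosts[0].split('@')[1] in email_blacklist:
        email = 'null'

    contact_hosts = re.findall(host_re, contacts)
    if not contact_hosts:
        print('[*] 没有获取到联系人')
        contacts = 'null'
    elif contact_hosts[0] in contacts_blacklist:
        contacts = 'null'

    return email, contacts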
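#!/usr/bin/env python3
# -*- coding:utf-8 -*-

'''
Author:YoungRichOG
Hacking Everything :-)
2020/07/17
'''

import chinaz


def main():
    """Run the chinaz reverse lookups for every target listed in url.txt.

    url.txt holds one target domain per line (see README).  For each target the
    whois page is fetched, then the registrant, e-mail and ICP reverse lookups
    run, and every distinct domain found is appended to res.txt as a
    'target,domain' row.  A failure on one target is printed and the run moves
    on to the next.
    """
    with open('url.txt', 'r') as f:
        for line in f:
            target = line.rstrip()
            if not target:
                continue  # a blank line would otherwise query the whois page for ''
            print('[*] 当前任务:%s' % target)
            try:
                # get_whois sat outside the try in the original, so one failed
                # whois request aborted the whole run instead of this target only.
                email_link, contacts_link = chinaz.get_whois(domain=target)
                contacts_domains = chinaz.get_contacts_info(contacts=contacts_link)
                email_domains = chinaz.get_email_info(email=email_link)
                icp_domains = chinaz.get_icp_info(domain=target)
                print('[*] get_contacts_info模块:', contacts_domains)
                print('[*] get_email_info模块:', email_domains)
                print('[*] get_icp_info模块:', icp_domains)
                # dict.fromkeys de-duplicates like set() but keeps first-seen
                # order, so res.txt rows come out in a stable order.
                found = list(dict.fromkeys(email_domains + contacts_domains + icp_domains))
                # Values are scraped from third-party pages and written
                # unescaped; one containing ',' or '\n' changes the row layout
                # (get_icp_info relies on that for multi-host entries).
                with open('res.txt', 'a+') as out:
                    for found_domain in found:
                        out.write(target + ',' + found_domain + '\n')
                print('[*] 共发现域名:%s个' % len(found))
                print('*' * 30 + target + '整体结束' + '*' * 30)
            except Exception as e:
                print('发生错误:', e)


if __name__ == '__main__':
    main()


# The repository listing on this page continues with two non-code files:
#   /screenshot/screenshot.png -> https://raw.githubusercontent.com/YoungRichOG/WhoisSubdomain/b70ede283014ef85afa5efd500319c882be081ad/screenshot/screenshot.png
#   /url.txt                   -> one target per line; the checked-in sample is "example.com"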