├── LICENSE.md ├── README.md ├── config.json ├── core ├── __init__.py ├── __pycache__ │ ├── __init__.cpython-38.pyc │ ├── dnslookup.cpython-38.pyc │ ├── domainfuzzer.cpython-38.pyc │ ├── env.cpython-38.pyc │ └── logger.cpython-38.pyc ├── dnslookup.py ├── domainfuzzer.py ├── env.py └── logger.py ├── fierce_improved.txt ├── patchnotes.txt ├── plugins ├── README.md ├── __init__.py ├── __pycache__ │ └── __init__.cpython-38.pyc ├── aws │ ├── README.md │ ├── __init__.py │ ├── __pycache__ │ │ ├── __init__.cpython-38.pyc │ │ └── plugin.cpython-38.pyc │ └── plugin.py ├── censys │ ├── README.md │ ├── __init__.py │ ├── __pycache__ │ │ ├── __init__.cpython-38.pyc │ │ └── plugin.cpython-38.pyc │ └── plugin.py ├── circl │ ├── README.md │ ├── __init__.py │ ├── __pycache__ │ │ ├── __init__.cpython-38.pyc │ │ └── plugin.cpython-38.pyc │ └── plugin.py ├── citrix │ ├── README.md │ ├── __init__.py │ ├── __pycache__ │ │ ├── __init__.cpython-38.pyc │ │ └── plugin.cpython-38.pyc │ └── plugin.py ├── crtsh │ ├── README.md │ ├── __init__.py │ ├── __pycache__ │ │ ├── __init__.cpython-38.pyc │ │ └── plugin.cpython-38.pyc │ └── plugin.py ├── dnsdumpster │ ├── README.md │ ├── __init__.py │ ├── __pycache__ │ │ ├── __init__.cpython-38.pyc │ │ └── plugin.cpython-38.pyc │ └── plugin.py ├── hackertarget │ ├── __init__.py │ ├── __pycache__ │ │ ├── __init__.cpython-38.pyc │ │ └── plugin.cpython-38.pyc │ └── plugin.py ├── microsoft │ ├── README.md │ ├── __init__.py │ ├── __pycache__ │ │ ├── __init__.cpython-38.pyc │ │ └── plugin.cpython-38.pyc │ └── plugin.py ├── securitytrails │ ├── README.md │ ├── __init__.py │ ├── __pycache__ │ │ ├── __init__.cpython-38.pyc │ │ └── plugin.cpython-38.pyc │ └── plugin.py └── virustotal │ ├── README.md │ ├── __init__.py │ ├── __pycache__ │ ├── __init__.cpython-38.pyc │ └── plugin.cpython-38.pyc │ └── plugin.py ├── requirements.txt ├── subdomain_megalist.txt └── subfuz.py /LICENSE.md: -------------------------------------------------------------------------------- 1 | 
SubFuz - A Subdomain Fuzzing Tool 2 | Copyright (C) 2019 Torstein Mauseth 3 | 4 | This program is free software: you can redistribute it and/or modify 5 | it under the terms of the GNU General Public License as published by 6 | the Free Software Foundation, either version 3 of the License, or 7 | (at your option) any later version. 8 | 9 | This program is distributed in the hope that it will be useful, 10 | but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | GNU General Public License for more details. 13 | 14 | You should have received a copy of the GNU General Public License 15 | along with this program. If not, see https://www.gnu.org/licenses/. -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # SubFuz - A Subdomain Fuzzer 2 | SubFuz is a fuzzing tool used for enumerating subdomains through multiple methods. 3 | This tool has various built-in enumeration methods, as well as plugin support to enrich your results from different third-party sources. SubFuz accepts internationalized domain names (IDN), allowing you to scan domains like пример.example, 例.example, мысал.example - as well as use UTF-8 based words in your fuzzing dictionary. 4 | 5 | When SubFuz identifies a valid subdomain, it will perform mutation techniques on the subdomain to find similar, adjacent or deeper subdomains. As an example, if web.example.com was discovered, SubFuz will then check DNS to see if there's a web01.example.com, web02.example.com and so on. SubFuz will also append any words listed in the config option "deep_domains", testing for things such as admin.web.example.com, api.web.example.com and so on. 
6 | 7 | ### Requirements 8 | [![](https://img.shields.io/badge/python-3-blue.svg)](https://www.python.org/downloads/) 9 | 10 | Currently tested on Linux with python 3.10 11 | ``` 12 | sudo apt-get install python3 python3-pip 13 | git clone https://github.com/netsecurity-as/subfuz/ 14 | cd subfuz 15 | python3 -m pip install -r requirements.txt 16 | ``` 17 | 18 | ### Usage 19 | ``` 20 | $ python3 subfuz.py -h 21 | usage: subfuz.py [-h] [-d TARGET] [-l TARGET_LIST] [-w DICTIONARY] 22 | [-o LOG_FILENAME] [-csv CSV_FILENAME] [-deep DEEP] [-dns DNS] 23 | [-protocol PROTOCOL] [-record RECORD] [-p P] [-z Z] [-r R] 24 | [-t T] [-zone] [-ptr] [-quiet] [-all] 25 | 26 | required arguments: 27 | -d TARGET Specify domain to fuzz, or.. 28 | -l TARGET_LIST Specify list of domains to fuzz 29 | 30 | optional arguments: 31 | -w DICTIONARY Specify fuzzing dictionary to use 32 | -o LOG_FILENAME Write output to a file 33 | -csv CSV_FILENAME Write output to a csv file. Use - for stdout 34 | -deep DEEP Specify fuzzing dictionary for deep subdomain testing 35 | -dns DNS Override DNS server to query [ None ] 36 | -protocol PROTOCOL Override DNS protocol [ None ] 37 | -record RECORD Override DNS query record [ None ] 38 | -p P DNS timeout [ 3 ] sec 39 | -z Z DNS request throttle [ 0 ] ms 40 | -r R DNS retries if failed [ 3 ] 41 | -t T Threads active [ 5 ] 42 | -zone Disable Zone Transfer testing 43 | -ptr Disable PTR check on related domains on the current /24 network 44 | -quiet Suppress terminal output 45 | 46 | 47 | plugins: 48 | -all Enable all plugins 49 | - 50 | ``` 51 | 52 | ### Configuration 53 | See [**config.json**](/config.json) to customize default options and to enable or disable plugins. 
54 | 55 | | Parameter | Default | Description | 56 | | ------ | ------ | ------ | 57 | | threads | 5 | Number of parallel threads to run scans with | 58 | | dns_fallback | 8.8.8.8 | Fallback DNS server to resolve queries | 59 | | dns_fallback_protocol | UDP | Fallback protocol to resolve with | 60 | | dns_fallback_record | ANY | Fallback record type to resolve with | 61 | | dns_override | null | Permanently override DNS server | 62 | | dns_override_protocol | null | Permanently override DNS protocol | 63 | | dns_override_record | null | Permanently override DNS record | 64 | | throttle | 0 | Rate-limit each thread by x milliseconds | 65 | | timeout | 3 | DNS query timeout | 66 | | retry | 3 | Number of retries on failed queries | 67 | | deep_domains | N/A | Additional tests performed on located subdomains, e.g. admin.subdomain.domain.com | 68 | | txt_record_search | N/A | Display and log matching TXT records | 69 | 70 | ### Plugins 71 | For plugin development or contributions, see [/plugins/README.md](/plugins/README.md) for how to get started. 
72 | SubFuz is currently extended with the following plugins: 73 | 74 | | Plugin | README | Author | 75 | | ------ | ------ | ------ | 76 | | virustotal | [/plugins/virustotal/README.md](plugins/virustotal/README.md) | [Eplox](https://github.com/Eplox/) | 77 | | crtsh | [/plugins/crtsh/README.md](plugins/crtsh/README.md) | [Eplox](https://github.com/Eplox/) | 78 | | censys | [/plugins/censys/README.md](plugins/censys/README.md) | [Eplox](https://github.com/Eplox/) | 79 | | hackertarget | hackertarget.com | [Vegar](https://github.com/VegarLH) | 80 | | microsoft | [/plugins/microsoft/README.md](plugins/microsoft/README.md) | [Eplox](https://github.com/Eplox/) | 81 | | citrix | [/plugins/citrix/README.md](plugins/citrix/README.md) | [hahnium](https://github.com/hahnium) | 82 | | aws | [/plugins/aws/README.md](plugins/aws/README.md) | [hahnium](https://github.com/hahnium) | 83 | | circl | [/plugins/circl/README.md](plugins/circl/README.md) | [hahnium](https://github.com/hahnium) | 84 | | dnsdumpster | [/plugins/dnsdumpster/README.md](plugins/dnsdumpster/README.md) | [hahnium](https://github.com/hahnium) | 85 | 86 | ### Recommendations 87 | Grab the domain fuzzing lists from Daniel Miessler's repository: https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS 88 | 89 | The included DNS wordlist is based on this source. 90 | 91 | ### License 92 | This project is licensed under the [GPL license](/LICENSE.md). 
93 | 94 | [![License: GPL v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0) 95 | -------------------------------------------------------------------------------- /config.json: -------------------------------------------------------------------------------- 1 | { 2 | "config":{ 3 | "threads": 5, 4 | "dns_fallback": "8.8.8.8", 5 | "dns_fallback_protocol": "UDP", 6 | "dns_fallback_record": "ANY", 7 | "dns_override": null, 8 | "dns_override_protocol": null, 9 | "dns_override_record": null, 10 | "throttle": 0, 11 | "timeout": 3, 12 | "retry": 3, 13 | "deep_domains":["admin", "api", "app", "backup", "beta", "blog", "cdn", "client", "cpanel", "customer", 14 | "demo", "dev", "devapp", "email", "gw", "intra", "mail", "new", "old", "owa", "phpmyadmin", 15 | "prod", "remote", "security", "stage", "store", "support", "test", "webconf", "webmail", 16 | "www"], 17 | "txt_record_search":["v=spf","v=DKIM", "v=DMARC"], 18 | "error_file":"error.log" 19 | }, 20 | "plugins":{ 21 | "_comment": "name of plugin config must be equal to constant 'NAME' for the plugin", 22 | "_comment2": "set enable to true for subfuz to include listed plugin.", 23 | "virustotal":{ 24 | "enable": false, 25 | "api-key":"" 26 | }, 27 | "crtsh":{ 28 | "enable": true 29 | }, 30 | "censys":{ 31 | "enable": false, 32 | "uid": "", 33 | "secret": "", 34 | "max_records": 100 35 | }, 36 | "hackertarget":{ 37 | "enable": true 38 | }, 39 | "microsoft": { 40 | "enable": true 41 | }, 42 | "citrix": { 43 | "enable": true 44 | }, 45 | "aws": { 46 | "enable": true 47 | }, 48 | "circl": { 49 | "enable": false, 50 | "user": "", 51 | "pass": "" 52 | }, 53 | "dnsdumpster": { 54 | "enable": true 55 | }, 56 | "securitytrails": { 57 | "enable": false, 58 | "apikey": "" 59 | } 60 | } 61 | } -------------------------------------------------------------------------------- /core/__init__.py: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/core/__init__.py -------------------------------------------------------------------------------- /core/__pycache__/__init__.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/core/__pycache__/__init__.cpython-38.pyc -------------------------------------------------------------------------------- /core/__pycache__/dnslookup.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/core/__pycache__/dnslookup.cpython-38.pyc -------------------------------------------------------------------------------- /core/__pycache__/domainfuzzer.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/core/__pycache__/domainfuzzer.cpython-38.pyc -------------------------------------------------------------------------------- /core/__pycache__/env.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/core/__pycache__/env.cpython-38.pyc -------------------------------------------------------------------------------- /core/__pycache__/logger.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/core/__pycache__/logger.cpython-38.pyc -------------------------------------------------------------------------------- /core/dnslookup.py: 
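--------------------------------------------------------------------------------
import dns.name
import dns.message
import dns.query
import dns.flags
import dns.rdatatype
import dns.reversename
from socket import gethostbyname_ex


# acceptable request types:
""" ['A', 'A6', 'AAAA', 'AFSDB', 'ANY', 'APL', 'AVC', 'AXFR', 'CAA', 'CDNSKEY', 'CDS', 'CERT', 'CNAME',
'CSYNC', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'EUI48', 'EUI64', 'GPOS', 'HINFO', 'HIP', 'IPSECKEY',
'ISDN', 'IXFR', 'KEY', 'KX', 'LOC', 'MAILA', 'MAILB', 'MB', 'MD', 'MF', 'MG', 'MINFO', 'MR', 'MX',
'NAPTR', 'NONE', 'NS', 'NSAP', 'NSAP_PTR', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'NULL', 'NXT', 'OPT', 'PTR',
'PX', 'RP', 'RRSIG', 'RT', 'SIG', 'SOA', 'SPF', 'SRV', 'SSHFP', 'TA', 'TKEY', 'TLSA', 'TSIG', 'TXT',
'UNSPEC', 'URI', 'WKS', 'X25'] """


class ProtocolError(Exception):
    """Raised inside lookup() when `protocol` is neither 'TCP' nor 'UDP'.

    lookup() catches it again in the same function, so callers never see it;
    they receive ``False`` instead.
    """


def lookup(domain, type='ANY', nameserver='8.8.8.8', protocol='UDP', dnstimeout=2):
    """Send a single DNS query and return the answer section of the response.

    Args:
        domain: Name to query; internationalized names are IDNA-encoded first.
            When ``type`` is 'PTR' this must be an IP address, which is
            converted to its reverse-lookup name.
        type: Record type name, looked up as an attribute of ``dns.rdatatype``
            (see the list of acceptable request types above). The parameter
            shadows the builtin ``type``; the name is kept because it is part
            of the function's interface.
        nameserver: Hostname or IP address of the server to query. Callers
            that omit it send the queried name to 8.8.8.8, so code that must
            honour a configured or overridden resolver has to pass it
            explicitly.
        protocol: 'UDP' or 'TCP' (compared exactly, upper case).
        dnstimeout: Timeout in seconds handed to the dnspython query call.

    Returns:
        The ``answer`` list of the response (possibly empty), or ``False``
        when the nameserver cannot be resolved, the query cannot be built,
        the protocol is not recognised, or sending/receiving fails.

    Raises:
        Whatever IDNA encoding of ``domain`` or
        ``dns.reversename.from_address`` raise for malformed input; those
        calls are deliberately left unguarded so bad caller input stays
        distinguishable from a network failure.

    Notes:
        * The answer is returned as received. Nothing here inspects the
          response flags, so the result must not be treated as
          DNSSEC-validated even though the AD bit is set on the query.
        * There is no retry over TCP when a UDP response comes back
          truncated; large ANY/TXT answers fetched over UDP may therefore be
          incomplete.
    """
    # IDNA-encode so non-ASCII labels are sent in their ASCII form.
    domain = domain.encode('idna').decode('utf-8')
    if type == 'PTR':
        # The caller passed an IP address; query its reverse-lookup name.
        domain = dns.reversename.from_address(domain).to_text()

    # `nameserver` may be a hostname, so resolve it with the system resolver.
    # A resolution failure is an environment/network failure like a timeout,
    # so report it through the same ``False`` return instead of letting
    # socket.gaierror (an OSError) escape to callers that only test the
    # return value.
    try:
        nameserver = gethostbyname_ex(nameserver.encode('idna'))[2][0]
    except (OSError, UnicodeError):
        return False

    # Class value stored in the OPT pseudo-record added below.
    # NOTE(review): in an EDNS0 OPT record the class field carries the
    # advertised UDP payload size (RFC 6891); confirm this hand-built record
    # behaves as intended with the dnspython version in requirements.txt.
    ADDITIONAL_RDCLASS = 65535
    try:
        # An unknown type name raises AttributeError here and is reported as
        # a failed lookup.
        request = dns.message.make_query(domain, getattr(dns.rdatatype, type))
    except Exception:
        return False
    request.flags |= dns.flags.AD
    request.find_rrset(request.additional, dns.name.root, ADDITIONAL_RDCLASS,
                       dns.rdatatype.OPT, create=True, force_unique=True)

    try:
        if protocol == 'TCP':
            return dns.query.tcp(request, nameserver, timeout=dnstimeout).answer
        elif protocol == 'UDP':
            return dns.query.udp(request, nameserver, timeout=dnstimeout).answer
        else:
            # Caught by the handler just below: an unsupported protocol is
            # reported as False, exactly like a timeout.
            raise ProtocolError("Invalid Protocol", -1)
    except Exception:
        # Best effort by design: timeouts, refused connections and malformed
        # responses all collapse into "no result".
        return False

--------------------------------------------------------------------------------
/core/domainfuzzer.py: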
-------------------------------------------------------------------------------- 1 | from core.dnslookup import lookup 2 | from core.logger import Output, col 3 | from threading import Thread, Lock 4 | from core.env import SIGINT_handler 5 | from socket import gethostbyname_ex 6 | import time, signal, math 7 | import random, string, sys, re 8 | import dns.zone 9 | import traceback 10 | 11 | class ScanList(): 12 | def __init__(self, args): 13 | if args.dictionary: 14 | try: 15 | #self.unscanned = map(unicode.strip, io.open(args.dictionary, encoding='utf-8', mode='r').readlines()) 16 | with open(args.dictionary, encoding='UTF-8') as f: 17 | self.unscanned = [line.rstrip() for line in f] 18 | except IOError as e: 19 | print(traceback.print_exc()) 20 | print (e) 21 | sys.exit() 22 | else: 23 | self.unscanned = [] 24 | self.unscanned.insert(0,'') 25 | self.scanned = [] 26 | self.found = [] 27 | self.n_unscanned = len(self.unscanned) 28 | self.n_scanned = len(self.scanned) 29 | self.items = [] 30 | self.subnets = [] 31 | self.ptr_unscanned_ip = [] 32 | self.ptr_scanned = 0 33 | self.scan_failed = [] 34 | self.failcounter = 0 35 | 36 | 37 | class SubFuz(): 38 | def __init__(self, domain, config, args, PLUGINS_DIR, CORE_DIR): 39 | self.handler = SIGINT_handler() 40 | signal.signal(signal.SIGINT, self.handler.signal_handler) 41 | self.log = Output(args.log_filename, args.csv_filename, config['config']['error_file'], args.quiet) 42 | self.domain = domain.encode('idna').decode('utf-8') 43 | self.throttle = args.z / 1000.0 44 | self.threads = args.t 45 | self.zone = args.zone 46 | self.retry = config['config']['retry'] 47 | if args.csv_filename: self.csv = True 48 | else: self.csv = False 49 | if args.deep: 50 | with open(args.deep, encoding='UTF-8') as f: 51 | self.deep_domains = [line.rstrip() for line in f] 52 | #self.deep_domains = map(unicode.strip, io.open(args.deep, encoding='utf-8', mode='r').readlines()) 53 | else: self.deep_domains = config["config"]["deep_domains"] 
54 | self.timeout = args.p 55 | if args.dns: self.dns = args.dns 56 | else: self.dns = config['config']['dns_fallback'] 57 | if args.protocol: self.protocol = args.protocol 58 | else: self.protocol = config['config']['dns_fallback_protocol'] 59 | self.protocol = self.protocol.upper() 60 | if args.record: self.record = args.record 61 | else: self.record = config['config']['dns_fallback_record'] 62 | self.args = args 63 | self.config = config 64 | # TODO move wildcards to ScanList 65 | self.a_wildcard = self.aaaa_wildcard = self.txt_wildcard = self.mx_wildcard = self.cname_wildcard = [] 66 | self.sl = ScanList(args) 67 | # Mutex lock required to avoid issues with multiple threads working on the same object. 68 | self.mutex = Lock() 69 | 70 | self.f1 = '{:50}' 71 | self.f2 = '{:8}' 72 | self.f3 = '{:10}' 73 | self.f4 = '{:46}' 74 | 75 | self.log.normal("Scanning: %s" % domain, True) 76 | 77 | def check_dns_server(self): 78 | # If dns override is not specified 79 | dns_servers = [] 80 | if not self.args.dns: 81 | ns_record = lookup(self.domain, 'NS', self.config['config']['dns_fallback'], self.protocol, self.timeout) 82 | if not ns_record: 83 | ns_record = lookup(".".join(self.domain.split('.')[-2:]), 'NS', self.config['config']['dns_fallback'], self.protocol, self.timeout) 84 | # TODO very ugly way of doing it, https://publicsuffix.org/list/public_suffix_list.dat is on the to-do list 85 | # currently doesn't handle target domain inputs like subdomain.domain.co.uk or similar domains very well yet. 86 | if not ns_record: # Exit early if ns_record is not found. 
87 | self.log.fatal('Unable to lookup NS server', True) 88 | return False 89 | nameservers = [x for x in ns_record if x.rdtype == 2] 90 | if nameservers: 91 | self.log.normal('Name Servers:', True) 92 | # For every NS record found 93 | for y in nameservers[0]: 94 | dns_server_name = y.target.to_text() 95 | # get DNS server IP 96 | try: 97 | print(dns_server_name) 98 | dns_servers.append( 99 | [lookup(dns_server_name,'A', self.config['config']['dns_fallback'], self.protocol, self.timeout)[0][0].address, y.target.to_text()]) 100 | except: 101 | self.log.fatal(self.f4.format(dns_server_name) + '{:15}'.format('Unable to resolv DNS server'), True) 102 | else: 103 | self.log.warn('No Name Servers found for %s' % self.domain, True) 104 | return False 105 | else: 106 | dns_servers.append([self.args.dns, self.args.dns]) 107 | # Zone transfer 108 | for dns_server in dns_servers: 109 | nameserver = gethostbyname_ex(dns_server[0].encode('idna'))[2][0] 110 | if self.zone: 111 | try: 112 | z = dns.zone.from_xfr(dns.query.xfr(nameserver, self.domain, timeout=10, lifetime=10)) 113 | self.log.good(self.f4.format(dns_server[1]) + '{:15}'.format(dns_server[0]) + ' - Zone Transfer allowed.', True) 114 | #names = z.nodes.keys() 115 | #for n in names: 116 | # self.log.normal(z[n].to_text(n), True) 117 | except: 118 | self.log.warn( 119 | self.f4.format(dns_server[1]) + '{:15}'.format(dns_server[0]) + ' - Zone Transfer not allowed.', True) 120 | else: 121 | self.log.neutral(self.f4.format(dns_server[1]) + '{:15}'.format(dns_server[0]), True) 122 | 123 | # Testing for open TCP and UDP ports for DNS servers, and what type of records are permitted. 
124 | # TCP - ANY 125 | dns_result = [] 126 | start = time.time() 127 | tany = lookup(self.domain, 'ANY', dns_server[0], 'TCP', self.timeout) 128 | end = time.time() 129 | if tany: 130 | if [x for x in tany if x.rdtype == 1 or x.rdtype == 28 or x.rdtype == 5 or x.rdtype == 15 or x.rdtype == 16]: 131 | dns_result.append(['TCP', dns_server[0], 'ANY', end - start]) 132 | # TCP - A 133 | start = time.time() 134 | ta = lookup(self.domain, 'A', dns_server[0], 'TCP', self.timeout) 135 | end = time.time() 136 | if ta: 137 | if [x for x in ta if x.rdtype == 1]: 138 | dns_result.append(['TCP', dns_server[0], 'A', end - start]) 139 | # UDP - ANY 140 | start = time.time() 141 | uany = lookup(self.domain, 'ANY', dns_server[0], 'UDP', self.timeout) 142 | end = time.time() 143 | if uany: 144 | if [x for x in uany if x.rdtype == 1 or x.rdtype == 28 or x.rdtype == 5 or x.rdtype == 15 or x.rdtype == 16]: 145 | dns_result.append(['UDP', dns_server[0], 'ANY', end - start]) 146 | # UDP - A 147 | start = time.time() 148 | ua = lookup(self.domain, 'A', dns_server[0], 'UDP', self.timeout) 149 | end = time.time() 150 | if ua: 151 | if [x for x in ua if x.rdtype == 1]: 152 | dns_result.append(['UDP', dns_server[0], 'A', end - start]) 153 | 154 | 155 | # Figure out the best combination to use 156 | dns_result = sorted(dns_result, key=lambda x: (x[3], x[1], x[0], x[2])) 157 | a = [i for i in dns_result if i[0] == 'UDP' and i[2] == 'ANY'] 158 | b = [i for i in dns_result if i[0] == 'TCP' and i[2] == 'ANY'] 159 | c = [i for i in dns_result if i[0] == 'UDP' and i[2] == 'A'] 160 | d = [i for i in dns_result if i[0] == 'TCP' and i[2] == 'A'] 161 | 162 | if a: # ANY + UDP 163 | self.dns, self.protocol, self.record, delay = a[0][1], a[0][0], a[0][2], a[0][3] 164 | elif b: # ANY + TCP 165 | self.dns, self.protocol, self.record, delay = b[0][1], b[0][0], b[0][2], b[0][3] 166 | elif c: # A + UDP 167 | self.dns, self.protocol, self.record, delay = c[0][1], c[0][0], c[0][2], c[0][3] 168 | elif d: # A + 
TCP 169 | self.dns, self.protocol, self.record, delay = d[0][1], d[0][0], d[0][2], d[0][3] 170 | else: #fallback 171 | self.dns, self.protocol, self.record, delay = self.config['config']['dns_fallback'], self.config['config']['dns_fallback_protocol'], self.config['config']['dns_fallback_record'], 0 172 | self.log.warn('Unable to find information about %s, falling back to DNS %s, Proto %s, Type %s ' % (self.domain, self.dns, self.protocol, self.record), True) 173 | 174 | # Compensate for override 175 | override_dns = self.args.dns 176 | override_record = self.args.record 177 | override_protocol = self.args.protocol 178 | if override_record: self.record = override_record 179 | if override_dns: self.dns = override_dns 180 | if override_protocol: self.protocol = override_protocol 181 | self.log.neutral('Using nameserver %s, query type %s over %s with RTT of %.4f seconds' % (self.dns, self.record, self.protocol, delay), True) 182 | return True 183 | 184 | def check_wildcard(self, domain_addr): 185 | try: 186 | wildcard = ''.join(random.choice(string.ascii_lowercase) for _ in range(15)) 187 | ans = lookup( (wildcard + '.' 
+ domain_addr), self.record, self.dns, self.protocol, self.timeout) 188 | if ans: 189 | wc = False 190 | d = domain_addr #.encode('utf-8') 191 | for r in ans: 192 | if r.rdtype == 1: # A RECORD 193 | item = [] 194 | for x in r.items: 195 | item.append(x.to_text()) 196 | self.a_wildcard += item 197 | self.log.warn(self.f1.format("Wildcard A record found for %s: " % d) + ", ".join(item), True) 198 | wc = True 199 | 200 | if r.rdtype == 5: # CNAME RECORD 201 | item = [] 202 | for x in r.items: 203 | item.append(x.to_text()) 204 | self.cname_wildcard += item 205 | self.log.warn(self.f1.format("Wildcard CNAME record found for %s: " % d) + ", ".join(item), True) 206 | wc = True 207 | 208 | if r.rdtype == 16: # TXT RECORD 209 | item = [] 210 | for x in r.items: 211 | item.append(x.to_text()) 212 | self.txt_wildcard += item 213 | self.log.warn(self.f1.format("Wildcard TXT record found for %s: " % d) + ", ".join(item), True) 214 | wc = True 215 | 216 | if r.rdtype == 28: # AAAA RECORD 217 | item = [] 218 | for x in r.items: 219 | item.append(x.to_text()) 220 | self.aaaa_wildcard += item 221 | self.log.warn(self.f1.format("Wildcard AAAA record found for %s: " % d) + ", ".join(item), True) 222 | wc = True 223 | 224 | if r.rdtype == 15: # MX RECORD 225 | item = [] 226 | for x in r.items: 227 | item.append(x.to_text()) 228 | self.mx_wildcard += item 229 | self.log.warn(self.f1.format("Wildcard MX record found for %s: " % d) + ", ".join(item), True) 230 | wc = True 231 | if wc == True: return True 232 | #if not wc: 233 | # return False 234 | except Exception as e: 235 | self.log.fatal(('Wildcard check on %s.' 
% domain_addr), False) 236 | print(traceback.print_exc()) 237 | print (e) 238 | return False 239 | 240 | 241 | def execute_plugins(self, plugins, self_class): 242 | for name, value in self.args._get_kwargs(): 243 | for plugin in plugins: 244 | if self.handler.SIGINT: 245 | return 246 | if (value is True or self.args.all) and name is plugin.NAME: 247 | try: 248 | plugin_conf = self.config['plugins'][plugin.NAME] 249 | self.log.good('Executing plugin: %s' % name, True) 250 | subdomains = plugin.execute(domain = self.domain, config = plugin_conf, subfuz = self_class) 251 | if subdomains: 252 | self.log.neutral("%d subdomains found" % len(subdomains), False) 253 | for d in subdomains: 254 | self.new_targets(d.lower()) 255 | except Exception as e: 256 | print(traceback.print_exc()) 257 | self.log.fatal(str(e), True) 258 | # TODO: domains causes output clutter that is wildcard related. 259 | 260 | 261 | def scan(self): 262 | self.log.normal('\n\n' + self.f1.format('Domain Name') + self.f2.format('Record') + 'Value', True) 263 | self.log.normal('------------------------------------------------------', True) 264 | threads = [] 265 | for i in range(self.threads): 266 | t = Thread(target=self.scan_worker) 267 | threads.append(t) 268 | t.start() 269 | while any(t.is_alive() for t in threads): 270 | self.status_print() 271 | time.sleep(0.05) 272 | self.status_print(True) 273 | return 274 | 275 | def status_print(self, end=False): 276 | if sys.stdout.isatty() and not self.args.quiet: 277 | self.log.printer() 278 | total = self.sl.n_unscanned + self.sl.n_scanned 279 | percentage = math.ceil(self.sl.n_scanned + 0.0) / total * 100 280 | sys.stdout.write("Status: " + col.cyan + "%d/%d " % (self.sl.n_scanned, total) + col.end + "domains tested. " 281 | + col.brown + "%.2f%%" % percentage + col.end + " done. 
failed: " + col.red + "%d" % 282 | self.sl.failcounter + col.end + " \r") 283 | if end: sys.stdout.write('\n\n') 284 | sys.stdout.flush() 285 | return 286 | 287 | 288 | def append_target(self, subdomain): 289 | try: 290 | if subdomain not in self.sl.scanned and subdomain not in self.sl.unscanned: 291 | self.sl.unscanned.insert(0,subdomain.rstrip('.')) 292 | self.sl.n_unscanned += 1 293 | #print (subdomain.rstrip('.')) 294 | except Exception as e: 295 | self.log.fatal(('Inserting target %s.' % subdomain), False) 296 | print(traceback.print_exc()) 297 | print (e) 298 | 299 | 300 | def new_targets(self, new_domain): 301 | if not self.domain == new_domain.rstrip('.') and self.domain in new_domain: 302 | if not self.check_wildcard(new_domain): 303 | try: 304 | self.mutex.acquire() 305 | subdomain = new_domain.split('.')[0].rstrip('0123456789') 306 | #print(subdomain) 307 | self.append_target(subdomain) # this is here for adding new targets found from plugins 308 | for d in reversed(range(0, 21)): 309 | self.append_target('%s%02d' % (subdomain, d)) 310 | self.append_target('%s%d' % (subdomain, d)) 311 | for s in self.deep_domains: 312 | self.append_target(s + '.' 
+ subdomain) 313 | except Exception as e: 314 | self.log.fatal(('Adding new target %s, %s' % (new_domain, subdomain)), False) 315 | print(traceback.print_exc()) 316 | print (e) 317 | finally: 318 | self.mutex.release() 319 | 320 | 321 | def parse_record(self, ans, query): 322 | wildcard = False 323 | try: 324 | for r in ans: 325 | if r.rdtype == 1: # A RECORD 326 | d = r.name.to_text().rstrip('.').encode('utf-8').decode('idna') 327 | for x in r.items: 328 | item = x.to_text() 329 | if item in self.a_wildcard: 330 | wildcard = True 331 | else: 332 | self.sl.items.append([d, item]) 333 | self.log.log_queue.append(self.f1.format(d +' ') + self.f2.format('A') + self.f3.format(item)) 334 | self.log.csv_queue.append("%s,A,%s,%s,%s" % (d, item,item,self.domain)) 335 | 336 | 337 | if r.rdtype == 5: # CNAME RECORD 338 | d = r.name.to_text().rstrip('.').encode('utf-8').decode('idna') 339 | for x in r.items: 340 | item = x.to_text() 341 | if item in self.cname_wildcard: 342 | wildcard = True 343 | else: 344 | self.sl.items.append([d, item]) 345 | self.log.log_queue.append(self.f1.format(d +' ') + self.f2.format('CNAME') + self.f3.format(item.rstrip('.'))) 346 | if self.csv: 347 | cname_ans = lookup(d, 'A') 348 | for line in cname_ans: 349 | if line.rdtype == 1: 350 | for dns_entry in line.items: 351 | self.log.csv_queue.append("%s,CNAME,%s,%s,%s" % (d, item.rstrip('.'), dns_entry.to_text(), self.domain)) 352 | 353 | 354 | if r.rdtype == 12: # PTR RECORD 355 | #d = r.name.to_text().rstrip('.').decode('utf-8').decode('idna') 356 | for x in r.items: 357 | item = x.to_text() 358 | if self.domain.split('.')[-2] in item: 359 | if not [y for y in self.sl.items if item.rstrip('.') in y if query in y[1]]: 360 | self.sl.items.append([item, query]) 361 | self.log.log_queue.append(self.f1.format(item.rstrip('.') +' ') + self.f2.format('PTR') + self.f3.format(query)) 362 | self.log.csv_queue.append("%s,PTR,%s,%s,%s" % (item.rstrip('.'), query,query,self.domain)) 363 | else: 364 | wildcard 
= True 365 | 366 | if r.rdtype == 16: # TXT RECORD 367 | d = r.name.to_text().rstrip('.').encode('utf-8').decode('idna') 368 | for x in r.items: 369 | item = x.to_text() 370 | if item in self.txt_wildcard: 371 | wildcard = True 372 | else: 373 | if [t for t in self.config['config']['txt_record_search'] if t in item]: 374 | self.sl.items.append([d, item]) 375 | self.log.log_queue.append(self.f1.format(d +' ') + self.f2.format('TXT') + self.f3.format(item)) 376 | self.log.csv_queue.append("%s,TXT,%s,,%s" % (d, item,self.domain)) 377 | 378 | if r.rdtype == 28: # AAAA RECORD 379 | d = r.name.to_text().rstrip('.').encode('utf-8').decode('idna') 380 | for x in r.items: 381 | item = x.to_text() 382 | if item in self.aaaa_wildcard: 383 | wildcard = True 384 | else: 385 | self.sl.items.append([d, item]) 386 | self.log.log_queue.append(self.f1.format(d +' ') + self.f2.format('AAAA') + self.f3.format(item)) 387 | self.log.csv_queue.append("%s,AAAA,%s,%s,%s" % (d, item, item, self.domain)) 388 | 389 | if r.rdtype == 15: # MX RECORD 390 | d = r.name.to_text().rstrip('.').encode('utf-8').decode('idna') 391 | for x in r.items: 392 | item = x.to_text() 393 | if item in self.mx_wildcard: 394 | wildcard = True 395 | else: 396 | self.sl.items.append([d, item]) 397 | self.log.log_queue.append(self.f1.format(d +' ') + self.f2.format('MX') + self.f3.format(item.split(' ')[1].rstrip('.'))) 398 | if self.csv: 399 | mx_value = item.split(' ')[1].rstrip('.') 400 | mx_ans = lookup(mx_value, 'A') 401 | for line in mx_ans: 402 | if line.rdtype == 1: 403 | for dns_entry in line.items: 404 | self.log.csv_queue.append("%s,MX,%s,%s,%s" % (d, mx_value, dns_entry.to_text(), self.domain)) 405 | 406 | new = ['mail._domainkey', '_dmarc', 'default._domainkey', 'selector1._domainkey', 'selector2._domainkey', 's1._domainkey', 's2._domainkey'] 407 | for n in new: 408 | if d == self.domain: 409 | self.append_target(n) 410 | else: 411 | self.append_target(n + '.' 
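+ d.replace(self.domain, '').strip('.')) 412 | except Exception as e: 413 | self.log.fatal(('Parsing records for: %s with answer %s' % (query, ans)), False) 414 | print(traceback.print_exc()) 415 | print (e) 416 | return wildcard 417 | 418 |

    def scan_worker(self):
        """Worker loop: take the next queued name (or IP in PTR mode), query it, record the result.

        Runs until the SIGINT flag is set or the queue in use is empty.
        Queue access is serialised with self.mutex; the DNS lookups
        themselves run outside the lock.
        """
        while True:
            if self.handler.SIGINT:
                return
            self.mutex.acquire()
            try:
                if self.record == 'PTR':
                    tests = ['PTR']
                    subdomain = self.sl.ptr_unscanned_ip.pop(0)
                    self.sl.ptr_scanned += 1
                else:
                    subdomain = self.sl.unscanned.pop(0)
                    if self.args.record:
                        tests = [self.record]
                    elif self.record == 'A':
                        # The apex (empty label) also gets TXT and MX queries.
                        tests = ['A', 'TXT', 'MX'] if subdomain == '' else ['A']
                    else:
                        tests = ['ANY']
            except IndexError:
                # The queue in use is empty, so this worker is done. The old
                # bare except only returned when the name queue was empty; in
                # PTR mode with an exhausted IP queue it fell through with
                # `subdomain`/`tests` unset or stale.
                return
            finally:
                self.mutex.release()
            time.sleep(self.throttle)
            # Skip entries that were already scanned (duplicates), otherwise
            # remember this one.
            if subdomain in self.sl.scanned:
                continue
            self.sl.scanned.append(subdomain)
            for t in tests:
                if self.record == 'PTR':
                    d = subdomain
                else:
                    d = (subdomain + u'.' + self.domain).lower().lstrip('.')
                try:
                    ans = lookup(d, t, self.dns, self.protocol, self.timeout)
                    if ans:
                        wildcard = self.parse_record(ans, d)
                    if ans and not wildcard and d != self.domain and self.record != 'PTR':
                        self.new_targets(d)
                        self.sl.found.append(d)
                    elif ans == False and self.record != 'PTR':
                        # NOTE(review): False is treated as "query failed, retry";
                        # confirm against lookup()'s return values.
                        hit = [x for x in self.sl.scan_failed if x[0] == subdomain]
                        if hit:
                            hit[0][1] += 1
                            if hit[0][1] > self.retry:
                                # Retry budget used up: record the failure and
                                # do not requeue.
                                self.sl.failcounter += 1
                                if self.args.verbose:
                                    self.log.status('Failed lookup on %s' % d + ' ' * 20, False)
                                self.log.error_queue.append('Failed lookup on %s' % d)
                                continue
                        else:
                            self.sl.scan_failed.append([subdomain, 1])
                        # Put the entry back at the front of the queue for a retry.
                        self.sl.scanned.remove(subdomain)
                        self.sl.unscanned.insert(0, subdomain)
                    if ans != False and self.record != 'PTR' and ((t == 'ANY' or t == 'A') or t == self.args.record):
                        # Do not count the extra TXT/MX queries that are sent
                        # when a server does not respond to ANY.
                        self.sl.n_scanned += 1
                        self.sl.n_unscanned -= 1
                except Exception as e:
                    try:
                        self.log.fatal(('Domain Query failed on %s.' % d), False)
                    except Exception:
                        pass
                    # print_exc() writes the traceback itself and returns None;
                    # wrapping it in print() added a stray "None" line.
                    traceback.print_exc()
                    print(e)


    def subnets(self):
        """Count discovered IPv4 answers per /24 and store them in self.sl.subnets.

        Each entry of self.sl.subnets is a list [ "a.b.c.0-255", hits ];
        the list is sorted when the pass is finished. Existing entries
        are kept and incremented, so calling this twice counts twice.
        """
        for record in self.sl.items:
            value = record[1]
            # Dotted-quad shape check only; octet ranges are not validated.
            if not re.search(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$", value):
                continue
            net = ".".join(value.split('.')[:3]) + '.0-255'
            for known in self.sl.subnets:
                if known[0] == net:
                    known[1] += 1
                    break
            else:
                self.sl.subnets.append([net, 1])
        self.sl.subnets.sort()


    def ptr_scan(self):
        """Expand every collected /24 into 256 addresses and PTR-scan them.

        The queue is always filled; the scan itself only runs when the
        ptr argument is set and there is at least one address.
        """
        # NOTE(review): a /24 is assumed around every hit. In shared hosting
        # or cloud ranges neighbouring addresses may belong to other parties,
        # so PTR results need an ownership check before they are attributed
        # to the scanned domain.
        while self.sl.subnets:
            subnet = self.sl.subnets.pop(0)
            prefix = subnet[0][:subnet[0].rfind('.') + 1]
            for i in range(0, 256):
                self.sl.ptr_unscanned_ip.append(prefix + str(i))
        n_ip = len(self.sl.ptr_unscanned_ip)
        if self.args.ptr and n_ip > 0:
            self.log.good('Checking PTR records for related subnets', False)
            self.record = 'PTR'
            threads = []
            for _ in range(self.threads):
                t = Thread(target=self.scan_worker)
                threads.append(t)
                t.start()
            while any(t.is_alive() for t in threads):
                if sys.stdout.isatty() and not self.args.quiet:
                    self.log.printer()
                    # Plain percentage; the former math.ceil() on an integer
                    # count had no effect.
                    percentage = float(self.sl.ptr_scanned) / n_ip * 100
                    sys.stdout.write("Status: " + col.cyan + "%d/%d " % (self.sl.ptr_scanned, n_ip) + col.end + "IP's tested."
                                     + col.brown + " %.2f%%" % percentage + col.end + " done. \r")
                    sys.stdout.flush()
                time.sleep(0.05)
            # Flush whatever the workers queued after the last status update.
            self.log.printer()
            if not self.args.quiet:
                sys.stdout.write(' ' * 64 + '\n')


    def stats(self):
        """Print the closing summary: record count and the /24 ranges seen."""
        if self.sl.ptr_scanned == 0:
            self.log.warn('No PTR records found for %s.' % self.domain, False)
        self.log.normal('\n\nA total of %d domains records was found.' % len(self.sl.items), True)
        self.subnets()
        if self.sl.subnets:
            self.log.normal('IP range detected:', True)
            for x in self.sl.subnets:
                self.log.normal(' %s - %d hits' % (x[0], x[1]), True)
        else:
            self.log.normal("No subnets was discovered.", True)
        if not self.args.quiet:
            print("\nDONE")


    def close(self):
        """Drop the logger reference; safe to call more than once."""
        # __del__ calls close() again after an explicit close(); without the
        # guard the second `del` raised AttributeError.
        try:
            del self.log
        except AttributeError:
            pass

    def __exit__(self, *exc_info):
        # The context-manager protocol passes three arguments; the old
        # zero-argument signature raised TypeError when used in a `with`.
        self.close()

    def __del__(self):
        self.close()

--------------------------------------------------------------------------------
/core/env.py:
--------------------------------------------------------------------------------
import os
import sys
from core.logger import Output, col

def setup_core_paths(subfuz):
    """Store and return the resolved script path and its directory.

    Sets the module globals DF_FILE and DF_DIR and returns them as a
    tuple (DF_FILE, DF_DIR).
    """
    global DF_DIR
    global DF_FILE
    DF_FILE = os.path.realpath(subfuz)
    # NOTE(review): the directory is taken from the path as given, not from
    # the resolved DF_FILE, so it can be relative (or '') and differs from
    # the real location when the script is reached through a symlink.
    # Confirm what callers load from DF_DIR.
    DF_DIR = os.path.dirname(subfuz)
    return (DF_FILE, DF_DIR)

class SIGINT_handler():
    """Signal handler object that records a CTRL+C in the SIGINT flag."""

    def __init__(self):
        self.SIGINT = False

    def signal_handler(self, signal, frame):
        """Print the abort notice and set the flag the workers poll."""
        print (' ' * 60)
        Output().warn('CTRL+C pressed, aborting.', False)
        self.SIGINT = True

--------------------------------------------------------------------------------
/core/logger.py:
--------------------------------------------------------------------------------
import sys, os

"""
import logger
# define output files
l = logger.Output('test.txt', 'test.csv')
# log sample
l.good('test', True)
# append to printer queue and print
l.log_queue.append('test.com')
l.csv_queue.append('1.2.3.4,A,test.com')
l.printer()
# del / close object to close up the output files
del(l)
"""

class col:
    """ANSI colour codes; empty strings when stdout is not a TTY or on Windows."""
    #TODO, move terminal check to env.py, also create a colour scheme for windows terminals
    if sys.stdout.isatty() and not os.name == 'nt':
        green = '\033[32m'
        blue = '\033[94m'
        red = '\033[31m'
        yellow = '\033[93m'
        brown = '\033[33m'
        cyan = '\033[96m'
        end = '\033[0m'
    else:
        green = ''
        blue = ''
        red = ''
        yellow = ''
        brown = ''
        cyan = ''
        end = ''

class Output():
    """Console printer with optional log, CSV and error files.

    Producers append lines to log_queue, csv_queue and error_queue;
    printer() drains the queues. The files are opened in append mode.
    """

    def __init__(self, log_filename=False, csv_filename=False, error_filename=False, quiet=False):
        """Open the requested output files; exit with status 1 if one cannot be opened.

        A csv_filename of "-" sends CSV rows to sys.stdout.
        """
        self.log_queue = []
        self.csv_queue = []
        self.error_queue = []
        self.already_prined = []
        self.logfile = False
        self.csvfile = False
        self.errorfile = False
        self.quiet = quiet
        # `except Exception` instead of a bare except, so KeyboardInterrupt
        # and SystemExit are not reported as a file error.
        if log_filename:
            try:
                self.logfile = open(log_filename, "a+")
            except Exception:
                self.fatal("Could not open output file: %s" % log_filename, False)
                sys.exit(1)
        if csv_filename:
            try:
                if csv_filename == "-":
                    self.csvfile = sys.stdout
                else:
                    self.csvfile = open(csv_filename, "a+")
            except Exception:
                self.fatal("Could not open output file: %s" % csv_filename, False)
                sys.exit(1)
        if error_filename:
            try:
                self.errorfile = open(error_filename, "a+")
            except Exception:
                self.fatal("Could not open output file: %s" % error_filename, False)
                sys.exit(1)

    def printer(self):
        """Drain the three queues; log and CSV lines are emitted once each."""
        while self.log_queue:
            n_line = self.log_queue.pop(0)
            if n_line not in self.already_prined:
                self.already_prined.append(n_line)
                self.normal(n_line, True)
        while self.csv_queue:
            c_line = self.csv_queue.pop(0)
            if c_line not in self.already_prined:
                self.already_prined.append(c_line)
                self.csv(c_line)
        while self.error_queue:
            self.error(self.error_queue.pop(0))

    def csv(self, message):
        """Write one pre-joined CSV row to the CSV output, if one is open.

        Rows arrive as finished strings (callers join the fields with
        plain %-formatting, e.g. "%s,TXT,%s,,%s") and are written
        verbatim; nothing is quoted or escaped here.
        """
        # NOTE(review): the record text in these rows comes from DNS answers,
        # i.e. from whoever serves the zone. Building rows with the csv module
        # and neutralising cells that start with =, +, - or @ would keep
        # spreadsheet consumers from treating them as formulas and keep
        # embedded commas from shifting columns.
        if self.csvfile:
            self.csvfile.write(message + '\n')

    def error(self, message):
        """Append a line to the error file, if one is open."""
        if self.errorfile:
            try:
                self.errorfile.write(message + '\n')
            except Exception:
                print('ERROR - unable to write to file: ' + message)

    def normal(self, message, log):
        """Print message unless quiet; also write it to the log file when log is true."""
        if not self.quiet: print(message)
        if self.logfile and log:
            self.logfile.write(message + '\n')

    def status(self, message, log):
        """Like normal(), prefixed with "[*] "."""
        if not self.quiet: print(col.blue + "[*] " + col.end + message)
        if self.logfile and log:
            self.logfile.write("[*] " + message + '\n')

    def good(self, message, log):
        """Like normal(), prefixed with "[+] "."""
        if not self.quiet: print(col.green + "[+] " + col.end + message)
        if self.logfile and log:
            self.logfile.write("[+] " + message + '\n')

    def neutral(self, message, log):
        """Like normal(), prefixed with "[X] "."""
        if not self.quiet: print(col.yellow + "[X] " + col.end + message)
        if self.logfile and log:
            self.logfile.write("[X] " + message + '\n')

    def warn(self, message, log):
        """Like normal(), prefixed with "[-] "."""
        if not self.quiet: print(col.red + "[-] " + col.end + message)
        if self.logfile and log:
            self.logfile.write("[-] " + message + '\n')

    def fatal(self, message, log):
        """Like normal(), prefixed with "FATAL: "."""
        if not self.quiet: print("\n" + col.red + "FATAL: " + message + col.end)
        if self.logfile and log:
            self.logfile.write("FATAL: " + message + '\n')

    def close(self):
        """Close the output files; safe to call more than once."""
        csvfile = getattr(self, 'csvfile', False)
        if csvfile:
            if csvfile is sys.stdout:
                # "-" mapped the CSV output to stdout: flush it, but do not
                # close the interpreter's stdout (later prints would fail).
                try:
                    csvfile.flush()
                except ValueError:
                    pass
            else:
                csvfile.close()
        if getattr(self, 'logfile', False): self.logfile.close()
        if getattr(self, 'errorfile', False): self.errorfile.close()

    def __exit__(self, *exc_info):
        # Accept the three arguments the context-manager protocol passes.
        self.close()

    def __del__(self):
        self.close()


--------------------------------------------------------------------------------
/fierce_improved.txt:
--------------------------------------------------------------------------------
1 | nyheiter 2 | nyheter 3 | postfix 4 | postfix01 5 | nyhet 6 | api 7 | bruk 8 | sprak 9 | intern 10 | valg 11 | sport 12 | vsport 13 | exch 14 | exch01 15 | exch02 16 | exch03 17 | exch-01 18 | exch-02 19 | exch-03 20 | exch1 21 | exch2 22 | exch3 23 | exch-1 24 | exch-2 25 | exch-3 26 | exchange 27 | darkweb 28 | a55 29 | phpmyadmin 30 | sslproxy 31 | einaros 32 | jarleb 33 | kundeportal 34 | cis 35 | kundewebtest 36 | webtest 37 | kundeweb 38 | konferanse 39 | lcsgateway 40 | tilgang 41 | xtra 42 | galleri 43 | signin 44 | 0 45 | 01 46 | 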
02 47 | 03 48 | 1 49 | 10 50 | 11 51 | 12 52 | 13 53 | 14 54 | 15 55 | 16 56 | 17 57 | 18 58 | 19 59 | 2 60 | 20 61 | 3 62 | 3com 63 | 4 64 | 5 65 | 6 66 | 7 67 | 8 68 | 9 69 | ILMI 70 | a 71 | a.auth-ns 72 | a01 73 | a02 74 | a1 75 | a2 76 | abc 77 | about 78 | ac 79 | academico 80 | acceso 81 | access 82 | accounting 83 | accounts 84 | acid 85 | activestat 86 | ad 87 | adam 88 | adkit 89 | admin 90 | admin2 91 | administracion 92 | administrador 93 | administrator 94 | administrators 95 | admins 96 | ads 97 | adserver 98 | adsl 99 | ae 100 | af 101 | affiliate 102 | affiliates 103 | afiliados 104 | ag 105 | agenda 106 | agent 107 | ai 108 | aix 109 | ajax 110 | ak 111 | akamai 112 | al 113 | alabama 114 | alaska 115 | albuquerque 116 | alerts 117 | alpha 118 | alterwind 119 | am 120 | amarillo 121 | americas 122 | an 123 | anaheim 124 | analyzer 125 | announce 126 | announcements 127 | antivirus 128 | ao 129 | ap 130 | apache 131 | apollo 132 | app 133 | app01 134 | app1 135 | apple 136 | application 137 | applications 138 | apps 139 | appserver 140 | aq 141 | ar 142 | archie 143 | arcsight 144 | argentina 145 | arizona 146 | arkansas 147 | arlington 148 | as 149 | as400 150 | asia 151 | asterix 152 | at 153 | athena 154 | atlanta 155 | atlas 156 | att 157 | au 158 | auction 159 | austin 160 | auth 161 | auto 162 | av 163 | aw 164 | ayuda 165 | az 166 | b 167 | b.auth-ns 168 | b01 169 | b02 170 | b1 171 | b2 172 | b2b 173 | b2c 174 | ba 175 | back 176 | backend 177 | backup 178 | baker 179 | bakersfield 180 | balance 181 | balancer 182 | baltimore 183 | banking 184 | bayarea 185 | bb 186 | bbdd 187 | bbs 188 | bd 189 | bdc 190 | be 191 | bea 192 | beta 193 | bf 194 | bg 195 | bh 196 | bi 197 | billing 198 | biz 199 | biztalk 200 | bj 201 | black 202 | blackberry 203 | blog 204 | blogs 205 | blue 206 | bm 207 | bn 208 | bnc 209 | bo 210 | bob 211 | bof 212 | boise 213 | bolsa 214 | border 215 | boston 216 | boulder 217 | boy 218 | br 219 | bravo 220 | brazil 221 | 
britian 222 | broadcast 223 | broker 224 | bronze 225 | brown 226 | bs 227 | bsd 228 | bsd0 229 | bsd01 230 | bsd02 231 | bsd1 232 | bsd2 233 | bt 234 | bug 235 | buggalo 236 | bugs 237 | bugzilla 238 | build 239 | bulletins 240 | burn 241 | burner 242 | buscador 243 | buy 244 | bv 245 | bw 246 | by 247 | bz 248 | c 249 | c.auth-ns 250 | ca 251 | cache 252 | cafe 253 | calendar 254 | california 255 | call 256 | calvin 257 | canada 258 | canal 259 | canon 260 | careers 261 | catalog 262 | cc 263 | cd 264 | cdburner 265 | cdn 266 | cert 267 | certificates 268 | certify 269 | certserv 270 | certsrv 271 | cf 272 | cg 273 | cgi 274 | ch 275 | channel 276 | channels 277 | charlie 278 | charlotte 279 | chat 280 | chats 281 | chatserver 282 | check 283 | checkpoint 284 | chi 285 | chicago 286 | ci 287 | cims 288 | cincinnati 289 | cisco 290 | citrix 291 | ck 292 | cl 293 | class 294 | classes 295 | classifieds 296 | classroom 297 | cleveland 298 | clicktrack 299 | client 300 | clientes 301 | clients 302 | club 303 | clubs 304 | cluster 305 | clusters 306 | cm 307 | cmail 308 | cms 309 | cn 310 | co 311 | cocoa 312 | code 313 | coldfusion 314 | colombus 315 | colorado 316 | columbus 317 | com 318 | commerce 319 | commerceserver 320 | communigate 321 | community 322 | compaq 323 | compras 324 | con 325 | concentrator 326 | conf 327 | conference 328 | conferencing 329 | confidential 330 | connect 331 | connecticut 332 | consola 333 | console 334 | consult 335 | consultant 336 | consultants 337 | consulting 338 | consumer 339 | contact 340 | content 341 | contracts 342 | core 343 | core0 344 | core01 345 | corp 346 | corpmail 347 | corporate 348 | correo 349 | correoweb 350 | cortafuegos 351 | counterstrike 352 | courses 353 | cr 354 | cricket 355 | crm 356 | crs 357 | cs 358 | cso 359 | css 360 | ct 361 | cu 362 | cust1 363 | cust10 364 | cust100 365 | cust101 366 | cust102 367 | cust103 368 | cust104 369 | cust105 370 | cust106 371 | cust107 372 | cust108 373 | cust109 374 | 
cust11 375 | cust110 376 | cust111 377 | cust112 378 | cust113 379 | cust114 380 | cust115 381 | cust116 382 | cust117 383 | cust118 384 | cust119 385 | cust12 386 | cust120 387 | cust121 388 | cust122 389 | cust123 390 | cust124 391 | cust125 392 | cust126 393 | cust13 394 | cust14 395 | cust15 396 | cust16 397 | cust17 398 | cust18 399 | cust19 400 | cust2 401 | cust20 402 | cust21 403 | cust22 404 | cust23 405 | cust24 406 | cust25 407 | cust26 408 | cust27 409 | cust28 410 | cust29 411 | cust3 412 | cust30 413 | cust31 414 | cust32 415 | cust33 416 | cust34 417 | cust35 418 | cust36 419 | cust37 420 | cust38 421 | cust39 422 | cust4 423 | cust40 424 | cust41 425 | cust42 426 | cust43 427 | cust44 428 | cust45 429 | cust46 430 | cust47 431 | cust48 432 | cust49 433 | cust5 434 | cust50 435 | cust51 436 | cust52 437 | cust53 438 | cust54 439 | cust55 440 | cust56 441 | cust57 442 | cust58 443 | cust59 444 | cust6 445 | cust60 446 | cust61 447 | cust62 448 | cust63 449 | cust64 450 | cust65 451 | cust66 452 | cust67 453 | cust68 454 | cust69 455 | cust7 456 | cust70 457 | cust71 458 | cust72 459 | cust73 460 | cust74 461 | cust75 462 | cust76 463 | cust77 464 | cust78 465 | cust79 466 | cust8 467 | cust80 468 | cust81 469 | cust82 470 | cust83 471 | cust84 472 | cust85 473 | cust86 474 | cust87 475 | cust88 476 | cust89 477 | cust9 478 | cust90 479 | cust91 480 | cust92 481 | cust93 482 | cust94 483 | cust95 484 | cust96 485 | cust97 486 | cust98 487 | cust99 488 | customer 489 | customers 490 | cv 491 | cvs 492 | cx 493 | cy 494 | cz 495 | d 496 | dallas 497 | data 498 | database 499 | database01 500 | database02 501 | database1 502 | database2 503 | databases 504 | datastore 505 | datos 506 | david 507 | db 508 | db0 509 | db01 510 | db02 511 | db1 512 | db2 513 | dc 514 | de 515 | dealers 516 | dec 517 | def 518 | default 519 | defiant 520 | delaware 521 | dell 522 | delta 523 | delta1 524 | demo 525 | demonstration 526 | demos 527 | denver 528 | depot 529 | 
des 530 | desarrollo 531 | descargas 532 | design 533 | designer 534 | detroit 535 | dev 536 | dev0 537 | dev01 538 | dev1 539 | devel 540 | develop 541 | developer 542 | developers 543 | development 544 | device 545 | devserver 546 | devsql 547 | dhcp 548 | dial 549 | dialup 550 | digital 551 | dilbert 552 | dir 553 | direct 554 | directory 555 | disc 556 | discovery 557 | discuss 558 | discussion 559 | discussions 560 | disk 561 | disney 562 | distributer 563 | distributers 564 | dj 565 | dk 566 | dm 567 | dmail 568 | dmz 569 | dnews 570 | dns 571 | dns-2 572 | dns0 573 | dns1 574 | dns2 575 | dns3 576 | do 577 | docs 578 | documentacion 579 | documentos 580 | domain 581 | domains 582 | dominio 583 | domino 584 | dominoweb 585 | doom 586 | download 587 | downloads 588 | downtown 589 | dragon 590 | drupal 591 | dsl 592 | dyn 593 | dynamic 594 | dynip 595 | dz 596 | e 597 | e-com 598 | e-commerce 599 | e0 600 | eagle 601 | earth 602 | east 603 | ec 604 | echo 605 | ecom 606 | ecommerce 607 | edi 608 | edu 609 | education 610 | edward 611 | ee 612 | eg 613 | eh 614 | ejemplo 615 | elpaso 616 | email 617 | employees 618 | empresa 619 | empresas 620 | en 621 | enable 622 | eng 623 | eng01 624 | eng1 625 | engine 626 | engineer 627 | engineering 628 | enterprise 629 | epsilon 630 | er 631 | erp 632 | es 633 | esd 634 | esm 635 | espanol 636 | estadisticas 637 | esx 638 | et 639 | eta 640 | europe 641 | events 642 | example 643 | exec 644 | extern 645 | external 646 | extranet 647 | f 648 | f5 649 | falcon 650 | farm 651 | faststats 652 | fax 653 | feedback 654 | feeds 655 | fi 656 | field 657 | file 658 | files 659 | fileserv 660 | fileserver 661 | filestore 662 | filter 663 | find 664 | finger 665 | firewall 666 | fix 667 | fixes 668 | fj 669 | fk 670 | fl 671 | flash 672 | florida 673 | flow 674 | fm 675 | fo 676 | foobar 677 | formacion 678 | foro 679 | foros 680 | fortworth 681 | forum 682 | forums 683 | foto 684 | fotos 685 | foundry 686 | fox 687 | foxtrot 688 | 
fr 689 | france 690 | frank 691 | fred 692 | freebsd 693 | freebsd0 694 | freebsd01 695 | freebsd02 696 | freebsd1 697 | freebsd2 698 | freeware 699 | fresno 700 | front 701 | frontdesk 702 | fs 703 | fsp 704 | ftp 705 | ftp- 706 | ftp0 707 | ftp2 708 | ftp_ 709 | ftpserver 710 | fw 711 | fw-1 712 | fw1 713 | fwsm 714 | fwsm0 715 | fwsm01 716 | fwsm1 717 | g 718 | ga 719 | galeria 720 | galerias 721 | galleries 722 | gallery 723 | games 724 | gamma 725 | gandalf 726 | gate 727 | gatekeeper 728 | gateway 729 | gauss 730 | gd 731 | ge 732 | gemini 733 | general 734 | george 735 | georgia 736 | germany 737 | gf 738 | gg 739 | gh 740 | gi 741 | gl 742 | glendale 743 | gm 744 | gmail 745 | gn 746 | go 747 | gold 748 | goldmine 749 | golf 750 | gopher 751 | gp 752 | gq 753 | gr 754 | green 755 | group 756 | groups 757 | groupwise 758 | gs 759 | gsx 760 | gt 761 | gu 762 | guest 763 | gw 764 | gw1 765 | gy 766 | h 767 | hal 768 | halflife 769 | hawaii 770 | hello 771 | help 772 | helpdesk 773 | helponline 774 | henry 775 | hermes 776 | hi 777 | hidden 778 | hk 779 | hm 780 | hn 781 | hobbes 782 | hollywood 783 | home 784 | homebase 785 | homer 786 | honeypot 787 | honolulu 788 | host 789 | host1 790 | host3 791 | host4 792 | host5 793 | hotel 794 | hotjobs 795 | houstin 796 | houston 797 | howto 798 | hp 799 | hpov 800 | hr 801 | ht 802 | http 803 | https 804 | hu 805 | hub 806 | humanresources 807 | i 808 | ia 809 | ias 810 | ibm 811 | ibmdb 812 | id 813 | ida 814 | idaho 815 | ids 816 | ie 817 | iis 818 | il 819 | illinois 820 | im 821 | images 822 | imail 823 | imap 824 | imap4 825 | img 826 | img0 827 | img01 828 | img02 829 | in 830 | inbound 831 | inc 832 | include 833 | incoming 834 | india 835 | indiana 836 | indianapolis 837 | info 838 | informix 839 | inside 840 | install 841 | int 842 | internal 843 | international 844 | internet 845 | intl 846 | intranet 847 | invalid 848 | investor 849 | investors 850 | io 851 | iota 852 | iowa 853 | iplanet 854 | ipmonitor 
855 | ipsec 856 | ipsec-gw 857 | iq 858 | ir 859 | irc 860 | ircd 861 | ircserver 862 | ireland 863 | iris 864 | irvine 865 | irving 866 | is 867 | isa 868 | isaserv 869 | isaserver 870 | ism 871 | israel 872 | isync 873 | it 874 | italy 875 | ix 876 | j 877 | japan 878 | java 879 | je 880 | jedi 881 | jm 882 | jo 883 | jobs 884 | john 885 | jp 886 | jrun 887 | juegos 888 | juliet 889 | juliette 890 | juniper 891 | k 892 | kansas 893 | kansascity 894 | kappa 895 | kb 896 | ke 897 | kentucky 898 | kerberos 899 | keynote 900 | kg 901 | kh 902 | ki 903 | kilo 904 | king 905 | km 906 | kn 907 | knowledgebase 908 | knoxville 909 | koe 910 | korea 911 | kp 912 | kr 913 | ks 914 | kw 915 | ky 916 | kz 917 | l 918 | la 919 | lab 920 | laboratory 921 | labs 922 | lambda 923 | lan 924 | laptop 925 | laserjet 926 | lasvegas 927 | launch 928 | lb 929 | lc 930 | ldap 931 | legal 932 | leo 933 | li 934 | lib 935 | library 936 | lima 937 | lincoln 938 | link 939 | linux 940 | linux0 941 | linux01 942 | linux02 943 | linux1 944 | linux2 945 | lista 946 | lists 947 | listserv 948 | listserver 949 | live 950 | lk 951 | load 952 | loadbalancer 953 | local 954 | localhost 955 | log 956 | log0 957 | log01 958 | log02 959 | log1 960 | log2 961 | logfile 962 | logfiles 963 | logger 964 | logging 965 | loghost 966 | login 967 | logs 968 | london 969 | longbeach 970 | losangeles 971 | lotus 972 | louisiana 973 | lr 974 | ls 975 | lt 976 | lu 977 | luke 978 | lv 979 | ly 980 | lyris 981 | m 982 | ma 983 | mac 984 | mac1 985 | mac10 986 | mac11 987 | mac2 988 | mac3 989 | mac4 990 | mac5 991 | mach 992 | macintosh 993 | madrid 994 | mail 995 | mail2 996 | mailer 997 | mailgate 998 | mailhost 999 | mailing 1000 | maillist 1001 | maillists 1002 | mailroom 1003 | mailserv 1004 | mailsite 1005 | mailsrv 1006 | main 1007 | maine 1008 | maint 1009 | mall 1010 | manage 1011 | management 1012 | manager 1013 | manufacturing 1014 | map 1015 | mapas 1016 | maps 1017 | marketing 1018 | marketplace 1019 
| mars 1020 | marvin 1021 | mary 1022 | maryland 1023 | massachusetts 1024 | master 1025 | max 1026 | mc 1027 | mci 1028 | md 1029 | mdaemon 1030 | me 1031 | media 1032 | member 1033 | members 1034 | memphis 1035 | mercury 1036 | merlin 1037 | messages 1038 | messenger 1039 | mg 1040 | mgmt 1041 | mh 1042 | mi 1043 | miami 1044 | michigan 1045 | mickey 1046 | midwest 1047 | mike 1048 | milwaukee 1049 | minneapolis 1050 | minnesota 1051 | mirror 1052 | mis 1053 | mississippi 1054 | missouri 1055 | mk 1056 | ml 1057 | mm 1058 | mn 1059 | mngt 1060 | mo 1061 | mobile 1062 | mom 1063 | monitor 1064 | monitoring 1065 | montana 1066 | moon 1067 | moscow 1068 | movies 1069 | mozart 1070 | mp 1071 | mp3 1072 | mpeg 1073 | mpg 1074 | mq 1075 | mr 1076 | mrtg 1077 | ms 1078 | ms-exchange 1079 | ms-sql 1080 | msexchange 1081 | mssql 1082 | mssql0 1083 | mssql01 1084 | mssql1 1085 | mt 1086 | mta 1087 | mtu 1088 | mu 1089 | multimedia 1090 | music 1091 | mv 1092 | mw 1093 | mx 1094 | my 1095 | mysql 1096 | mysql0 1097 | mysql01 1098 | mysql1 1099 | mz 1100 | n 1101 | na 1102 | name 1103 | names 1104 | nameserv 1105 | nameserver 1106 | nas 1107 | nashville 1108 | nat 1109 | nc 1110 | nd 1111 | nds 1112 | ne 1113 | nebraska 1114 | neptune 1115 | net 1116 | netapp 1117 | netdata 1118 | netgear 1119 | netmeeting 1120 | netscaler 1121 | netscreen 1122 | netstats 1123 | network 1124 | nevada 1125 | new 1126 | meet 1127 | newhampshire 1128 | newjersey 1129 | newmexico 1130 | neworleans 1131 | news 1132 | newsfeed 1133 | newsfeeds 1134 | newsgroups 1135 | newton 1136 | newyork 1137 | newzealand 1138 | nf 1139 | ng 1140 | nh 1141 | ni 1142 | nigeria 1143 | nj 1144 | nl 1145 | nm 1146 | nms 1147 | nntp 1148 | no 1149 | node 1150 | nokia 1151 | nombres 1152 | nora 1153 | north 1154 | northcarolina 1155 | northdakota 1156 | northeast 1157 | northwest 1158 | noticias 1159 | novell 1160 | november 1161 | np 1162 | nr 1163 | ns 1164 | ns- 1165 | ns0 1166 | ns01 1167 | ns02 1168 | ns1 1169 | 
ns2 1170 | ns3 1171 | ns4 1172 | ns5 1173 | ns_ 1174 | nt 1175 | nt4 1176 | nt40 1177 | ntmail 1178 | ntp 1179 | ntserver 1180 | nu 1181 | null 1182 | nv 1183 | ny 1184 | nz 1185 | o 1186 | oakland 1187 | ocean 1188 | odin 1189 | office 1190 | offices 1191 | oh 1192 | ohio 1193 | ok 1194 | oklahoma 1195 | oklahomacity 1196 | old 1197 | om 1198 | omaha 1199 | omega 1200 | omicron 1201 | online 1202 | ontario 1203 | open 1204 | openbsd 1205 | openview 1206 | operations 1207 | ops 1208 | ops0 1209 | ops01 1210 | ops02 1211 | ops1 1212 | ops2 1213 | opsware 1214 | or 1215 | oracle 1216 | orange 1217 | order 1218 | orders 1219 | oregon 1220 | orion 1221 | orlando 1222 | oscar 1223 | out 1224 | outbound 1225 | outgoing 1226 | outlook 1227 | outside 1228 | ov 1229 | owa 1230 | owa01 1231 | owa02 1232 | owa1 1233 | owa2 1234 | ows 1235 | oxnard 1236 | p 1237 | pa 1238 | page 1239 | pager 1240 | pages 1241 | paginas 1242 | papa 1243 | paris 1244 | parners 1245 | partner 1246 | partners 1247 | patch 1248 | patches 1249 | paul 1250 | payroll 1251 | pbx 1252 | pc 1253 | pc01 1254 | pc1 1255 | pc10 1256 | pc101 1257 | pc11 1258 | pc12 1259 | pc13 1260 | pc14 1261 | pc15 1262 | pc16 1263 | pc17 1264 | pc18 1265 | pc19 1266 | pc2 1267 | pc20 1268 | pc21 1269 | pc22 1270 | pc23 1271 | pc24 1272 | pc25 1273 | pc26 1274 | pc27 1275 | pc28 1276 | pc29 1277 | pc3 1278 | pc30 1279 | pc31 1280 | pc32 1281 | pc33 1282 | pc34 1283 | pc35 1284 | pc36 1285 | pc37 1286 | pc38 1287 | pc39 1288 | pc4 1289 | pc40 1290 | pc41 1291 | pc42 1292 | pc43 1293 | pc44 1294 | pc45 1295 | pc46 1296 | pc47 1297 | pc48 1298 | pc49 1299 | pc5 1300 | pc50 1301 | pc51 1302 | pc52 1303 | pc53 1304 | pc54 1305 | pc55 1306 | pc56 1307 | pc57 1308 | pc58 1309 | pc59 1310 | pc6 1311 | pc60 1312 | pc7 1313 | pc8 1314 | pc9 1315 | pcmail 1316 | pda 1317 | pdc 1318 | pe 1319 | pegasus 1320 | pennsylvania 1321 | peoplesoft 1322 | personal 1323 | pf 1324 | pg 1325 | pgp 1326 | ph 1327 | phi 1328 | philadelphia 1329 | 
phoenix 1330 | phoeniz 1331 | phone 1332 | phones 1333 | photos 1334 | pi 1335 | pics 1336 | pictures 1337 | pink 1338 | pipex-gw 1339 | pittsburgh 1340 | pix 1341 | pk 1342 | pki 1343 | pl 1344 | plano 1345 | platinum 1346 | pluto 1347 | pm 1348 | pm1 1349 | pn 1350 | po 1351 | policy 1352 | polls 1353 | pop 1354 | pop3 1355 | portal 1356 | portals 1357 | portfolio 1358 | portland 1359 | post 1360 | postales 1361 | postoffice 1362 | ppp1 1363 | ppp10 1364 | ppp11 1365 | ppp12 1366 | ppp13 1367 | ppp14 1368 | ppp15 1369 | ppp16 1370 | ppp17 1371 | ppp18 1372 | ppp19 1373 | ppp2 1374 | ppp20 1375 | ppp21 1376 | ppp3 1377 | ppp4 1378 | ppp5 1379 | ppp6 1380 | ppp7 1381 | ppp8 1382 | ppp9 1383 | pptp 1384 | pr 1385 | prensa 1386 | press 1387 | printer 1388 | printserv 1389 | printserver 1390 | priv 1391 | privacy 1392 | private 1393 | problemtracker 1394 | products 1395 | profiles 1396 | project 1397 | projects 1398 | promo 1399 | proxy 1400 | prueba 1401 | pruebas 1402 | ps 1403 | psi 1404 | pss 1405 | pt 1406 | pub 1407 | public 1408 | pubs 1409 | purple 1410 | pw 1411 | py 1412 | q 1413 | qa 1414 | qmail 1415 | qotd 1416 | quake 1417 | quebec 1418 | queen 1419 | quotes 1420 | r 1421 | r01 1422 | r02 1423 | r1 1424 | r2 1425 | ra 1426 | radio 1427 | radius 1428 | rapidsite 1429 | raptor 1430 | ras 1431 | rc 1432 | rcs 1433 | rd 1434 | re 1435 | read 1436 | realserver 1437 | recruiting 1438 | red 1439 | redhat 1440 | ref 1441 | reference 1442 | reg 1443 | register 1444 | registro 1445 | registry 1446 | regs 1447 | relay 1448 | rem 1449 | remote 1450 | remstats 1451 | reports 1452 | research 1453 | reseller 1454 | reserved 1455 | resumenes 1456 | rho 1457 | rhodeisland 1458 | ri 1459 | ris 1460 | rmi 1461 | ro 1462 | robert 1463 | romeo 1464 | root 1465 | rose 1466 | route 1467 | router 1468 | router1 1469 | rs 1470 | rss 1471 | rtelnet 1472 | rtr 1473 | rtr01 1474 | rtr1 1475 | ru 1476 | rune 1477 | rw 1478 | rwhois 1479 | s 1480 | s1 1481 | s2 1482 | sa 1483 | sac 
1484 | sacramento 1485 | sadmin 1486 | safe 1487 | sales 1488 | saltlake 1489 | sam 1490 | san 1491 | sanantonio 1492 | sandiego 1493 | sanfrancisco 1494 | sanjose 1495 | saskatchewan 1496 | saturn 1497 | sb 1498 | sbs 1499 | sc 1500 | scanner 1501 | schedules 1502 | scotland 1503 | scotty 1504 | sd 1505 | se 1506 | search 1507 | seattle 1508 | sec 1509 | secret 1510 | secure 1511 | secured 1512 | securid 1513 | security 1514 | sendmail 1515 | seri 1516 | serv 1517 | serv2 1518 | server 1519 | server1 1520 | servers 1521 | service 1522 | services 1523 | servicio 1524 | servidor 1525 | setup 1526 | sg 1527 | sh 1528 | shared 1529 | sharepoint 1530 | shareware 1531 | shipping 1532 | shop 1533 | shoppers 1534 | shopping 1535 | si 1536 | siebel 1537 | sierra 1538 | sigma 1539 | signup 1540 | silver 1541 | sim 1542 | sirius 1543 | site 1544 | sj 1545 | sk 1546 | skywalker 1547 | sl 1548 | slackware 1549 | slmail 1550 | sm 1551 | smc 1552 | sms 1553 | smtp 1554 | smtphost 1555 | sn 1556 | sniffer 1557 | snmp 1558 | snmpd 1559 | snoopy 1560 | snort 1561 | so 1562 | socal 1563 | software 1564 | sol 1565 | solaris 1566 | solutions 1567 | soporte 1568 | source 1569 | sourcecode 1570 | sourcesafe 1571 | south 1572 | southcarolina 1573 | southdakota 1574 | southeast 1575 | southwest 1576 | spain 1577 | spam 1578 | spider 1579 | spiderman 1580 | splunk 1581 | spock 1582 | spokane 1583 | springfield 1584 | sprint 1585 | sqa 1586 | sql 1587 | sql0 1588 | sql01 1589 | sql1 1590 | sql7 1591 | sqlserver 1592 | squid 1593 | sr 1594 | ss 1595 | ssh 1596 | ssl 1597 | ssl0 1598 | ssl01 1599 | ssl1 1600 | st 1601 | staff 1602 | stage 1603 | staging 1604 | start 1605 | stat 1606 | static 1607 | statistics 1608 | stats 1609 | stlouis 1610 | stock 1611 | storage 1612 | store 1613 | storefront 1614 | streaming 1615 | stronghold 1616 | strongmail 1617 | studio 1618 | submit 1619 | subversion 1620 | sun 1621 | sun0 1622 | sun01 1623 | sun02 1624 | sun1 1625 | sun2 1626 | superman 1627 | 
supplier 1628 | suppliers 1629 | support 1630 | sv 1631 | sw 1632 | sw0 1633 | sw01 1634 | sw1 1635 | sweden 1636 | switch 1637 | switzerland 1638 | sy 1639 | sybase 1640 | sydney 1641 | sysadmin 1642 | sysback 1643 | syslog 1644 | syslogs 1645 | system 1646 | sz 1647 | t 1648 | tacoma 1649 | taiwan 1650 | talk 1651 | tampa 1652 | tango 1653 | tau 1654 | tc 1655 | tcl 1656 | td 1657 | team 1658 | tech 1659 | technology 1660 | techsupport 1661 | telephone 1662 | telephony 1663 | telnet 1664 | temp 1665 | tennessee 1666 | terminal 1667 | terminalserver 1668 | termserv 1669 | test 1670 | test2k 1671 | testbed 1672 | testing 1673 | testlab 1674 | testlinux 1675 | testserver 1676 | testsite 1677 | testsql 1678 | testxp 1679 | texas 1680 | tf 1681 | tftp 1682 | tg 1683 | th 1684 | thailand 1685 | theta 1686 | thor 1687 | tienda 1688 | tiger 1689 | time 1690 | titan 1691 | tivoli 1692 | tj 1693 | tk 1694 | tm 1695 | tn 1696 | to 1697 | tokyo 1698 | toledo 1699 | tom 1700 | tool 1701 | tools 1702 | toplayer 1703 | toronto 1704 | tour 1705 | tp 1706 | tr 1707 | tracker 1708 | train 1709 | training 1710 | transfers 1711 | trinidad 1712 | trinity 1713 | ts 1714 | ts1 1715 | tt 1716 | tucson 1717 | tulsa 1718 | tunnel 1719 | tv 1720 | tw 1721 | tx 1722 | tz 1723 | u 1724 | ua 1725 | uddi 1726 | ug 1727 | uk 1728 | um 1729 | uniform 1730 | union 1731 | unitedkingdom 1732 | unitedstates 1733 | unix 1734 | unixware 1735 | update 1736 | updates 1737 | upload 1738 | ups 1739 | upsilon 1740 | uranus 1741 | urchin 1742 | us 1743 | usa 1744 | usenet 1745 | user 1746 | users 1747 | ut 1748 | utah 1749 | utilities 1750 | uy 1751 | uz 1752 | v 1753 | va 1754 | vader 1755 | vantive 1756 | vault 1757 | vc 1758 | ve 1759 | vega 1760 | vegas 1761 | vend 1762 | vendors 1763 | venus 1764 | vermont 1765 | vg 1766 | vi 1767 | victor 1768 | video 1769 | videos 1770 | viking 1771 | violet 1772 | vip 1773 | virginia 1774 | vista 1775 | vm 1776 | vmserver 1777 | vmware 1778 | vn 1779 | vnc 1780 | 
voice 1781 | voicemail 1782 | voip 1783 | voyager 1784 | vpn 1785 | vpn0 1786 | vpn01 1787 | vpn02 1788 | vpn1 1789 | vpn2 1790 | vt 1791 | vu 1792 | w 1793 | w1 1794 | w2 1795 | w3 1796 | wa 1797 | wais 1798 | wallet 1799 | wam 1800 | wan 1801 | wap 1802 | warehouse 1803 | washington 1804 | wc3 1805 | web 1806 | webaccess 1807 | webadmin 1808 | webalizer 1809 | webboard 1810 | webcache 1811 | webcam 1812 | webcast 1813 | webdev 1814 | webdocs 1815 | webfarm 1816 | webhelp 1817 | weblib 1818 | weblogic 1819 | webmail 1820 | webmaster 1821 | webproxy 1822 | webring 1823 | webs 1824 | webserv 1825 | webserver 1826 | webservices 1827 | website 1828 | websites 1829 | websphere 1830 | websrv 1831 | websrvr 1832 | webstats 1833 | webstore 1834 | websvr 1835 | webtrends 1836 | welcome 1837 | west 1838 | westvirginia 1839 | wf 1840 | whiskey 1841 | white 1842 | whois 1843 | wi 1844 | wichita 1845 | wiki 1846 | wililiam 1847 | win 1848 | win01 1849 | win02 1850 | win1 1851 | win2 1852 | win2000 1853 | win2003 1854 | win2k 1855 | win2k3 1856 | windows 1857 | windows01 1858 | windows02 1859 | windows1 1860 | windows2 1861 | windows2000 1862 | windows2003 1863 | windowsxp 1864 | wingate 1865 | winnt 1866 | winproxy 1867 | wins 1868 | winserve 1869 | winxp 1870 | wire 1871 | wireless 1872 | wisconsin 1873 | wlan 1874 | wordpress 1875 | work 1876 | world 1877 | write 1878 | ws 1879 | ws1 1880 | ws10 1881 | ws11 1882 | ws12 1883 | ws13 1884 | ws2 1885 | ws3 1886 | ws4 1887 | ws5 1888 | ws6 1889 | ws7 1890 | ws8 1891 | ws9 1892 | wusage 1893 | wv 1894 | ww 1895 | www 1896 | www- 1897 | www-01 1898 | www-02 1899 | www-1 1900 | www-2 1901 | www-int 1902 | www0 1903 | www01 1904 | www02 1905 | www1 1906 | www2 1907 | www3 1908 | www_ 1909 | wwwchat 1910 | wwwdev 1911 | wwwmail 1912 | wy 1913 | wyoming 1914 | x 1915 | x-ray 1916 | xi 1917 | xlogan 1918 | xmail 1919 | xml 1920 | xp 1921 | y 1922 | yankee 1923 | ye 1924 | yellow 1925 | young 1926 | yt 1927 | yu 1928 | z 1929 | z-log 
1930 | za 1931 | zebra 1932 | zera 1933 | zeus 1934 | zlog 1935 | zm 1936 | zulu 1937 | zw 1938 | mx1 1939 | mx2 1940 | mx3 1941 | mx4 1942 | mx5 1943 | mx6 1944 | mx7 1945 | mx8 1946 | mx9 1947 | mx10 1948 | mx01 1949 | mx02 1950 | mx03 1951 | mx04 1952 | mx05 1953 | mx06 1954 | mx07 1955 | mx08 1956 | mx09 1957 | mx11 1958 | mx12 1959 | aa 1960 | ab 1961 | ah 1962 | aj 1963 | ax 1964 | ay 1965 | bc 1966 | bk 1967 | bl 1968 | bp 1969 | bq 1970 | bu 1971 | bx 1972 | cb 1973 | ce 1974 | cj 1975 | cp 1976 | cq 1977 | cw 1978 | da 1979 | dd 1980 | df 1981 | dg 1982 | dh 1983 | di 1984 | dl 1985 | dn 1986 | dp 1987 | dq 1988 | dr 1989 | ds 1990 | dt 1991 | du 1992 | dv 1993 | dw 1994 | dx 1995 | dy 1996 | ea 1997 | eb 1998 | ed 1999 | ef 2000 | ei 2001 | ej 2002 | ek 2003 | el 2004 | em 2005 | eo 2006 | ep 2007 | eq 2008 | eu 2009 | ev 2010 | ew 2011 | ex 2012 | ey 2013 | ez 2014 | fa 2015 | fb 2016 | fc 2017 | fd 2018 | fe 2019 | ff 2020 | fg 2021 | fh 2022 | fn 2023 | fp 2024 | fq 2025 | ft 2026 | fu 2027 | fv 2028 | fx 2029 | fy 2030 | fz 2031 | gb 2032 | gc 2033 | gj 2034 | gk 2035 | gv 2036 | gx 2037 | gz 2038 | ha 2039 | hb 2040 | hc 2041 | hd 2042 | he 2043 | hf 2044 | hg 2045 | hh 2046 | hj 2047 | hl 2048 | ho 2049 | hq 2050 | hs 2051 | hv 2052 | hw 2053 | hx 2054 | hy 2055 | hz 2056 | ib 2057 | ic 2058 | if 2059 | ig 2060 | ih 2061 | ii 2062 | ij 2063 | ik 2064 | ip 2065 | iu 2066 | iv 2067 | iw 2068 | iy 2069 | iz 2070 | ja 2071 | jb 2072 | jc 2073 | jd 2074 | jf 2075 | jg 2076 | jh 2077 | ji 2078 | jj 2079 | jk 2080 | jl 2081 | jn 2082 | jq 2083 | jr 2084 | js 2085 | jt 2086 | ju 2087 | jv 2088 | jw 2089 | jx 2090 | jy 2091 | jz 2092 | ka 2093 | kc 2094 | kd 2095 | kf 2096 | kj 2097 | kk 2098 | kl 2099 | ko 2100 | kq 2101 | kt 2102 | ku 2103 | kv 2104 | kx 2105 | ld 2106 | le 2107 | lf 2108 | lg 2109 | lh 2110 | lj 2111 | ll 2112 | lm 2113 | ln 2114 | lo 2115 | lp 2116 | lq 2117 | lw 2118 | lx 2119 | lz 2120 | mb 2121 | mf 2122 | mj 2123 | nb 2124 | nk 2125 
| nn 2126 | nq 2127 | nw 2128 | nx 2129 | oa 2130 | ob 2131 | oc 2132 | od 2133 | oe 2134 | of 2135 | og 2136 | oi 2137 | oj 2138 | ol 2139 | on 2140 | oo 2141 | op 2142 | oq 2143 | os 2144 | ot 2145 | ou 2146 | ow 2147 | ox 2148 | oy 2149 | oz 2150 | pb 2151 | pd 2152 | pj 2153 | pp 2154 | pq 2155 | pu 2156 | pv 2157 | px 2158 | pz 2159 | qb 2160 | qc 2161 | qd 2162 | qe 2163 | qf 2164 | qg 2165 | qh 2166 | qi 2167 | qj 2168 | qk 2169 | ql 2170 | qm 2171 | qn 2172 | qo 2173 | qp 2174 | qq 2175 | qr 2176 | qs 2177 | qt 2178 | qu 2179 | qv 2180 | qw 2181 | qx 2182 | qy 2183 | qz 2184 | rb 2185 | rf 2186 | rg 2187 | rh 2188 | rj 2189 | rk 2190 | rl 2191 | rm 2192 | rn 2193 | rp 2194 | rq 2195 | rr 2196 | rt 2197 | rv 2198 | rx 2199 | ry 2200 | rz 2201 | sf 2202 | sp 2203 | sq 2204 | su 2205 | sx 2206 | ta 2207 | tb 2208 | te 2209 | ti 2210 | tl 2211 | tq 2212 | tu 2213 | ty 2214 | ub 2215 | uc 2216 | ud 2217 | ue 2218 | uf 2219 | uh 2220 | ui 2221 | uj 2222 | ul 2223 | un 2224 | uo 2225 | up 2226 | uq 2227 | ur 2228 | uu 2229 | uv 2230 | uw 2231 | ux 2232 | vb 2233 | vd 2234 | vf 2235 | vh 2236 | vj 2237 | vk 2238 | vl 2239 | vo 2240 | vp 2241 | vq 2242 | vr 2243 | vs 2244 | vv 2245 | vw 2246 | vx 2247 | vy 2248 | vz 2249 | wb 2250 | wc 2251 | wd 2252 | we 2253 | wg 2254 | wh 2255 | wj 2256 | wk 2257 | wl 2258 | wm 2259 | wn 2260 | wo 2261 | wp 2262 | wq 2263 | wr 2264 | wt 2265 | wu 2266 | wx 2267 | wz 2268 | xa 2269 | xb 2270 | xc 2271 | xd 2272 | xe 2273 | xf 2274 | xg 2275 | xh 2276 | xj 2277 | xk 2278 | xl 2279 | xm 2280 | xn 2281 | xo 2282 | xq 2283 | xr 2284 | xs 2285 | xt 2286 | xu 2287 | xv 2288 | xw 2289 | xx 2290 | xy 2291 | xz 2292 | ya 2293 | yb 2294 | yc 2295 | yd 2296 | yf 2297 | yg 2298 | yh 2299 | yi 2300 | yj 2301 | yk 2302 | yl 2303 | ym 2304 | yn 2305 | yo 2306 | yp 2307 | yq 2308 | yr 2309 | ys 2310 | yv 2311 | yw 2312 | yx 2313 | yy 2314 | yz 2315 | zb 2316 | zc 2317 | zd 2318 | ze 2319 | zf 2320 | zg 2321 | zh 2322 | zi 2323 | zj 2324 | zk 2325 
| zl 2326 | zn 2327 | zo 2328 | zp 2329 | zq 2330 | zr 2331 | zs 2332 | zt 2333 | zu 2334 | zv 2335 | zx 2336 | zy 2337 | zz 2338 | activesync1 2339 | portal1 2340 | portal2 2341 | mail3 2342 | dns01 2343 | dns02 2344 | dns03 2345 | home1 2346 | home2 2347 | archivos 2348 | aula 2349 | aulas 2350 | backups 2351 | bart 2352 | biblioteca 2353 | blackboard 2354 | carro 2355 | cart 2356 | cas 2357 | catalogo 2358 | catalogue 2359 | e-post 2360 | chimera 2361 | chronos 2362 | controller 2363 | cpanel 2364 | cpan 2365 | csg 2366 | dbs 2367 | demon 2368 | demostration 2369 | diana 2370 | domaincontroller 2371 | domain-controller 2372 | eaccess 2373 | ejemplos 2374 | enrutador 2375 | eventos 2376 | examples 2377 | finance 2378 | ftpd 2379 | gilford 2380 | guia 2381 | guide 2382 | hera 2383 | heracles 2384 | hercules 2385 | hotspot 2386 | hypernova 2387 | imap3 2388 | imap3d 2389 | imapd 2390 | imaps 2391 | imgs 2392 | imogen 2393 | inmuebles 2394 | interno 2395 | ip6 2396 | ipv6 2397 | jabber 2398 | jupiter 2399 | laboratories 2400 | laboratorio 2401 | lisa 2402 | logon 2403 | meta 2404 | meta01 2405 | meta02 2406 | meta03 2407 | meta1 2408 | meta2 2409 | meta3 2410 | miembros 2411 | minerva 2412 | mob 2413 | moodle 2414 | movil 2415 | mx0 2416 | nelson 2417 | neon 2418 | netmail 2419 | ns03 2420 | ora 2421 | osx 2422 | pcanywhere 2423 | pendrell 2424 | photo 2425 | postgresql 2426 | postman 2427 | postmaster 2428 | ppp 2429 | preprod 2430 | pre-prod 2431 | prod 2432 | restricted 2433 | robinhood 2434 | sample 2435 | samples 2436 | sandbox 2437 | seguro 2438 | servicios 2439 | socios 2440 | squirrel 2441 | squirrelmail 2442 | uat 2443 | uploads 2444 | ventas 2445 | virtual 2446 | vpn3 2447 | web0 2448 | web01 2449 | web02 2450 | web03 2451 | web1 2452 | web2 2453 | web3 2454 | webct 2455 | weblog 2456 | webmin 2457 | ww0 2458 | ww01 2459 | ww02 2460 | ww03 2461 | ww1 2462 | ww2 2463 | ww3 2464 | www03 2465 | xanthus 2466 | 
-------------------------------------------------------------------------------- /patchnotes.txt: -------------------------------------------------------------------------------- 1 | SubFuz 3.0.0 22.12.2021 2 | - Migrated to Python3 3 | - Fixed several plugins 4 | ---------------------------- 5 | SubFuz 2.2.2 04.09.2020 6 | - Fixed issue with nameservers not resolving 7 | - Fixed error logging for nameserver resolving 8 | - Fixed proper closing of error log 9 | - Version check on run 10 | ---------------------------- 11 | SubFuz 2.2.1 02.09.2020 12 | - Bug with CSV errors when not defining a CSV 13 | - Remove deprecation warning for BeautifulSoup 14 | - Removed Spyse plugin 15 | - Error handling when incorrect or missing JSON config 16 | ---------------------------- 17 | SubFuz 2.2.0 20.02.2019 18 | - CSV output now contains 19 | Subdomain, Record Type, Result, Resolved IP, TopDomain 20 | - Adjusted crt.sh plugin to match changes on crt.sh 21 | - Removed duplicate prints 22 | ---------------------------- 23 | SubFuz 2.1.1 10.09.2019 24 | - Fixed bug in UTF-8 handling of top-domains 25 | - Fixed bug in circl plugin 26 | - Fixed bug in error logging with UTF-8 symbols 27 | ---------------------------- 28 | SubFuz 2.1.0 05.24.2019 29 | - Improvement for the dns_server function in domainfuzzer.py, enabling better accuracy for dns server selection 30 | - Preferred lookup changed back to UDP after optimizing in lookup methods 31 | - Fixed bug with "Fail" counter 32 | - Verbose logging option added 33 | - Added default enabled error logging - See config.json (logging amount will be increased in the future) 34 | self.log.error_queue.append('error message') 35 | ---------------------------- 36 | SubFuz 2.0.10 05.23.2019 37 | - Changing default preferred lookup to TCP 38 | - Fixed bug related to failed lookups and lookup counter 39 | ---------------------------- 40 | SubFuz 2.0.9 01.04.2019 41 | - Fixed issue in virustotal plugin related to previous core functionality changes 42
| - Fixed error which occurs in a scenario where you feed subfuz with a file containing an empty line under "-l" 43 | ---------------------------- 44 | SubFuz 2.0.8 03.21.2019 45 | - Now passing the subfuz class into plugins, allowing plugins to interact with core functionality 46 | - Minor adjustment to current plugins to allow new functionality 47 | - Removed a word in the subdomain_megalist.txt which caused errors for subfuz in Windows. 48 | line 22811: secci'\udaf4'econd 49 | - utf-8 bugfix related to mail enums 50 | ---------------------------- 51 | SubFuz 2.0.7 03.07.2019 52 | - Remove upper/lower case domain duplicates from results 53 | - Changed fail counter to display only amount of failed hits after x-amount of retries specified by config, rather than each failed request 54 | - Exception added for invalid UTF-8 Characters causing thread to crash 55 | - Added exception for wildcard checks 56 | - Bug fixed related to MX wildcard parsing 57 | ---------------------------- 58 | SubFuz < 2.0.7 59 | - Ton of minor and major fixes, did not keep track of changes until now 60 | -------------------------------------------------------------------------------- /plugins/README.md: -------------------------------------------------------------------------------- 1 | 2 | # Plugins 3 | 4 | Plugin folders can be named anything you like; besides that, there are a couple of items that need to be correctly named.
5 | 6 | * plugin_folder - Any name is fine 7 | * plugin.py - The file which will be called by subfuz 8 | * __init\__.py - File must exist in order to load the plugin 9 | 10 | plugin.py must contain the following information: 11 | ``` 12 | NAME = '' 13 | ARG_HELP = '' 14 | 15 | 16 | def execute(**kwargs): 17 | domain = kwargs['domain'] 18 | config = kwargs['config'] 19 | subfuz = kwargs['subfuz'] 20 | 21 | credentials = config['api-key'] 22 | 23 | # Exit / end plugin with 24 | return ['domain.com', 'subdomain.domain2.com'] 25 | return None 26 | 27 | ``` 28 | See the plugin [virustotal](virustotal/plugin.py) as a sample 29 | or [microsoft](microsoft/plugin.py) for interaction with subfuz core. Because subfuz loads and calls plugin.py directly, a plugin runs with the same privileges as subfuz and is handed the `config` values (API keys included) and the `subfuz` core object, so review any third-party plugin before placing it in this folder. -------------------------------------------------------------------------------- /plugins/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/__init__.py -------------------------------------------------------------------------------- /plugins/__pycache__/__init__.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/__pycache__/__init__.cpython-38.pyc -------------------------------------------------------------------------------- /plugins/aws/README.md: -------------------------------------------------------------------------------- 1 | ## About 2 | Object storage built to store and retrieve any amount of data from anywhere 3 | https://aws.amazon.com/s3/ 4 | ## Config 5 | ``` 6 | "aws":{ 7 | "enable": true 8 | }, 9 | ``` 10 | -------------------------------------------------------------------------------- /plugins/aws/__init__.py: --------------------------------------------------------------------------------
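# plugins/aws/plugin.py
"""SubFuz plugin: look for an Amazon S3 bucket named after the scanned domain."""
# NOTE(review): this listing had lost its indentation; the nesting below is
# reconstructed from the statement order. Confirm it against the repository.
from core.env import SIGINT_handler
import signal
from core.logger import Output
from core.dnslookup import lookup
import requests

NAME = 'aws'
ARG_HELP = 'Amazon S3 bucket lookup'

# Runs at import time: loading this plugin registers this module's own
# handler instance as the process-wide SIGINT handler.
handler = SIGINT_handler()
signal.signal(signal.SIGINT, handler.signal_handler)


def execute(**kwargs):
    """Probe ``<label>.s3.amazonaws.com`` for the scanned domain.

    ``<label>`` is the second-to-last dot-separated label of the domain.

    Keyword Args:
        domain: Domain being scanned, as a dotted string.
        subfuz: SubFuz core object; its ``timeout`` and ``parse_record`` are
            used here.

    Returns:
        Always ``None``. Findings are reported through ``Output`` and passed
        to ``subfuz.parse_record`` instead of being returned.

    Raises:
        requests.RequestException: The HTTPS probe failed or timed out.
    """
    if handler.SIGINT:
        Output().warn("Aborted plugin: %s" % NAME, False)
        return None

    subfuz = kwargs['subfuz']
    labels = kwargs['domain'].split('.')
    if len(labels) < 2:
        # A single-label name has no second-to-last label to build a bucket
        # name from; indexing labels[-2] would raise IndexError.
        return None
    aws_target = labels[-2] + '.s3.amazonaws.com'

    # Bound the probe so a stalled connection cannot hang the whole scan.
    # NOTE(review): assumes subfuz.timeout is a number of seconds, as it is
    # also passed to lookup() as its timeout; confirm.
    query = requests.get('https://' + aws_target, timeout=subfuz.timeout)
    if query.status_code == 404:
        return None
    if query.status_code == 200:
        Output().good('Bucket %s is open' % aws_target, False)

    # NOTE(review): the resolver is hard-coded to 8.8.8.8 rather than taken
    # from subfuz, so this query always goes to that public resolver.
    ans = lookup(aws_target, 'ANY', '8.8.8.8', 'UDP', subfuz.timeout)
    if ans:
        subfuz.parse_record(ans, aws_target)
        Output().neutral("AWS bucket found", False)
    return None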
-------------------------------------------------------------------------------- /plugins/censys/README.md: -------------------------------------------------------------------------------- 1 | ## Usage 2 | Plugin for Censys API [https://censys.io/api](https://censys.io/api) 3 | 4 | The max pages option is there to prevent you from accidentally reaching your monthly query limit. Note that plugin.py reads this limit as `config['max_records']`, while the sample below uses `max_page`; check which key your config.json defines. 5 | 6 | ## Config 7 | ``` 8 | "censys":{ 9 | "enable": true, 10 | "uid": "", 11 | "secret": "", 12 | "max_page": 3 13 | }, 14 | ``` -------------------------------------------------------------------------------- /plugins/censys/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/censys/__init__.py -------------------------------------------------------------------------------- /plugins/censys/__pycache__/__init__.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/censys/__pycache__/__init__.cpython-38.pyc -------------------------------------------------------------------------------- /plugins/censys/__pycache__/plugin.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/censys/__pycache__/plugin.cpython-38.pyc -------------------------------------------------------------------------------- /plugins/censys/plugin.py: -------------------------------------------------------------------------------- 1 | from censys.search import CensysCertificates 2 | from core.env import SIGINT_handler 3 | import signal 4 | from core.logger import Output 5 | 6 | NAME = 'censys' 7 | ARG_HELP = 'censys subdomain certificates' 8 | 9 | handler = SIGINT_handler() 10 |
signal.signal(signal.SIGINT, handler.signal_handler) 11 | 12 | class CENSYSError(Exception): 13 | """Base class for censys exceptions""" 14 | pass 15 | 16 | def execute(domain, config, **kwargs): 17 | if handler.SIGINT: 18 | Output().warn("Aborted plugin: %s" % NAME, False) 19 | return None 20 | try: 21 | c = CensysCertificates(api_id=config['uid'], api_secret=config['secret']) 22 | fields = [ 23 | "parsed.names", 24 | "parsed.subject.common_name", 25 | "parsed.extensions.subject_alt_name.dns_names" 26 | ] 27 | results = [] 28 | for page in c.search(domain, fields, max_records=config['max_records']): 29 | results.append(page) 30 | #Flatten json to array 31 | list = [] 32 | for x in results: 33 | if x.get('parsed.namesn'): 34 | list += (x.get('parsed.names')) 35 | 36 | if x.get('parsed.subject.common_name'): 37 | list += x.get('parsed.subject.common_name') 38 | 39 | if x.get('parsed.extensions.subject_alt_name.dns_names'): 40 | list += x.get('parsed.extensions.subject_alt_name.dns_names') 41 | 42 | subdomains = [] 43 | for x in list: 44 | subdomains.append(x.lstrip('*').lstrip('.')) 45 | subdomains = sorted(set(subdomains)) 46 | return subdomains 47 | except Exception as E: 48 | print (E) 49 | raise 50 | -------------------------------------------------------------------------------- /plugins/circl/README.md: -------------------------------------------------------------------------------- 1 | ## About 2 | CIRCL Passive DNS is a database storing historical DNS records from various resources including malware analysis or partners 3 | https://www.circl.lu/services/passive-dns 4 | ## Config 5 | ``` 6 | "cirlc":{ 7 | "enable": false, 8 | "user": "", 9 | "pass": "" 10 | }, 11 | ``` 12 | -------------------------------------------------------------------------------- /plugins/circl/__init__.py: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/circl/__init__.py -------------------------------------------------------------------------------- /plugins/circl/__pycache__/__init__.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/circl/__pycache__/__init__.cpython-38.pyc -------------------------------------------------------------------------------- /plugins/circl/__pycache__/plugin.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/circl/__pycache__/plugin.cpython-38.pyc -------------------------------------------------------------------------------- /plugins/circl/plugin.py: -------------------------------------------------------------------------------- 1 | from core.env import SIGINT_handler 2 | import signal 3 | from core.logger import Output 4 | import requests 5 | import json 6 | 7 | NAME = 'circl' 8 | ARG_HELP = 'CIRCL Passive DNS is a database storing historical records' 9 | 10 | handler = SIGINT_handler() 11 | signal.signal(signal.SIGINT, handler.signal_handler) 12 | 13 | class CError(Exception): 14 | """Base class for Circl.lu exceptions""" 15 | pass 16 | 17 | def execute(**kwargs): 18 | if handler.SIGINT: 19 | Output().warn("Aborted plugin: %s" % NAME, False) 20 | return None 21 | try: 22 | domain = kwargs['domain'] 23 | config = kwargs['config'] 24 | auth = requests.auth.HTTPBasicAuth(config['user'], config['pass']) 25 | r = requests.get('https://www.circl.lu/pdns/query/' + domain, auth=auth) 26 | if r.status_code == 200 and r.text: 27 | json_page = '[' + r.text.replace('}\n{','},{') + ']' 28 | data = json.loads(json_page) 29 | d = [] 30 | for x in data: 31 | d.append(x['rdata']) 32 | return 
set(d) 33 | elif r.status_code == 200: 34 | #empty response, nothing found 35 | return 36 | elif r.status_code == 401: 37 | raise CError('circl: Unauthorized') 38 | elif r.status_code == 403: 39 | raise CError('circl: Not authorized to access resource') 40 | elif r.status_code == 429: 41 | raise CError('circl: Quota exhausted') 42 | else: 43 | raise CError('circl: Unexpected error, status code: %d' % r.status_code ) 44 | except: 45 | raise 46 | -------------------------------------------------------------------------------- /plugins/citrix/README.md: -------------------------------------------------------------------------------- 1 | ## About 2 | Citrix service used to share files. 3 | https://www.citrix.com/lp/sharefile/ 4 | 5 | ## Config 6 | ``` 7 | "citrix":{ 8 | "enable": true 9 | }, 10 | ``` -------------------------------------------------------------------------------- /plugins/citrix/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/citrix/__init__.py -------------------------------------------------------------------------------- /plugins/citrix/__pycache__/__init__.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/citrix/__pycache__/__init__.cpython-38.pyc -------------------------------------------------------------------------------- /plugins/citrix/__pycache__/plugin.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/citrix/__pycache__/plugin.cpython-38.pyc -------------------------------------------------------------------------------- /plugins/citrix/plugin.py: 
-------------------------------------------------------------------------------- 1 | from core.env import SIGINT_handler 2 | import signal 3 | from core.logger import Output 4 | from core.dnslookup import lookup 5 | import requests 6 | 7 | NAME = 'citrix' 8 | ARG_HELP = 'Citrix Sharefile domain lookup' 9 | 10 | handler = SIGINT_handler() 11 | signal.signal(signal.SIGINT, handler.signal_handler) 12 | 13 | def execute(**kwargs): 14 | if handler.SIGINT: 15 | Output().warn("Aborted plugin: %s" % NAME, False) 16 | return None 17 | try: 18 | domain = kwargs['domain'].split('.') 19 | config = kwargs['config'] 20 | subfuz = kwargs['subfuz'] 21 | citrix_targets = [domain[-2] + '.sharefile.com'] 22 | redirect = requests.get('https://' + citrix_targets[0]) 23 | if 'secure.sharefile.com' not in redirect.url: 24 | authlogin = redirect.url.split('/')[2] 25 | ans = lookup(authlogin, 'ANY', '8.8.8.8', 'UDP', subfuz.timeout) 26 | if ans: 27 | subfuz.parse_record(ans, authlogin) 28 | Output().neutral("Citrix sharefile found", False) 29 | except: 30 | raise 31 | -------------------------------------------------------------------------------- /plugins/crtsh/README.md: -------------------------------------------------------------------------------- 1 | ## Usage 2 | Plugin is fetching subdomains by wildcard search at [https://crt.sh](https://crt.sh) 3 | 4 | ## Config 5 | ``` 6 | "crtsh":{ 7 | "enable": true 8 | }, 9 | ``` -------------------------------------------------------------------------------- /plugins/crtsh/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/crtsh/__init__.py -------------------------------------------------------------------------------- /plugins/crtsh/__pycache__/__init__.cpython-38.pyc: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/crtsh/__pycache__/__init__.cpython-38.pyc -------------------------------------------------------------------------------- /plugins/crtsh/__pycache__/plugin.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/crtsh/__pycache__/plugin.cpython-38.pyc -------------------------------------------------------------------------------- /plugins/crtsh/plugin.py: -------------------------------------------------------------------------------- 1 | import json, requests 2 | from core.env import SIGINT_handler 3 | import signal 4 | from core.logger import Output 5 | 6 | NAME = 'crtsh' 7 | ARG_HELP = 'crt.sh subdomain certificates' 8 | 9 | handler = SIGINT_handler() 10 | signal.signal(signal.SIGINT, handler.signal_handler) 11 | 12 | class CRTError(Exception): 13 | """Base class for crt.sh exceptions""" 14 | pass 15 | 16 | def execute(domain, **kwargs): 17 | if handler.SIGINT: 18 | Output().warn("Aborted plugin: %s" % NAME, False) 19 | return None 20 | try: 21 | query = 'https://crt.sh/?q=' + domain.rstrip() + '&output=json' 22 | r = requests.get(query) 23 | if r.status_code == 200: 24 | data = json.loads(r.content) 25 | d = [] 26 | for x in data: 27 | d.append(x['name_value'].strip('*').strip('.')) 28 | return set(d) 29 | else: 30 | raise CRTError('crtsh plugin: Unexpected Error') 31 | except: 32 | raise 33 | -------------------------------------------------------------------------------- /plugins/dnsdumpster/README.md: -------------------------------------------------------------------------------- 1 | ## About 2 | Query dnsdumpster.com from HackerTarget 3 | https://dnsdumpster.com/ 4 | ## Config 5 | ``` 6 | "dnsdumpster":{ 7 | "enable": true 8 | }, 9 | ``` 10 | 
-------------------------------------------------------------------------------- /plugins/dnsdumpster/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/dnsdumpster/__init__.py -------------------------------------------------------------------------------- /plugins/dnsdumpster/__pycache__/__init__.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/dnsdumpster/__pycache__/__init__.cpython-38.pyc -------------------------------------------------------------------------------- /plugins/dnsdumpster/__pycache__/plugin.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/dnsdumpster/__pycache__/plugin.cpython-38.pyc -------------------------------------------------------------------------------- /plugins/dnsdumpster/plugin.py: -------------------------------------------------------------------------------- 1 | from core.env import SIGINT_handler 2 | import signal 3 | from core.logger import Output 4 | import requests 5 | import warnings 6 | warnings.filterwarnings("ignore") 7 | from bs4 import BeautifulSoup 8 | 9 | 10 | 11 | NAME = 'dnsdumpster' 12 | ARG_HELP = 'Dnsdumpster by hackertarget' 13 | 14 | handler = SIGINT_handler() 15 | signal.signal(signal.SIGINT, handler.signal_handler) 16 | 17 | def execute(**kwargs): 18 | if handler.SIGINT: 19 | Output().warn("Aborted plugin: %s" % NAME, False) 20 | return None 21 | try: 22 | domain = kwargs['domain'] 23 | csrf_page = requests.get('https://dnsdumpster.com') 24 | soup = BeautifulSoup(csrf_page.content) 25 | csrf_token = soup.find('input', {'name': 
'csrfmiddlewaretoken'}).get('value') 26 | query = requests.post('https://dnsdumpster.com', data = {'csrfmiddlewaretoken' : csrf_token, 'targetip' : domain, 'user':'free'},headers={'referer' : 'https://dnsdumpster.com/'}, cookies={ 'csrftoken' : csrf_token}) 27 | soup = BeautifulSoup(query.content) 28 | sites = soup.findAll("td",attrs={"class": "col-md-4"}) 29 | d = [] 30 | for site in sites: 31 | site.text.split(domain)[0].rstrip('\n').rstrip(' ') 32 | d.append(site.text.split(domain)[0] + domain) 33 | return d 34 | except: 35 | raise 36 | -------------------------------------------------------------------------------- /plugins/hackertarget/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/hackertarget/__init__.py -------------------------------------------------------------------------------- /plugins/hackertarget/__pycache__/__init__.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/hackertarget/__pycache__/__init__.cpython-38.pyc -------------------------------------------------------------------------------- /plugins/hackertarget/__pycache__/plugin.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/hackertarget/__pycache__/plugin.cpython-38.pyc -------------------------------------------------------------------------------- /plugins/hackertarget/plugin.py: -------------------------------------------------------------------------------- 1 | import requests, io 2 | from core.env import SIGINT_handler 3 | import signal 4 | from core.logger import Output 5 | 6 | NAME = 'hackertarget' 7 | ARG_HELP = 'hackertarget 
subdomains' 8 | 9 | handler = SIGINT_handler() 10 | signal.signal(signal.SIGINT, handler.signal_handler) 11 | 12 | class HTError(Exception): 13 | """Base class for hackertarget exceptions""" 14 | pass 15 | 16 | def execute(domain, **kwargs): 17 | if handler.SIGINT: 18 | Output().warn("Aborted plugin: %s" % NAME, False) 19 | return None 20 | try: 21 | query = 'https://api.hackertarget.com/hostsearch/?q=' + domain.rstrip() 22 | r = requests.get(query) 23 | bRep = r.text #response body 24 | if r.status_code == 200: 25 | if "error check your search parameter" not in bRep: 26 | d = [] 27 | lines = bRep.split("\n") 28 | for x in lines: 29 | subdom = x.split(',') 30 | d.append(subdom[0]) 31 | return set(d) 32 | else: 33 | raise HTError('hackertarget plugin: Unexpected Error') 34 | except: 35 | raise 36 | -------------------------------------------------------------------------------- /plugins/microsoft/README.md: -------------------------------------------------------------------------------- 1 | ## Usage 2 | Plugin will attempt to resolve tenant addresses for microsoft 3 | 4 | ## Config 5 | ``` 6 | "microsoft":{ 7 | "enable": true 8 | }, 9 | ``` -------------------------------------------------------------------------------- /plugins/microsoft/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/microsoft/__init__.py -------------------------------------------------------------------------------- /plugins/microsoft/__pycache__/__init__.cpython-38.pyc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/microsoft/__pycache__/__init__.cpython-38.pyc -------------------------------------------------------------------------------- /plugins/microsoft/__pycache__/plugin.cpython-38.pyc: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/microsoft/__pycache__/plugin.cpython-38.pyc -------------------------------------------------------------------------------- /plugins/microsoft/plugin.py: -------------------------------------------------------------------------------- 1 | from core.env import SIGINT_handler 2 | import signal 3 | from core.logger import Output 4 | from core.dnslookup import lookup 5 | 6 | NAME = 'microsoft' 7 | ARG_HELP = 'Microsoft tenant domain lookup' 8 | 9 | handler = SIGINT_handler() 10 | signal.signal(signal.SIGINT, handler.signal_handler) 11 | 12 | def execute(**kwargs): 13 | if handler.SIGINT: 14 | Output().warn("Aborted plugin: %s" % NAME, False) 15 | return None 16 | try: 17 | domain = kwargs['domain'].split('.') 18 | config = kwargs['config'] 19 | subfuz = kwargs['subfuz'] 20 | ms_targets = [domain[-2] + '.sharepoint.com', 21 | domain[-2] + '-my.sharepoint.com', 22 | domain[-2] + '-myfiles.sharepoint.com', 23 | domain[-2] + '-files.sharepoint.com', 24 | domain[-2] + '.onmicrosoft.com', 25 | '%s-%s.mail.protection.outlook.com' % (domain[-2], domain[-1]), 26 | 'selector1-%s-%s._domainkey.%s.onmicrosoft.com' % (domain[-2], domain[-1], domain[-2]), 27 | 'selector2-%s-%s._domainkey.%s.onmicrosoft.com' % (domain[-2], domain[-1], domain[-2])] 28 | i = 0 29 | for ms in ms_targets: 30 | ans = lookup(ms, 'ANY', '8.8.8.8', 'UDP', subfuz.timeout) 31 | if ans: 32 | i += 1 33 | subfuz.parse_record(ans, ms) 34 | Output().neutral("%d subdomains found" %i, False) 35 | except: 36 | raise 37 | -------------------------------------------------------------------------------- /plugins/securitytrails/README.md: -------------------------------------------------------------------------------- 1 | ## Usage 2 | Get a API key and add to config 3 | 4 | https://securitytrails.com/ 5 | 6 | ## Config 7 | ``` 8 | 
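# "securitytrails":{
#     "enable": false,
#     "apikey":""
# },
# ```
# --------------------------------------------------------------------------------
# /plugins/securitytrails/__init__.py:
# --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/securitytrails/__init__.py
# --------------------------------------------------------------------------------
# /plugins/securitytrails/__pycache__/__init__.cpython-38.pyc:
# --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/securitytrails/__pycache__/__init__.cpython-38.pyc
# --------------------------------------------------------------------------------
# /plugins/securitytrails/__pycache__/plugin.cpython-38.pyc:
# --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/securitytrails/__pycache__/plugin.cpython-38.pyc
# --------------------------------------------------------------------------------
# /plugins/securitytrails/plugin.py:
# --------------------------------------------------------------------------------
import json
import signal

import requests

from core.env import SIGINT_handler
from core.logger import Output

NAME = 'securitytrails'
ARG_HELP = 'securitytrails subdomain'

# Seconds to wait for the API; requests.get() has no timeout by default and
# would otherwise block the whole run on a stalled connection.
REQUEST_TIMEOUT = 30

# Messages for the HTTP statuses the plugin reports explicitly.
_STATUS_ERRORS = {
    400: '400 - Bad request',
    401: '401 - Unauthorized',
    403: '403 - Forbidden',
    429: '429 - Too many requests',
    500: '500 - Internal Server Error',
}

# Registered at import time; signal.signal() replaces any handler installed
# earlier (the other plugin modules register one as well).
handler = SIGINT_handler()
signal.signal(signal.SIGINT, handler.signal_handler)


class securitytrailsError(Exception):
    """Base class for securitytrails exceptions"""
    pass


def execute(domain, config, **kwargs):
    """Return the subdomains SecurityTrails lists for *domain*.

    Args:
        domain: target domain; trailing whitespace is stripped.
        config: this plugin's config section; ``config['apikey']`` is read.
        **kwargs: accepted and ignored.

    Returns:
        A list of fully qualified names (``<label>.<domain>``), or None when
        the run was interrupted before the request was made.

    Raises:
        securitytrailsError: the API answered with a status other than 200.
        requests.RequestException: the request itself failed or timed out.
    """
    if handler.SIGINT:
        Output().warn("Aborted plugin: %s" % NAME, False)
        return None

    target = domain.rstrip()
    url = "https://api.securitytrails.com/v1/domain/%s/subdomains" % target
    # The key travels in the APIKEY header rather than in the query string, so
    # it does not end up in proxy or server access logs, or in the URL that
    # requests embeds in its exception messages.
    r = requests.get(url, headers={'APIKEY': config['apikey']},
                     timeout=REQUEST_TIMEOUT)

    if r.status_code != 200:
        raise securitytrailsError(
            _STATUS_ERRORS.get(r.status_code, 'securitytrails plugin: Unexpected Error'))

    data = json.loads(r.content)
    # The API returns bare labels; append the target to get full names.
    return [label + "." + target for label in data.get('subdomains', [])]

# --------------------------------------------------------------------------------
# /plugins/virustotal/README.md:
# --------------------------------------------------------------------------------
# ## Usage
# Get an API key and add to config
#
# https://developers.virustotal.com/reference
#
# ## Config
# ```
# "virustotal":{
#     "enable": true,
#     "api-key":""
# },
# ```
# --------------------------------------------------------------------------------
# /plugins/virustotal/__init__.py:
# --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/virustotal/__init__.py
# --------------------------------------------------------------------------------
# /plugins/virustotal/__pycache__/__init__.cpython-38.pyc:
# --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/virustotal/__pycache__/__init__.cpython-38.pyc
# --------------------------------------------------------------------------------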
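# /plugins/virustotal/__pycache__/plugin.cpython-38.pyc:
# --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/virustotal/__pycache__/plugin.cpython-38.pyc
# --------------------------------------------------------------------------------
# /plugins/virustotal/plugin.py:
# --------------------------------------------------------------------------------
import json
import signal

import requests

from core.env import SIGINT_handler
from core.logger import Output

NAME = 'virustotal'
ARG_HELP = 'VirusTotal subdomain certificates'

VT_DOMAIN_REPORT_URL = "https://www.virustotal.com/vtapi/v2/domain/report"

# Seconds to wait for the API; requests.get() has no timeout by default and
# would otherwise block the whole run on a stalled connection.
REQUEST_TIMEOUT = 30

# Registered at import time; signal.signal() replaces any handler installed
# earlier (the other plugin modules register one as well).
handler = SIGINT_handler()
signal.signal(signal.SIGINT, handler.signal_handler)


class VTError(Exception):
    """Base class for Virus Total exceptions"""
    pass


def execute(domain, config, **kwargs):
    """Return the subdomains VirusTotal reports for *domain*.

    Args:
        domain: target domain; trailing whitespace is stripped.
        config: this plugin's config section; ``config['api-key']`` is read.
        **kwargs: accepted and ignored.

    Returns:
        The ``subdomains`` value of the JSON report, or None when the report
        has no such key or the run was interrupted before the request.

    Raises:
        VTError: the API answered with a status other than 200.
        requests.RequestException: the request itself failed or timed out.
    """
    if handler.SIGINT:
        Output().warn("Aborted plugin: %s" % NAME, False)
        return None

    # Passing the values through `params` lets requests URL-encode them instead
    # of splicing raw text into the query string.
    # The v2 endpoint takes the key as a query parameter, so the key is part of
    # the request URL: requests exceptions can carry that URL in their message,
    # and any proxy on the path logs it. Callers should not print such
    # exceptions verbatim.
    r = requests.get(
        VT_DOMAIN_REPORT_URL,
        params={'apikey': config['api-key'], 'domain': domain.rstrip()},
        timeout=REQUEST_TIMEOUT,
    )

    if r.status_code == 200:
        data = json.loads(r.content)
        # When present, 'subdomains' is expected to be an array.
        return data.get('subdomains')
    if r.status_code == 204:
        # The v2 API answers 204 once the request quota is exceeded.
        raise VTError('Virustotal plugin: API rate limit exceeded')
    if r.status_code == 403:
        raise VTError('Virustotal plugin: API Unauthorized')
    raise VTError('Virustotal plugin: Unexpected Error')

# --------------------------------------------------------------------------------
# /requirements.txt:
# --------------------------------------------------------------------------------
# dnspython
# requests
# BeautifulSoup4
# censys
# --------------------------------------------------------------------------------
# /subfuz.py:
# --------------------------------------------------------------------------------
#!/usr/bin/python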
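# -*- coding: utf-8 -*-
import argparse
import importlib
import json
import os
import sys

import requests

from core import env
from core.domainfuzzer import SubFuz
#from core.logger import Output, col

banner = ''' ___ _____
________ _\_ |___/ ____\_ __________
/ ___/ | \ __ \ __\ | \___ /
\___ \| | / \_\ \ | | | // /
/____ >____/|___ /__| |____//_____ \\
\/ \/ \/\n
'''

VERSION = "3.0.0"

(SF_FILE, SF_DIR) = env.setup_core_paths(os.path.realpath(__file__))
PLUGINS_DIR = os.path.join(SF_DIR, "plugins")
CORE_DIR = os.path.join(SF_DIR, "core")


def check_version():
    """Print a warning when the published patch notes name another version.

    Best effort: any failure (no network, unexpected content, HTTP error) is
    ignored so that the check can never stop a run.
    """
    try:
        resp = requests.get("https://raw.githubusercontent.com/netsecurity-as/subfuz/master/patchnotes.txt", timeout=1)
        # Without this, an error page would be parsed as if it were the notes.
        resp.raise_for_status()
        # `.text`, not `.content`: splitting bytes on a str separator raises
        # TypeError, which the old bare except swallowed, so the check never
        # produced a result.
        # The first line is taken to be "<word> <version>".
        latest = resp.text.split('\n')[0].split(' ')[1].strip()
    except Exception:
        return
    if latest != VERSION:
        # The original passed the two values in swapped order.
        print ('\nWARNING\nSubfuz is out of date.\nRunning version: %s\nLatest version: %s\n\n' % (VERSION, latest))


def _load_config():
    """Load config.json from the current working directory, or exit."""
    try:
        with open('config.json') as json_data_file:
            return json.load(json_data_file)
    except ValueError:
        print ("Bad Json Structure in config.json")
        sys.exit()
    except IOError:
        print ("config.json not found.")
        sys.exit()


def _load_plugins():
    """Import plugins/<name>/plugin.py for every directory directly under plugins/.

    Importing runs each plugin's module-level code, and this happens before
    the per-plugin 'enable' flag is looked at. The plugins directory therefore
    has to be writable only by users trusted to run code as the operator.
    """
    # TODO: find a more elegant way to load plugin names with unique names rather than "plugin.py"
    # Only first-level directories are plugin packages; recursing (as os.walk
    # does when iterated) would also register nested directories as plugins.
    top_level = next(os.walk(PLUGINS_DIR), (None, [], None))[1]
    loaded = []
    for d in sorted(top_level):
        if d == '__pycache__':
            continue
        name = 'plugins.' + d + '.plugin'
        try:
            loaded.append(importlib.import_module(name))
        except (ImportError, OSError) as err:
            # A plugin with a missing dependency raises ImportError, which the
            # original `except OSError` did not catch; skip it and carry on.
            print ('Failed to load plugin %s: %s' % (name, err))
    return loaded


def initialize():
    """Run the version check, read the config, load plugins and parse argv.

    Returns:
        (config, args, plugins): the parsed config.json, the argparse
        namespace and the list of imported plugin modules.

    Exits the process when config.json is missing or malformed, or when the
    command line is incomplete.
    """
    check_version()
    config = _load_config()

    override = config['config']['dns_override']
    protocol = config['config']['dns_override_protocol']
    record = config['config']['dns_override_record']
    timeout = config['config']['timeout']
    threads = config['config']['threads']
    throttle = config['config']['throttle']
    retry = config['config']['retry']

    _PLUGINS = _load_plugins()

    example_text = '''
Example usage:
python subfuz.py -d example.com -w domain_dictionary.txt -all

SubFuz %s
Author: Torstein Mauseth @ Netsecurity
''' % VERSION
    parser = argparse.ArgumentParser(epilog=example_text, formatter_class=argparse.RawTextHelpFormatter)
    # Drops the last default argument group so that only the groups added
    # below are listed in the help output.
    parser._action_groups.pop()
    required_args = parser.add_argument_group('required arguments')
    optional_args = parser.add_argument_group('optional arguments')
    plugin_args = parser.add_argument_group('plugins')

    required_args.add_argument('-d', help='Specify domain to fuzz, or..', dest='target')
    required_args.add_argument('-l', help='Specify list of domains to fuzz', dest='target_list')
    optional_args.add_argument('-w', help='Specify fuzzing dictionary to use', dest='dictionary')
    optional_args.add_argument('-o', help='Write output to a file', dest='log_filename', required=False, default=False)
    optional_args.add_argument('-csv', help='Write output to a csv file. Use - for stdout', dest='csv_filename', required=False, default=False)
    optional_args.add_argument('-deep', help='Specify fuzzing dictionary for deep subdomain testing', required=False, default=False)
    optional_args.add_argument('-dns', default=None, help='{:32}'.format('Override DNS server to query')+ '{:5}'.format('[ %s ]' % override))
    optional_args.add_argument('-protocol', default=protocol, help='{:32}'.format('Override DNS protocol') + '{:5}'.format('[ %s ]' % protocol))
    # The help text used to show the protocol default here instead of the record.
    optional_args.add_argument('-record', default=record, help='{:32}'.format('Override DNS query record') + '{:5}'.format('[ %s ]' % record))
    optional_args.add_argument('-p', type=int, default=timeout, help='{:32}'.format('DNS timeout') + '{:5}'.format('[ %d ] sec'% timeout))
    optional_args.add_argument('-z', type=int, default=throttle, help='{:32}'.format('DNS request throttle') + '{:5}'.format('[ %d ] ms' % throttle))
    optional_args.add_argument('-r', type=int, default=retry, help='{:32}'.format('DNS retries if failed') + '{:5}'.format('[ %d ]' % retry))
    optional_args.add_argument('-t', type=int, default=threads, help='{:32}'.format('Threads active') + '{:5}'.format('[ %d ]' % threads))
    optional_args.add_argument('-zone', action='store_false', help="Disable Zone Transfer testing")
    optional_args.add_argument('-ptr', action='store_false', help="Disable PTR check on related domains on the current /24 network")
    optional_args.add_argument('-quiet', action='store_true', help="Suppress terminal output")
    optional_args.add_argument('-verbose', action='store_true', help="Verbose output")

    # Load plugins as optional arguments
    plugin_args.add_argument('-all', action='store_true', help='Enable all plugins')
    for plugin in _PLUGINS:
        try:
            if config['plugins'][plugin.NAME]['enable'] is True:
                plugin_args.add_argument('-' + plugin.NAME, action='store_true', help=plugin.ARG_HELP)
        except (KeyError, TypeError, AttributeError, argparse.ArgumentError):
            # No config entry, no NAME/ARG_HELP, or a clashing option name:
            # the plugin simply gets no command-line switch.
            pass

    args = parser.parse_args()
    # verify that one of the required arguments has been set.
    if not bool(args.target) ^ bool(args.target_list):
        parser.print_help()
        sys.exit()
    # Quiet mode needs at least one output file. The previous XOR test also
    # rejected -o together with -csv, contradicting the "and/or" in the message.
    if args.quiet and not (args.csv_filename or args.log_filename):
        print('Quiet mode must be used with either -o and/or -csv ')
        sys.exit()

    return (config, args, _PLUGINS)



if __name__ == "__main__":
    config, args, plugins = initialize()
    if not args.quiet: print (banner)
    if args.target_list:
        try:
            with open(args.target_list, encoding='UTF-8') as f:
                # Blank lines are dropped so that no scan is started for an
                # empty target.
                targets = [line.strip() for line in f if line.strip()]
        except (OSError, UnicodeError):
            # This is the input list, not an output file as the old message said.
            print ("Could not open target list: %s" % args.target_list)
            sys.exit()
    elif args.target:
        targets = [args.target]
    for domain in targets:
        sf = SubFuz(domain, config, args, PLUGINS_DIR, CORE_DIR)
        # Kept as an equality test: only an explicit False skips the target.
        if sf.check_dns_server() == False:
            continue
        sf.check_wildcard(sf.domain)
        sf.execute_plugins(plugins, sf)
        sf.scan()
        sf.subnets()
        sf.ptr_scan()
        sf.stats()
        if sf.handler.SIGINT:
            break
        del(sf)

# --------------------------------------------------------------------------------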