├── LICENSE.md
├── README.md
├── config.json
├── core
├── __init__.py
├── __pycache__
│ ├── __init__.cpython-38.pyc
│ ├── dnslookup.cpython-38.pyc
│ ├── domainfuzzer.cpython-38.pyc
│ ├── env.cpython-38.pyc
│ └── logger.cpython-38.pyc
├── dnslookup.py
├── domainfuzzer.py
├── env.py
└── logger.py
├── fierce_improved.txt
├── patchnotes.txt
├── plugins
├── README.md
├── __init__.py
├── __pycache__
│ └── __init__.cpython-38.pyc
├── aws
│ ├── README.md
│ ├── __init__.py
│ ├── __pycache__
│ │ ├── __init__.cpython-38.pyc
│ │ └── plugin.cpython-38.pyc
│ └── plugin.py
├── censys
│ ├── README.md
│ ├── __init__.py
│ ├── __pycache__
│ │ ├── __init__.cpython-38.pyc
│ │ └── plugin.cpython-38.pyc
│ └── plugin.py
├── circl
│ ├── README.md
│ ├── __init__.py
│ ├── __pycache__
│ │ ├── __init__.cpython-38.pyc
│ │ └── plugin.cpython-38.pyc
│ └── plugin.py
├── citrix
│ ├── README.md
│ ├── __init__.py
│ ├── __pycache__
│ │ ├── __init__.cpython-38.pyc
│ │ └── plugin.cpython-38.pyc
│ └── plugin.py
├── crtsh
│ ├── README.md
│ ├── __init__.py
│ ├── __pycache__
│ │ ├── __init__.cpython-38.pyc
│ │ └── plugin.cpython-38.pyc
│ └── plugin.py
├── dnsdumpster
│ ├── README.md
│ ├── __init__.py
│ ├── __pycache__
│ │ ├── __init__.cpython-38.pyc
│ │ └── plugin.cpython-38.pyc
│ └── plugin.py
├── hackertarget
│ ├── __init__.py
│ ├── __pycache__
│ │ ├── __init__.cpython-38.pyc
│ │ └── plugin.cpython-38.pyc
│ └── plugin.py
├── microsoft
│ ├── README.md
│ ├── __init__.py
│ ├── __pycache__
│ │ ├── __init__.cpython-38.pyc
│ │ └── plugin.cpython-38.pyc
│ └── plugin.py
├── securitytrails
│ ├── README.md
│ ├── __init__.py
│ ├── __pycache__
│ │ ├── __init__.cpython-38.pyc
│ │ └── plugin.cpython-38.pyc
│ └── plugin.py
└── virustotal
│ ├── README.md
│ ├── __init__.py
│ ├── __pycache__
│ ├── __init__.cpython-38.pyc
│ └── plugin.cpython-38.pyc
│ └── plugin.py
├── requirements.txt
├── subdomain_megalist.txt
└── subfuz.py
/LICENSE.md:
--------------------------------------------------------------------------------
1 | SubFuz - A Subdomain Fuzzing Tool
2 | Copyright (C) 2019 Torstein Mauseth
3 |
4 | This program is free software: you can redistribute it and/or modify
5 | it under the terms of the GNU General Public License as published by
6 | the Free Software Foundation, either version 3 of the License, or
7 | (at your option) any later version.
8 |
9 | This program is distributed in the hope that it will be useful,
10 | but WITHOUT ANY WARRANTY; without even the implied warranty of
11 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 | GNU General Public License for more details.
13 |
14 | You should have received a copy of the GNU General Public License
15 | along with this program. If not, see .
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # SubFuz - A Subdomain Fuzzer
2 | SubFuz is a fuzzing tool used for enumerating subdomains through multiple methods.
3 | This tool has various buildt in enumeration methods, at the same time as plugin support to enrich your result from different 3rd party sources. SubFuz accepts internationalized domain name (IDN) allowing you to scan domains like пример.example, 例.example, мысал.example - as well as use UTF-8 based words in your fuzzing dictionary.
4 |
5 | When SubFuz identifies a valid subdomain, it will perform mutation techniques on the subdomain to find similar, adjacent or deeper subdomains. As an example, if web.exampe.com was discovered, SubFuz will then check DNS to see if there's a web01.example.com, web02.example.com and so on. SubFuz will also append any words listed in the config option "deep_domains", testing for things such as admin.web.example.com, api.web.example.com and so on.
6 |
7 | ### Requirements
8 | [](https://www.python.org/downloads/)
9 |
10 | Currently tested on Linux with python 3.10
11 | ```
12 | sudo apt-get install python3 python3-pip
13 | git clone https://github.com/netsecurity-as/subfuz/
14 | cd subfuz
15 | python3 -m pip install -r requirements.txt
16 | ```
17 |
18 | ### Usage
19 | ```
20 | $ python3 subfuz.py -h
21 | usage: subfuz.py [-h] [-d TARGET] [-l TARGET_LIST] [-w DICTIONARY]
22 | [-o LOG_FILENAME] [-csv CSV_FILENAME] [-deep DEEP] [-dns DNS]
23 | [-protocol PROTOCOL] [-record RECORD] [-p P] [-z Z] [-r R]
24 | [-t T] [-zone] [-ptr] [-quiet] [-all]
25 |
26 | required arguments:
27 | -d TARGET Specify domain to fuzz, or..
28 | -l TARGET_LIST Specify list of domains to fuzz
29 |
30 | optional arguments:
31 | -w DICTIONARY Specify fuzzing dictionary to use
32 | -o LOG_FILENAME Write output to a file
33 | -csv CSV_FILENAME Write output to a csv file. Use - for stdout
34 | -deep DEEP Specify fuzzing dictionary for deep subdomain testing
35 | -dns DNS Override DNS server to query [ None ]
36 | -protocol PROTOCOL Override DNS protocol [ None ]
37 | -record RECORD Override DNS query record [ None ]
38 | -p P DNS timeout [ 3 ] sec
39 | -z Z DNS request throttle [ 0 ] ms
40 | -r R DNS retries if failed [ 3 ]
41 | -t T Threads active [ 5 ]
42 | -zone Disable Zone Transfer testing
43 | -ptr Disable PTR check on related domains on the current /24 network
44 | -quiet Suppress terminal output
45 |
46 |
47 | plugins:
48 | -all Enable all plugins
49 | -
50 | ```
51 |
52 | ### Configuration
53 | See configuration [**config.json**](/config.json) to customizing default options, enabling / disabling plugins.
54 |
55 | | Parameter | Default | Description |
56 | | ------ | ------ | ------ |
57 | | threads | 5 | Number of paralell threads to run scans with |
58 | | dns_fallback | 8.8.8.8 | Fallback DNS server to resolve queries |
59 | | dns_fallback_protocol | UDP | Fallback protocol to resolv with |
60 | | dns_fallback_record | ANY | Fallback record type to resolv with |
61 | | dns_override | null | Permanently override DNS server |
62 | | dns_override_protocol | null | Permanently override DNS protocol |
63 | | dns_override_record | null | Permanently override DNS record |
64 | | throttle | 0 | Ratelimit each thread by x milliseconds |
65 | | timeout | 3 | DNS query timeout |
66 | | retry | 3 | Amount of retries on failed queries |
67 | | deep_domains | N/A | Additional Tests performed on located subdomains.e.g. admin.subdomain.domain.com
68 | | txt_record_search | N/A | Display and log matching TXT records |
69 |
70 | ### Plugins
71 | For plugin developement or contributions, see [/plugins/README.md](/plugins/README.md) for how to get started.
72 | SubFuz is currently extended with the following plugins:
73 |
74 | | Plugin | README | Author |
75 | | ------ | ------ | ------ |
76 | | virustotal | [/plugins/virustotal/README.md](plugins/virustotal/README.md) | [Eplox](https://github.com/Eplox/) |
77 | | crtsh | [/plugins/crtsh/README.md](plugins/crtsh/README.md) | [Eplox](https://github.com/Eplox/) |
78 | | censys | [/plugins/censys/README.md](plugins/censys/README.md) | [Eplox](https://github.com/Eplox/) |
79 | | hackertarget | hackertarget.com | [Vegar](https://github.com/VegarLH)
80 | | microsoft | [/plugins/microsoft/README.md](plugins/microsoft/README.md) | [Eplox](https://github.com/Eplox/) |
81 | | citrix | [/plugins/citrix/README.md](plugins/citrix/README.md) | [hahnium](https://github.com/hahnium) |
82 | | aws | [/plugins/aws/README.md](plugins/aws/README.md) | [hahnium](https://github.com/hahnium) |
83 | | circl | [/plugins/circl/README.md](plugins/circl/README.md) | [hahnium](https://github.com/hahnium) |
84 | | dnsdumpster | [/plugins/dnsdumpster/README.md](plugins/dnsdumpster/README.md) | [hahnium](https://github.com/hahnium) |
85 |
86 | ### Recommendations
87 | Grab the domain fuzzing lists from Daniel Miessler repository: https://github.com/danielmiessler/SecLists/tree/master/Discovery/DNS
88 |
89 | Included DNS wordlist is based on this source.
90 |
91 | ### License
92 | This project is licensed under the [GPL license](/LICENSE.md).
93 |
94 | [](https://www.gnu.org/licenses/gpl-3.0)
95 |
--------------------------------------------------------------------------------
/config.json:
--------------------------------------------------------------------------------
1 | {
2 | "config":{
3 | "threads": 5,
4 | "dns_fallback": "8.8.8.8",
5 | "dns_fallback_protocol": "UDP",
6 | "dns_fallback_record": "ANY",
7 | "dns_override": null,
8 | "dns_override_protocol": null,
9 | "dns_override_record": null,
10 | "throttle": 0,
11 | "timeout": 3,
12 | "retry": 3,
13 | "deep_domains":["admin", "api", "app", "backup", "beta", "blog", "cdn", "client", "cpanel", "customer",
14 | "demo", "dev", "devapp", "email", "gw", "intra", "mail", "new", "old", "owa", "phpmyadmin",
15 | "prod", "remote", "security", "stage", "store", "support", "test", "webconf", "webmail",
16 | "www"],
17 | "txt_record_search":["v=spf","v=DKIM", "v=DMARC"],
18 | "error_file":"error.log"
19 | },
20 | "plugins":{
21 | "_comment": "name of plugin config must be equal to constant 'NAME' for the plugin",
22 | "_comment2": "set enable to true for subfuz to include listed plugin.",
23 | "virustotal":{
24 | "enable": false,
25 | "api-key":""
26 | },
27 | "crtsh":{
28 | "enable": true
29 | },
30 | "censys":{
31 | "enable": false,
32 | "uid": "",
33 | "secret": "",
34 | "max_records": 100
35 | },
36 | "hackertarget":{
37 | "enable": true
38 | },
39 | "microsoft": {
40 | "enable": true
41 | },
42 | "citrix": {
43 | "enable": true
44 | },
45 | "aws": {
46 | "enable": true
47 | },
48 | "circl": {
49 | "enable": false,
50 | "user": "",
51 | "pass": ""
52 | },
53 | "dnsdumpster": {
54 | "enable": true
55 | },
56 | "securitytrails": {
57 | "enable": false,
58 | "apikey": ""
59 | }
60 | }
61 | }
--------------------------------------------------------------------------------
/core/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/core/__init__.py
--------------------------------------------------------------------------------
/core/__pycache__/__init__.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/core/__pycache__/__init__.cpython-38.pyc
--------------------------------------------------------------------------------
/core/__pycache__/dnslookup.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/core/__pycache__/dnslookup.cpython-38.pyc
--------------------------------------------------------------------------------
/core/__pycache__/domainfuzzer.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/core/__pycache__/domainfuzzer.cpython-38.pyc
--------------------------------------------------------------------------------
/core/__pycache__/env.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/core/__pycache__/env.cpython-38.pyc
--------------------------------------------------------------------------------
/core/__pycache__/logger.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/core/__pycache__/logger.cpython-38.pyc
--------------------------------------------------------------------------------
/core/dnslookup.py:
--------------------------------------------------------------------------------
1 | import dns.name
2 | import dns.message
3 | import dns.query
4 | import dns.flags
5 | import dns.rdatatype
6 | import dns.reversename
7 | from socket import gethostbyname_ex
8 |
9 |
10 | # acceptable request types:
11 | """ ['A', 'A6', 'AAAA', 'AFSDB', 'ANY', 'APL', 'AVC', 'AXFR', 'CAA', 'CDNSKEY', 'CDS', 'CERT', 'CNAME',
12 | 'CSYNC', 'DHCID', 'DLV', 'DNAME', 'DNSKEY', 'DS', 'EUI48', 'EUI64', 'GPOS', 'HINFO', 'HIP', 'IPSECKEY',
13 | 'ISDN', 'IXFR', 'KEY', 'KX', 'LOC', 'MAILA', 'MAILB', 'MB', 'MD', 'MF', 'MG', 'MINFO', 'MR', 'MX',
14 | 'NAPTR', 'NONE', 'NS', 'NSAP', 'NSAP_PTR', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'NULL', 'NXT', 'OPT', 'PTR',
15 | 'PX', 'RP', 'RRSIG', 'RT', 'SIG', 'SOA', 'SPF', 'SRV', 'SSHFP', 'TA', 'TKEY', 'TLSA', 'TSIG', 'TXT',
16 | 'UNSPEC', 'URI', 'WKS', 'X25'] """
17 |
18 | class ProtocolError(Exception):
19 | pass
20 |
21 | def lookup(domain, type='ANY', nameserver='8.8.8.8', protocol='UDP', dnstimeout=2):
22 | domain = domain.encode('idna').decode('utf-8')
23 | if type == 'PTR':
24 | domain = dns.reversename.from_address(domain).to_text()
25 | nameserver = gethostbyname_ex(nameserver.encode('idna'))[2][0]
26 | ADDITIONAL_RDCLASS = 65535
27 | try:
28 | request = dns.message.make_query(domain, getattr(dns.rdatatype, type))
29 | except Exception:
30 | return False
31 | request.flags |= dns.flags.AD
32 | request.find_rrset(request.additional, dns.name.root, ADDITIONAL_RDCLASS, dns.rdatatype.OPT, create=True, force_unique=True)
33 |
34 | try:
35 | if protocol == 'TCP':
36 | return dns.query.tcp(request, nameserver, timeout=dnstimeout).answer
37 | elif protocol == 'UDP':
38 | return dns.query.udp(request, nameserver, timeout=dnstimeout).answer
39 | else:
40 | raise ProtocolError("Invalid Protocol", -1)
41 | except Exception:
42 | return False
43 |
44 |
--------------------------------------------------------------------------------
/core/domainfuzzer.py:
--------------------------------------------------------------------------------
1 | from core.dnslookup import lookup
2 | from core.logger import Output, col
3 | from threading import Thread, Lock
4 | from core.env import SIGINT_handler
5 | from socket import gethostbyname_ex
6 | import time, signal, math
7 | import random, string, sys, re
8 | import dns.zone
9 | import traceback
10 |
11 | class ScanList():
12 | def __init__(self, args):
13 | if args.dictionary:
14 | try:
15 | #self.unscanned = map(unicode.strip, io.open(args.dictionary, encoding='utf-8', mode='r').readlines())
16 | with open(args.dictionary, encoding='UTF-8') as f:
17 | self.unscanned = [line.rstrip() for line in f]
18 | except IOError as e:
19 | print(traceback.print_exc())
20 | print (e)
21 | sys.exit()
22 | else:
23 | self.unscanned = []
24 | self.unscanned.insert(0,'')
25 | self.scanned = []
26 | self.found = []
27 | self.n_unscanned = len(self.unscanned)
28 | self.n_scanned = len(self.scanned)
29 | self.items = []
30 | self.subnets = []
31 | self.ptr_unscanned_ip = []
32 | self.ptr_scanned = 0
33 | self.scan_failed = []
34 | self.failcounter = 0
35 |
36 |
37 | class SubFuz():
38 | def __init__(self, domain, config, args, PLUGINS_DIR, CORE_DIR):
39 | self.handler = SIGINT_handler()
40 | signal.signal(signal.SIGINT, self.handler.signal_handler)
41 | self.log = Output(args.log_filename, args.csv_filename, config['config']['error_file'], args.quiet)
42 | self.domain = domain.encode('idna').decode('utf-8')
43 | self.throttle = args.z / 1000.0
44 | self.threads = args.t
45 | self.zone = args.zone
46 | self.retry = config['config']['retry']
47 | if args.csv_filename: self.csv = True
48 | else: self.csv = False
49 | if args.deep:
50 | with open(args.deep, encoding='UTF-8') as f:
51 | self.deep_domains = [line.rstrip() for line in f]
52 | #self.deep_domains = map(unicode.strip, io.open(args.deep, encoding='utf-8', mode='r').readlines())
53 | else: self.deep_domains = config["config"]["deep_domains"]
54 | self.timeout = args.p
55 | if args.dns: self.dns = args.dns
56 | else: self.dns = config['config']['dns_fallback']
57 | if args.protocol: self.protocol = args.protocol
58 | else: self.protocol = config['config']['dns_fallback_protocol']
59 | self.protocol = self.protocol.upper()
60 | if args.record: self.record = args.record
61 | else: self.record = config['config']['dns_fallback_record']
62 | self.args = args
63 | self.config = config
64 | # TODO move wildcards to ScanList
65 | self.a_wildcard = self.aaaa_wildcard = self.txt_wildcard = self.mx_wildcard = self.cname_wildcard = []
66 | self.sl = ScanList(args)
67 | # Mutex lock required to avoid issues with multiple threads working on the same object.
68 | self.mutex = Lock()
69 |
70 | self.f1 = '{:50}'
71 | self.f2 = '{:8}'
72 | self.f3 = '{:10}'
73 | self.f4 = '{:46}'
74 |
75 | self.log.normal("Scanning: %s" % domain, True)
76 |
77 | def check_dns_server(self):
78 | # If dns override is not specified
79 | dns_servers = []
80 | if not self.args.dns:
81 | ns_record = lookup(self.domain, 'NS', self.config['config']['dns_fallback'], self.protocol, self.timeout)
82 | if not ns_record:
83 | ns_record = lookup(".".join(self.domain.split('.')[-2:]), 'NS', self.config['config']['dns_fallback'], self.protocol, self.timeout)
84 | # TODO very ugly way of doing it, https://publicsuffix.org/list/public_suffix_list.dat is on the to-do list
85 | # currently doesn't handle target domain inputs like subdomain.domain.co.uk or similar domains very well yet.
86 | if not ns_record: # Exit early if ns_record is not found.
87 | self.log.fatal('Unable to lookup NS server', True)
88 | return False
89 | nameservers = [x for x in ns_record if x.rdtype == 2]
90 | if nameservers:
91 | self.log.normal('Name Servers:', True)
92 | # For every NS record found
93 | for y in nameservers[0]:
94 | dns_server_name = y.target.to_text()
95 | # get DNS server IP
96 | try:
97 | print(dns_server_name)
98 | dns_servers.append(
99 | [lookup(dns_server_name,'A', self.config['config']['dns_fallback'], self.protocol, self.timeout)[0][0].address, y.target.to_text()])
100 | except:
101 | self.log.fatal(self.f4.format(dns_server_name) + '{:15}'.format('Unable to resolv DNS server'), True)
102 | else:
103 | self.log.warn('No Name Servers found for %s' % self.domain, True)
104 | return False
105 | else:
106 | dns_servers.append([self.args.dns, self.args.dns])
107 | # Zone transfer
108 | for dns_server in dns_servers:
109 | nameserver = gethostbyname_ex(dns_server[0].encode('idna'))[2][0]
110 | if self.zone:
111 | try:
112 | z = dns.zone.from_xfr(dns.query.xfr(nameserver, self.domain, timeout=10, lifetime=10))
113 | self.log.good(self.f4.format(dns_server[1]) + '{:15}'.format(dns_server[0]) + ' - Zone Transfer allowed.', True)
114 | #names = z.nodes.keys()
115 | #for n in names:
116 | # self.log.normal(z[n].to_text(n), True)
117 | except:
118 | self.log.warn(
119 | self.f4.format(dns_server[1]) + '{:15}'.format(dns_server[0]) + ' - Zone Transfer not allowed.', True)
120 | else:
121 | self.log.neutral(self.f4.format(dns_server[1]) + '{:15}'.format(dns_server[0]), True)
122 |
123 | # Testing for open TCP and UDP ports for DNS servers, and what type of records are permitted.
124 | # TCP - ANY
125 | dns_result = []
126 | start = time.time()
127 | tany = lookup(self.domain, 'ANY', dns_server[0], 'TCP', self.timeout)
128 | end = time.time()
129 | if tany:
130 | if [x for x in tany if x.rdtype == 1 or x.rdtype == 28 or x.rdtype == 5 or x.rdtype == 15 or x.rdtype == 16]:
131 | dns_result.append(['TCP', dns_server[0], 'ANY', end - start])
132 | # TCP - A
133 | start = time.time()
134 | ta = lookup(self.domain, 'A', dns_server[0], 'TCP', self.timeout)
135 | end = time.time()
136 | if ta:
137 | if [x for x in ta if x.rdtype == 1]:
138 | dns_result.append(['TCP', dns_server[0], 'A', end - start])
139 | # UDP - ANY
140 | start = time.time()
141 | uany = lookup(self.domain, 'ANY', dns_server[0], 'UDP', self.timeout)
142 | end = time.time()
143 | if uany:
144 | if [x for x in uany if x.rdtype == 1 or x.rdtype == 28 or x.rdtype == 5 or x.rdtype == 15 or x.rdtype == 16]:
145 | dns_result.append(['UDP', dns_server[0], 'ANY', end - start])
146 | # UDP - A
147 | start = time.time()
148 | ua = lookup(self.domain, 'A', dns_server[0], 'UDP', self.timeout)
149 | end = time.time()
150 | if ua:
151 | if [x for x in ua if x.rdtype == 1]:
152 | dns_result.append(['UDP', dns_server[0], 'A', end - start])
153 |
154 |
155 | # Figure out the best combination to use
156 | dns_result = sorted(dns_result, key=lambda x: (x[3], x[1], x[0], x[2]))
157 | a = [i for i in dns_result if i[0] == 'UDP' and i[2] == 'ANY']
158 | b = [i for i in dns_result if i[0] == 'TCP' and i[2] == 'ANY']
159 | c = [i for i in dns_result if i[0] == 'UDP' and i[2] == 'A']
160 | d = [i for i in dns_result if i[0] == 'TCP' and i[2] == 'A']
161 |
162 | if a: # ANY + UDP
163 | self.dns, self.protocol, self.record, delay = a[0][1], a[0][0], a[0][2], a[0][3]
164 | elif b: # ANY + TCP
165 | self.dns, self.protocol, self.record, delay = b[0][1], b[0][0], b[0][2], b[0][3]
166 | elif c: # A + UDP
167 | self.dns, self.protocol, self.record, delay = c[0][1], c[0][0], c[0][2], c[0][3]
168 | elif d: # A + TCP
169 | self.dns, self.protocol, self.record, delay = d[0][1], d[0][0], d[0][2], d[0][3]
170 | else: #fallback
171 | self.dns, self.protocol, self.record, delay = self.config['config']['dns_fallback'], self.config['config']['dns_fallback_protocol'], self.config['config']['dns_fallback_record'], 0
172 | self.log.warn('Unable to find information about %s, falling back to DNS %s, Proto %s, Type %s ' % (self.domain, self.dns, self.protocol, self.record), True)
173 |
174 | # Compensate for override
175 | override_dns = self.args.dns
176 | override_record = self.args.record
177 | override_protocol = self.args.protocol
178 | if override_record: self.record = override_record
179 | if override_dns: self.dns = override_dns
180 | if override_protocol: self.protocol = override_protocol
181 | self.log.neutral('Using nameserver %s, query type %s over %s with RTT of %.4f seconds' % (self.dns, self.record, self.protocol, delay), True)
182 | return True
183 |
184 | def check_wildcard(self, domain_addr):
185 | try:
186 | wildcard = ''.join(random.choice(string.ascii_lowercase) for _ in range(15))
187 | ans = lookup( (wildcard + '.' + domain_addr), self.record, self.dns, self.protocol, self.timeout)
188 | if ans:
189 | wc = False
190 | d = domain_addr #.encode('utf-8')
191 | for r in ans:
192 | if r.rdtype == 1: # A RECORD
193 | item = []
194 | for x in r.items:
195 | item.append(x.to_text())
196 | self.a_wildcard += item
197 | self.log.warn(self.f1.format("Wildcard A record found for %s: " % d) + ", ".join(item), True)
198 | wc = True
199 |
200 | if r.rdtype == 5: # CNAME RECORD
201 | item = []
202 | for x in r.items:
203 | item.append(x.to_text())
204 | self.cname_wildcard += item
205 | self.log.warn(self.f1.format("Wildcard CNAME record found for %s: " % d) + ", ".join(item), True)
206 | wc = True
207 |
208 | if r.rdtype == 16: # TXT RECORD
209 | item = []
210 | for x in r.items:
211 | item.append(x.to_text())
212 | self.txt_wildcard += item
213 | self.log.warn(self.f1.format("Wildcard TXT record found for %s: " % d) + ", ".join(item), True)
214 | wc = True
215 |
216 | if r.rdtype == 28: # AAAA RECORD
217 | item = []
218 | for x in r.items:
219 | item.append(x.to_text())
220 | self.aaaa_wildcard += item
221 | self.log.warn(self.f1.format("Wildcard AAAA record found for %s: " % d) + ", ".join(item), True)
222 | wc = True
223 |
224 | if r.rdtype == 15: # MX RECORD
225 | item = []
226 | for x in r.items:
227 | item.append(x.to_text())
228 | self.mx_wildcard += item
229 | self.log.warn(self.f1.format("Wildcard MX record found for %s: " % d) + ", ".join(item), True)
230 | wc = True
231 | if wc == True: return True
232 | #if not wc:
233 | # return False
234 | except Exception as e:
235 | self.log.fatal(('Wildcard check on %s.' % domain_addr), False)
236 | print(traceback.print_exc())
237 | print (e)
238 | return False
239 |
240 |
241 | def execute_plugins(self, plugins, self_class):
242 | for name, value in self.args._get_kwargs():
243 | for plugin in plugins:
244 | if self.handler.SIGINT:
245 | return
246 | if (value is True or self.args.all) and name is plugin.NAME:
247 | try:
248 | plugin_conf = self.config['plugins'][plugin.NAME]
249 | self.log.good('Executing plugin: %s' % name, True)
250 | subdomains = plugin.execute(domain = self.domain, config = plugin_conf, subfuz = self_class)
251 | if subdomains:
252 | self.log.neutral("%d subdomains found" % len(subdomains), False)
253 | for d in subdomains:
254 | self.new_targets(d.lower())
255 | except Exception as e:
256 | print(traceback.print_exc())
257 | self.log.fatal(str(e), True)
258 | # TODO: domains causes output clutter that is wildcard related.
259 |
260 |
261 | def scan(self):
262 | self.log.normal('\n\n' + self.f1.format('Domain Name') + self.f2.format('Record') + 'Value', True)
263 | self.log.normal('------------------------------------------------------', True)
264 | threads = []
265 | for i in range(self.threads):
266 | t = Thread(target=self.scan_worker)
267 | threads.append(t)
268 | t.start()
269 | while any(t.is_alive() for t in threads):
270 | self.status_print()
271 | time.sleep(0.05)
272 | self.status_print(True)
273 | return
274 |
275 | def status_print(self, end=False):
276 | if sys.stdout.isatty() and not self.args.quiet:
277 | self.log.printer()
278 | total = self.sl.n_unscanned + self.sl.n_scanned
279 | percentage = math.ceil(self.sl.n_scanned + 0.0) / total * 100
280 | sys.stdout.write("Status: " + col.cyan + "%d/%d " % (self.sl.n_scanned, total) + col.end + "domains tested. "
281 | + col.brown + "%.2f%%" % percentage + col.end + " done. failed: " + col.red + "%d" %
282 | self.sl.failcounter + col.end + " \r")
283 | if end: sys.stdout.write('\n\n')
284 | sys.stdout.flush()
285 | return
286 |
287 |
288 | def append_target(self, subdomain):
289 | try:
290 | if subdomain not in self.sl.scanned and subdomain not in self.sl.unscanned:
291 | self.sl.unscanned.insert(0,subdomain.rstrip('.'))
292 | self.sl.n_unscanned += 1
293 | #print (subdomain.rstrip('.'))
294 | except Exception as e:
295 | self.log.fatal(('Inserting target %s.' % subdomain), False)
296 | print(traceback.print_exc())
297 | print (e)
298 |
299 |
300 | def new_targets(self, new_domain):
301 | if not self.domain == new_domain.rstrip('.') and self.domain in new_domain:
302 | if not self.check_wildcard(new_domain):
303 | try:
304 | self.mutex.acquire()
305 | subdomain = new_domain.split('.')[0].rstrip('0123456789')
306 | #print(subdomain)
307 | self.append_target(subdomain) # this is here for adding new targets found from plugins
308 | for d in reversed(range(0, 21)):
309 | self.append_target('%s%02d' % (subdomain, d))
310 | self.append_target('%s%d' % (subdomain, d))
311 | for s in self.deep_domains:
312 | self.append_target(s + '.' + subdomain)
313 | except Exception as e:
314 | self.log.fatal(('Adding new target %s, %s' % (new_domain, subdomain)), False)
315 | print(traceback.print_exc())
316 | print (e)
317 | finally:
318 | self.mutex.release()
319 |
320 |
321 | def parse_record(self, ans, query):
322 | wildcard = False
323 | try:
324 | for r in ans:
325 | if r.rdtype == 1: # A RECORD
326 | d = r.name.to_text().rstrip('.').encode('utf-8').decode('idna')
327 | for x in r.items:
328 | item = x.to_text()
329 | if item in self.a_wildcard:
330 | wildcard = True
331 | else:
332 | self.sl.items.append([d, item])
333 | self.log.log_queue.append(self.f1.format(d +' ') + self.f2.format('A') + self.f3.format(item))
334 | self.log.csv_queue.append("%s,A,%s,%s,%s" % (d, item,item,self.domain))
335 |
336 |
337 | if r.rdtype == 5: # CNAME RECORD
338 | d = r.name.to_text().rstrip('.').encode('utf-8').decode('idna')
339 | for x in r.items:
340 | item = x.to_text()
341 | if item in self.cname_wildcard:
342 | wildcard = True
343 | else:
344 | self.sl.items.append([d, item])
345 | self.log.log_queue.append(self.f1.format(d +' ') + self.f2.format('CNAME') + self.f3.format(item.rstrip('.')))
346 | if self.csv:
347 | cname_ans = lookup(d, 'A')
348 | for line in cname_ans:
349 | if line.rdtype == 1:
350 | for dns_entry in line.items:
351 | self.log.csv_queue.append("%s,CNAME,%s,%s,%s" % (d, item.rstrip('.'), dns_entry.to_text(), self.domain))
352 |
353 |
354 | if r.rdtype == 12: # PTR RECORD
355 | #d = r.name.to_text().rstrip('.').decode('utf-8').decode('idna')
356 | for x in r.items:
357 | item = x.to_text()
358 | if self.domain.split('.')[-2] in item:
359 | if not [y for y in self.sl.items if item.rstrip('.') in y if query in y[1]]:
360 | self.sl.items.append([item, query])
361 | self.log.log_queue.append(self.f1.format(item.rstrip('.') +' ') + self.f2.format('PTR') + self.f3.format(query))
362 | self.log.csv_queue.append("%s,PTR,%s,%s,%s" % (item.rstrip('.'), query,query,self.domain))
363 | else:
364 | wildcard = True
365 |
366 | if r.rdtype == 16: # TXT RECORD
367 | d = r.name.to_text().rstrip('.').encode('utf-8').decode('idna')
368 | for x in r.items:
369 | item = x.to_text()
370 | if item in self.txt_wildcard:
371 | wildcard = True
372 | else:
373 | if [t for t in self.config['config']['txt_record_search'] if t in item]:
374 | self.sl.items.append([d, item])
375 | self.log.log_queue.append(self.f1.format(d +' ') + self.f2.format('TXT') + self.f3.format(item))
376 | self.log.csv_queue.append("%s,TXT,%s,,%s" % (d, item,self.domain))
377 |
378 | if r.rdtype == 28: # AAAA RECORD
379 | d = r.name.to_text().rstrip('.').encode('utf-8').decode('idna')
380 | for x in r.items:
381 | item = x.to_text()
382 | if item in self.aaaa_wildcard:
383 | wildcard = True
384 | else:
385 | self.sl.items.append([d, item])
386 | self.log.log_queue.append(self.f1.format(d +' ') + self.f2.format('AAAA') + self.f3.format(item))
387 | self.log.csv_queue.append("%s,AAAA,%s,%s,%s" % (d, item, item, self.domain))
388 |
389 | if r.rdtype == 15: # MX RECORD
390 | d = r.name.to_text().rstrip('.').encode('utf-8').decode('idna')
391 | for x in r.items:
392 | item = x.to_text()
393 | if item in self.mx_wildcard:
394 | wildcard = True
395 | else:
396 | self.sl.items.append([d, item])
397 | self.log.log_queue.append(self.f1.format(d +' ') + self.f2.format('MX') + self.f3.format(item.split(' ')[1].rstrip('.')))
398 | if self.csv:
399 | mx_value = item.split(' ')[1].rstrip('.')
400 | mx_ans = lookup(mx_value, 'A')
401 | for line in mx_ans:
402 | if line.rdtype == 1:
403 | for dns_entry in line.items:
404 | self.log.csv_queue.append("%s,MX,%s,%s,%s" % (d, mx_value, dns_entry.to_text(), self.domain))
405 |
406 | new = ['mail._domainkey', '_dmarc', 'default._domainkey', 'selector1._domainkey', 'selector2._domainkey', 's1._domainkey', 's2._domainkey']
407 | for n in new:
408 | if d == self.domain:
409 | self.append_target(n)
410 | else:
411 | self.append_target(n + '.' + d.replace(self.domain, '').strip('.'))
412 | except Exception as e:
413 | self.log.fatal(('Parsing records for: %s with answer %s' % (query, ans)), False)
414 | print(traceback.print_exc())
415 | print (e)
416 | return wildcard
417 |
418 |
419 | def scan_worker(self):
420 | while True:
421 | if self.handler.SIGINT:
422 | return
423 | self.mutex.acquire()
424 | try:
425 | if self.record == 'PTR':
426 | tests = ['PTR']
427 | subdomain = self.sl.ptr_unscanned_ip.pop(0)
428 | self.sl.ptr_scanned += 1
429 | else:
430 | subdomain = self.sl.unscanned.pop(0)
431 | #print(subdomain)
432 | if self.args.record: tests = [self.record]
433 | elif self.record == 'A':
434 | if subdomain == '': tests = ['A', 'TXT', 'MX']
435 | else: tests = ['A']
436 | else: tests = ['ANY']
437 | except:
438 | if len(self.sl.unscanned) == 0:
439 | return
440 | finally:
441 | self.mutex.release()
442 | time.sleep(self.throttle)
443 | # if domain already has been scanned (remove duplicates)
444 | # else, add domain to "scanned" list.
445 | if subdomain in self.sl.scanned:
446 | continue
447 | else:
448 | self.sl.scanned.append(subdomain)
449 | for t in tests:
450 | if self.record == 'PTR':
451 | d = subdomain
452 | else:
453 | d = (subdomain + u'.' + self.domain).lower().lstrip('.')
454 | try:
455 | ans = lookup(d, t, self.dns, self.protocol, self.timeout)
456 | if ans:
457 | wildcard = self.parse_record(ans, d)
458 | if ans and not wildcard and d != self.domain and self.record != 'PTR':
459 | self.new_targets(d)
460 | self.sl.found.append(d)
461 | elif ans == False and self.record != 'PTR':
462 | hit = [x for x in self.sl.scan_failed if x[0] == subdomain]
463 | if hit:
464 | z = self.sl.scan_failed.index(hit[0])
465 | self.sl.scan_failed[z][1] += 1
466 | if hit[0][1] > self.retry:
467 | self.sl.failcounter += 1
468 | if self.args.verbose:
469 | self.log.status('Failed lookup on %s' % d + ' ' * 20, False)
470 | self.log.error_queue.append('Failed lookup on %s' % d )
471 | continue
472 | else:
473 | self.sl.scan_failed.append([subdomain, 1])
474 | self.sl.scanned.remove(subdomain)
475 | self.sl.unscanned.insert(0,subdomain)
476 | if ans != False and self.record != 'PTR' and ((t == 'ANY' or t == 'A') or t == self.args.record):
477 | # basically don't count queries that's TXT or MX if querying a server doesn't respond to ANY
478 | self.sl.n_scanned += 1
479 | self.sl.n_unscanned -= 1
480 | except Exception as e:
481 | try:
482 | self.log.fatal(('Domain Query failed on %s.' % d), False)
483 | except:
484 | pass
485 | print(traceback.print_exc())
486 | print (e)
487 |
488 |
489 | def subnets(self):
490 | # Parse through results and check for similar IP's and assign them to "subnets"
491 | # TODO: For god's sake, I'm hardly able to understand this myself.
492 | for z in self.sl.items:
493 | if re.search("^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$", z[1]):
494 | ip = ".".join([z[1].split('.')[i] for i in [0, 1, 2]]) + '.0-255'
495 | hit = [x for x in self.sl.subnets if x[0] == ip]
496 | if hit:
497 | z = self.sl.subnets.index(hit[0])
498 | self.sl.subnets[z][1] += 1
499 | else:
500 | self.sl.subnets.append([ip, 1])
501 | self.sl.subnets.sort()
502 |
503 |
504 | def ptr_scan(self):
505 | while self.sl.subnets:
506 | subnet = self.sl.subnets.pop(0)
507 | subnet = subnet[0][:subnet[0].rfind('.') + 1]
508 | for i in range(0, 256):
509 | self.sl.ptr_unscanned_ip.append(subnet + str(i))
510 | n_ip = len(self.sl.ptr_unscanned_ip)
511 | if self.args.ptr and n_ip > 0:
512 | self.log.good('Checking PTR records for related subnets', False)
513 | self.record = 'PTR'
514 | threads = []
515 | for i in range(self.threads):
516 | t = Thread(target=self.scan_worker)
517 | threads.append(t)
518 | t.start()
519 | while any(t.is_alive() for t in threads):
520 | if sys.stdout.isatty() and not self.args.quiet:
521 | self.log.printer()
522 | percentage = math.ceil(self.sl.ptr_scanned + 0.0)/n_ip*100
523 | sys.stdout.write("Status: " + col.cyan + "%d/%d " % (self.sl.ptr_scanned, n_ip) + col.end + "IP's tested."
524 | + col.brown + " %.2f%%" % percentage + col.end + " done. \r")
525 | sys.stdout.flush()
526 | time.sleep(0.05)
527 | # just to ensure everything is out
528 | self.log.printer()
529 | if not self.args.quiet: sys.stdout.write(' ' * 64 + '\n')
530 |
531 |
532 | def stats(self):
533 | if self.sl.ptr_scanned == 0:
534 | self.log.warn('No PTR records found for %s.' % self.domain, False)
535 | self.log.normal('\n\nA total of %d domains records was found.' % len(self.sl.items), True)
536 | self.subnets()
537 | if self.sl.subnets:
538 | self.log.normal('IP range detected:', True)
539 | for x in self.sl.subnets:
540 | self.log.normal(' %s - %d hits' % (x[0], x[1]), True)
541 | else:
542 | self.log.normal("No subnets was discovered.", True)
543 | if not self.args.quiet: print ("\nDONE")
544 |
545 |
546 | def close(self):
547 | del(self.log)
548 |
549 | def __exit__(self):
550 | self.close()
551 |
552 | def __del__(self):
553 | self.close()
554 |
--------------------------------------------------------------------------------
/core/env.py:
--------------------------------------------------------------------------------
1 | import os
2 | import sys
3 | from core.logger import Output, col
4 |
5 | def setup_core_paths(subfuz):
6 | global DF_DIR
7 | global DF_FILE
8 | DF_FILE = os.path.realpath(subfuz)
9 | DF_DIR = os.path.dirname(subfuz)
10 | return (DF_FILE, DF_DIR)
11 |
12 | class SIGINT_handler():
13 | def __init__(self):
14 | self.SIGINT = False
15 |
16 | def signal_handler(self, signal, frame):
17 | print (' ' * 60)
18 | Output().warn('CTRL+C pressed, aborting.', False)
19 | self.SIGINT = True
20 |
21 |
--------------------------------------------------------------------------------
/core/logger.py:
--------------------------------------------------------------------------------
1 | import sys, os
2 |
3 | """
4 | import logger
5 | # define output files
6 | l = logger.Output('test.txt', 'test.csv')
7 | # log sample
8 | l.good('test', True)
9 | # append to printer queue and print
10 | l.log_queue.append('test.com')
11 | l.csv_queue.append('1.2.3.4,A,test.com')
12 | l.printer()
13 | # del / close object to close up the output files
14 | del(l)
15 | """
16 |
17 | class col:
18 | #TODO, move terminal check to env.py, also create a colour scheme for windows terminals
19 | if sys.stdout.isatty() and not os.name == 'nt':
20 | green = '\033[32m'
21 | blue = '\033[94m'
22 | red = '\033[31m'
23 | yellow = '\033[93m'
24 | brown = '\033[33m'
25 | cyan = '\033[96m'
26 | end = '\033[0m'
27 | else:
28 | green = ''
29 | blue = ''
30 | red = ''
31 | yellow = ''
32 | brown = ''
33 | cyan = ''
34 | end = ''
35 |
36 | class Output():
37 | def __init__(self, log_filename=False, csv_filename=False, error_filename=False, quiet=False):
38 | self.log_queue = []
39 | self.csv_queue = []
40 | self.error_queue = []
41 | self.already_prined = []
42 | self.logfile = False
43 | self.csvfile = False
44 | self.errorfile = False
45 | self.quiet = quiet
46 | if log_filename:
47 | try:
48 | self.logfile = open(log_filename, "a+")
49 | except:
50 | self.fatal("Could not open output file: %s" % log_filename, False)
51 | sys.exit(1)
52 | if csv_filename:
53 | try:
54 | if csv_filename == "-":
55 | self.csvfile = sys.stdout
56 | else:
57 | self.csvfile = open(csv_filename, "a+")
58 | except:
59 | self.fatal("Could not open output file: %s" % csv_filename, False)
60 | sys.exit(1)
61 | if error_filename:
62 | try:
63 | self.errorfile = open(error_filename, "a+")
64 | except:
65 | self.fatal("Could not open output file: %s" % error_filename, False)
66 | sys.exit(1)
67 |
68 | def printer(self):
69 | while self.log_queue:
70 | n_line = self.log_queue.pop(0)
71 | if n_line not in self.already_prined:
72 | self.already_prined.append(n_line)
73 | self.normal(n_line, True)
74 | while self.csv_queue:
75 | c_line = self.csv_queue.pop(0)
76 | if c_line not in self.already_prined:
77 | self.already_prined.append(c_line)
78 | self.csv(c_line)
79 | while self.error_queue:
80 | self.error(self.error_queue.pop(0))
81 |
82 | def csv(self, message):
83 | if self.csvfile:
84 | self.csvfile.write(message + '\n')
85 |
86 | def error(self, message):
87 | if self.errorfile:
88 | try:
89 | self.errorfile.write(message + '\n')
90 | except:
91 | print('ERROR - unable to write to file: ' + message)
92 |
93 | def normal(self, message, log):
94 | if not self.quiet: print(message)
95 | if self.logfile and log:
96 | self.logfile.write(message + '\n')
97 |
98 | def status(self, message, log):
99 | if not self.quiet: print(col.blue + "[*] " + col.end + message)
100 | if self.logfile and log:
101 | self.logfile.write("[*] " + message + '\n')
102 |
103 | def good(self, message, log):
104 | if not self.quiet: print(col.green + "[+] " + col.end + message)
105 | if self.logfile and log:
106 | self.logfile.write("[+] " + message + '\n')
107 |
108 | def neutral(self, message, log):
109 | if not self.quiet: print(col.yellow + "[X] " + col.end + message)
110 | if self.logfile and log:
111 | self.logfile.write("[X] " + message + '\n')
112 |
113 | def warn(self, message, log):
114 | if not self.quiet: print(col.red + "[-] " + col.end + message)
115 | if self.logfile and log:
116 | self.logfile.write("[-] " + message + '\n')
117 |
118 | def fatal(self, message, log):
119 | if not self.quiet: print("\n" + col.red + "FATAL: " + message + col.end)
120 | if self.logfile and log:
121 | self.logfile.write("FATAL: " + message + '\n')
122 |
123 | def close(self):
124 | if self.csvfile: self.csvfile.close()
125 | if self.logfile: self.logfile.close()
126 | if self.errorfile: self.errorfile.close()
127 |
128 | def __exit__(self):
129 | self.close()
130 |
131 | def __del__(self):
132 | self.close()
133 |
134 |
135 |
--------------------------------------------------------------------------------
/fierce_improved.txt:
--------------------------------------------------------------------------------
1 | nyheiter
2 | nyheter
3 | postfix
4 | postfix01
5 | nyhet
6 | api
7 | bruk
8 | sprak
9 | intern
10 | valg
11 | sport
12 | vsport
13 | exch
14 | exch01
15 | exch02
16 | exch03
17 | exch-01
18 | exch-02
19 | exch-03
20 | exch1
21 | exch2
22 | exch3
23 | exch-1
24 | exch-2
25 | exch-3
26 | exchange
27 | darkweb
28 | a55
29 | phpmyadmin
30 | sslproxy
31 | einaros
32 | jarleb
33 | kundeportal
34 | cis
35 | kundewebtest
36 | webtest
37 | kundeweb
38 | konferanse
39 | lcsgateway
40 | tilgang
41 | xtra
42 | galleri
43 | signin
44 | 0
45 | 01
46 | 02
47 | 03
48 | 1
49 | 10
50 | 11
51 | 12
52 | 13
53 | 14
54 | 15
55 | 16
56 | 17
57 | 18
58 | 19
59 | 2
60 | 20
61 | 3
62 | 3com
63 | 4
64 | 5
65 | 6
66 | 7
67 | 8
68 | 9
69 | ILMI
70 | a
71 | a.auth-ns
72 | a01
73 | a02
74 | a1
75 | a2
76 | abc
77 | about
78 | ac
79 | academico
80 | acceso
81 | access
82 | accounting
83 | accounts
84 | acid
85 | activestat
86 | ad
87 | adam
88 | adkit
89 | admin
90 | admin2
91 | administracion
92 | administrador
93 | administrator
94 | administrators
95 | admins
96 | ads
97 | adserver
98 | adsl
99 | ae
100 | af
101 | affiliate
102 | affiliates
103 | afiliados
104 | ag
105 | agenda
106 | agent
107 | ai
108 | aix
109 | ajax
110 | ak
111 | akamai
112 | al
113 | alabama
114 | alaska
115 | albuquerque
116 | alerts
117 | alpha
118 | alterwind
119 | am
120 | amarillo
121 | americas
122 | an
123 | anaheim
124 | analyzer
125 | announce
126 | announcements
127 | antivirus
128 | ao
129 | ap
130 | apache
131 | apollo
132 | app
133 | app01
134 | app1
135 | apple
136 | application
137 | applications
138 | apps
139 | appserver
140 | aq
141 | ar
142 | archie
143 | arcsight
144 | argentina
145 | arizona
146 | arkansas
147 | arlington
148 | as
149 | as400
150 | asia
151 | asterix
152 | at
153 | athena
154 | atlanta
155 | atlas
156 | att
157 | au
158 | auction
159 | austin
160 | auth
161 | auto
162 | av
163 | aw
164 | ayuda
165 | az
166 | b
167 | b.auth-ns
168 | b01
169 | b02
170 | b1
171 | b2
172 | b2b
173 | b2c
174 | ba
175 | back
176 | backend
177 | backup
178 | baker
179 | bakersfield
180 | balance
181 | balancer
182 | baltimore
183 | banking
184 | bayarea
185 | bb
186 | bbdd
187 | bbs
188 | bd
189 | bdc
190 | be
191 | bea
192 | beta
193 | bf
194 | bg
195 | bh
196 | bi
197 | billing
198 | biz
199 | biztalk
200 | bj
201 | black
202 | blackberry
203 | blog
204 | blogs
205 | blue
206 | bm
207 | bn
208 | bnc
209 | bo
210 | bob
211 | bof
212 | boise
213 | bolsa
214 | border
215 | boston
216 | boulder
217 | boy
218 | br
219 | bravo
220 | brazil
221 | britian
222 | broadcast
223 | broker
224 | bronze
225 | brown
226 | bs
227 | bsd
228 | bsd0
229 | bsd01
230 | bsd02
231 | bsd1
232 | bsd2
233 | bt
234 | bug
235 | buggalo
236 | bugs
237 | bugzilla
238 | build
239 | bulletins
240 | burn
241 | burner
242 | buscador
243 | buy
244 | bv
245 | bw
246 | by
247 | bz
248 | c
249 | c.auth-ns
250 | ca
251 | cache
252 | cafe
253 | calendar
254 | california
255 | call
256 | calvin
257 | canada
258 | canal
259 | canon
260 | careers
261 | catalog
262 | cc
263 | cd
264 | cdburner
265 | cdn
266 | cert
267 | certificates
268 | certify
269 | certserv
270 | certsrv
271 | cf
272 | cg
273 | cgi
274 | ch
275 | channel
276 | channels
277 | charlie
278 | charlotte
279 | chat
280 | chats
281 | chatserver
282 | check
283 | checkpoint
284 | chi
285 | chicago
286 | ci
287 | cims
288 | cincinnati
289 | cisco
290 | citrix
291 | ck
292 | cl
293 | class
294 | classes
295 | classifieds
296 | classroom
297 | cleveland
298 | clicktrack
299 | client
300 | clientes
301 | clients
302 | club
303 | clubs
304 | cluster
305 | clusters
306 | cm
307 | cmail
308 | cms
309 | cn
310 | co
311 | cocoa
312 | code
313 | coldfusion
314 | colombus
315 | colorado
316 | columbus
317 | com
318 | commerce
319 | commerceserver
320 | communigate
321 | community
322 | compaq
323 | compras
324 | con
325 | concentrator
326 | conf
327 | conference
328 | conferencing
329 | confidential
330 | connect
331 | connecticut
332 | consola
333 | console
334 | consult
335 | consultant
336 | consultants
337 | consulting
338 | consumer
339 | contact
340 | content
341 | contracts
342 | core
343 | core0
344 | core01
345 | corp
346 | corpmail
347 | corporate
348 | correo
349 | correoweb
350 | cortafuegos
351 | counterstrike
352 | courses
353 | cr
354 | cricket
355 | crm
356 | crs
357 | cs
358 | cso
359 | css
360 | ct
361 | cu
362 | cust1
363 | cust10
364 | cust100
365 | cust101
366 | cust102
367 | cust103
368 | cust104
369 | cust105
370 | cust106
371 | cust107
372 | cust108
373 | cust109
374 | cust11
375 | cust110
376 | cust111
377 | cust112
378 | cust113
379 | cust114
380 | cust115
381 | cust116
382 | cust117
383 | cust118
384 | cust119
385 | cust12
386 | cust120
387 | cust121
388 | cust122
389 | cust123
390 | cust124
391 | cust125
392 | cust126
393 | cust13
394 | cust14
395 | cust15
396 | cust16
397 | cust17
398 | cust18
399 | cust19
400 | cust2
401 | cust20
402 | cust21
403 | cust22
404 | cust23
405 | cust24
406 | cust25
407 | cust26
408 | cust27
409 | cust28
410 | cust29
411 | cust3
412 | cust30
413 | cust31
414 | cust32
415 | cust33
416 | cust34
417 | cust35
418 | cust36
419 | cust37
420 | cust38
421 | cust39
422 | cust4
423 | cust40
424 | cust41
425 | cust42
426 | cust43
427 | cust44
428 | cust45
429 | cust46
430 | cust47
431 | cust48
432 | cust49
433 | cust5
434 | cust50
435 | cust51
436 | cust52
437 | cust53
438 | cust54
439 | cust55
440 | cust56
441 | cust57
442 | cust58
443 | cust59
444 | cust6
445 | cust60
446 | cust61
447 | cust62
448 | cust63
449 | cust64
450 | cust65
451 | cust66
452 | cust67
453 | cust68
454 | cust69
455 | cust7
456 | cust70
457 | cust71
458 | cust72
459 | cust73
460 | cust74
461 | cust75
462 | cust76
463 | cust77
464 | cust78
465 | cust79
466 | cust8
467 | cust80
468 | cust81
469 | cust82
470 | cust83
471 | cust84
472 | cust85
473 | cust86
474 | cust87
475 | cust88
476 | cust89
477 | cust9
478 | cust90
479 | cust91
480 | cust92
481 | cust93
482 | cust94
483 | cust95
484 | cust96
485 | cust97
486 | cust98
487 | cust99
488 | customer
489 | customers
490 | cv
491 | cvs
492 | cx
493 | cy
494 | cz
495 | d
496 | dallas
497 | data
498 | database
499 | database01
500 | database02
501 | database1
502 | database2
503 | databases
504 | datastore
505 | datos
506 | david
507 | db
508 | db0
509 | db01
510 | db02
511 | db1
512 | db2
513 | dc
514 | de
515 | dealers
516 | dec
517 | def
518 | default
519 | defiant
520 | delaware
521 | dell
522 | delta
523 | delta1
524 | demo
525 | demonstration
526 | demos
527 | denver
528 | depot
529 | des
530 | desarrollo
531 | descargas
532 | design
533 | designer
534 | detroit
535 | dev
536 | dev0
537 | dev01
538 | dev1
539 | devel
540 | develop
541 | developer
542 | developers
543 | development
544 | device
545 | devserver
546 | devsql
547 | dhcp
548 | dial
549 | dialup
550 | digital
551 | dilbert
552 | dir
553 | direct
554 | directory
555 | disc
556 | discovery
557 | discuss
558 | discussion
559 | discussions
560 | disk
561 | disney
562 | distributer
563 | distributers
564 | dj
565 | dk
566 | dm
567 | dmail
568 | dmz
569 | dnews
570 | dns
571 | dns-2
572 | dns0
573 | dns1
574 | dns2
575 | dns3
576 | do
577 | docs
578 | documentacion
579 | documentos
580 | domain
581 | domains
582 | dominio
583 | domino
584 | dominoweb
585 | doom
586 | download
587 | downloads
588 | downtown
589 | dragon
590 | drupal
591 | dsl
592 | dyn
593 | dynamic
594 | dynip
595 | dz
596 | e
597 | e-com
598 | e-commerce
599 | e0
600 | eagle
601 | earth
602 | east
603 | ec
604 | echo
605 | ecom
606 | ecommerce
607 | edi
608 | edu
609 | education
610 | edward
611 | ee
612 | eg
613 | eh
614 | ejemplo
615 | elpaso
616 | email
617 | employees
618 | empresa
619 | empresas
620 | en
621 | enable
622 | eng
623 | eng01
624 | eng1
625 | engine
626 | engineer
627 | engineering
628 | enterprise
629 | epsilon
630 | er
631 | erp
632 | es
633 | esd
634 | esm
635 | espanol
636 | estadisticas
637 | esx
638 | et
639 | eta
640 | europe
641 | events
642 | example
643 | exec
644 | extern
645 | external
646 | extranet
647 | f
648 | f5
649 | falcon
650 | farm
651 | faststats
652 | fax
653 | feedback
654 | feeds
655 | fi
656 | field
657 | file
658 | files
659 | fileserv
660 | fileserver
661 | filestore
662 | filter
663 | find
664 | finger
665 | firewall
666 | fix
667 | fixes
668 | fj
669 | fk
670 | fl
671 | flash
672 | florida
673 | flow
674 | fm
675 | fo
676 | foobar
677 | formacion
678 | foro
679 | foros
680 | fortworth
681 | forum
682 | forums
683 | foto
684 | fotos
685 | foundry
686 | fox
687 | foxtrot
688 | fr
689 | france
690 | frank
691 | fred
692 | freebsd
693 | freebsd0
694 | freebsd01
695 | freebsd02
696 | freebsd1
697 | freebsd2
698 | freeware
699 | fresno
700 | front
701 | frontdesk
702 | fs
703 | fsp
704 | ftp
705 | ftp-
706 | ftp0
707 | ftp2
708 | ftp_
709 | ftpserver
710 | fw
711 | fw-1
712 | fw1
713 | fwsm
714 | fwsm0
715 | fwsm01
716 | fwsm1
717 | g
718 | ga
719 | galeria
720 | galerias
721 | galleries
722 | gallery
723 | games
724 | gamma
725 | gandalf
726 | gate
727 | gatekeeper
728 | gateway
729 | gauss
730 | gd
731 | ge
732 | gemini
733 | general
734 | george
735 | georgia
736 | germany
737 | gf
738 | gg
739 | gh
740 | gi
741 | gl
742 | glendale
743 | gm
744 | gmail
745 | gn
746 | go
747 | gold
748 | goldmine
749 | golf
750 | gopher
751 | gp
752 | gq
753 | gr
754 | green
755 | group
756 | groups
757 | groupwise
758 | gs
759 | gsx
760 | gt
761 | gu
762 | guest
763 | gw
764 | gw1
765 | gy
766 | h
767 | hal
768 | halflife
769 | hawaii
770 | hello
771 | help
772 | helpdesk
773 | helponline
774 | henry
775 | hermes
776 | hi
777 | hidden
778 | hk
779 | hm
780 | hn
781 | hobbes
782 | hollywood
783 | home
784 | homebase
785 | homer
786 | honeypot
787 | honolulu
788 | host
789 | host1
790 | host3
791 | host4
792 | host5
793 | hotel
794 | hotjobs
795 | houstin
796 | houston
797 | howto
798 | hp
799 | hpov
800 | hr
801 | ht
802 | http
803 | https
804 | hu
805 | hub
806 | humanresources
807 | i
808 | ia
809 | ias
810 | ibm
811 | ibmdb
812 | id
813 | ida
814 | idaho
815 | ids
816 | ie
817 | iis
818 | il
819 | illinois
820 | im
821 | images
822 | imail
823 | imap
824 | imap4
825 | img
826 | img0
827 | img01
828 | img02
829 | in
830 | inbound
831 | inc
832 | include
833 | incoming
834 | india
835 | indiana
836 | indianapolis
837 | info
838 | informix
839 | inside
840 | install
841 | int
842 | internal
843 | international
844 | internet
845 | intl
846 | intranet
847 | invalid
848 | investor
849 | investors
850 | io
851 | iota
852 | iowa
853 | iplanet
854 | ipmonitor
855 | ipsec
856 | ipsec-gw
857 | iq
858 | ir
859 | irc
860 | ircd
861 | ircserver
862 | ireland
863 | iris
864 | irvine
865 | irving
866 | is
867 | isa
868 | isaserv
869 | isaserver
870 | ism
871 | israel
872 | isync
873 | it
874 | italy
875 | ix
876 | j
877 | japan
878 | java
879 | je
880 | jedi
881 | jm
882 | jo
883 | jobs
884 | john
885 | jp
886 | jrun
887 | juegos
888 | juliet
889 | juliette
890 | juniper
891 | k
892 | kansas
893 | kansascity
894 | kappa
895 | kb
896 | ke
897 | kentucky
898 | kerberos
899 | keynote
900 | kg
901 | kh
902 | ki
903 | kilo
904 | king
905 | km
906 | kn
907 | knowledgebase
908 | knoxville
909 | koe
910 | korea
911 | kp
912 | kr
913 | ks
914 | kw
915 | ky
916 | kz
917 | l
918 | la
919 | lab
920 | laboratory
921 | labs
922 | lambda
923 | lan
924 | laptop
925 | laserjet
926 | lasvegas
927 | launch
928 | lb
929 | lc
930 | ldap
931 | legal
932 | leo
933 | li
934 | lib
935 | library
936 | lima
937 | lincoln
938 | link
939 | linux
940 | linux0
941 | linux01
942 | linux02
943 | linux1
944 | linux2
945 | lista
946 | lists
947 | listserv
948 | listserver
949 | live
950 | lk
951 | load
952 | loadbalancer
953 | local
954 | localhost
955 | log
956 | log0
957 | log01
958 | log02
959 | log1
960 | log2
961 | logfile
962 | logfiles
963 | logger
964 | logging
965 | loghost
966 | login
967 | logs
968 | london
969 | longbeach
970 | losangeles
971 | lotus
972 | louisiana
973 | lr
974 | ls
975 | lt
976 | lu
977 | luke
978 | lv
979 | ly
980 | lyris
981 | m
982 | ma
983 | mac
984 | mac1
985 | mac10
986 | mac11
987 | mac2
988 | mac3
989 | mac4
990 | mac5
991 | mach
992 | macintosh
993 | madrid
994 | mail
995 | mail2
996 | mailer
997 | mailgate
998 | mailhost
999 | mailing
1000 | maillist
1001 | maillists
1002 | mailroom
1003 | mailserv
1004 | mailsite
1005 | mailsrv
1006 | main
1007 | maine
1008 | maint
1009 | mall
1010 | manage
1011 | management
1012 | manager
1013 | manufacturing
1014 | map
1015 | mapas
1016 | maps
1017 | marketing
1018 | marketplace
1019 | mars
1020 | marvin
1021 | mary
1022 | maryland
1023 | massachusetts
1024 | master
1025 | max
1026 | mc
1027 | mci
1028 | md
1029 | mdaemon
1030 | me
1031 | media
1032 | member
1033 | members
1034 | memphis
1035 | mercury
1036 | merlin
1037 | messages
1038 | messenger
1039 | mg
1040 | mgmt
1041 | mh
1042 | mi
1043 | miami
1044 | michigan
1045 | mickey
1046 | midwest
1047 | mike
1048 | milwaukee
1049 | minneapolis
1050 | minnesota
1051 | mirror
1052 | mis
1053 | mississippi
1054 | missouri
1055 | mk
1056 | ml
1057 | mm
1058 | mn
1059 | mngt
1060 | mo
1061 | mobile
1062 | mom
1063 | monitor
1064 | monitoring
1065 | montana
1066 | moon
1067 | moscow
1068 | movies
1069 | mozart
1070 | mp
1071 | mp3
1072 | mpeg
1073 | mpg
1074 | mq
1075 | mr
1076 | mrtg
1077 | ms
1078 | ms-exchange
1079 | ms-sql
1080 | msexchange
1081 | mssql
1082 | mssql0
1083 | mssql01
1084 | mssql1
1085 | mt
1086 | mta
1087 | mtu
1088 | mu
1089 | multimedia
1090 | music
1091 | mv
1092 | mw
1093 | mx
1094 | my
1095 | mysql
1096 | mysql0
1097 | mysql01
1098 | mysql1
1099 | mz
1100 | n
1101 | na
1102 | name
1103 | names
1104 | nameserv
1105 | nameserver
1106 | nas
1107 | nashville
1108 | nat
1109 | nc
1110 | nd
1111 | nds
1112 | ne
1113 | nebraska
1114 | neptune
1115 | net
1116 | netapp
1117 | netdata
1118 | netgear
1119 | netmeeting
1120 | netscaler
1121 | netscreen
1122 | netstats
1123 | network
1124 | nevada
1125 | new
1126 | meet
1127 | newhampshire
1128 | newjersey
1129 | newmexico
1130 | neworleans
1131 | news
1132 | newsfeed
1133 | newsfeeds
1134 | newsgroups
1135 | newton
1136 | newyork
1137 | newzealand
1138 | nf
1139 | ng
1140 | nh
1141 | ni
1142 | nigeria
1143 | nj
1144 | nl
1145 | nm
1146 | nms
1147 | nntp
1148 | no
1149 | node
1150 | nokia
1151 | nombres
1152 | nora
1153 | north
1154 | northcarolina
1155 | northdakota
1156 | northeast
1157 | northwest
1158 | noticias
1159 | novell
1160 | november
1161 | np
1162 | nr
1163 | ns
1164 | ns-
1165 | ns0
1166 | ns01
1167 | ns02
1168 | ns1
1169 | ns2
1170 | ns3
1171 | ns4
1172 | ns5
1173 | ns_
1174 | nt
1175 | nt4
1176 | nt40
1177 | ntmail
1178 | ntp
1179 | ntserver
1180 | nu
1181 | null
1182 | nv
1183 | ny
1184 | nz
1185 | o
1186 | oakland
1187 | ocean
1188 | odin
1189 | office
1190 | offices
1191 | oh
1192 | ohio
1193 | ok
1194 | oklahoma
1195 | oklahomacity
1196 | old
1197 | om
1198 | omaha
1199 | omega
1200 | omicron
1201 | online
1202 | ontario
1203 | open
1204 | openbsd
1205 | openview
1206 | operations
1207 | ops
1208 | ops0
1209 | ops01
1210 | ops02
1211 | ops1
1212 | ops2
1213 | opsware
1214 | or
1215 | oracle
1216 | orange
1217 | order
1218 | orders
1219 | oregon
1220 | orion
1221 | orlando
1222 | oscar
1223 | out
1224 | outbound
1225 | outgoing
1226 | outlook
1227 | outside
1228 | ov
1229 | owa
1230 | owa01
1231 | owa02
1232 | owa1
1233 | owa2
1234 | ows
1235 | oxnard
1236 | p
1237 | pa
1238 | page
1239 | pager
1240 | pages
1241 | paginas
1242 | papa
1243 | paris
1244 | parners
1245 | partner
1246 | partners
1247 | patch
1248 | patches
1249 | paul
1250 | payroll
1251 | pbx
1252 | pc
1253 | pc01
1254 | pc1
1255 | pc10
1256 | pc101
1257 | pc11
1258 | pc12
1259 | pc13
1260 | pc14
1261 | pc15
1262 | pc16
1263 | pc17
1264 | pc18
1265 | pc19
1266 | pc2
1267 | pc20
1268 | pc21
1269 | pc22
1270 | pc23
1271 | pc24
1272 | pc25
1273 | pc26
1274 | pc27
1275 | pc28
1276 | pc29
1277 | pc3
1278 | pc30
1279 | pc31
1280 | pc32
1281 | pc33
1282 | pc34
1283 | pc35
1284 | pc36
1285 | pc37
1286 | pc38
1287 | pc39
1288 | pc4
1289 | pc40
1290 | pc41
1291 | pc42
1292 | pc43
1293 | pc44
1294 | pc45
1295 | pc46
1296 | pc47
1297 | pc48
1298 | pc49
1299 | pc5
1300 | pc50
1301 | pc51
1302 | pc52
1303 | pc53
1304 | pc54
1305 | pc55
1306 | pc56
1307 | pc57
1308 | pc58
1309 | pc59
1310 | pc6
1311 | pc60
1312 | pc7
1313 | pc8
1314 | pc9
1315 | pcmail
1316 | pda
1317 | pdc
1318 | pe
1319 | pegasus
1320 | pennsylvania
1321 | peoplesoft
1322 | personal
1323 | pf
1324 | pg
1325 | pgp
1326 | ph
1327 | phi
1328 | philadelphia
1329 | phoenix
1330 | phoeniz
1331 | phone
1332 | phones
1333 | photos
1334 | pi
1335 | pics
1336 | pictures
1337 | pink
1338 | pipex-gw
1339 | pittsburgh
1340 | pix
1341 | pk
1342 | pki
1343 | pl
1344 | plano
1345 | platinum
1346 | pluto
1347 | pm
1348 | pm1
1349 | pn
1350 | po
1351 | policy
1352 | polls
1353 | pop
1354 | pop3
1355 | portal
1356 | portals
1357 | portfolio
1358 | portland
1359 | post
1360 | postales
1361 | postoffice
1362 | ppp1
1363 | ppp10
1364 | ppp11
1365 | ppp12
1366 | ppp13
1367 | ppp14
1368 | ppp15
1369 | ppp16
1370 | ppp17
1371 | ppp18
1372 | ppp19
1373 | ppp2
1374 | ppp20
1375 | ppp21
1376 | ppp3
1377 | ppp4
1378 | ppp5
1379 | ppp6
1380 | ppp7
1381 | ppp8
1382 | ppp9
1383 | pptp
1384 | pr
1385 | prensa
1386 | press
1387 | printer
1388 | printserv
1389 | printserver
1390 | priv
1391 | privacy
1392 | private
1393 | problemtracker
1394 | products
1395 | profiles
1396 | project
1397 | projects
1398 | promo
1399 | proxy
1400 | prueba
1401 | pruebas
1402 | ps
1403 | psi
1404 | pss
1405 | pt
1406 | pub
1407 | public
1408 | pubs
1409 | purple
1410 | pw
1411 | py
1412 | q
1413 | qa
1414 | qmail
1415 | qotd
1416 | quake
1417 | quebec
1418 | queen
1419 | quotes
1420 | r
1421 | r01
1422 | r02
1423 | r1
1424 | r2
1425 | ra
1426 | radio
1427 | radius
1428 | rapidsite
1429 | raptor
1430 | ras
1431 | rc
1432 | rcs
1433 | rd
1434 | re
1435 | read
1436 | realserver
1437 | recruiting
1438 | red
1439 | redhat
1440 | ref
1441 | reference
1442 | reg
1443 | register
1444 | registro
1445 | registry
1446 | regs
1447 | relay
1448 | rem
1449 | remote
1450 | remstats
1451 | reports
1452 | research
1453 | reseller
1454 | reserved
1455 | resumenes
1456 | rho
1457 | rhodeisland
1458 | ri
1459 | ris
1460 | rmi
1461 | ro
1462 | robert
1463 | romeo
1464 | root
1465 | rose
1466 | route
1467 | router
1468 | router1
1469 | rs
1470 | rss
1471 | rtelnet
1472 | rtr
1473 | rtr01
1474 | rtr1
1475 | ru
1476 | rune
1477 | rw
1478 | rwhois
1479 | s
1480 | s1
1481 | s2
1482 | sa
1483 | sac
1484 | sacramento
1485 | sadmin
1486 | safe
1487 | sales
1488 | saltlake
1489 | sam
1490 | san
1491 | sanantonio
1492 | sandiego
1493 | sanfrancisco
1494 | sanjose
1495 | saskatchewan
1496 | saturn
1497 | sb
1498 | sbs
1499 | sc
1500 | scanner
1501 | schedules
1502 | scotland
1503 | scotty
1504 | sd
1505 | se
1506 | search
1507 | seattle
1508 | sec
1509 | secret
1510 | secure
1511 | secured
1512 | securid
1513 | security
1514 | sendmail
1515 | seri
1516 | serv
1517 | serv2
1518 | server
1519 | server1
1520 | servers
1521 | service
1522 | services
1523 | servicio
1524 | servidor
1525 | setup
1526 | sg
1527 | sh
1528 | shared
1529 | sharepoint
1530 | shareware
1531 | shipping
1532 | shop
1533 | shoppers
1534 | shopping
1535 | si
1536 | siebel
1537 | sierra
1538 | sigma
1539 | signup
1540 | silver
1541 | sim
1542 | sirius
1543 | site
1544 | sj
1545 | sk
1546 | skywalker
1547 | sl
1548 | slackware
1549 | slmail
1550 | sm
1551 | smc
1552 | sms
1553 | smtp
1554 | smtphost
1555 | sn
1556 | sniffer
1557 | snmp
1558 | snmpd
1559 | snoopy
1560 | snort
1561 | so
1562 | socal
1563 | software
1564 | sol
1565 | solaris
1566 | solutions
1567 | soporte
1568 | source
1569 | sourcecode
1570 | sourcesafe
1571 | south
1572 | southcarolina
1573 | southdakota
1574 | southeast
1575 | southwest
1576 | spain
1577 | spam
1578 | spider
1579 | spiderman
1580 | splunk
1581 | spock
1582 | spokane
1583 | springfield
1584 | sprint
1585 | sqa
1586 | sql
1587 | sql0
1588 | sql01
1589 | sql1
1590 | sql7
1591 | sqlserver
1592 | squid
1593 | sr
1594 | ss
1595 | ssh
1596 | ssl
1597 | ssl0
1598 | ssl01
1599 | ssl1
1600 | st
1601 | staff
1602 | stage
1603 | staging
1604 | start
1605 | stat
1606 | static
1607 | statistics
1608 | stats
1609 | stlouis
1610 | stock
1611 | storage
1612 | store
1613 | storefront
1614 | streaming
1615 | stronghold
1616 | strongmail
1617 | studio
1618 | submit
1619 | subversion
1620 | sun
1621 | sun0
1622 | sun01
1623 | sun02
1624 | sun1
1625 | sun2
1626 | superman
1627 | supplier
1628 | suppliers
1629 | support
1630 | sv
1631 | sw
1632 | sw0
1633 | sw01
1634 | sw1
1635 | sweden
1636 | switch
1637 | switzerland
1638 | sy
1639 | sybase
1640 | sydney
1641 | sysadmin
1642 | sysback
1643 | syslog
1644 | syslogs
1645 | system
1646 | sz
1647 | t
1648 | tacoma
1649 | taiwan
1650 | talk
1651 | tampa
1652 | tango
1653 | tau
1654 | tc
1655 | tcl
1656 | td
1657 | team
1658 | tech
1659 | technology
1660 | techsupport
1661 | telephone
1662 | telephony
1663 | telnet
1664 | temp
1665 | tennessee
1666 | terminal
1667 | terminalserver
1668 | termserv
1669 | test
1670 | test2k
1671 | testbed
1672 | testing
1673 | testlab
1674 | testlinux
1675 | testserver
1676 | testsite
1677 | testsql
1678 | testxp
1679 | texas
1680 | tf
1681 | tftp
1682 | tg
1683 | th
1684 | thailand
1685 | theta
1686 | thor
1687 | tienda
1688 | tiger
1689 | time
1690 | titan
1691 | tivoli
1692 | tj
1693 | tk
1694 | tm
1695 | tn
1696 | to
1697 | tokyo
1698 | toledo
1699 | tom
1700 | tool
1701 | tools
1702 | toplayer
1703 | toronto
1704 | tour
1705 | tp
1706 | tr
1707 | tracker
1708 | train
1709 | training
1710 | transfers
1711 | trinidad
1712 | trinity
1713 | ts
1714 | ts1
1715 | tt
1716 | tucson
1717 | tulsa
1718 | tunnel
1719 | tv
1720 | tw
1721 | tx
1722 | tz
1723 | u
1724 | ua
1725 | uddi
1726 | ug
1727 | uk
1728 | um
1729 | uniform
1730 | union
1731 | unitedkingdom
1732 | unitedstates
1733 | unix
1734 | unixware
1735 | update
1736 | updates
1737 | upload
1738 | ups
1739 | upsilon
1740 | uranus
1741 | urchin
1742 | us
1743 | usa
1744 | usenet
1745 | user
1746 | users
1747 | ut
1748 | utah
1749 | utilities
1750 | uy
1751 | uz
1752 | v
1753 | va
1754 | vader
1755 | vantive
1756 | vault
1757 | vc
1758 | ve
1759 | vega
1760 | vegas
1761 | vend
1762 | vendors
1763 | venus
1764 | vermont
1765 | vg
1766 | vi
1767 | victor
1768 | video
1769 | videos
1770 | viking
1771 | violet
1772 | vip
1773 | virginia
1774 | vista
1775 | vm
1776 | vmserver
1777 | vmware
1778 | vn
1779 | vnc
1780 | voice
1781 | voicemail
1782 | voip
1783 | voyager
1784 | vpn
1785 | vpn0
1786 | vpn01
1787 | vpn02
1788 | vpn1
1789 | vpn2
1790 | vt
1791 | vu
1792 | w
1793 | w1
1794 | w2
1795 | w3
1796 | wa
1797 | wais
1798 | wallet
1799 | wam
1800 | wan
1801 | wap
1802 | warehouse
1803 | washington
1804 | wc3
1805 | web
1806 | webaccess
1807 | webadmin
1808 | webalizer
1809 | webboard
1810 | webcache
1811 | webcam
1812 | webcast
1813 | webdev
1814 | webdocs
1815 | webfarm
1816 | webhelp
1817 | weblib
1818 | weblogic
1819 | webmail
1820 | webmaster
1821 | webproxy
1822 | webring
1823 | webs
1824 | webserv
1825 | webserver
1826 | webservices
1827 | website
1828 | websites
1829 | websphere
1830 | websrv
1831 | websrvr
1832 | webstats
1833 | webstore
1834 | websvr
1835 | webtrends
1836 | welcome
1837 | west
1838 | westvirginia
1839 | wf
1840 | whiskey
1841 | white
1842 | whois
1843 | wi
1844 | wichita
1845 | wiki
1846 | wililiam
1847 | win
1848 | win01
1849 | win02
1850 | win1
1851 | win2
1852 | win2000
1853 | win2003
1854 | win2k
1855 | win2k3
1856 | windows
1857 | windows01
1858 | windows02
1859 | windows1
1860 | windows2
1861 | windows2000
1862 | windows2003
1863 | windowsxp
1864 | wingate
1865 | winnt
1866 | winproxy
1867 | wins
1868 | winserve
1869 | winxp
1870 | wire
1871 | wireless
1872 | wisconsin
1873 | wlan
1874 | wordpress
1875 | work
1876 | world
1877 | write
1878 | ws
1879 | ws1
1880 | ws10
1881 | ws11
1882 | ws12
1883 | ws13
1884 | ws2
1885 | ws3
1886 | ws4
1887 | ws5
1888 | ws6
1889 | ws7
1890 | ws8
1891 | ws9
1892 | wusage
1893 | wv
1894 | ww
1895 | www
1896 | www-
1897 | www-01
1898 | www-02
1899 | www-1
1900 | www-2
1901 | www-int
1902 | www0
1903 | www01
1904 | www02
1905 | www1
1906 | www2
1907 | www3
1908 | www_
1909 | wwwchat
1910 | wwwdev
1911 | wwwmail
1912 | wy
1913 | wyoming
1914 | x
1915 | x-ray
1916 | xi
1917 | xlogan
1918 | xmail
1919 | xml
1920 | xp
1921 | y
1922 | yankee
1923 | ye
1924 | yellow
1925 | young
1926 | yt
1927 | yu
1928 | z
1929 | z-log
1930 | za
1931 | zebra
1932 | zera
1933 | zeus
1934 | zlog
1935 | zm
1936 | zulu
1937 | zw
1938 | mx1
1939 | mx2
1940 | mx3
1941 | mx4
1942 | mx5
1943 | mx6
1944 | mx7
1945 | mx8
1946 | mx9
1947 | mx10
1948 | mx01
1949 | mx02
1950 | mx03
1951 | mx04
1952 | mx05
1953 | mx06
1954 | mx07
1955 | mx08
1956 | mx09
1957 | mx11
1958 | mx12
1959 | aa
1960 | ab
1961 | ah
1962 | aj
1963 | ax
1964 | ay
1965 | bc
1966 | bk
1967 | bl
1968 | bp
1969 | bq
1970 | bu
1971 | bx
1972 | cb
1973 | ce
1974 | cj
1975 | cp
1976 | cq
1977 | cw
1978 | da
1979 | dd
1980 | df
1981 | dg
1982 | dh
1983 | di
1984 | dl
1985 | dn
1986 | dp
1987 | dq
1988 | dr
1989 | ds
1990 | dt
1991 | du
1992 | dv
1993 | dw
1994 | dx
1995 | dy
1996 | ea
1997 | eb
1998 | ed
1999 | ef
2000 | ei
2001 | ej
2002 | ek
2003 | el
2004 | em
2005 | eo
2006 | ep
2007 | eq
2008 | eu
2009 | ev
2010 | ew
2011 | ex
2012 | ey
2013 | ez
2014 | fa
2015 | fb
2016 | fc
2017 | fd
2018 | fe
2019 | ff
2020 | fg
2021 | fh
2022 | fn
2023 | fp
2024 | fq
2025 | ft
2026 | fu
2027 | fv
2028 | fx
2029 | fy
2030 | fz
2031 | gb
2032 | gc
2033 | gj
2034 | gk
2035 | gv
2036 | gx
2037 | gz
2038 | ha
2039 | hb
2040 | hc
2041 | hd
2042 | he
2043 | hf
2044 | hg
2045 | hh
2046 | hj
2047 | hl
2048 | ho
2049 | hq
2050 | hs
2051 | hv
2052 | hw
2053 | hx
2054 | hy
2055 | hz
2056 | ib
2057 | ic
2058 | if
2059 | ig
2060 | ih
2061 | ii
2062 | ij
2063 | ik
2064 | ip
2065 | iu
2066 | iv
2067 | iw
2068 | iy
2069 | iz
2070 | ja
2071 | jb
2072 | jc
2073 | jd
2074 | jf
2075 | jg
2076 | jh
2077 | ji
2078 | jj
2079 | jk
2080 | jl
2081 | jn
2082 | jq
2083 | jr
2084 | js
2085 | jt
2086 | ju
2087 | jv
2088 | jw
2089 | jx
2090 | jy
2091 | jz
2092 | ka
2093 | kc
2094 | kd
2095 | kf
2096 | kj
2097 | kk
2098 | kl
2099 | ko
2100 | kq
2101 | kt
2102 | ku
2103 | kv
2104 | kx
2105 | ld
2106 | le
2107 | lf
2108 | lg
2109 | lh
2110 | lj
2111 | ll
2112 | lm
2113 | ln
2114 | lo
2115 | lp
2116 | lq
2117 | lw
2118 | lx
2119 | lz
2120 | mb
2121 | mf
2122 | mj
2123 | nb
2124 | nk
2125 | nn
2126 | nq
2127 | nw
2128 | nx
2129 | oa
2130 | ob
2131 | oc
2132 | od
2133 | oe
2134 | of
2135 | og
2136 | oi
2137 | oj
2138 | ol
2139 | on
2140 | oo
2141 | op
2142 | oq
2143 | os
2144 | ot
2145 | ou
2146 | ow
2147 | ox
2148 | oy
2149 | oz
2150 | pb
2151 | pd
2152 | pj
2153 | pp
2154 | pq
2155 | pu
2156 | pv
2157 | px
2158 | pz
2159 | qb
2160 | qc
2161 | qd
2162 | qe
2163 | qf
2164 | qg
2165 | qh
2166 | qi
2167 | qj
2168 | qk
2169 | ql
2170 | qm
2171 | qn
2172 | qo
2173 | qp
2174 | qq
2175 | qr
2176 | qs
2177 | qt
2178 | qu
2179 | qv
2180 | qw
2181 | qx
2182 | qy
2183 | qz
2184 | rb
2185 | rf
2186 | rg
2187 | rh
2188 | rj
2189 | rk
2190 | rl
2191 | rm
2192 | rn
2193 | rp
2194 | rq
2195 | rr
2196 | rt
2197 | rv
2198 | rx
2199 | ry
2200 | rz
2201 | sf
2202 | sp
2203 | sq
2204 | su
2205 | sx
2206 | ta
2207 | tb
2208 | te
2209 | ti
2210 | tl
2211 | tq
2212 | tu
2213 | ty
2214 | ub
2215 | uc
2216 | ud
2217 | ue
2218 | uf
2219 | uh
2220 | ui
2221 | uj
2222 | ul
2223 | un
2224 | uo
2225 | up
2226 | uq
2227 | ur
2228 | uu
2229 | uv
2230 | uw
2231 | ux
2232 | vb
2233 | vd
2234 | vf
2235 | vh
2236 | vj
2237 | vk
2238 | vl
2239 | vo
2240 | vp
2241 | vq
2242 | vr
2243 | vs
2244 | vv
2245 | vw
2246 | vx
2247 | vy
2248 | vz
2249 | wb
2250 | wc
2251 | wd
2252 | we
2253 | wg
2254 | wh
2255 | wj
2256 | wk
2257 | wl
2258 | wm
2259 | wn
2260 | wo
2261 | wp
2262 | wq
2263 | wr
2264 | wt
2265 | wu
2266 | wx
2267 | wz
2268 | xa
2269 | xb
2270 | xc
2271 | xd
2272 | xe
2273 | xf
2274 | xg
2275 | xh
2276 | xj
2277 | xk
2278 | xl
2279 | xm
2280 | xn
2281 | xo
2282 | xq
2283 | xr
2284 | xs
2285 | xt
2286 | xu
2287 | xv
2288 | xw
2289 | xx
2290 | xy
2291 | xz
2292 | ya
2293 | yb
2294 | yc
2295 | yd
2296 | yf
2297 | yg
2298 | yh
2299 | yi
2300 | yj
2301 | yk
2302 | yl
2303 | ym
2304 | yn
2305 | yo
2306 | yp
2307 | yq
2308 | yr
2309 | ys
2310 | yv
2311 | yw
2312 | yx
2313 | yy
2314 | yz
2315 | zb
2316 | zc
2317 | zd
2318 | ze
2319 | zf
2320 | zg
2321 | zh
2322 | zi
2323 | zj
2324 | zk
2325 | zl
2326 | zn
2327 | zo
2328 | zp
2329 | zq
2330 | zr
2331 | zs
2332 | zt
2333 | zu
2334 | zv
2335 | zx
2336 | zy
2337 | zz
2338 | activesync1
2339 | portal1
2340 | portal2
2341 | mail3
2342 | dns01
2343 | dns02
2344 | dns03
2345 | home1
2346 | home2
2347 | archivos
2348 | aula
2349 | aulas
2350 | backups
2351 | bart
2352 | biblioteca
2353 | blackboard
2354 | carro
2355 | cart
2356 | cas
2357 | catalogo
2358 | catalogue
2359 | e-post
2360 | chimera
2361 | chronos
2362 | controller
2363 | cpanel
2364 | cpan
2365 | csg
2366 | dbs
2367 | demon
2368 | demostration
2369 | diana
2370 | domaincontroller
2371 | domain-controller
2372 | eaccess
2373 | ejemplos
2374 | enrutador
2375 | eventos
2376 | examples
2377 | finance
2378 | ftpd
2379 | gilford
2380 | guia
2381 | guide
2382 | hera
2383 | heracles
2384 | hercules
2385 | hotspot
2386 | hypernova
2387 | imap3
2388 | imap3d
2389 | imapd
2390 | imaps
2391 | imgs
2392 | imogen
2393 | inmuebles
2394 | interno
2395 | ip6
2396 | ipv6
2397 | jabber
2398 | jupiter
2399 | laboratories
2400 | laboratorio
2401 | lisa
2402 | logon
2403 | meta
2404 | meta01
2405 | meta02
2406 | meta03
2407 | meta1
2408 | meta2
2409 | meta3
2410 | miembros
2411 | minerva
2412 | mob
2413 | moodle
2414 | movil
2415 | mx0
2416 | nelson
2417 | neon
2418 | netmail
2419 | ns03
2420 | ora
2421 | osx
2422 | pcanywhere
2423 | pendrell
2424 | photo
2425 | postgresql
2426 | postman
2427 | postmaster
2428 | ppp
2429 | preprod
2430 | pre-prod
2431 | prod
2432 | restricted
2433 | robinhood
2434 | sample
2435 | samples
2436 | sandbox
2437 | seguro
2438 | servicios
2439 | socios
2440 | squirrel
2441 | squirrelmail
2442 | uat
2443 | uploads
2444 | ventas
2445 | virtual
2446 | vpn3
2447 | web0
2448 | web01
2449 | web02
2450 | web03
2451 | web1
2452 | web2
2453 | web3
2454 | webct
2455 | weblog
2456 | webmin
2457 | ww0
2458 | ww01
2459 | ww02
2460 | ww03
2461 | ww1
2462 | ww2
2463 | ww3
2464 | www03
2465 | xanthus
2466 |
--------------------------------------------------------------------------------
/patchnotes.txt:
--------------------------------------------------------------------------------
1 | Subfus 3.0.0 22.12.2021
2 | - Migrated to Python3
3 | - Fixed several plugins
4 | ----------------------------
5 | Subfus 2.2.2 04.09.2020
6 | - Fixed issue with nameservers not resolving
7 | - Fixed error logging for nameserver resolving
8 | - Fixed proper closing of error log
9 | - Version check on run
10 | ----------------------------
11 | Subfus 2.2.1 02.09.2020
12 | - Bug with CSV errors when not defining a CSV
13 | - Remove depricate warnign for beatifulsoap
14 | - Removed Spyse plugin
15 | - Error handing when incorrect or missing JSON config
16 | ----------------------------
17 | SubFuz 2.2.0 20.02.2019
18 | - CSV output now contains
19 | Subdomain, Record Type, Result, Resolved IP, TopDomain
20 | - Adjusted crt.sh plugin to match changes on crt.sh
21 | - Removed duplicate prints
22 | ----------------------------
23 | SubFuz 2.1.1 10.09.2019
24 | - Fixed bug in UTF-8 handling of top-domains
25 | - Fixed bug in circl plugin
26 | - Fixed bug in error logging with UTF-8 symbols
27 | ----------------------------
28 | SubFuz 2.1.0 05.24.2019
29 | - Improvement for the dns_server function in domainfuzzer.py, enabling better accuracy for dns server selection
30 | - Preferred lookup changed back to UDP after optimizing in lookup methods
31 | - Fixed bug with "Fail" counter
32 | - Verbose logging option added
33 | - Added default enabled error logging - See config.json (logging amount will be increased in the future)
34 | self.log.error_queue.append('error message')
35 | ----------------------------
36 | SubFuz 2.0.10 05.23.2019
37 | - Changing default preferred lookup to TCP
38 | - Fixed bug related to failed lookups and lookup counter
39 | ----------------------------
40 | SubFuz 2.0.9 01.04.2019
41 | - Fixed issue in virustotal plugin related to previous core functionality changes
42 | - Fixed error which occurs in a scenario where you feed subfuz with a file containing empty line under "-l"
43 | ----------------------------
44 | SubFuz 2.0.8 03.21.2019
45 | - Now passing the subfuz class into plugins, allowing plugins to interact with core functionality
46 | - Minor adjustment to current plugins to allow new functionality
47 | - Removed a word in the subdomain_megalist.txt which caused errors for subfuz in Windows.
48 | line 22811: secci'\udaf4'econd
49 | - utf-8 bugfix related to mail enums
50 | ----------------------------
51 | SubFuz 2.0.7 03.07.2019
52 | - Remove upper/lower case domain duplicates from results
53 | - Changed fail counter to display only amount of failed hits after x-amount of retries specified by config, rather than each failed request
54 | - Exception added for invalid UTF-8 Characters causing thread to crash
55 | - Added exception for wildcard checks
56 | - Bux fixed related to MX wildcard parsing
57 | ----------------------------
58 | SubFuz < 2.0.7
59 | - Ton of minor and major fixes, did not keep track of changes until now
60 |
--------------------------------------------------------------------------------
/plugins/README.md:
--------------------------------------------------------------------------------
1 |
2 | # Plugins
3 |
4 | Plugin folders can be named anything you like, beside that, there are a couple of items that need to be correctly named.
5 |
6 | * plugin_folder - Any name is fine
7 | * plugin.py - The file which will be called by subfuz
8 | * __init\__.py - File must exist in order to load the plugin
9 |
10 | plugin.py must contain the following information:
11 | ```
12 | NAME = ''
13 | ARG_HELP = ''
14 |
15 |
16 | def execute(**kwargs):
17 | domain = kwargs['domain']
18 | config = kwargs['config']
19 | subfuz = kwargs['subfuz']
20 |
21 | credentials = config['api-key']
22 |
23 | # Exit / end plugin with
24 | return ['domain.com', 'subdomain.domain2.com']
25 | return None
26 |
27 | ```
28 | See the plugin [virustotal](virustotal/plugin.py) as sample
29 | or [microsoft](microsoft/plugin.py) for interaction with subfuz core
--------------------------------------------------------------------------------
/plugins/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/__init__.py
--------------------------------------------------------------------------------
/plugins/__pycache__/__init__.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/__pycache__/__init__.cpython-38.pyc
--------------------------------------------------------------------------------
/plugins/aws/README.md:
--------------------------------------------------------------------------------
1 | ## About
2 | Object storage built to store and retrieve any amount of data from anywhere
3 | https://aws.amazon.com/s3/
4 | ## Config
5 | ```
6 | "aws":{
7 | "enable": true
8 | },
9 | ```
10 |
--------------------------------------------------------------------------------
/plugins/aws/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/aws/__init__.py
--------------------------------------------------------------------------------
/plugins/aws/__pycache__/__init__.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/aws/__pycache__/__init__.cpython-38.pyc
--------------------------------------------------------------------------------
/plugins/aws/__pycache__/plugin.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/aws/__pycache__/plugin.cpython-38.pyc
--------------------------------------------------------------------------------
/plugins/aws/plugin.py:
--------------------------------------------------------------------------------
1 | from core.env import SIGINT_handler
2 | import signal
3 | from core.logger import Output
4 | from core.dnslookup import lookup
5 | import requests
6 |
7 | NAME = 'aws'
8 | ARG_HELP = 'Amazon S3 bucket lookup'
9 |
10 | handler = SIGINT_handler()
11 | signal.signal(signal.SIGINT, handler.signal_handler)
12 |
13 | def execute(**kwargs):
14 | if handler.SIGINT:
15 | Output().warn("Aborted plugin: %s" % NAME, False)
16 | return None
17 | try:
18 | subfuz = kwargs['subfuz']
19 | domain = kwargs['domain'].split('.')
20 | aws_target = [domain[-2] + '.s3.amazonaws.com'][0]
21 | query = requests.get('https://' + aws_target)
22 | if query.status_code == 404:
23 | return None
24 | elif query.status_code == 200:
25 | Output().good('Bucket %s is open' % aws_target,False)
26 | ans = lookup(aws_target, 'ANY', '8.8.8.8', 'UDP', subfuz.timeout)
27 | if ans:
28 | subfuz.parse_record(ans, aws_target)
29 | Output().neutral("AWS bucket found", False)
30 | except:
31 | raise
32 |
--------------------------------------------------------------------------------
/plugins/censys/README.md:
--------------------------------------------------------------------------------
1 | ## Usage
2 | Plugin for Censys API [https://censys.io/api](https://censys.io/api)
3 |
4 | Max pages option is there to prevent you from accidentally reaching your monthly query limit.
5 |
6 | ## Config
7 | ```
8 | "censys":{
9 | "enable": true,
10 | "uid": "",
11 | "secret": "",
12 | "max_page": 3
13 | },
14 | ```
--------------------------------------------------------------------------------
/plugins/censys/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/censys/__init__.py
--------------------------------------------------------------------------------
/plugins/censys/__pycache__/__init__.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/censys/__pycache__/__init__.cpython-38.pyc
--------------------------------------------------------------------------------
/plugins/censys/__pycache__/plugin.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/censys/__pycache__/plugin.cpython-38.pyc
--------------------------------------------------------------------------------
/plugins/censys/plugin.py:
--------------------------------------------------------------------------------
1 | from censys.search import CensysCertificates
2 | from core.env import SIGINT_handler
3 | import signal
4 | from core.logger import Output
5 |
6 | NAME = 'censys'
7 | ARG_HELP = 'censys subdomain certificates'
8 |
9 | handler = SIGINT_handler()
10 | signal.signal(signal.SIGINT, handler.signal_handler)
11 |
12 | class CENSYSError(Exception):
13 | """Base class for censys exceptions"""
14 | pass
15 |
16 | def execute(domain, config, **kwargs):
17 | if handler.SIGINT:
18 | Output().warn("Aborted plugin: %s" % NAME, False)
19 | return None
20 | try:
21 | c = CensysCertificates(api_id=config['uid'], api_secret=config['secret'])
22 | fields = [
23 | "parsed.names",
24 | "parsed.subject.common_name",
25 | "parsed.extensions.subject_alt_name.dns_names"
26 | ]
27 | results = []
28 | for page in c.search(domain, fields, max_records=config['max_records']):
29 | results.append(page)
30 | #Flatten json to array
31 | list = []
32 | for x in results:
33 | if x.get('parsed.namesn'):
34 | list += (x.get('parsed.names'))
35 |
36 | if x.get('parsed.subject.common_name'):
37 | list += x.get('parsed.subject.common_name')
38 |
39 | if x.get('parsed.extensions.subject_alt_name.dns_names'):
40 | list += x.get('parsed.extensions.subject_alt_name.dns_names')
41 |
42 | subdomains = []
43 | for x in list:
44 | subdomains.append(x.lstrip('*').lstrip('.'))
45 | subdomains = sorted(set(subdomains))
46 | return subdomains
47 | except Exception as E:
48 | print (E)
49 | raise
50 |
--------------------------------------------------------------------------------
/plugins/circl/README.md:
--------------------------------------------------------------------------------
1 | ## About
2 | CIRCL Passive DNS is a database storing historical DNS records from various resources including malware analysis or partners
3 | https://www.circl.lu/services/passive-dns
4 | ## Config
5 | ```
6 | "cirlc":{
7 | "enable": false,
8 | "user": "",
9 | "pass": ""
10 | },
11 | ```
12 |
--------------------------------------------------------------------------------
/plugins/circl/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/circl/__init__.py
--------------------------------------------------------------------------------
/plugins/circl/__pycache__/__init__.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/circl/__pycache__/__init__.cpython-38.pyc
--------------------------------------------------------------------------------
/plugins/circl/__pycache__/plugin.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/circl/__pycache__/plugin.cpython-38.pyc
--------------------------------------------------------------------------------
/plugins/circl/plugin.py:
--------------------------------------------------------------------------------
1 | from core.env import SIGINT_handler
2 | import signal
3 | from core.logger import Output
4 | import requests
5 | import json
6 |
7 | NAME = 'circl'
8 | ARG_HELP = 'CIRCL Passive DNS is a database storing historical records'
9 |
10 | handler = SIGINT_handler()
11 | signal.signal(signal.SIGINT, handler.signal_handler)
12 |
13 | class CError(Exception):
14 | """Base class for Circl.lu exceptions"""
15 | pass
16 |
17 | def execute(**kwargs):
18 | if handler.SIGINT:
19 | Output().warn("Aborted plugin: %s" % NAME, False)
20 | return None
21 | try:
22 | domain = kwargs['domain']
23 | config = kwargs['config']
24 | auth = requests.auth.HTTPBasicAuth(config['user'], config['pass'])
25 | r = requests.get('https://www.circl.lu/pdns/query/' + domain, auth=auth)
26 | if r.status_code == 200 and r.text:
27 | json_page = '[' + r.text.replace('}\n{','},{') + ']'
28 | data = json.loads(json_page)
29 | d = []
30 | for x in data:
31 | d.append(x['rdata'])
32 | return set(d)
33 | elif r.status_code == 200:
34 | #empty response, nothing found
35 | return
36 | elif r.status_code == 401:
37 | raise CError('circl: Unauthorized')
38 | elif r.status_code == 403:
39 | raise CError('circl: Not authorized to access resource')
40 | elif r.status_code == 429:
41 | raise CError('circl: Quota exhausted')
42 | else:
43 | raise CError('circl: Unexpected error, status code: %d' % r.status_code )
44 | except:
45 | raise
46 |
--------------------------------------------------------------------------------
/plugins/citrix/README.md:
--------------------------------------------------------------------------------
1 | ## About
2 | Citrix service used to share files.
3 | https://www.citrix.com/lp/sharefile/
4 |
5 | ## Config
6 | ```
7 | "citrix":{
8 | "enable": true
9 | },
10 | ```
--------------------------------------------------------------------------------
/plugins/citrix/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/citrix/__init__.py
--------------------------------------------------------------------------------
/plugins/citrix/__pycache__/__init__.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/citrix/__pycache__/__init__.cpython-38.pyc
--------------------------------------------------------------------------------
/plugins/citrix/__pycache__/plugin.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/citrix/__pycache__/plugin.cpython-38.pyc
--------------------------------------------------------------------------------
/plugins/citrix/plugin.py:
--------------------------------------------------------------------------------
1 | from core.env import SIGINT_handler
2 | import signal
3 | from core.logger import Output
4 | from core.dnslookup import lookup
5 | import requests
6 |
7 | NAME = 'citrix'
8 | ARG_HELP = 'Citrix Sharefile domain lookup'
9 |
10 | handler = SIGINT_handler()
11 | signal.signal(signal.SIGINT, handler.signal_handler)
12 |
13 | def execute(**kwargs):
14 | if handler.SIGINT:
15 | Output().warn("Aborted plugin: %s" % NAME, False)
16 | return None
17 | try:
18 | domain = kwargs['domain'].split('.')
19 | config = kwargs['config']
20 | subfuz = kwargs['subfuz']
21 | citrix_targets = [domain[-2] + '.sharefile.com']
22 | redirect = requests.get('https://' + citrix_targets[0])
23 | if 'secure.sharefile.com' not in redirect.url:
24 | authlogin = redirect.url.split('/')[2]
25 | ans = lookup(authlogin, 'ANY', '8.8.8.8', 'UDP', subfuz.timeout)
26 | if ans:
27 | subfuz.parse_record(ans, authlogin)
28 | Output().neutral("Citrix sharefile found", False)
29 | except:
30 | raise
31 |
--------------------------------------------------------------------------------
/plugins/crtsh/README.md:
--------------------------------------------------------------------------------
1 | ## Usage
2 | Plugin is fetching subdomains by wildcard search at [https://crt.sh](https://crt.sh)
3 |
4 | ## Config
5 | ```
6 | "crtsh":{
7 | "enable": true
8 | },
9 | ```
--------------------------------------------------------------------------------
/plugins/crtsh/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/crtsh/__init__.py
--------------------------------------------------------------------------------
/plugins/crtsh/__pycache__/__init__.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/crtsh/__pycache__/__init__.cpython-38.pyc
--------------------------------------------------------------------------------
/plugins/crtsh/__pycache__/plugin.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/crtsh/__pycache__/plugin.cpython-38.pyc
--------------------------------------------------------------------------------
/plugins/crtsh/plugin.py:
--------------------------------------------------------------------------------
1 | import json, requests
2 | from core.env import SIGINT_handler
3 | import signal
4 | from core.logger import Output
5 |
6 | NAME = 'crtsh'
7 | ARG_HELP = 'crt.sh subdomain certificates'
8 |
9 | handler = SIGINT_handler()
10 | signal.signal(signal.SIGINT, handler.signal_handler)
11 |
12 | class CRTError(Exception):
13 | """Base class for crt.sh exceptions"""
14 | pass
15 |
16 | def execute(domain, **kwargs):
17 | if handler.SIGINT:
18 | Output().warn("Aborted plugin: %s" % NAME, False)
19 | return None
20 | try:
21 | query = 'https://crt.sh/?q=' + domain.rstrip() + '&output=json'
22 | r = requests.get(query)
23 | if r.status_code == 200:
24 | data = json.loads(r.content)
25 | d = []
26 | for x in data:
27 | d.append(x['name_value'].strip('*').strip('.'))
28 | return set(d)
29 | else:
30 | raise CRTError('crtsh plugin: Unexpected Error')
31 | except:
32 | raise
33 |
--------------------------------------------------------------------------------
/plugins/dnsdumpster/README.md:
--------------------------------------------------------------------------------
1 | ## About
2 | Query dnsdumpster.com from HackerTarget
3 | https://dnsdumpster.com/
4 | ## Config
5 | ```
6 | "dnsdumpster":{
7 | "enable": true
8 | },
9 | ```
10 |
--------------------------------------------------------------------------------
/plugins/dnsdumpster/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/dnsdumpster/__init__.py
--------------------------------------------------------------------------------
/plugins/dnsdumpster/__pycache__/__init__.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/dnsdumpster/__pycache__/__init__.cpython-38.pyc
--------------------------------------------------------------------------------
/plugins/dnsdumpster/__pycache__/plugin.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/dnsdumpster/__pycache__/plugin.cpython-38.pyc
--------------------------------------------------------------------------------
/plugins/dnsdumpster/plugin.py:
--------------------------------------------------------------------------------
1 | from core.env import SIGINT_handler
2 | import signal
3 | from core.logger import Output
4 | import requests
5 | import warnings
6 | warnings.filterwarnings("ignore")
7 | from bs4 import BeautifulSoup
8 |
9 |
10 |
11 | NAME = 'dnsdumpster'
12 | ARG_HELP = 'Dnsdumpster by hackertarget'
13 |
14 | handler = SIGINT_handler()
15 | signal.signal(signal.SIGINT, handler.signal_handler)
16 |
17 | def execute(**kwargs):
18 | if handler.SIGINT:
19 | Output().warn("Aborted plugin: %s" % NAME, False)
20 | return None
21 | try:
22 | domain = kwargs['domain']
23 | csrf_page = requests.get('https://dnsdumpster.com')
24 | soup = BeautifulSoup(csrf_page.content)
25 | csrf_token = soup.find('input', {'name': 'csrfmiddlewaretoken'}).get('value')
26 | query = requests.post('https://dnsdumpster.com', data = {'csrfmiddlewaretoken' : csrf_token, 'targetip' : domain, 'user':'free'},headers={'referer' : 'https://dnsdumpster.com/'}, cookies={ 'csrftoken' : csrf_token})
27 | soup = BeautifulSoup(query.content)
28 | sites = soup.findAll("td",attrs={"class": "col-md-4"})
29 | d = []
30 | for site in sites:
31 | site.text.split(domain)[0].rstrip('\n').rstrip(' ')
32 | d.append(site.text.split(domain)[0] + domain)
33 | return d
34 | except:
35 | raise
36 |
--------------------------------------------------------------------------------
/plugins/hackertarget/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/hackertarget/__init__.py
--------------------------------------------------------------------------------
/plugins/hackertarget/__pycache__/__init__.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/hackertarget/__pycache__/__init__.cpython-38.pyc
--------------------------------------------------------------------------------
/plugins/hackertarget/__pycache__/plugin.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/hackertarget/__pycache__/plugin.cpython-38.pyc
--------------------------------------------------------------------------------
/plugins/hackertarget/plugin.py:
--------------------------------------------------------------------------------
1 | import requests, io
2 | from core.env import SIGINT_handler
3 | import signal
4 | from core.logger import Output
5 |
6 | NAME = 'hackertarget'
7 | ARG_HELP = 'hackertarget subdomains'
8 |
9 | handler = SIGINT_handler()
10 | signal.signal(signal.SIGINT, handler.signal_handler)
11 |
12 | class HTError(Exception):
13 | """Base class for hackertarget exceptions"""
14 | pass
15 |
16 | def execute(domain, **kwargs):
17 | if handler.SIGINT:
18 | Output().warn("Aborted plugin: %s" % NAME, False)
19 | return None
20 | try:
21 | query = 'https://api.hackertarget.com/hostsearch/?q=' + domain.rstrip()
22 | r = requests.get(query)
23 | bRep = r.text #response body
24 | if r.status_code == 200:
25 | if "error check your search parameter" not in bRep:
26 | d = []
27 | lines = bRep.split("\n")
28 | for x in lines:
29 | subdom = x.split(',')
30 | d.append(subdom[0])
31 | return set(d)
32 | else:
33 | raise HTError('hackertarget plugin: Unexpected Error')
34 | except:
35 | raise
36 |
--------------------------------------------------------------------------------
/plugins/microsoft/README.md:
--------------------------------------------------------------------------------
1 | ## Usage
2 | Plugin will attempt to resolve tenant addresses for microsoft
3 |
4 | ## Config
5 | ```
6 | "microsoft":{
7 | "enable": true
8 | },
9 | ```
--------------------------------------------------------------------------------
/plugins/microsoft/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/microsoft/__init__.py
--------------------------------------------------------------------------------
/plugins/microsoft/__pycache__/__init__.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/microsoft/__pycache__/__init__.cpython-38.pyc
--------------------------------------------------------------------------------
/plugins/microsoft/__pycache__/plugin.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/microsoft/__pycache__/plugin.cpython-38.pyc
--------------------------------------------------------------------------------
/plugins/microsoft/plugin.py:
--------------------------------------------------------------------------------
1 | from core.env import SIGINT_handler
2 | import signal
3 | from core.logger import Output
4 | from core.dnslookup import lookup
5 |
6 | NAME = 'microsoft'
7 | ARG_HELP = 'Microsoft tenant domain lookup'
8 |
9 | handler = SIGINT_handler()
10 | signal.signal(signal.SIGINT, handler.signal_handler)
11 |
12 | def execute(**kwargs):
13 | if handler.SIGINT:
14 | Output().warn("Aborted plugin: %s" % NAME, False)
15 | return None
16 | try:
17 | domain = kwargs['domain'].split('.')
18 | config = kwargs['config']
19 | subfuz = kwargs['subfuz']
20 | ms_targets = [domain[-2] + '.sharepoint.com',
21 | domain[-2] + '-my.sharepoint.com',
22 | domain[-2] + '-myfiles.sharepoint.com',
23 | domain[-2] + '-files.sharepoint.com',
24 | domain[-2] + '.onmicrosoft.com',
25 | '%s-%s.mail.protection.outlook.com' % (domain[-2], domain[-1]),
26 | 'selector1-%s-%s._domainkey.%s.onmicrosoft.com' % (domain[-2], domain[-1], domain[-2]),
27 | 'selector2-%s-%s._domainkey.%s.onmicrosoft.com' % (domain[-2], domain[-1], domain[-2])]
28 | i = 0
29 | for ms in ms_targets:
30 | ans = lookup(ms, 'ANY', '8.8.8.8', 'UDP', subfuz.timeout)
31 | if ans:
32 | i += 1
33 | subfuz.parse_record(ans, ms)
34 | Output().neutral("%d subdomains found" %i, False)
35 | except:
36 | raise
37 |
--------------------------------------------------------------------------------
/plugins/securitytrails/README.md:
--------------------------------------------------------------------------------
1 | ## Usage
2 | Get a API key and add to config
3 |
4 | https://securitytrails.com/
5 |
6 | ## Config
7 | ```
8 | "securitytrails":{
9 | "enable": false,
10 | "apikey":""
11 | },
12 | ```
--------------------------------------------------------------------------------
/plugins/securitytrails/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/securitytrails/__init__.py
--------------------------------------------------------------------------------
/plugins/securitytrails/__pycache__/__init__.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/securitytrails/__pycache__/__init__.cpython-38.pyc
--------------------------------------------------------------------------------
/plugins/securitytrails/__pycache__/plugin.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/securitytrails/__pycache__/plugin.cpython-38.pyc
--------------------------------------------------------------------------------
/plugins/securitytrails/plugin.py:
--------------------------------------------------------------------------------
1 | import json, requests
2 | from core.env import SIGINT_handler
3 | import signal
4 | from core.logger import Output
5 |
6 | NAME = 'securitytrails'
7 | ARG_HELP = 'securitytrails subdomain'
8 |
9 | handler = SIGINT_handler()
10 | signal.signal(signal.SIGINT, handler.signal_handler)
11 |
12 | class securitytrailsError(Exception):
13 | """Base class for securitytrails exceptions"""
14 | pass
15 |
16 | def execute(domain, config, **kwargs):
17 | if handler.SIGINT:
18 | Output().warn("Aborted plugin: %s" % NAME, False)
19 | return None
20 | try:
21 | d = []
22 | query = "https://api.securitytrails.com/v1/domain/%s/subdomains?apikey=%s" % (domain.rstrip(),config['apikey'])
23 | r = requests.get(query)
24 | if r.status_code == 200:
25 | data = json.loads(r.content)
26 | for x in data['subdomains']:
27 | subdomain = x + "." + domain.rstrip()
28 | d.append(subdomain)
29 | elif r.status_code == 400:
30 | raise securitytrailsError('400 - Bad request')
31 | elif r.status_code == 401:
32 | raise securitytrailsError('401 - Unauthorized')
33 | elif r.status_code == 403:
34 | raise securitytrailsError('403 - Forbidden')
35 | elif r.status_code == 429:
36 | raise securitytrailsError('429 - Too many requests')
37 | elif r.status_code == 500:
38 | raise securitytrailsError('500 - Internal Server Error')
39 | else:
40 | raise securitytrailsError('securitytrails plugin: Unexpected Error')
41 | return d
42 | except:
43 | raise
44 |
--------------------------------------------------------------------------------
/plugins/virustotal/README.md:
--------------------------------------------------------------------------------
1 | ## Usage
2 | Get a API key and add to config
3 |
4 | https://developers.virustotal.com/reference
5 |
6 | ## Config
7 | ```
8 | "virustotal":{
9 | "enable": true,
10 | "api-key":""
11 | },
12 | ```
--------------------------------------------------------------------------------
/plugins/virustotal/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/virustotal/__init__.py
--------------------------------------------------------------------------------
/plugins/virustotal/__pycache__/__init__.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/virustotal/__pycache__/__init__.cpython-38.pyc
--------------------------------------------------------------------------------
/plugins/virustotal/__pycache__/plugin.cpython-38.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/netsecurity-as/subfuz/9cdfd3bf027408267e35854a16a9e6f66c37568d/plugins/virustotal/__pycache__/plugin.cpython-38.pyc
--------------------------------------------------------------------------------
/plugins/virustotal/plugin.py:
--------------------------------------------------------------------------------
1 | import json, requests
2 | from core.env import SIGINT_handler
3 | import signal
4 | from core.logger import Output
5 |
6 | NAME = 'virustotal'
7 | ARG_HELP = 'VirusTotal subdomain certificates'
8 |
9 | handler = SIGINT_handler()
10 | signal.signal(signal.SIGINT, handler.signal_handler)
11 |
12 | class VTError(Exception):
13 | """Base class for Virus Total exceptions"""
14 | pass
15 |
16 | def execute(domain, config, **kwargs):
17 | if handler.SIGINT:
18 | Output().warn("Aborted plugin: %s" % NAME, False)
19 | return None
20 | try:
21 | query = "https://www.virustotal.com/vtapi/v2/domain/report?apikey=%s&domain=%s" % (config['api-key'], domain.rstrip())
22 | r = requests.get(query)
23 | if r.status_code == 200:
24 | data = json.loads(r.content)
25 | if 'subdomains' in data:
26 | # data should always be returned as a array
27 | return data['subdomains']
28 | else:
29 | return None
30 | elif r.status_code == 403:
31 | raise VTError('Virustotal plugin: API Unauthorized')
32 | else:
33 | raise VTError('Virustotal plugin: Unexpected Error')
34 | except:
35 | raise
36 |
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | dnspython
2 | requests
3 | BeautifulSoup4
4 | censys
--------------------------------------------------------------------------------
/subfuz.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # -*- coding: utf-8 -*-
3 | import importlib, os, argparse, json, sys, requests
4 | from core import env
5 | from core.domainfuzzer import SubFuz
6 | #from core.logger import Output, col
7 |
8 | banner = ''' ___ _____
9 | ________ _\_ |___/ ____\_ __________
10 | / ___/ | \ __ \ __\ | \___ /
11 | \___ \| | / \_\ \ | | | // /
12 | /____ >____/|___ /__| |____//_____ \\
13 | \/ \/ \/\n
14 | '''
15 |
16 | VERSION = "3.0.0"
17 |
18 | (SF_FILE, SF_DIR) = env.setup_core_paths(os.path.realpath(__file__))
19 | PLUGINS_DIR = os.path.join(SF_DIR, "plugins")
20 | CORE_DIR = os.path.join(SF_DIR, "core")
21 |
22 |
23 | def check_version():
24 | try:
25 | ver = requests.get("https://raw.githubusercontent.com/netsecurity-as/subfuz/master/patchnotes.txt", timeout=1).content
26 | ver = ver.split('\n')[0].split(' ')[1]
27 | if ver != VERSION:
28 | print ('\nWARNING\nSubfuz is out of date.\nRunning version: %s\nLatest version: %s\n\n' % (ver,VERSION))
29 | except:
30 | return
31 |
32 | def initialize():
33 | check_version()
34 | try:
35 | with open('config.json') as json_data_file:
36 | config = json.load(json_data_file)
37 | except ValueError:
38 | print ("Bad Json Structure in config.json")
39 | sys.exit()
40 | except IOError:
41 | print ("config.json not found.")
42 | sys.exit()
43 |
44 | override = config['config']['dns_override']
45 | protocol = config['config']['dns_override_protocol']
46 | record = config['config']['dns_override_record']
47 | timeout = config['config']['timeout']
48 | threads = config['config']['threads']
49 | throttle = config['config']['throttle']
50 | retry = config['config']['retry']
51 |
52 | PLUGINS = []
53 | _PLUGINS = []
54 | # TODO: find a more elegant way to load plugin names with unique names rather than "plugin.py"
55 | for path, dir, file in os.walk(PLUGINS_DIR):
56 | for d in dir:
57 | if d != '__pycache__':
58 | PLUGINS.append('plugins.' + d + '.plugin')
59 | for plugin in PLUGINS:
60 | try:
61 | _PLUGINS.append(importlib.import_module(plugin))
62 | except OSError:
63 | print ('Failed to load plugin %s', plugin)
64 |
65 |
66 |
67 | example_text = '''
68 | Example usage:
69 | python subfuz.py -d example.com -w domain_dictionary.txt -all
70 |
71 | SubFuz %s
72 | Author: Torstein Mauseth @ Netsecurity
73 | ''' % VERSION
74 | parser = argparse.ArgumentParser(epilog=example_text, formatter_class=argparse.RawTextHelpFormatter)
75 | parser._action_groups.pop()
76 | required_args = parser.add_argument_group('required arguments')
77 | optional_args = parser.add_argument_group('optional arguments')
78 | plugin_args = parser.add_argument_group('plugins')
79 |
80 |
81 | required_args.add_argument('-d', help='Specify domain to fuzz, or..', dest='target')
82 | required_args.add_argument('-l', help='Specify list of domains to fuzz', dest='target_list')
83 | optional_args.add_argument('-w', help='Specify fuzzing dictionary to use', dest='dictionary')
84 | optional_args.add_argument('-o', help='Write output to a file', dest='log_filename', required=False, default=False)
85 | optional_args.add_argument('-csv', help='Write output to a csv file. Use - for stdout', dest='csv_filename', required=False, default=False)
86 | optional_args.add_argument('-deep', help='Specify fuzzing dictionary for deep subdomain testing', required=False, default=False)
87 | optional_args.add_argument('-dns', default=None, help='{:32}'.format('Override DNS server to query')+ '{:5}'.format('[ %s ]' % override))
88 | optional_args.add_argument('-protocol', default=protocol, help='{:32}'.format('Override DNS protocol') + '{:5}'.format('[ %s ]' % protocol))
89 | optional_args.add_argument('-record', default=record, help='{:32}'.format('Override DNS query record') + '{:5}'.format('[ %s ]' % protocol))
90 | optional_args.add_argument('-p', type=int, default=timeout, help='{:32}'.format('DNS timeout') + '{:5}'.format('[ %d ] sec'% timeout))
91 | optional_args.add_argument('-z', type=int, default=throttle, help='{:32}'.format('DNS request throttle') + '{:5}'.format('[ %d ] ms' % throttle))
92 | optional_args.add_argument('-r', type=int, default=retry, help='{:32}'.format('DNS retries if failed') + '{:5}'.format('[ %d ]' % retry))
93 | optional_args.add_argument('-t', type=int, default=threads, help='{:32}'.format('Threads active') + '{:5}'.format('[ %d ]' % threads))
94 | optional_args.add_argument('-zone', action='store_false', help="Disable Zone Transfer testing")
95 | optional_args.add_argument('-ptr', action='store_false', help="Disable PTR check on related domains on the current /24 network")
96 | optional_args.add_argument('-quiet', action='store_true', help="Suppress terminal output")
97 | optional_args.add_argument('-verbose', action='store_true', help="Verbose output")
98 |
99 | # Load plugins as optional arguments
100 | plugin_args.add_argument('-all', action='store_true', help='Enable all plugins')
101 | for plugin in _PLUGINS:
102 | try:
103 | if config['plugins'][plugin.NAME]['enable'] is True:
104 | plugin_args.add_argument('-' + plugin.NAME, action='store_true', help=plugin.ARG_HELP)
105 | except:
106 | pass
107 |
108 | args = parser.parse_args()
109 | # verify that one of the required arguments has been set.
110 | if not bool(args.target) ^ bool(args.target_list):
111 | parser.print_help()
112 | sys.exit()
113 | if args.quiet and not bool(args.csv_filename) ^ bool(args.log_filename):
114 | print('Quiet mode must be used with either -o and/or -csv ')
115 | sys.exit()
116 |
117 | return (config, args, _PLUGINS)
118 |
119 |
120 |
121 | if __name__ == "__main__":
122 | config, args, plugins = initialize()
123 | if not args.quiet: print (banner)
124 | if args.target_list:
125 | try:
126 | with open(args.target_list, encoding='UTF-8') as f:
127 | targets = [line.rstrip() for line in f]
128 | #targets = map(unicode.strip, io.open(args.target_list, encoding='utf-8', mode='r').readlines())
129 | #targets = filter(None, targets)
130 | except:
131 | print ("Could not open output file: %s" % args.target_list)
132 | sys.exit()
133 | elif args.target:
134 | targets = [args.target]
135 | for domain in targets:
136 | sf = SubFuz(domain, config, args, PLUGINS_DIR, CORE_DIR)
137 | if sf.check_dns_server() == False:
138 | continue
139 | sf.check_wildcard(sf.domain)
140 | sf.execute_plugins(plugins, sf)
141 | sf.scan()
142 | sf.subnets()
143 | sf.ptr_scan()
144 | sf.stats()
145 | if sf.handler.SIGINT:
146 | break
147 | del(sf)
148 |
--------------------------------------------------------------------------------