import argparse
from domain import Domain
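def _build_parser():
    """Return the domRecon argument parser.

    Only declares the options; parsing is left to the caller so the same
    parser object can also be used to report usage errors.
    """
    parser = argparse.ArgumentParser(
        description="Search for DNS records and check for simple domain-related vulnerabilities, such as zone transfers and takeovers. Also supports subdomain enumeration and recursive checks.",
        prog='domRecon',
        add_help=True
    )
    # must haves: one domain, a domain list, or help
    required_group = parser.add_mutually_exclusive_group(required=True)
    required_group.add_argument(
        '-d',
        '--domain',
        dest='domain',
        help='Target domain to check',
    )
    required_group.add_argument(
        '-l',
        '--domain-list',
        dest='domain_list',
        help='Text file with a list of target domains, with one domain on each line (WIP)',
    )
    # Checks
    parser.add_argument(
        '-a',
        '--all',
        action='store_true',
        help='Run all checks. Equivalent to -z -t -e',
    )
    parser.add_argument(
        '-z',
        '--zone',
        action='store_true',
        help='Checks for zone transfer',
    )
    parser.add_argument(
        '-t',
        '--takeover',
        action='store_true',
        help='Checks for subdomain takeover',
    )
    parser.add_argument(
        '-e',
        '--email',
        action='store_true',
        help='Checks for email authentication misconfigurations (WIP)',
    )
    # subdomain related
    parser.add_argument(
        '-s',
        '--subdomain',
        action='store_true',
        help='Construct list of subdomains candidates with both amass and bruteforce. Equivalent to -sa -sb',
    )
    parser.add_argument(
        '-sa',
        '--sub-amass',
        action='store_true',
        help='Construct list of subdomains candidates with amass',
    )
    parser.add_argument(
        '-sb',
        '--sub-brute',
        action='store_true',
        help='Construct list of subdomains candidates with bruteforce',
    )
    parser.add_argument(
        '--amass-path',
        default='amass',
        help='Path to the amass binary, ex: /usr/local/bin/amass, defaults to "amass"',
    )
    parser.add_argument(
        '--wordlist',
        help='Path to the wordlist for bruteforcing subdomains, defaults to the included "commonspeak.txt"',
    )
    parser.add_argument(
        '--massdns-path',
        default='massdns',
        help='Path of the massdns binary, ex: /usr/local/bin/massdns, defaults to "massdns"',
    )
    parser.add_argument(
        '--sublist',
        help='Path to your custom list of subdomains, with one domain on each line. Each domain will be resolved with massdns and passed on to further checks',
    )
    parser.add_argument(
        '-r',
        '--recurse',
        action='store_true',
        help='Run recursively for resolved subdomains, the -a -t -z -e options will be applied to discovered records. If no check options are specified, records are simply printed',
    )
    # other options
    parser.add_argument(
        '--ip6',
        action='store_true',
        help='Supports IPv6. If enabled, also checks for IPv6 addresses for domains. Also resolves AAAA records when enumerating subdomains.',
    )
    parser.add_argument(
        '-j',
        '--json',
        action='store_true',
        help='Print json format output. This effectively compiles all failed checks into json format. No warnings or passed checks are included.',
    )
    return parser


def main():
    """Parse the command line and run the requested checks for one domain.

    Usage errors (including the not-yet-implemented -l/--domain-list mode)
    are reported through argparse, which prints to stderr and exits with
    status 2.
    """
    parser = _build_parser()
    args = parser.parse_args()

    if not args.domain:
        # The mutually exclusive group guarantees -l was given here. It is
        # still WIP and nothing below handles it; previously this path exited
        # silently with status 0, which a wrapper script would read as a clean
        # scan. Fail loudly instead.
        parser.error("-l/--domain-list is not implemented yet; use -d/--domain")

    # -a is shorthand for -z -t -e; fold it in once so every later decision
    # looks at a single flag per check.
    run_zone = args.all or args.zone
    run_takeover = args.all or args.takeover
    run_email = args.all or args.email

    dom = Domain(args.domain, run_zone, run_takeover, run_email, args.recurse, args.ip6)
    dom.check_service()
    if run_zone or run_takeover or run_email:
        dom.get_records()
        dom.check_records()

    # -s is shorthand for -sa -sb.
    use_amass = args.subdomain or args.sub_amass
    use_brute = args.subdomain or args.sub_brute
    if args.sublist or use_amass or use_brute:
        if args.sublist:
            # A user-supplied list skips candidate generation and goes
            # straight to resolution.
            resolved = dom.resolve_subdomains(args.sublist, args.massdns_path)
        else:
            # NOTE(review): amass_path, massdns_path and wordlist come straight
            # from the command line and are presumably executed / opened by
            # Domain -- confirm the binaries are invoked with an argv list
            # rather than a shell string.
            candidates = dom.generate_subdomains(use_amass, use_brute, args.amass_path, args.wordlist)
            resolved = dom.resolve_subdomains(candidates, args.massdns_path)
        dom.check_subdomains(resolved)

    if args.json:
        # Per the -j help text, only failed checks end up in the JSON output.
        print(dom.print_json())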
# Script entry point: only run the CLI when executed directly, not on import.
if __name__ == "__main__":
    main()