aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Makefile23
-rw-r--r--UDP/README52
-rw-r--r--UDP/config15
-rwxr-xr-xUDP/index94
-rwxr-xr-xauth.lst1
-rw-r--r--elchos/admin.lst0
-rw-r--r--elchos/auth.lst0
-rwxr-xr-xelchos/commands/ftpget58
-rwxr-xr-xelchos/commands/identify22
-rwxr-xr-xelchos/commands/io25
-rwxr-xr-xelchos/commands/ips2
-rwxr-xr-xelchos/commands/list_downloads8
-rwxr-xr-xelchos/commands/onion3
-rwxr-xr-xelchos/commands/reboot3
-rwxr-xr-xelchos/commands/refresh_shares4
-rwxr-xr-xelchos/commands/shares2
-rwxr-xr-xelchos/commands/update_search3
-rw-r--r--elchos/config.py78
-rw-r--r--etc/conf.d/reaktor2
-rwxr-xr-xetc/init.d/reaktor-debian102
-rw-r--r--etc/supervisor/Reaktor.conf6
-rw-r--r--etc/systemd/system/Reaktor.service14
-rw-r--r--repos/bxfr/bxfr.py238
-rw-r--r--repos/bxfr/bxfr_api.py238
-rwxr-xr-xrepos/consolidate_dns/index86
-rwxr-xr-xrepos/revip/revip48
-rwxr-xr-xtitlebot/commands/clear12
-rwxr-xr-xtitlebot/commands/down2
-rwxr-xr-xtitlebot/commands/help12
-rwxr-xr-xtitlebot/commands/highest30
-rwxr-xr-xtitlebot/commands/list27
-rwxr-xr-xtitlebot/commands/new19
-rw-r--r--titlebot/commands/poll.py23
l---------titlebot/commands/top1
-rwxr-xr-xtitlebot/commands/undo31
-rwxr-xr-xtitlebot/commands/up33
-rw-r--r--titlebot/titlebot.py79
37 files changed, 0 insertions, 1396 deletions
diff --git a/Makefile b/Makefile
deleted file mode 100644
index 2241dba..0000000
--- a/Makefile
+++ /dev/null
@@ -1,23 +0,0 @@
-submodules = gxfr dnsrecon bxfr whatweb
-security_modules = subdomains revip whatweb
-
-all: init all-mods
-
-init: init-submodules $(submodules)
-init-submodules:
- cd ..;git submodule init; git submodule update
-$(submodules):
- cd repos/$@ ; git checkout master;git pull
-
-all-mods: $(addprefix public_commands/,$(security_modules))
-public_commands/%:commands/%
- ln -s ../$< $@
-
-debian-autostart:
- useradd reaktor ||:
- cp startup/init.d/reaktor-debian /etc/init.d/reaktor
- cp startup/conf.d/reaktor /etc/default/
- update-rc.d reaktor defaults
-supervisor-autostart:
- useradd reaktor ||:
- cp startup/supervisor/Reaktor.conf /etc/supervisor/conf.d/
diff --git a/UDP/README b/UDP/README
deleted file mode 100644
index 587c804..0000000
--- a/UDP/README
+++ /dev/null
@@ -1,52 +0,0 @@
-# Specifications
-From 2011-09-16:
-## Use Case
- [
- {
- "port": 1337,
- "pattern": "XXYY",
- "comment" : "does the right thing",
- "action" : {
- "POST": {
- "url" : "xyz",
- "data" : "abc"
- }
- }
- }
- ]
-## Head definition
- {
- "bind_addr" : "127.0.0.1",
- "port" : 1234,
- "pattern" : "XXZZ",
- "action" : { },
- }
-bind is an optional entry which lets the user define a bind address for the server.
-terminator is optional which lets the user define the EOM terminator.
-
-## Actions
-### POST
-"POST" : {
- "url" : "http://euer.krebsco.de/",
- "data" : "{ \"something\" : \"else\" }"
- }
-
-### PROCESS
-Process is taken from //hyper/process/test/bc.json - rev:a7fd3f
-
-stdout/stderr are optional and if left away data will be written to real stdout/stderr
-in the process in envp => "payload" will be allocated for the given payload from the network
-
- "PROCESS" : {
- {
- "path": "/usr/bin/bc",
- "argv": [
- "bc"
- ],
- "envp": {
- "was": "geht",
- },
- "stdout": "uri:///path/to/somewhere",
- "stderr": "uri:///path/to/somewhere"
- }
- }
diff --git a/UDP/config b/UDP/config
deleted file mode 100644
index 623c721..0000000
--- a/UDP/config
+++ /dev/null
@@ -1,15 +0,0 @@
-[
- {
- "comment" : "listener for licht.shack",
- "bind_addr" : "0.0.0.0",
- "port" : 2342,
- "pattern" : "",
- "action" : {
- "PROCESS" : {
- "path" : "/krebs/Reaktor/udp_commands/licht_resolver",
- "argv" : [ ],
- "envp" : { }
- }
- }
- }
-]
diff --git a/UDP/index b/UDP/index
deleted file mode 100755
index ffe3d6b..0000000
--- a/UDP/index
+++ /dev/null
@@ -1,94 +0,0 @@
-#!/usr/bin/python
-
-import asyncore, socket
-import logging,subprocess
-import re
-import json
-log = logging.getLogger('ubot')
-
-def enable_syslog(logger):
- import logging.handlers as handlers
- from logging import Formatter
- hdlr = handlers.SysLogHandler(
- facility=handlers.SysLogHandler.LOG_DAEMON)
- formatter = Formatter(
- '%(filename)s: %(levelname)s: %(message)s')
- hdlr.setFormatter(formatter)
- logger.addHandler(hdlr)
-
-from twisted.internet.protocol import DatagramProtocol
-from twisted.internet import reactor
-from twisted.application.internet import MulticastServer
-from socket import SOL_SOCKET,SO_BROADCAST
-class ubot(DatagramProtocol):
-# def startProtocol(self):
-# log.info("Starting Listener for Multicast")
-# self.transport.joinGroup("255.255.255.255")
-
- """ UDP Bot """
- def startProtocol(self):
- log.info("starting Protocol at host (%s)" % self.bind_addr)
- #self.transport.
- if self.bind_addr != "255.255.255.255":
- self.transport.joinGroup(self.bind_addr)
- else:
- self.transport.socket.setsockopt(SOL_SOCKET,SO_BROADCAST,True)
- def __init__(self, pattern,action,bind_addr,**kwargs):
- #DatagramProtocol.__init__(self)
- self.data = ''
- self.pattern = pattern
- self.action = action
- self.bind_addr = bind_addr
-
- def datagramReceived(self,datagram,addr):
- self.data = datagram
- log.debug('<< %s' % self.data)
- if self.find_pattern():
- self.start_action()
-
- def find_pattern(self):
- """ returns true if own pattern is found"""
- log.debug("Pattern is %s" %self.pattern)
- ret = re.search(self.pattern,self.data)
- if ret:
- log.info("Match \"%s\" with pattern \"%s\"" % ((ret.string.strip()),self.pattern))
- else:
- log.info("No Match")
- return ret
-
-
- def start_action(self):
- """ runs all the defined actions"""
- log.debug("Actions: %s" % str(self.action))
- self.start_process()
- self.start_post()
-
- def start_process(self):
- try:
- act = self.action["PROCESS"]
- proc = []
- proc.append(act["path"])
- proc.extend(act["argv"])
-
- env = act["envp"]
- env["payload"] = json.dumps(self.data)
- log.info("Starting Process: %s (env: %s)" % (proc,env))
- subprocess.Popen(proc,env=env)
- except Exception as e:
- log.error(e)
- def start_post(self):
- pass
-
-def load_conf(conf_file):
- return json.load(open(conf_file))
-
-
-if __name__ == "__main__":
- import os
- #enable_syslog(log)
- HERE = os.path.dirname(os.path.realpath(__file__))
- lol = logging.DEBUG if os.environ.get('debug',False) else logging.INFO
- logging.basicConfig(level=lol)
- for i in load_conf("%s/config" %HERE):
- reactor.listenMulticast(i["port"], ubot(**i))
- reactor.run()
diff --git a/auth.lst b/auth.lst
deleted file mode 100755
index 8b13789..0000000
--- a/auth.lst
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/elchos/admin.lst b/elchos/admin.lst
deleted file mode 100644
index e69de29..0000000
--- a/elchos/admin.lst
+++ /dev/null
diff --git a/elchos/auth.lst b/elchos/auth.lst
deleted file mode 100644
index e69de29..0000000
--- a/elchos/auth.lst
+++ /dev/null
diff --git a/elchos/commands/ftpget b/elchos/commands/ftpget
deleted file mode 100755
index 74e76f8..0000000
--- a/elchos/commands/ftpget
+++ /dev/null
@@ -1,58 +0,0 @@
-#!/bin/sh
-# usage: $0 [-d] uri sharename[/subdirs]
-exec 2>&1
-set -euf
-ncdc_user=hooker
-usage(){
- cat <<EOF
-usage: $0 [-d] uri share[/subdirs]
- -d -- uri is a directory to be mirrored
- share -- vag[0-n]
-
-EOF
-}
-examples(){
- cat <<EOF
-examples: ftpget -d http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/0.8 vag0/firefox_releases
- -> 0.8 directory is stored to /media/vag0/firefox_releases
-
- ftpget -d http://speedtest.qsc.de/10MB.qsc vag0/
- -> 10MB.qsc is stored to /media/vag0/10MB.qsc
-EOF
-}
-if test "${1:--h}" == '-h' -o "${1:-}" == '--help';then
- usage
- examples
- exit 0
-fi
-if test ${1:-} == '-d' ;then
- is_dir=true
- shift
-fi
-
-target="${1:-}"
-if !( echo "$target" | egrep -q '^(ftps*://|https*://)' );then
- exit 23
-fi
-
-share=$( printf "%s" "${2?provide share name}" |head -1 | sed 's#\.\./##')
-sharepath=/media/${share%%/*}
-realshare="/media/$share"
-test ! -e "$sharepath" && echo "$sharepath does not exist!" && exit 23
-
-sudo -u $ncdc_user /usr/bin/mkdir -p "$realshare"
-
-if test -z ${is_dir:-};then
- cmd="lftpget \"$target\""
-else
- cmd="lftp -e \"mirror;exit\" $target"
-fi
-
- if ! sudo -u $ncdc_user /usr/bin/tmux has-session -t dl >/dev/null 2>&1 ;then
- sudo -u $ncdc_user /usr/bin/tmux new-session -s dl -d -c "$realshare" "$cmd"
- else
- sudo -u $ncdc_user /usr/bin/tmux new-window -t dl -c "$realshare" "$cmd"
- fi
-#sudo -u $ncdc_user /usr/bin/tmux new-window -t dl
-#cd "$realshare" ;sudo -u hooker /usr/bin/lftpget "$target"
-echo "download started, check with 'list_downloads'"
diff --git a/elchos/commands/identify b/elchos/commands/identify
deleted file mode 100755
index c2fb2c5..0000000
--- a/elchos/commands/identify
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/usr/bin/env python
-import imp
-import os,sys
-
-def load_config(filename):
- dirname = os.path.dirname(filename)
- modname, ext = os.path.splitext(os.path.basename(filename))
- file, pathname, description = imp.find_module(modname, [ dirname ])
- return imp.load_module(modname, file, pathname, description)
-
-config = load_config(os.environ['config_filename'])
-
-with open(config.admin_file) as f:
- for line in f:
- nick,secret = line.split()
- if sys.argv[1] == secret:
- print("identified you as %s!"%nick)
- with open(config.auth_file,'a+') as g:
- g.write(os.environ['_prefix'] +"\n")
- sys.exit(0)
-
-print("unable to identify you, sorry")
diff --git a/elchos/commands/io b/elchos/commands/io
deleted file mode 100755
index eb04ae9..0000000
--- a/elchos/commands/io
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/usr/bin/zsh
-printf '%-10s %-7s %-7s %-7s %-7s\n' IFACE rxkB/s txkB/s rxTotal txTotal
-sar -n DEV 1 3 | grep Average: | grep -v IFACE | grep -v ' lo ' | while read line;do
- dev=$(echo $line | awk '{print $2}')
- rxkb=$(echo $line | awk '{print $5}')
- txkb=$(echo $line | awk '{print $6}')
- total_bytes_r=$(cat /proc/net/dev | grep ${dev}: | awk '{print $2}')
- total_bytes_t=$(cat /proc/net/dev | grep ${dev}: | awk '{print $10}')
-
- printf '%-10s %-7s %-7s %-7s %-7s\n' $dev $rxkb $txkb $((total_bytes_r / (1024*1024))) $((total_bytes_t / (1024*1024)))
-done
-printf "%-10s %-7s %-7s\n" "DSK" "rxkB/s" "txkB/s"
-sar -p -d 1 3 | grep Average: | grep -v ' DEV ' |while read line;
-do
- dsk=$(echo $line | awk '{print $2}')
- rd_sec=$(echo $line | awk '{print $4}')
- wr_sec=$(echo $line | awk '{print $5}')
- if echo $dsk | egrep -q '(sd|hd|vd)';then
- # TODO for some reason 0.00 can only be interpreted correctly as arithmetic
- # expession by zsh
- #
- # rd is counted in blocks (which is 512 bytes)
- printf "%-10s %-7.2f %-7.2f\n" "/dev/$dsk" "$((rd_sec*2))" "$((wr_sec*2))"
- fi
-done
diff --git a/elchos/commands/ips b/elchos/commands/ips
deleted file mode 100755
index 17c3965..0000000
--- a/elchos/commands/ips
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-ip addr | grep 'inet ' | awk '{print $2}' | grep -v 127.0.0.1 | grep .
diff --git a/elchos/commands/list_downloads b/elchos/commands/list_downloads
deleted file mode 100755
index f53067d..0000000
--- a/elchos/commands/list_downloads
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/sh
-ncdc_user=hooker
-count=$(sudo -u $ncdc_user /usr/bin/tmux list-windows -t dl 2>/dev/null| wc -l)
-
-test $count -eq 0 && echo "no downloads running" && exit 0
-for i in $(seq 0 $(($count-1)));do
- sudo -u $ncdc_user /usr/bin/tmux capture-pane -t dl:$i -p | grep -v '^$' | tail -n 1
-done
diff --git a/elchos/commands/onion b/elchos/commands/onion
deleted file mode 100755
index 1a20299..0000000
--- a/elchos/commands/onion
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-sudo -u tor /krebs/bin/tor-get-hidden-service.sh || echo "no hidden service configured"
diff --git a/elchos/commands/reboot b/elchos/commands/reboot
deleted file mode 100755
index a264831..0000000
--- a/elchos/commands/reboot
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-echo "system is going down"
-sudo /usr/bin/reboot
diff --git a/elchos/commands/refresh_shares b/elchos/commands/refresh_shares
deleted file mode 100755
index 1005998..0000000
--- a/elchos/commands/refresh_shares
+++ /dev/null
@@ -1,4 +0,0 @@
-#!/bin/sh
-ncdc_user=hooker
-sudo /krebs/bin/refresh-shares.ship 2>&1
-sudo -u $ncdc_user /krebs/bin/update-search.sh 2>&1
diff --git a/elchos/commands/shares b/elchos/commands/shares
deleted file mode 100755
index 1601d58..0000000
--- a/elchos/commands/shares
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/sh
-df -h | grep '/media/'
diff --git a/elchos/commands/update_search b/elchos/commands/update_search
deleted file mode 100755
index 1db1c1b..0000000
--- a/elchos/commands/update_search
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-ncdc_user=hooker
-sudo -u $ncdc_user /krebs/bin/update-search.sh
diff --git a/elchos/config.py b/elchos/config.py
deleted file mode 100644
index eeeacd8..0000000
--- a/elchos/config.py
+++ /dev/null
@@ -1,78 +0,0 @@
-import socket
-name = socket.gethostname()
-cfg_file = "/krebs/config.sh"
-
-# TODO: shell config file cannot contain variables or anything fancy
-ret ={}
-
-import shlex
-## load config file, lex split every line, split at =
-with open(cfg_file) as f:
- for line in f:
- k,v = shlex.split(line)[0].split("=",1)
- ret[k] = v
-
-#irc_server = 'irc.freenode.net'
-irc_server = ret["IRC_SERVER"]
-
-debug = False
-
-state_dir='/krebs/painload/Reaktor'
-irc_alarm_timeout = 300
-irc_hammer_interval = 10
-irc_kill_timeout = 360
-irc_nickname = name
-irc_restart_timeout = 5
-irc_port = 6667
-irc_channels = [
- '#elchOS'
-]
-
-admin_file='admin.lst'
-auth_file='auth.lst'
-
-def default_command(cmd):
- return {
- 'capname': cmd,
- 'pattern': '^(?:' + name + '|\\*):\\s*' + cmd + '\\s*(?:\\s+(?P<args>.*))?$',
- 'argv': [ 'commands/' + cmd ] }
-
-def elch_command(cmd):
- return {
- 'capname': cmd,
- 'pattern': '^(?:' + name + '|\\*):\\s*' + cmd + '\\s*(?:\\s+(?P<args>.*))?$',
- 'argv': [ 'elchos/commands/' + cmd ] }
-
-public_commands = [
- default_command('caps'),
- default_command('hello'),
- default_command('uptime'),
- default_command('badcommand'),
- default_command('rev'),
- elch_command('search'),
- elch_command('list_downloads'),
- elch_command('io'),
- elch_command('ips'),
- elch_command('shares'),
- elch_command('onion'),
- default_command('nocommand'),
- # command not found
- { 'pattern': '^(?:' + name + '|\\*):.*',
- 'argv': [ 'commands/respond','You are made of stupid!'] },
- # "highlight"
- { 'pattern': '.*\\b' + name + '\\b.*',
- 'argv': [ 'commands/say', 'I\'m famous' ] },
- # identify via direct connect
- { 'capname': 'identify',
- 'pattern': 'identify' + '\\s*(?:\\s+(?P<args>.*))?$',
- 'argv' : [ 'commands/identify' ]}
-
-]
-
-commands = [
- default_command('reload'),
- elch_command('update_search'),
- elch_command('refresh_shares'),
- elch_command('ftpget'),
- elch_command('reboot')
-]
diff --git a/etc/conf.d/reaktor b/etc/conf.d/reaktor
deleted file mode 100644
index a4f3f8e..0000000
--- a/etc/conf.d/reaktor
+++ /dev/null
@@ -1,2 +0,0 @@
-export target="#krebsco"
-export host="irc.freenode.com"
diff --git a/etc/init.d/reaktor-debian b/etc/init.d/reaktor-debian
deleted file mode 100755
index a94384f..0000000
--- a/etc/init.d/reaktor-debian
+++ /dev/null
@@ -1,102 +0,0 @@
-#!/bin/sh
-# uses template from /etc/init.d/skeleton
-### BEGIN INIT INFO
-# Provides: reaktor
-# Required-Start:
-# Required-Stop:
-# Default-Start: 2 3 4 5
-# Default-Stop: 0 1 6
-# Short-Description: reaktor
-# Description: starts reaktor daemon
-#
-### END INIT INFO
-
-PATH=/sbin:/usr/sbin:/bin:/usr/bin
-NAME=reaktor
-USER=reaktor
-DESC="$NAME daemon"
-DAEMON=/usr/bin/python
-DAEMON_DIR="/krebs/Reaktor/IRC/"
-DAEMON_ARGS="${DAEMON_DIR}/asybot.py"
-PIDFILE=/var/run/$NAME.pid
-SCRIPTNAME=/etc/init.d/$NAME
-
-[ -x "$DAEMON" ] || exit 0
-[ -r /etc/default/$NAME ] && . /etc/default/$NAME
-. /lib/init/vars.sh
-. /lib/lsb/init-functions
-
-do_start()
-{
- # 0 if daemon has been started
- # 1 if daemon was already running
- # 2 if daemon could not be started
- start-stop-daemon -b -d $DAEMON_DIR/.. -c $USER --start --quiet --make-pidfile --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
- || return 1
- start-stop-daemon -b -d $DAEMON_DIR/.. -c $USER --start --quiet --make-pidfile --pidfile $PIDFILE --exec $DAEMON -- \
- $DAEMON_ARGS \
- || return 2
-}
-
-do_stop()
-{
- # 0 if daemon has been stopped
- # 1 if daemon was already stopped
- # 2 if daemon could not be stopped
- start-stop-daemon --stop --retry=TERM/30/KILL/5 --pidfile $PIDFILE
- RETVAL="$?"
- [ "$RETVAL" = 2 ] && return 2
- rm -f $PIDFILE
- return "$RETVAL"
-}
-
-do_reload() {
- start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE
- return 0
-}
-
-case "$1" in
- start)
- [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
- do_start
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- stop)
- [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
- 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
- esac
- ;;
- status)
- status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
- ;;
- restart|force-reload)
- log_daemon_msg "Restarting $DESC" "$NAME"
- do_stop
- case "$?" in
- 0|1)
- do_start
- case "$?" in
- 0) log_end_msg 0 ;;
- 1) log_end_msg 1 ;;
- *) log_end_msg 1 ;;
- esac
- ;;
- *)
- # Failed to stop
- log_end_msg 1
- ;;
- esac
- ;;
- *)
- echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
- exit 3
- ;;
-esac
-
-:
diff --git a/etc/supervisor/Reaktor.conf b/etc/supervisor/Reaktor.conf
deleted file mode 100644
index 497066e..0000000
--- a/etc/supervisor/Reaktor.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-[program:Reaktor]
-command=/usr/bin/python2.6 IRC/asybot.py
-environment=host='irc.freenode.net',target='#krebsco'
-redirect_stderr=true
-user=reaktor
-directory=/krebs/Reaktor
diff --git a/etc/systemd/system/Reaktor.service b/etc/systemd/system/Reaktor.service
deleted file mode 100644
index 6bb3e55..0000000
--- a/etc/systemd/system/Reaktor.service
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-Description=Reaktor for user %i
-After=network.target nss-lookup.target
-
-[Service]
-Type=normal
-#TODO - make reaktor path variable
-User=reaktor
-ExecStart=/krebs/painload/Reaktor/index
-Restart=always
-RestartSec=3
-
-[Install]
-WantedBy=multi-user.target
diff --git a/repos/bxfr/bxfr.py b/repos/bxfr/bxfr.py
deleted file mode 100644
index 8e6bd10..0000000
--- a/repos/bxfr/bxfr.py
+++ /dev/null
@@ -1,238 +0,0 @@
-#!/usr/bin/python -tt
-
-# gxfr replicates dns zone transfers by enumerating subdomains using advanced search engine queries and conducting dns lookups.
-# By Tim Tomes (LaNMaSteR53)
-# Available for download at http://LaNMaSteR53.com or http://code.google.com/p/gxfr/
-
-import sys, os.path, urllib, urllib2, re, time, socket, random, socket
-
-
-def help():
- print """ Syntax: ./gxfr.py domain [options]
-
- -h, --help this screen
- -v enable verbose mode
- -t [num of seconds] set number of seconds to wait between queries (default=15)
- -q [max num of queries] restrict to maximum number of queries (default=0, indefinite)
- --dns-lookup enable dns lookups of all subdomains
- --proxy [file|ip:port|-] use a proxy or list of open proxies to send queries (@random w/list)
- - [file] must consist of 1 or more ip:port pairs
- - replace filename with '-' (dash) to accept stdin
- --user-agent ['string'] set custom user-agent string
- --timeout [seconds] set socket timeout (default=system default)
- --csv [file]
-
- Examples:
- $ ./gxfr.py foxnews.com --dns-lookup -v
- $ ./gxfr.py foxnews.com --dns-lookup --proxy open_proxies.txt --timeout 10
- $ ./gxfr.py foxnews.com --dns-lookup -t 5 -q 5 -v --proxy 127.0.0.1:8080
- $ curl http://rmccurdy.com/scripts/proxy/good.txt | ./gxfr.py website.com -v -t 3 --proxy -
- """
- sys.exit(2)
-
-if len(sys.argv) < 2:
- help()
-
-if '-h' in sys.argv or '--help' in sys.argv:
- help()
-
-# declare vars and process arguments
-#http://www.bing.com/search?q=site%3agoogle.de&qs=n&filt=all&pq=site%3agoogle.d&sc=8-5&sp=-1&sk=&first=1&FORM=PORE
-query_cnt = 0
-csvname = False
-domain = sys.argv[1]
-sys.argv = sys.argv[2:]
-lookup = False
-encrypt = True
-base_url = 'http://www.bing.com'
-base_uri = '/search?qs=n&form=QBRE&sc=0-0&sp=-1&sk='
-base_query = 'site:' + domain
-pattern = '//([\.\w-]*)\.%s.+?' % (domain)
-proxy = False
-user_agent = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; FDM; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)'
-verbose = False
-secs = 15
-max_queries = 10 # default = 10 queries
-# process command line arguments
-if len(sys.argv) > 0:
- if '--dns-lookup' in sys.argv:
- lookup = True
- if '--csv' in sys.argv:
- csvname = sys.argv[sys.argv.index('--csv') + 1]
- if '--proxy' in sys.argv:
- proxy = True
- filename = sys.argv[sys.argv.index('--proxy') + 1]
- if filename == '-':
- proxies = sys.stdin.read().split()
- elif os.path.exists(filename):
- content = open(filename).read()
- proxies = re.findall('\d+\.\d+\.\d+\.\d+:\d+', content)
- elif re.match(r'^\d+\.\d+\.\d+\.\d+:\d+$', filename):
- proxies = [filename]
- else:
- help()
- if '--timeout' in sys.argv:
- timeout = int(sys.argv[sys.argv.index('--timeout') + 1])
- socket.setdefaulttimeout(timeout)
- if '--user-agent' in sys.argv:
- user_agent = sys.argv[sys.argv.index('--user-agent') + 1]
- if '-v' in sys.argv:
- verbose = True
- if '-t' in sys.argv:
- secs = int(sys.argv[sys.argv.index('-t') + 1])
- if '-q' in sys.argv:
- max_queries = int(sys.argv[sys.argv.index('-q') + 1])
-subs = []
-new = True
-page = 0
-
-# --begin--
-print '[-] domain:', domain
-print '[-] user-agent:', user_agent
-# execute search engine queries and scrape results storing subdomains in a list
-print '[-] querying search engine, please wait...'
-# loop until no new subdomains are found
-while new == True:
- try:
- query = ''
- # build query based on results of previous results
- for sub in subs:
- query += ' -site:%s.%s' % (sub, domain)
- full_query = base_query + query
- start_param = '&first=%s' % (str(page*10))
- query_param = '&q=%s&pq=%s' % (urllib.quote_plus(full_query),urllib.quote_plus(full_query))
- if len(base_uri) + len(query_param) + len(start_param) < 2048:
- last_query_param = query_param
- params = query_param + start_param
- else:
- params = last_query_param[:2047-len(start_param)-len(base_uri)] + start_param
- full_url = base_url + base_uri + params
- # note: query character limit is passive in mobile, but seems to be ~794
- # note: query character limit seems to be 852 for desktop queries
- # note: typical URI max length is 2048 (starts after top level domain)
- if verbose: print '[+] using query: %s...' % (full_url)
- # build web request and submit query
- request = urllib2.Request(full_url)
- # spoof user-agent string
- request.add_header('User-Agent', user_agent)
- # if proxy is enabled, use the correct handler
- if proxy == True:
- # validate proxies at runtime
- while True:
- try:
- # select a proxy from list at random
- num = random.randint(0,len(proxies)-1)
- host = proxies[num]
- opener = urllib2.build_opener(urllib2.ProxyHandler({'http': host}))
- if verbose: print '[+] sending query to', host
- # send query to proxy server
- result = opener.open(request).read()
- # exit while loop if successful
- break
- except Exception as inst:
- print '[!] %s failed: %s' % (host, inst)
- if len(proxies) == 1:
- # exit of no proxy servers from list are valid
- print '[-] valid proxy server not found'
- sys.exit(2)
- else:
- # remove host from list of proxies and try again
- del proxies[num]
- else:
- opener = urllib2.build_opener(urllib2.HTTPHandler(), urllib2.HTTPSHandler())
- # send query to search engine
- try:
- result = opener.open(request).read()
- except Exception as inst:
- print '[!] {0}'.format(inst)
- if str(inst).index('503') != -1: print '[!] possible shun: use --proxy or find something else to do for 24 hours :)'
- sys.exit(2)
- if not verbose: sys.stdout.write('.'); sys.stdout.flush()
- #if not verbose: sys.stdout.write('\n'); sys.stdout.flush()
- # iterate query count
- query_cnt += 1
- sites = re.findall(pattern, result)
- # create a uniq list
- sites = list(set(sites))
- new = False
- # add subdomain to list if not already exists
- for site in sites:
- if site not in subs:
- if verbose: print '[!] subdomain found:', site
- subs.append(site)
- new = True
- # exit if maximum number of queries has been made
- if query_cnt == max_queries:
- print '[-] maximum number of queries made...'
- break
- # start going through all pages if querysize is maxed out
- if new == False:
- # exit if all subdomains have been found
- if not 'Next page' in result:
- #import pdb; pdb.set_trace() # curl to stdin breaks pdb
- print '[-] all available subdomains found...'
- break
- else:
- page += 1
- new = True
- if verbose: print '[+] no new subdomains found on page. jumping to result %d.' % (page*10)
- # sleep script to avoid lock-out
- if verbose: print '[+] sleeping to avoid lock-out...'
- time.sleep(secs)
- except KeyboardInterrupt:
- # catch keyboard interrupt and gracefull complete script
- break
-
-# print list of subdomains
-print '[-] successful queries made:', str(query_cnt)
-if verbose:
- # rebuild and display final query if in verbose mode
- #final_query = ''
- #for sub in subs:
- # final_query += '+-site:%s.%s' % (sub, domain)
- #print '[+] final query string: %sstart=%s&%s%s' % (base_url, str(page*10), base_query, query)
- print '[+] final query string: %s' % (full_url)
-print ' '
-print '[subdomains] -', str(len(subs))
-csvwriter = False
-try:
- if csvname:
- import csv
- csvwriter = csv.writer(open(csvname,'wb'))
-except:
- print "[!] Cannot open CSV"
-for sub in subs:
- dom = '%s.%s' % (sub, domain )
-
- #host resolution makes this computer more visible
- hostname,aliases,ips = socket.gethostbyname_ex(dom)
- #print hostname,aliases,ip
- print dom,",".join(ips)
- try:
- line = [dom] + ips
- csvwriter.writerow([dom] + ips)
- except: pass
-
-
-# conduct dns lookup if argument is present
-if lookup == True:
- print ' '
- print '[-] querying dns, please wait...'
- dict = {}
- # create a dictionary where the subdomain is the key and a list of all associated ips is the value
- for sub in subs:
- sub = '%s.%s' % (sub, domain)
- if verbose: print '[+] querying dns for %s...' % (sub)
- # dns query and dictionary assignment
- try:
- dict[sub] = list(set([item[4][0] for item in socket.getaddrinfo(sub, 80)]))
-