diff options
37 files changed, 0 insertions, 1396 deletions
diff --git a/Makefile b/Makefile deleted file mode 100644 index 2241dba..0000000 --- a/Makefile +++ /dev/null @@ -1,23 +0,0 @@ -submodules = gxfr dnsrecon bxfr whatweb -security_modules = subdomains revip whatweb - -all: init all-mods - -init: init-submodules $(submodules) -init-submodules: - cd ..;git submodule init; git submodule update -$(submodules): - cd repos/$@ ; git checkout master;git pull - -all-mods: $(addprefix public_commands/,$(security_modules)) -public_commands/%:commands/% - ln -s ../$< $@ - -debian-autostart: - useradd reaktor ||: - cp startup/init.d/reaktor-debian /etc/init.d/reaktor - cp startup/conf.d/reaktor /etc/default/ - update-rc.d reaktor defaults -supervisor-autostart: - useradd reaktor ||: - cp startup/supervisor/Reaktor.conf /etc/supervisor/conf.d/ diff --git a/UDP/README b/UDP/README deleted file mode 100644 index 587c804..0000000 --- a/UDP/README +++ /dev/null @@ -1,52 +0,0 @@ -# Specifications -From 2011-09-16: -## Use Case - [ - { - "port": 1337, - "pattern": "XXYY", - "comment" : "does the right thing", - "action" : { - "POST": { - "url" : "xyz", - "data" : "abc" - } - } - } - ] -## Head definition - { - "bind_addr" : "127.0.0.1", - "port" : 1234, - "pattern" : "XXZZ", - "action" : { }, - } -bind is an optional entry which lets the user define a bind address for the server. -terminator is optional which lets the user define the EOM terminator. - -## Actions -### POST -"POST" : { - "url" : "http://euer.krebsco.de/", - "data" : "{ \"something\" : \"else\" }" - } - -### PROCESS -Process is taken from //hyper/process/test/bc.json - rev:a7fd3f - -stdout/stderr are optional and if left away data will be written to real stdout/stderr -in the process in envp => "payload" will be allocated for the given payload from the network - - "PROCESS" : { - { - "path": "/usr/bin/bc", - "argv": [ - "bc" - ], - "envp": { - "was": "geht", - }, - "stdout": "uri:///path/to/somewhere", - "stderr": "uri:///path/to/somewhere" - } - } diff --git a/UDP/config b/UDP/config deleted file mode 100644 index 623c721..0000000 --- a/UDP/config +++ /dev/null @@ -1,15 +0,0 @@ -[ - { - "comment" : "listener for licht.shack", - "bind_addr" : "0.0.0.0", - "port" : 2342, - "pattern" : "", - "action" : { - "PROCESS" : { - "path" : "/krebs/Reaktor/udp_commands/licht_resolver", - "argv" : [ ], - "envp" : { } - } - } - } -] diff --git a/UDP/index b/UDP/index deleted file mode 100755 index ffe3d6b..0000000 --- a/UDP/index +++ /dev/null @@ -1,94 +0,0 @@ -#!/usr/bin/python - -import asyncore, socket -import logging,subprocess -import re -import json -log = logging.getLogger('ubot') - -def enable_syslog(logger): - import logging.handlers as handlers - from logging import Formatter - hdlr = handlers.SysLogHandler( - facility=handlers.SysLogHandler.LOG_DAEMON) - formatter = Formatter( - '%(filename)s: %(levelname)s: %(message)s') - hdlr.setFormatter(formatter) - logger.addHandler(hdlr) - -from twisted.internet.protocol import DatagramProtocol -from twisted.internet import reactor -from twisted.application.internet import MulticastServer -from socket import SOL_SOCKET,SO_BROADCAST -class ubot(DatagramProtocol): -# def startProtocol(self): -# log.info("Starting Listener for Multicast") -# self.transport.joinGroup("255.255.255.255") - - """ UDP Bot """ - def startProtocol(self): - log.info("starting Protocol at host (%s)" % self.bind_addr) - #self.transport. - if self.bind_addr != "255.255.255.255": - self.transport.joinGroup(self.bind_addr) - else: - self.transport.socket.setsockopt(SOL_SOCKET,SO_BROADCAST,True) - def __init__(self, pattern,action,bind_addr,**kwargs): - #DatagramProtocol.__init__(self) - self.data = '' - self.pattern = pattern - self.action = action - self.bind_addr = bind_addr - - def datagramReceived(self,datagram,addr): - self.data = datagram - log.debug('<< %s' % self.data) - if self.find_pattern(): - self.start_action() - - def find_pattern(self): - """ returns true if own pattern is found""" - log.debug("Pattern is %s" %self.pattern) - ret = re.search(self.pattern,self.data) - if ret: - log.info("Match \"%s\" with pattern \"%s\"" % ((ret.string.strip()),self.pattern)) - else: - log.info("No Match") - return ret - - - def start_action(self): - """ runs all the defined actions""" - log.debug("Actions: %s" % str(self.action)) - self.start_process() - self.start_post() - - def start_process(self): - try: - act = self.action["PROCESS"] - proc = [] - proc.append(act["path"]) - proc.extend(act["argv"]) - - env = act["envp"] - env["payload"] = json.dumps(self.data) - log.info("Starting Process: %s (env: %s)" % (proc,env)) - subprocess.Popen(proc,env=env) - except Exception as e: - log.error(e) - def start_post(self): - pass - -def load_conf(conf_file): - return json.load(open(conf_file)) - - -if __name__ == "__main__": - import os - #enable_syslog(log) - HERE = os.path.dirname(os.path.realpath(__file__)) - lol = logging.DEBUG if os.environ.get('debug',False) else logging.INFO - logging.basicConfig(level=lol) - for i in load_conf("%s/config" %HERE): - reactor.listenMulticast(i["port"], ubot(**i)) - reactor.run() diff --git a/auth.lst b/auth.lst deleted file mode 100755 index 8b13789..0000000 --- a/auth.lst +++ /dev/null @@ -1 +0,0 @@ - diff --git a/elchos/admin.lst b/elchos/admin.lst deleted file mode 100644 index e69de29..0000000 --- a/elchos/admin.lst +++ /dev/null diff --git a/elchos/auth.lst b/elchos/auth.lst deleted file mode 100644 index e69de29..0000000 --- a/elchos/auth.lst +++ /dev/null diff --git a/elchos/commands/ftpget b/elchos/commands/ftpget deleted file mode 100755 index 74e76f8..0000000 --- a/elchos/commands/ftpget +++ /dev/null @@ -1,58 +0,0 @@ -#!/bin/sh -# usage: $0 [-d] uri sharename[/subdirs] -exec 2>&1 -set -euf -ncdc_user=hooker -usage(){ - cat <<EOF -usage: $0 [-d] uri share[/subdirs] - -d -- uri is a directory to be mirrored - share -- vag[0-n] - -EOF -} -examples(){ - cat <<EOF -examples: ftpget -d http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/0.8 vag0/firefox_releases - -> 0.8 directory is stored to /media/vag0/firefox_releases - - ftpget -d http://speedtest.qsc.de/10MB.qsc vag0/ - -> 10MB.qsc is stored to /media/vag0/10MB.qsc -EOF -} -if test "${1:--h}" == '-h' -o "${1:-}" == '--help';then - usage - examples - exit 0 -fi -if test ${1:-} == '-d' ;then - is_dir=true - shift -fi - -target="${1:-}" -if !( echo "$target" | egrep -q '^(ftps*://|https*://)' );then - exit 23 -fi - -share=$( printf "%s" "${2?provide share name}" |head -1 | sed 's#\.\./##') -sharepath=/media/${share%%/*} -realshare="/media/$share" -test ! -e "$sharepath" && echo "$sharepath does not exist!" && exit 23 - -sudo -u $ncdc_user /usr/bin/mkdir -p "$realshare" - -if test -z ${is_dir:-};then - cmd="lftpget \"$target\"" -else - cmd="lftp -e \"mirror;exit\" $target" -fi - - if ! sudo -u $ncdc_user /usr/bin/tmux has-session -t dl >/dev/null 2>&1 ;then - sudo -u $ncdc_user /usr/bin/tmux new-session -s dl -d -c "$realshare" "$cmd" - else - sudo -u $ncdc_user /usr/bin/tmux new-window -t dl -c "$realshare" "$cmd" - fi -#sudo -u $ncdc_user /usr/bin/tmux new-window -t dl -#cd "$realshare" ;sudo -u hooker /usr/bin/lftpget "$target" -echo "download started, check with 'list_downloads'" diff --git a/elchos/commands/identify b/elchos/commands/identify deleted file mode 100755 index c2fb2c5..0000000 --- a/elchos/commands/identify +++ /dev/null @@ -1,22 +0,0 @@ -#!/usr/bin/env python -import imp -import os,sys - -def load_config(filename): - dirname = os.path.dirname(filename) - modname, ext = os.path.splitext(os.path.basename(filename)) - file, pathname, description = imp.find_module(modname, [ dirname ]) - return imp.load_module(modname, file, pathname, description) - -config = load_config(os.environ['config_filename']) - -with open(config.admin_file) as f: - for line in f: - nick,secret = line.split() - if sys.argv[1] == secret: - print("identified you as %s!"%nick) - with open(config.auth_file,'a+') as g: - g.write(os.environ['_prefix'] +"\n") - sys.exit(0) - -print("unable to identify you, sorry") diff --git a/elchos/commands/io b/elchos/commands/io deleted file mode 100755 index eb04ae9..0000000 --- a/elchos/commands/io +++ /dev/null @@ -1,25 +0,0 @@ -#!/usr/bin/zsh -printf '%-10s %-7s %-7s %-7s %-7s\n' IFACE rxkB/s txkB/s rxTotal txTotal -sar -n DEV 1 3 | grep Average: | grep -v IFACE | grep -v ' lo ' | while read line;do - dev=$(echo $line | awk '{print $2}') - rxkb=$(echo $line | awk '{print $5}') - txkb=$(echo $line | awk '{print $6}') - total_bytes_r=$(cat /proc/net/dev | grep ${dev}: | awk '{print $2}') - total_bytes_t=$(cat /proc/net/dev | grep ${dev}: | awk '{print $10}') - - printf '%-10s %-7s %-7s %-7s %-7s\n' $dev $rxkb $txkb $((total_bytes_r / (1024*1024))) $((total_bytes_t / (1024*1024))) -done -printf "%-10s %-7s %-7s\n" "DSK" "rxkB/s" "txkB/s" -sar -p -d 1 3 | grep Average: | grep -v ' DEV ' |while read line; -do - dsk=$(echo $line | awk '{print $2}') - rd_sec=$(echo $line | awk '{print $4}') - wr_sec=$(echo $line | awk '{print $5}') - if echo $dsk | egrep -q '(sd|hd|vd)';then - # TODO for some reason 0.00 can only be interpreted correctly as arithmetic - # expession by zsh - # - # rd is counted in blocks (which is 512 bytes) - printf "%-10s %-7.2f %-7.2f\n" "/dev/$dsk" "$((rd_sec*2))" "$((wr_sec*2))" - fi -done diff --git a/elchos/commands/ips b/elchos/commands/ips deleted file mode 100755 index 17c3965..0000000 --- a/elchos/commands/ips +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/sh -ip addr | grep 'inet ' | awk '{print $2}' | grep -v 127.0.0.1 | grep . diff --git a/elchos/commands/list_downloads b/elchos/commands/list_downloads deleted file mode 100755 index f53067d..0000000 --- a/elchos/commands/list_downloads +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh -ncdc_user=hooker -count=$(sudo -u $ncdc_user /usr/bin/tmux list-windows -t dl 2>/dev/null| wc -l) - -test $count -eq 0 && echo "no downloads running" && exit 0 -for i in $(seq 0 $(($count-1)));do - sudo -u $ncdc_user /usr/bin/tmux capture-pane -t dl:$i -p | grep -v '^$' | tail -n 1 -done diff --git a/elchos/commands/onion b/elchos/commands/onion deleted file mode 100755 index 1a20299..0000000 --- a/elchos/commands/onion +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh - -sudo -u tor /krebs/bin/tor-get-hidden-service.sh || echo "no hidden service configured" diff --git a/elchos/commands/reboot b/elchos/commands/reboot deleted file mode 100755 index a264831..0000000 --- a/elchos/commands/reboot +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh -echo "system is going down" -sudo /usr/bin/reboot diff --git a/elchos/commands/refresh_shares b/elchos/commands/refresh_shares deleted file mode 100755 index 1005998..0000000 --- a/elchos/commands/refresh_shares +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/sh -ncdc_user=hooker -sudo /krebs/bin/refresh-shares.ship 2>&1 -sudo -u $ncdc_user /krebs/bin/update-search.sh 2>&1 diff --git a/elchos/commands/shares b/elchos/commands/shares deleted file mode 100755 index 1601d58..0000000 --- a/elchos/commands/shares +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/sh -df -h | grep '/media/' diff --git a/elchos/commands/update_search b/elchos/commands/update_search deleted file mode 100755 index 1db1c1b..0000000 --- a/elchos/commands/update_search +++ /dev/null @@ -1,3 +0,0 @@ -#!/bin/sh -ncdc_user=hooker -sudo -u $ncdc_user /krebs/bin/update-search.sh diff --git a/elchos/config.py b/elchos/config.py deleted file mode 100644 index eeeacd8..0000000 --- a/elchos/config.py +++ /dev/null @@ -1,78 +0,0 @@ -import socket -name = socket.gethostname() -cfg_file = "/krebs/config.sh" - -# TODO: shell config file cannot contain variables or anything fancy -ret ={} - -import shlex -## load config file, lex split every line, split at = -with open(cfg_file) as f: - for line in f: - k,v = shlex.split(line)[0].split("=",1) - ret[k] = v - -#irc_server = 'irc.freenode.net' -irc_server = ret["IRC_SERVER"] - -debug = False - -state_dir='/krebs/painload/Reaktor' -irc_alarm_timeout = 300 -irc_hammer_interval = 10 -irc_kill_timeout = 360 -irc_nickname = name -irc_restart_timeout = 5 -irc_port = 6667 -irc_channels = [ - '#elchOS' -] - -admin_file='admin.lst' -auth_file='auth.lst' - -def default_command(cmd): - return { - 'capname': cmd, - 'pattern': '^(?:' + name + '|\\*):\\s*' + cmd + '\\s*(?:\\s+(?P<args>.*))?$', - 'argv': [ 'commands/' + cmd ] } - -def elch_command(cmd): - return { - 'capname': cmd, - 'pattern': '^(?:' + name + '|\\*):\\s*' + cmd + '\\s*(?:\\s+(?P<args>.*))?$', - 'argv': [ 'elchos/commands/' + cmd ] } - -public_commands = [ - default_command('caps'), - default_command('hello'), - default_command('uptime'), - default_command('badcommand'), - default_command('rev'), - elch_command('search'), - elch_command('list_downloads'), - elch_command('io'), - elch_command('ips'), - elch_command('shares'), - elch_command('onion'), - default_command('nocommand'), - # command not found - { 'pattern': '^(?:' + name + '|\\*):.*', - 'argv': [ 'commands/respond','You are made of stupid!'] }, - # "highlight" - { 'pattern': '.*\\b' + name + '\\b.*', - 'argv': [ 'commands/say', 'I\'m famous' ] }, - # identify via direct connect - { 'capname': 'identify', - 'pattern': 'identify' + '\\s*(?:\\s+(?P<args>.*))?$', - 'argv' : [ 'commands/identify' ]} - -] - -commands = [ - default_command('reload'), - elch_command('update_search'), - elch_command('refresh_shares'), - elch_command('ftpget'), - elch_command('reboot') -] diff --git a/etc/conf.d/reaktor b/etc/conf.d/reaktor deleted file mode 100644 index a4f3f8e..0000000 --- a/etc/conf.d/reaktor +++ /dev/null @@ -1,2 +0,0 @@ -export target="#krebsco" -export host="irc.freenode.com" diff --git a/etc/init.d/reaktor-debian b/etc/init.d/reaktor-debian deleted file mode 100755 index a94384f..0000000 --- a/etc/init.d/reaktor-debian +++ /dev/null @@ -1,102 +0,0 @@ -#!/bin/sh -# uses template from /etc/init.d/skeleton -### BEGIN INIT INFO -# Provides: reaktor -# Required-Start: -# Required-Stop: -# Default-Start: 2 3 4 5 -# Default-Stop: 0 1 6 -# Short-Description: reaktor -# Description: starts reaktor daemon -# -### END INIT INFO - -PATH=/sbin:/usr/sbin:/bin:/usr/bin -NAME=reaktor -USER=reaktor -DESC="$NAME daemon" -DAEMON=/usr/bin/python -DAEMON_DIR="/krebs/Reaktor/IRC/" -DAEMON_ARGS="${DAEMON_DIR}/asybot.py" -PIDFILE=/var/run/$NAME.pid -SCRIPTNAME=/etc/init.d/$NAME - -[ -x "$DAEMON" ] || exit 0 -[ -r /etc/default/$NAME ] && . /etc/default/$NAME -. /lib/init/vars.sh -. /lib/lsb/init-functions - -do_start() -{ - # 0 if daemon has been started - # 1 if daemon was already running - # 2 if daemon could not be started - start-stop-daemon -b -d $DAEMON_DIR/.. -c $USER --start --quiet --make-pidfile --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ - || return 1 - start-stop-daemon -b -d $DAEMON_DIR/.. -c $USER --start --quiet --make-pidfile --pidfile $PIDFILE --exec $DAEMON -- \ - $DAEMON_ARGS \ - || return 2 -} - -do_stop() -{ - # 0 if daemon has been stopped - # 1 if daemon was already stopped - # 2 if daemon could not be stopped - start-stop-daemon --stop --retry=TERM/30/KILL/5 --pidfile $PIDFILE - RETVAL="$?" - [ "$RETVAL" = 2 ] && return 2 - rm -f $PIDFILE - return "$RETVAL" -} - -do_reload() { - start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE - return 0 -} - -case "$1" in - start) - [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" - do_start - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - stop) - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" - do_stop - case "$?" in - 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; - 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; - esac - ;; - status) - status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? - ;; - restart|force-reload) - log_daemon_msg "Restarting $DESC" "$NAME" - do_stop - case "$?" in - 0|1) - do_start - case "$?" in - 0) log_end_msg 0 ;; - 1) log_end_msg 1 ;; - *) log_end_msg 1 ;; - esac - ;; - *) - # Failed to stop - log_end_msg 1 - ;; - esac - ;; - *) - echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 - exit 3 - ;; -esac - -: diff --git a/etc/supervisor/Reaktor.conf b/etc/supervisor/Reaktor.conf deleted file mode 100644 index 497066e..0000000 --- a/etc/supervisor/Reaktor.conf +++ /dev/null @@ -1,6 +0,0 @@ -[program:Reaktor] -command=/usr/bin/python2.6 IRC/asybot.py -environment=host='irc.freenode.net',target='#krebsco' -redirect_stderr=true -user=reaktor -directory=/krebs/Reaktor diff --git a/etc/systemd/system/Reaktor.service b/etc/systemd/system/Reaktor.service deleted file mode 100644 index 6bb3e55..0000000 --- a/etc/systemd/system/Reaktor.service +++ /dev/null @@ -1,14 +0,0 @@ -[Unit] -Description=Reaktor for user %i -After=network.target nss-lookup.target - -[Service] -Type=normal -#TODO - make reaktor path variable -User=reaktor -ExecStart=/krebs/painload/Reaktor/index -Restart=always -RestartSec=3 - -[Install] -WantedBy=multi-user.target diff --git a/repos/bxfr/bxfr.py b/repos/bxfr/bxfr.py deleted file mode 100644 index 8e6bd10..0000000 --- a/repos/bxfr/bxfr.py +++ /dev/null @@ -1,238 +0,0 @@ -#!/usr/bin/python -tt - -# gxfr replicates dns zone transfers by enumerating subdomains using advanced search engine queries and conducting dns lookups. -# By Tim Tomes (LaNMaSteR53) -# Available for download at http://LaNMaSteR53.com or http://code.google.com/p/gxfr/ - -import sys, os.path, urllib, urllib2, re, time, socket, random, socket - - -def help(): - print """ Syntax: ./gxfr.py domain [options] - - -h, --help this screen - -v enable verbose mode - -t [num of seconds] set number of seconds to wait between queries (default=15) - -q [max num of queries] restrict to maximum number of queries (default=0, indefinite) - --dns-lookup enable dns lookups of all subdomains - --proxy [file|ip:port|-] use a proxy or list of open proxies to send queries (@random w/list) - - [file] must consist of 1 or more ip:port pairs - - replace filename with '-' (dash) to accept stdin - --user-agent ['string'] set custom user-agent string - --timeout [seconds] set socket timeout (default=system default) - --csv [file] - - Examples: - $ ./gxfr.py foxnews.com --dns-lookup -v - $ ./gxfr.py foxnews.com --dns-lookup --proxy open_proxies.txt --timeout 10 - $ ./gxfr.py foxnews.com --dns-lookup -t 5 -q 5 -v --proxy 127.0.0.1:8080 - $ curl http://rmccurdy.com/scripts/proxy/good.txt | ./gxfr.py website.com -v -t 3 --proxy - - """ - sys.exit(2) - -if len(sys.argv) < 2: - help() - -if '-h' in sys.argv or '--help' in sys.argv: - help() - -# declare vars and process arguments -#http://www.bing.com/search?q=site%3agoogle.de&qs=n&filt=all&pq=site%3agoogle.d&sc=8-5&sp=-1&sk=&first=1&FORM=PORE -query_cnt = 0 -csvname = False -domain = sys.argv[1] -sys.argv = sys.argv[2:] -lookup = False -encrypt = True -base_url = 'http://www.bing.com' -base_uri = '/search?qs=n&form=QBRE&sc=0-0&sp=-1&sk=' -base_query = 'site:' + domain -pattern = '//([\.\w-]*)\.%s.+?' % (domain) -proxy = False -user_agent = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; FDM; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)' -verbose = False -secs = 15 -max_queries = 10 # default = 10 queries -# process command line arguments -if len(sys.argv) > 0: - if '--dns-lookup' in sys.argv: - lookup = True - if '--csv' in sys.argv: - csvname = sys.argv[sys.argv.index('--csv') + 1] - if '--proxy' in sys.argv: - proxy = True - filename = sys.argv[sys.argv.index('--proxy') + 1] - if filename == '-': - proxies = sys.stdin.read().split() - elif os.path.exists(filename): - content = open(filename).read() - proxies = re.findall('\d+\.\d+\.\d+\.\d+:\d+', content) - elif re.match(r'^\d+\.\d+\.\d+\.\d+:\d+$', filename): - proxies = [filename] - else: - help() - if '--timeout' in sys.argv: - timeout = int(sys.argv[sys.argv.index('--timeout') + 1]) - socket.setdefaulttimeout(timeout) - if '--user-agent' in sys.argv: - user_agent = sys.argv[sys.argv.index('--user-agent') + 1] - if '-v' in sys.argv: - verbose = True - if '-t' in sys.argv: - secs = int(sys.argv[sys.argv.index('-t') + 1]) - if '-q' in sys.argv: - max_queries = int(sys.argv[sys.argv.index('-q') + 1]) -subs = [] -new = True -page = 0 - -# --begin-- -print '[-] domain:', domain -print '[-] user-agent:', user_agent -# execute search engine queries and scrape results storing subdomains in a list -print '[-] querying search engine, please wait...' -# loop until no new subdomains are found -while new == True: - try: - query = '' - # build query based on results of previous results - for sub in subs: - query += ' -site:%s.%s' % (sub, domain) - full_query = base_query + query - start_param = '&first=%s' % (str(page*10)) - query_param = '&q=%s&pq=%s' % (urllib.quote_plus(full_query),urllib.quote_plus(full_query)) - if len(base_uri) + len(query_param) + len(start_param) < 2048: - last_query_param = query_param - params = query_param + start_param - else: - params = last_query_param[:2047-len(start_param)-len(base_uri)] + start_param - full_url = base_url + base_uri + params - # note: query character limit is passive in mobile, but seems to be ~794 - # note: query character limit seems to be 852 for desktop queries - # note: typical URI max length is 2048 (starts after top level domain) - if verbose: print '[+] using query: %s...' % (full_url) - # build web request and submit query - request = urllib2.Request(full_url) - # spoof user-agent string - request.add_header('User-Agent', user_agent) - # if proxy is enabled, use the correct handler - if proxy == True: - # validate proxies at runtime - while True: - try: - # select a proxy from list at random - num = random.randint(0,len(proxies)-1) - host = proxies[num] - opener = urllib2.build_opener(urllib2.ProxyHandler({'http': host})) - if verbose: print '[+] sending query to', host - # send query to proxy server - result = opener.open(request).read() - # exit while loop if successful - break - except Exception as inst: - print '[!] %s failed: %s' % (host, inst) - if len(proxies) == 1: - # exit of no proxy servers from list are valid - print '[-] valid proxy server not found' - sys.exit(2) - else: - # remove host from list of proxies and try again - del proxies[num] - else: - opener = urllib2.build_opener(urllib2.HTTPHandler(), urllib2.HTTPSHandler()) - # send query to search engine - try: - result = opener.open(request).read() - except Exception as inst: - print '[!] {0}'.format(inst) - if str(inst).index('503') != -1: print '[!] possible shun: use --proxy or find something else to do for 24 hours :)' - sys.exit(2) - if not verbose: sys.stdout.write('.'); sys.stdout.flush() - #if not verbose: sys.stdout.write('\n'); sys.stdout.flush() - # iterate query count - query_cnt += 1 - sites = re.findall(pattern, result) - # create a uniq list - sites = list(set(sites)) - new = False - # add subdomain to list if not already exists - for site in sites: - if site not in subs: - if verbose: print '[!] subdomain found:', site - subs.append(site) - new = True - # exit if maximum number of queries has been made - if query_cnt == max_queries: - print '[-] maximum number of queries made...' - break - # start going through all pages if querysize is maxed out - if new == False: - # exit if all subdomains have been found - if not 'Next page' in result: - #import pdb; pdb.set_trace() # curl to stdin breaks pdb - print '[-] all available subdomains found...' - break - else: - page += 1 - new = True - if verbose: print '[+] no new subdomains found on page. jumping to result %d.' % (page*10) - # sleep script to avoid lock-out - if verbose: print '[+] sleeping to avoid lock-out...' - time.sleep(secs) - except KeyboardInterrupt: - # catch keyboard interrupt and gracefull complete script - break - -# print list of subdomains -print '[-] successful queries made:', str(query_cnt) -if verbose: - # rebuild and display final query if in verbose mode - #final_query = '' - #for sub in subs: - # final_query += '+-site:%s.%s' % (sub, domain) - #print '[+] final query string: %sstart=%s&%s%s' % (base_url, str(page*10), base_query, query) - print '[+] final query string: %s' % (full_url) -print ' ' -print '[subdomains] -', str(len(subs)) -csvwriter = False -try: - if csvname: - import csv - csvwriter = csv.writer(open(csvname,'wb')) -except: - print "[!] Cannot open CSV" -for sub in subs: - dom = '%s.%s' % (sub, domain ) - - #host resolution makes this computer more visible - hostname,aliases,ips = socket.gethostbyname_ex(dom) - #print hostname,aliases,ip - print dom,",".join(ips) - try: - line = [dom] + ips - csvwriter.writerow([dom] + ips) - except: pass - - -# conduct dns lookup if argument is present -if lookup == True: - print ' ' - print '[-] querying dns, please wait...' - dict = {} - # create a dictionary where the subdomain is the key and a list of all associated ips is the value - for sub in subs: - sub = '%s.%s' % (sub, domain) - if verbose: print '[+] querying dns for %s...' % (sub) - # dns query and dictionary assignment - try: - dict[sub] = list(set([item[4][0] for item in socket.getaddrinfo(sub, 80)])) - |