Reaktor: add dnsmap-0.30

11 files changed, 20023 insertions, 0 deletions

diff --git a/Reaktor/repos/dnsmap/CREDITS.txt b/Reaktor/repos/dnsmap/CREDITS.txt
new file mode 100644
index 00000000..5f197151
--- /dev/null
+++ b/Reaktor/repos/dnsmap/CREDITS.txt
@@ -0,0 +1,10 @@
+Main author:
+pagvac (gnucitizen.org)
+
+Patches, bug hunting and general feedback:
+Borys Lacki (www.bothunters.pl)
+Philipp Winter (7c0.org)
+meathive (kinqpinz.info)
+David Kierznowski (withdk.com)
+GNa (gnanet.net)
+srl (security.research.labs@gmail.com)
diff --git a/Reaktor/repos/dnsmap/Changelog.txt b/Reaktor/repos/dnsmap/Changelog.txt
new file mode 100644
index 00000000..ba1b0976
--- /dev/null
+++ b/Reaktor/repos/dnsmap/Changelog.txt
@@ -0,0 +1,25 @@
+20/02/2010: dnsmap 0.30 released at www.gnucitizen.org
+* IPv6 support
+* Makefile included
+* delay option (-d) added. This is useful in cases where dnsmap is killing your bandwidth
+* ignore IPs option (-i) added. This allows ignoring user-supplied IPs from the results. Useful for domains which cause dnsmap to produce false positives
+* changes made to make dnsmap compatible with OpenDNS
+* disclosure of internal IP addresses (RFC 1918) are reported
+* updated built-in wordlist
+* included a standalone three-letter acronym (TLA) subdomains wordlist
+* domains susceptible to "same site" scripting (http://snipurl.com/etbcv) are reported
+* completion time is now displayed to the user
+* mechanism to attempt to bruteforce wildcard-enabled domains
+* unique filename containing timestamp is now created when no specific output filename is supplied by user
+* various minor bugs fixed
+
+22/02/2009: dnsmap 0.22 released at www.gnucitizen.org
+* saving the results in human-readable and CSV format for easy processing
+* fixed bug that disallowed reading wordlists with DOS CRLF format
+* improved built-in subdomains wordlist
+* new bash script (dnsmap-bulk.sh) included which allows running dnsmap against a list of domains from a user-supplied file. i.e.: bruteforcing several domains in a bulk fashion
+* bypassing of signature-based dnsmap detection by generating a proper pseudo-random subdomain when checking for wildcards
+
+17/08/2006: dnsmap 0.1 (first public version) released at foro.elhacker.net
+* bruteforcing based on builtin list and user-supplied wordlist
+* obtain all available A records for each bruteforced (sub)domain (rather than only one)
diff --git a/Reaktor/repos/dnsmap/Makefile b/Reaktor/repos/dnsmap/Makefile
new file mode 100644
index 00000000..2393d374
--- /dev/null
+++ b/Reaktor/repos/dnsmap/Makefile
@@ -0,0 +1,12 @@
+CC=gcc
+CFLAGS=-I.
+BINDIR=/usr/local/bin
+
+dnsmap: dnsmap.c dnsmap.h
+	$(CC) $(CFLAGS) -o dnsmap dnsmap.c
+
+install: dnsmap
+	mkdir -p $(DESTDIR)$(BINDIR)
+	install -m 0755 dnsmap $(DESTDIR)$(BINDIR)
+	install -m 0755 dnsmap-bulk.sh $(DESTDIR)$(BINDIR)/dnsmap-bulk
+
diff --git a/Reaktor/repos/dnsmap/README.txt b/Reaktor/repos/dnsmap/README.txt
new file mode 100644
index 00000000..beab0f21
--- /dev/null
+++ b/Reaktor/repos/dnsmap/README.txt
@@ -0,0 +1,177 @@
+INTRODUCTION
+
+dnsmap was originally released back in 2006 and was inspired by the
+fictional story "The Thief No One Saw" by Paul Craig, which can be found
+in the book "Stealing the Network - How to 0wn the Box"
+
+dnsmap is mainly meant to be used by pentesters during the information
+gathering/enumeration phase of infrastructure security assessments. During the
+enumeration stage, the security consultant would typically discover the target
+company's IP netblocks, domain names, phone numbers, etc ...
+
+Subdomain brute-forcing is another technique that should be used in the
+enumeration stage, as it's especially useful when other domain enumeration
+techniques such as zone transfers don't work (I rarely see zone transfers
+being *publicly* allowed these days by the way).
+
+If you are interested in researching stealth computer intrusion techniques,
+I suggest reading this excellent (and fun) chapter which you can find for
+*free* on the web:
+
+http://www.ethicalhacker.net/content/view/45/2/
+
+I'm happy to say that dnsmap was included in Backtrack 2, 3 and 4 and has
+been reviewed by the community:
+
+http://backtrack.offensive-security.com/index.php?title=Tools
+http://www.networkworld.com/community/node/57543
+http://www.linuxhaxor.net/2007/07/14/backtrack-2-information-gathering-all-dnsmap/
+http://www.darknet.org.uk/2009/03/dnsmap-022-released-subdomain-bruteforcing-tool/
+http://www.gnucitizen.org/blog/new-version-of-dnsmap-out/
+
+
+COMPILING
+
+Compiling should be straightforward:
+
+$ make
+
+Or:
+
+$ gcc -Wall dnsmap.c -o dnsmap
+
+
+INSTALLATION
+
+Example of manual installation:
+
+# cp ./dnsmap /usr/local/bin/dnsmap
+
+If you wish to bruteforce several target domains in bulk fashion, you can use the
+included dnsmap-bulk.sh script. Just copy the script to /usr/local/bin/ so you can 
+call it from any location. e.g.:
+
+# cp ./dnsmap-bulk.sh /usr/local/bin/
+
+And set execute permissions. e.g.:
+
+# chmod ugo+x /usr/local/bin/dnsmap-bulk.sh
+
+
+LIMITATIONS
+
+Lack of multi-threading. This speed issue will hopefully be resolved in future versions.
+
+
+FUN THINGS THAT CAN HAPPEN
+
+1. Finding interesting remote access servers (e.g.: https://extranet.targetdomain.com)
+
+2. Finding badly configured and/or unpatched servers (e.g.: test.targetdomain.com)
+
+3. Finding new domain names which will allow you to map non-obvious/hard-to-find netblocks
+   of your target organization (registry lookups - aka whois is your friend)
+
+4. Sometimes you find that some bruteforced subdomains resolve to internal IP addresses
+   (RFC 1918). This is great as sometimes they are real up-to-date "A" records which means
+   that it *is* possible to enumerate internal servers of a target organization from the
+   Internet by only using standard DNS resolving (as oppossed to zone transfers for instance).
+
+5. Discover embedded devices configured using Dynamic DNS services (e.g.: linksys-cam.com).
+   This method is an alternative to finding devices via Google hacking techniques
+
+USAGE
+
+Bruteforcing can be done either with dnsmap's built-in wordlist or a user-supplied wordlist.
+Results can be saved in CSV and human-readable format for further processing. dnsmap does
+NOT require root privileges to be run, and should NOT be run with such privileges for
+security reasons.
+
+The usage syntax can be obtained by simply running dnsmap without any parameters:
+
+$ ./dnsmap
+
+dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)
+
+usage: dnsmap <target-domain> [options]
+options:
+-w <wordlist-file>
+-r <regular-results-file>
+-c <csv-results-file>
+-d <delay-millisecs>
+-i <ips-to-ignore> (useful if you're obtaining false positives)
+
+Note: delay value is a maximum random value. e.g.: if you enter 1000, each DNS request
+will be delayed a *maximum* of 1 second. By default, dnsmap uses a value of 10 milliseconds
+of maximum delay between DNS lookups
+
+
+EXAMPLES
+Subdomain bruteforcing using dnsmap's built-in word-list:
+
+$ ./dnsmap targetdomain.foo
+
+Subdomain bruteforcing using a user-supplied wordlist:
+
+$ ./dnsmap targetdomain.foo -w wordlist.txt
+
+Subdomain bruteforcing using the built-in wordlist and saving the results to /tmp/ :
+
+$ ./dnsmap targetdomain.foo -r /tmp/
+
+Since no filename was provided in the previous example, but rather only a path, dnsmap would
+create an unique filename which includes the current timestamp. e.g.:
+/tmp/dnsmap_targetdomain_foo_2009_12_15_234953.txt
+
+Example of subdomain bruteforcing using the built-in wordlist, saving the results to /tmp/,
+and waiting a random maximum of 3 milliseconds between each request:
+
+$ ./dnsmap targetdomain.foo -r /tmp/ -d 300
+
+It is recommended to use the -d (delay in milliseconds) option in cases where dnsmap is
+interfering with your online experience. i.e.: killing your bandwidth
+
+Subdomain bruteforcing with 0.8 seconds delay, saving results in regular and CSV format,
+filtering 2 user-provided IP and using a user-supplied wordlist:
+
+$ ./dnsmap targetdomain.foo -d 800 -r /tmp/ -c /tmp/ -i 10.55.206.154,10.55.24.100 -w ./wordlist_TLAs.txt
+
+For bruteforcing a list of target domains in a bulk fashion use the bash script provided. e.g.:
+
+$ ./dnsmap-bulk.sh domains.txt /tmp/results/
+
+
+WORDLISTS
+
+http://packetstormsecurity.org/Crackers/wordlists/dictionaries/
+http://www.cotse.com/tools/wordlists1.htm
+http://wordlist.sourceforge.net/
+
+
+OTHER SIMILAR TOOLS - choice is freedom!
+
+WS-DNS-BFX
+http://ws.hackaholic.org/tools/WS-DNS-BFX.tgz
+
+DNSDigger
+http://www.ernw.de/download/dnsdigger.zip
+
+Fierce Domain Scan
+http://ha.ckers.org/fierce/
+
+Desperate
+http://www.sensepost.com/research_misc.html
+
+DNSenum
+http://dnsenum.googlecode.com/files/dnsenum1.2.tar.gz
+
+ReverseRaider
+http://complemento.sourceforge.net/
+
+Knock
+http://knock.gianniamato.it/
+
+
+--
+pagvac | GNUCITIZEN.org
+Feb 2010
diff --git a/Reaktor/repos/dnsmap/TODO.txt b/Reaktor/repos/dnsmap/TODO.txt
new file mode 100644
index 00000000..0df13680
--- /dev/null
+++ b/Reaktor/repos/dnsmap/TODO.txt
@@ -0,0 +1,13 @@
+* multi-threading - use pthread.h?
+* can't handle wildcarded domains that return more than one IP address on non-existing subdomains
+	test domain: proboards.com
+* allow using a customized list of DNS server to share network load
+* allow using DNS server supplied on the command line
+* for openDNS users: document how to permanently change DNS server settings so they are not overwritten by DHCP settings
+* convert hostent structs to addrinfo ?
+* replace inet_ntoa(*((struct in_addr *)host->h_addr_list[j])) with ipstr
+* obtain aliases for each domain (CNAME records)?
+* clever numerical domain bruteforce for clusters. i.e.: www2, www3
+* pickup new subdomains via reverse lookups (PTR records)
+* better input validation
+	* improve function that validates target domain
diff --git a/Reaktor/repos/dnsmap/dnsmap-bulk.sh b/Reaktor/repos/dnsmap/dnsmap-bulk.sh
new file mode 100755
index 00000000..574aba22
--- /dev/null
+++ b/Reaktor/repos/dnsmap/dnsmap-bulk.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+if [[ $# -ne 1 && $# -ne 2 ]]
+then
+	echo "usage: `basename $0` <domains-file> [results-path]";
+	echo "e.g.:";
+	echo "`basename $0` domains.txt";
+	echo "`basename $0` domains.txt /tmp/";
+	exit
+fi
+for i in `cat $1`
+do
+	if [[ $# -eq 1 ]] 
+	then	
+		dnsmap $i
+	elif [[ $# -eq 2 ]]
+	then
+		dnsmap $i -r $2
+	fi
+done		
diff --git a/Reaktor/repos/dnsmap/dnsmap.c b/Reaktor/repos/dnsmap/dnsmap.c
new file mode 100644
index 00000000..5276e305
--- /dev/null
+++ b/Reaktor/repos/dnsmap/dnsmap.c
@@ -0,0 +1,795 @@
+/*
+ * ** dnsmap - DNS Network Mapper by pagvac
+ * ** Copyright (C) 2010 gnucitizen.org
+ * **
+ * ** This program is free software; you can redistribute it and/or modify
+ * ** it under the terms of the GNU General Public License as published by
+ * ** the Free Software Foundation; either version 2 of the License, or
+ * ** (at your option) any later version.
+ * **
+ * ** This program is distributed in the hope that it will be useful,
+ * ** but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * ** GNU General Public License for more details.
+ * **
+ * ** You should have received a copy of the GNU General Public License
+ * ** along with this program; if not, write to the Free Software
+ * ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ * */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <netdb.h>
+#include <string.h>
+#include <time.h>
+#include <unistd.h>
+#include <ctype.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include "dnsmap.h" // built-in subdomains list and define macros
+
+
+// function prototypes
+unsigned short int wildcarDetect(char *, char *);
+unsigned short int dodelay(unsigned short int);
+unsigned short int isPrivateIP(char *);
+unsigned short int isValidDomain(char *);
+unsigned short int usesOpenDNS(char *);
+unsigned short int isIPblacklisted(char *);
+
+int main(int argc, char *argv[]) {
+
+	unsigned short int i=0, j=0, k=0, l=0, found=0, ipCount=0, filtIPcount=0, milliseconds=10, intIPcount=0,
+		wordlist=FALSE, txtResults=FALSE, csvResults=FALSE,
+		delay=TRUE, filter=FALSE;
+	unsigned long int start=0, end=0;
+	char dom[MAXSTRSIZE]={'\0'}, csvResultsFilename[MAXSTRSIZE]={'\0'}, 
+		txtResultsFilename[MAXSTRSIZE]={'\0'}, wordlistFilename[MAXSTRSIZE]={'\0'},
+		ipstr[INET_ADDRSTRLEN]={'\0'}, wildcardIpStr[INET_ADDRSTRLEN]={'\0'},
+		filterIPs[5][INET_ADDRSTRLEN]={{'\0'}},
+		invalidTldIpstr[INET_ADDRSTRLEN]={'\0'};
+	void *addr;
+	char *ipver, *strP;
+
+	struct hostent *h;
+	// start of IPv6 stuff
+    	struct addrinfo hints, *res, *p;
+    	int status;
+    	char ipv6str[INET6_ADDRSTRLEN];
+        memset(&hints, 0, sizeof hints);
+        hints.ai_family = AF_INET6; // AF_INET or AF_INET6 to force version
+        hints.ai_socktype = SOCK_STREAM;
+	// end of IPv6 stuff
+
+	FILE *fpWords,*fpCsvLogs,*fpTxtLogs;
+
+	time_t     now;
+	struct tm  *ts;
+	char       timestampBuf[18];
+ 
+	printf("%s", BANNER);
+
+	// get the current time
+	now = time(NULL);
+	 
+	// timestamp format: yyyy_mm_dd_hhmmss
+	ts = localtime(&now);
+	strftime(timestampBuf, sizeof(timestampBuf), "%Y_%m_%d_%H%M%S", ts);
+
+
+	// start of *primitive* input validation
+	// ideally more work should be spent on this!
+	if(argc==1) {
+		printf("%s%s", USAGE, EXAMPLES);	
+		exit(1);	
+	}
+	else if(argc%2==1 && argc>2) {
+		printf("%s%s", USAGE, EXAMPLES);	
+		exit(1);	
+	}
+	for(i=0;argv[1][i];++i) // convert domain to lower case
+		argv[1][i]=(tolower(argv[1][i]));
+	#if DEBUG
+		printf("domain: %s\n", argv[1]);
+	#endif	
+	if(!isValidDomain(argv[1])) {
+		printf("%s", DOMAINERR);	
+		exit(1);
+	}
+
+	for(i=0;i<argc;++i) {
+		if((strlen(argv[i]))>MAXSTRSIZE) {
+			printf("%s",INPUTERR);                        
+			exit(1);
+		}
+	}
+	// end of simple input validation
+	
+	/*
+	else if ((h=gethostbyname(argv[1])) == NULL) {  // get the host info
+	        herror("gethostbyname");
+	        exit(1);
+	}
+	*/
+	
+	start=(int)time(NULL);
+
+	#if DEBUG
+		printf("start time: %d\n", (int)start);
+	#endif
+
+	// parse options
+	for(i=0;i<argc;++i) { 
+		// save results in file using regular format	
+		if(!strcmp(argv[i],"-r")) {	
+	       		// contruct path where txt results file will be created 
+			txtResults=TRUE;	
+			//strncpy(csvResultsFilename, argv[(i+1)], MAXSTRSIZE);
+			strncpy(txtResultsFilename, argv[(i+1)], MAXSTRSIZE-strlen(txtResultsFilename)-1);	
+			fpTxtLogs=fopen(txtResultsFilename, "a");
+			if(!fpTxtLogs) {
+				strncat(txtResultsFilename, "dnsmap_", MAXSTRSIZE-strlen(txtResultsFilename)-1);
+				strncat(txtResultsFilename, argv[1], MAXSTRSIZE-strlen(txtResultsFilename)-1);
+				strncat(txtResultsFilename, "_", MAXSTRSIZE-strlen(txtResultsFilename)-1);
+				strncat(txtResultsFilename, timestampBuf, MAXSTRSIZE-strlen(txtResultsFilename)-1);
+				// replace dots '.' with underscores '_' in filename
+				for(l=0;l<strlen(txtResultsFilename);++l)
+					if(txtResultsFilename[l]=='.')
+						txtResultsFilename[l]='_';
+				strncat(txtResultsFilename, ".txt", MAXSTRSIZE-strlen(txtResultsFilename)-1);
+				fpTxtLogs=fopen(txtResultsFilename, "a");
+				if(!fpTxtLogs) {
+					printf(CREATEFILEERR);
+					exit(1);
+				}
+			}
+		}
+
+		// save results in file using CSV format	
+		if(!strcmp(argv[i],"-c")) {	
+	       		// contruct path where CSV results file will be created 
+			csvResults=TRUE;	
+			strncpy(csvResultsFilename, argv[(i+1)], MAXSTRSIZE-strlen(csvResultsFilename)-1);
+ 		 	fpCsvLogs=fopen(csvResultsFilename, "a");
+			if(!fpCsvLogs) {
+				strncat(csvResultsFilename, "dnsmap_", MAXSTRSIZE-strlen(csvResultsFilename)-1);
+				strncat(csvResultsFilename, argv[1], MAXSTRSIZE-strlen(csvResultsFilename)-1);
+				strncat(csvResultsFilename, "_", MAXSTRSIZE-strlen(csvResultsFilename)-1);
+				strncat(csvResultsFilename, timestampBuf, MAXSTRSIZE-strlen(csvResultsFilename)-1);
+				// replace dots '.' with underscores '_' in filename
+				for(l=0;l<strlen(csvResultsFilename);++l)
+					if(csvResultsFilename[l]=='.')
+						csvResultsFilename[l]='_';
+				strncat(csvResultsFilename, ".csv", MAXSTRSIZE-strlen(csvResultsFilename)-1);
+				fpCsvLogs=fopen(csvResultsFilename, "a");
+				if(!fpCsvLogs) {
+					printf(CREATEFILEERR);
+					exit(1);
+				}
+			}
+		}	
+
+		// use provided wordlist as opposed to built-in one
+		if(!strcmp(argv[i],"-w")) {
+			wordlist=TRUE;
+			strncpy(wordlistFilename, argv[(i+1)],MAXSTRSIZE);
+		}
+
+		// delay between subdomain resolution requests
+		if(!strcmp(argv[i],"-d")) {
+			if(atoi(argv[(i+1)])<1 || atoi(argv[(i+1)])>300000) {  // delay must be between 1 ms and 5 minutes
+				printf("%s", DELAYINPUTERR);
+				exit(1);
+			}						
+			delay=TRUE;
+			milliseconds=atoi(argv[(i+1)]);
+		}
+		// filter out user-provided IP(s)
+		if(!strcmp(argv[i],"-i")) {
+		        for(filtIPcount=1,j=0;argv[i+1][j]!='\0';++j)
+       		        	if(argv[i+1][j]==',')
+               		         	++filtIPcount;
+			#if DEBUG			
+				printf("%d IP(s) to filter found\nParsing ...\n", filtIPcount);
+			#endif
+        		if(filtIPcount<=5) {
+				printf(FILTERMSG);
+               	 		strP=strtok(argv[i+1],",");
+                		for(j=0;strP;) {
+                        		if(strlen(strP)<INET_ADDRSTRLEN) {
+                                		strncpy(filterIPs[j],strP,INET_ADDRSTRLEN);
+						#if DEBUG
+	                                		printf("%s\n",filterIPs[j]);
+						#endif
+                                		++j;
+                        		}
+                        		strP=strtok(NULL," ,");
+                		}
+        		}
+			else {
+				printf(FILTIPINPUTERR);
+				exit(1);
+			}
+		}
+	}
+
+	// read subdomains from built-in list
+	if(!wordlist) {
+		// openDNS detection
+		if(usesOpenDNS(invalidTldIpstr))
+			printf("%s",OPENDNSMSG);
+
+		// wildcard detection
+		wildcarDetect(argv[1],wildcardIpStr);
+
+		if(strcmp(invalidTldIpstr,wildcardIpStr))
+			printf(WILDCARDWARN);
+		printf(BUILTINMSG);
+		if(milliseconds>=1)
+                	printf(DELAYMSG);	
+			
+		printf("%s", "\n");
+		for(i=0;i<(sizeof(sub)/MAXSUBSIZE);++i) {
+			//skipResolve=FALSE;
+			strncpy(dom,sub[i],MAXSTRSIZE-strlen(dom)-1);
+			strncat(dom,".",MAXSTRSIZE-strlen(dom)-1);//TEST
+			strncat(dom,argv[1],MAXSTRSIZE-strlen(dom)-1);
+			#if DEBUG
+				printf("brute-forced domain: %s\n",dom);
+			#endif
+
+			// ipv6 code modded from www.kame.net
+			status = getaddrinfo(dom, NULL, &hints, &res);
+		    	if ((status=getaddrinfo(dom, NULL, &hints, &res))==0) {
+				printf("%s\n", dom);
+				++found;
+			    	if(txtResults)
+					fprintf(fpTxtLogs, "%s\n", dom);
+				if(csvResults)
+					fprintf(fpCsvLogs, "%s", dom);
+			    	for(p=res,k=0;p;p=p->ai_next,++k) {
+					if (p->ai_family==AF_INET6) { // IPv6
+				    		struct sockaddr_in6 *ipv6=(struct sockaddr_in6 *)p->ai_addr;
+				    		addr = &(ipv6->sin6_addr);
+				    		ipver = "IPv6";
+					}
+					// convert the IP to a string and print it:
+					inet_ntop(p->ai_family, addr, ipv6str, sizeof ipv6str);
+			       		printf("%s address #%d: %s\n",ipver,k+1,ipv6str);
+					++ipCount;
+					if(txtResults)
+						fprintf(fpTxtLogs,"%s address #%d: %s\n",ipver,k+1,ipv6str);
+					if(csvResults)
+						fprintf(fpCsvLogs,",%s", ipv6str);	
+		    		}
+				printf("%s", "\n");
+				if(txtResults)
+					fprintf(fpTxtLogs,"\n");
+				if(csvResults)
+					fprintf(fpCsvLogs,"\n");	
+	    			freeaddrinfo(res); // free the linked list
+			} // end of if conditional
+			h=gethostbyname(dom);
+			//sprintf(ipstr,inet_ntoa(*((struct in_addr *)h->h_addr_list[0])),"%s");
+			//for(j=0;h->h_addr_list[j];++j) {
+			//	sprintf(ipstr,inet_ntoa(*((struct in_addr *)h->h_addr_list[j])),"%s");
+			//	if(isIPblacklisted(ipstr)) {
+			//		skipResolve=TRUE;
+			//		break;
+			//	}
+			//}
+			//if(h && !skipResolve) {
+			//if(h && !isIPblacklisted(ipstr)) {
+			if(h && !isIPblacklisted(inet_ntoa(*((struct in_addr *)h->h_addr_list[0])))) {
+				for(j=0;h->h_addr_list[j];++j) {
+					sprintf(ipstr,inet_ntoa(*((struct in_addr *)h->h_addr_list[j])),"%s");
+					for(k=0;k<filtIPcount;++k) {
+						if(strcmp(filterIPs[k],ipstr)==0) { // filtered IP found
+							 // 1st IP of array - weird output formatting bug
+							if(j!=0 && strcmp(wildcardIpStr,filterIPs[k])) {
+								printf("\n");
+							    	if(txtResults)
+									fprintf(fpTxtLogs, "%s", "\n");
+								if(csvResults)
+									fprintf(fpCsvLogs, "%s", "\n");
+							}
+							#if DEBUG
+								printf("%s found and ignored\n",filterIPs[k]);
+							#endif
+							filter=TRUE;
+							if(h->h_addr_list[j+1])
+								++j;
+							else
+								break;
+						}
+					}
+					// END OF TEST
+					//if(strcmp(wildcardIpStr,ipstr) && strcmp(filterIpStr,ipstr)) {
+					if(strcmp(wildcardIpStr,ipstr) && filter==FALSE) {
+						if(j==0) {
+							++found;
+							printf("%s\n", dom);
+						
+						    	if(txtResults)
+								fprintf(fpTxtLogs, "%s\n", dom);
+							if(csvResults)
+								fprintf(fpCsvLogs, "%s", dom);
+						}
+						printf("[%d] %s : %s\n", j+1,dom,ipstr);
+						++ipCount;
+
+						if(isPrivateIP(ipstr)) {
+						//if(isPrivateIP(inet_ntoa(*((struct in_addr *)h->h_addr_list[j])))) {
+							printf("%s",INTIPWARN);
+							++intIPcount;						
+						}
+						if(!strcmp(ipstr,"127.0.0.1") && strcmp(wildcardIpStr,ipstr)) {	
+						//if(!strcmp(inet_ntoa(*((struct in_addr *)h->h_addr_list[j])),
+							//"127.0.0.1"))
+							printf("%s",SAMESITEXSSWARN);
+						}
+						if(txtResults) {
+							//fprintf(fpCsvLogs,",%s",
+							//	inet_ntoa(*((struct in_addr *)h->h_addr_list[j])));	
+							fprintf(fpTxtLogs,"IP address #%d: %s\n", j+1, ipstr);
+							if(isPrivateIP(ipstr) && strcmp(wildcardIpStr,ipstr))
+								fprintf(fpTxtLogs,"%s",INTIPWARN);
+							if(!strcmp(ipstr,"127.0.0.1") && strcmp(wildcardIpStr,ipstr))
+								fprintf(fpTxtLogs,"%s",SAMESITEXSSWARN);
+						}
+						if(csvResults && strcmp(wildcardIpStr,ipstr))
+							fprintf(fpCsvLogs,",%s",ipstr);
+					}
+				}	
+				//if(strcmp(wildcardIpStr,ipstr) && strcmp(filterIpStr,ipstr)) {
+				if(strcmp(wildcardIpStr,ipstr) && filter==FALSE) {				
+					printf("%s", "\n");
+					if(txtResults)
+						fprintf(fpTxtLogs,"%s","\n");
+					if(csvResults)
+						fprintf(fpCsvLogs,"%s","\n");
+				}
+				filter=FALSE;
+			}
+  			// user wants delay between DNS requests?
+			if(delay)
+				dodelay(milliseconds);				
+		}
+		if(txtResults)
+			fclose(fpTxtLogs);
+		if(csvResults)
+			fclose(fpCsvLogs);	
+	}
+	
+	// read subdomains from wordlist file	
+	else if(wordlist) {
+      		// openDNS detection
+		if(usesOpenDNS(invalidTldIpstr))
+			printf("%s",OPENDNSMSG);
+
+		// wildcard detection
+		wildcarDetect(argv[1],wildcardIpStr);
+		if(strcmp(invalidTldIpstr,wildcardIpStr))
+			printf(WILDCARDWARN);
+
+		fpWords=fopen(wordlistFilename, "r");	
+		if(fpWords) { 
+			printf(EXTERNALMSG);
+			if(milliseconds>=1)
+	                	printf(DELAYMSG);
+			printf("%s","\n");
+	
+                        while(!feof(fpWords)) {
+				//strncpy(dom,"",MAXSTRSIZE-strlen(dom)-1);
+				for(i=0;i<strlen(dom);++i)
+					dom[i]='\0';
+				fscanf(fpWords,"%100s",dom); // wordlist subdomain not allowed to be more than 100 chars
+				#if DEBUG
+					printf("lengh of dom: %d\n",strlen(dom));				
+				#endif
+	                        strncat(dom,".",MAXSTRSIZE-strlen(dom)-1);
+	                        strncat(dom,argv[1],MAXSTRSIZE-strlen(dom)-1);
+	
+				#if DEBUG
+					printf("brute-forced domain: %s\n",dom);
+				#endif
+				// ipv6 code modded from www.kame.net
+				status = getaddrinfo(dom, NULL, &hints, &res);
+			    	if ((status=getaddrinfo(dom, NULL, &hints, &res))==0) {
+					printf("%s\n", dom);
+					++found;
+				    	if(txtResults)
+						fprintf(fpTxtLogs, "%s\n", dom);
+					if(csvResults)
+						fprintf(fpCsvLogs, "%s", dom);
+				    	for(p=res,k=0;p;p=p->ai_next,++k) {
+						void *addr;
+						char *ipver;
+						if (p->ai_family==AF_INET6) { // IPv6
+					    		struct sockaddr_in6 *ipv6=(struct sockaddr_in6 *)p->ai_addr;
+					    		addr = &(ipv6->sin6_addr);
+					    		ipver = "IPv6";
+						}
+						// convert the IP to a string and print it:
+						inet_ntop(p->ai_family, addr, ipv6str, sizeof ipv6str);
+				       		printf("%s address #%d: %s\n",ipver,k+1,ipv6str);
+						++ipCount;
+						if(txtResults)
+							fprintf(fpTxtLogs,"%s address #%d: %s\n",ipver,k+1,ipv6str);
+						if(csvResults)
+							fprintf(fpCsvLogs,",%s", ipv6str);	
+			    		}
+					printf("%s", "\n");
+					if(txtResults)
+						fprintf(fpTxtLogs,"\n");
+					if(csvResults)
+						fprintf(fpCsvLogs,"\n");	
+
+		    			freeaddrinfo(res); // free the linked list
+					// ipv6 code modded from www.kame.net
+				} // end of if conditional
+
+				h=gethostbyname(dom);
+
+				if(h && !isIPblacklisted(inet_ntoa(*((struct in_addr *)h->h_addr_list[0])))) {
+                                        for(j=0;h->h_addr_list[j];++j) {
+						sprintf(ipstr,inet_ntoa(*((struct in_addr *)h->h_addr_list[j])),"%s");
+						//TEST
+						for(k=0;k<filtIPcount;++k) {
+							if(strcmp(filterIPs[k],ipstr)==0) { // filtered IP found
+								// 1st IP of array - weird output formatting bug
+								if(j!=0 && strcmp(wildcardIpStr,filterIPs[k])) {
+									printf("\n");
+								    	if(txtResults)
+										fprintf(fpTxtLogs, "%s", "\n");
+									if(csvResults)
+										fprintf(fpCsvLogs, "%s", "\n");
+								}
+								#if DEBUG
+									printf("%s found and ignored\n",filterIPs[k]);
+								#endif
+								filter=TRUE;
+								if(h->h_addr_list[j+1])
+									++j;
+								else
+									break;
+							}
+						}
+						// END OF TEST                                      
+
+						//if(strcmp(wildcardIpStr,ipstr) && strcmp(filterIpStr,ipstr)) {
+						if(strcmp(wildcardIpStr,ipstr) && filter==FALSE) {
+							if(j==0) {
+								++found;
+								printf("%s\n",dom);
+
+						               if(txtResults) {
+						                        //fprintf(fpCsvLogs,"%s",dom);
+									fprintf(fpTxtLogs,"%s\n",dom);
+								}
+						                if(csvResults) {
+						                        //fprintf(fpCsvLogs,"%s",dom);
+									fprintf(fpCsvLogs,"%s",dom);
+								}
+							}
+							printf("IP address #%d: %s\n",j+1,ipstr);
+							++ipCount;
+						
+							if(isPrivateIP(ipstr) && strcmp(wildcardIpStr,ipstr)) {
+								printf("%s",INTIPWARN);
+								++intIPcount;						
+							}
+							if(!strcmp(ipstr,"127.0.0.1") && strcmp(wildcardIpStr,ipstr))
+								printf("%s",SAMESITEXSSWARN);
+			                                if(txtResults && strcmp(wildcardIpStr,ipstr)) {
+								fprintf(fpTxtLogs,"IP address #%d: %s\n",j+1,ipstr);
+								if(isPrivateIP(ipstr))
+									fprintf(fpTxtLogs,"%s",INTIPWARN);
+								if(!strcmp(ipstr,"127.0.0.1"))
+									fprintf(fpTxtLogs,"%s",SAMESITEXSSWARN);
+							}
+							if(csvResults && strcmp(wildcardIpStr,ipstr))
+								fprintf(fpCsvLogs,",%s",ipstr);	
+						}
+                                        }
+					//if(strcmp(wildcardIpStr,ipstr) && strcmp(filterIpStr,ipstr)) {
+					if(strcmp(wildcardIpStr,ipstr) && filter==FALSE) {
+							printf("%s", "\n");
+		                                if(txtResults)
+							fprintf(fpTxtLogs,"%s","\n");
+						if(csvResults)
+		                                        fprintf(fpCsvLogs,"%s","\n");
+					}
+					filter=FALSE;
+                                }
+				// user wants delay between DNS requests?
+				if(delay)
+					dodelay(milliseconds);
+			} // end while() loop
+			fclose(fpWords);
+		}
+		else {
+			printf(OPENFILEERR);
+			exit(1);
+		}
+		if(txtResults)
+			fclose(fpTxtLogs);
+		if(csvResults)
+			fclose(fpCsvLogs);			
+	}
+
+	printf(RESULTSMSG4);
+	if(intIPcount>=1)
+		printf(RESULTSMSG1);
+
+	if(txtResults)
+		printf(RESULTSMSG2);
+	if(csvResults)
+		printf(RESULTSMSG5);	
+
+	end=(int)time(NULL);
+	printf(RESULTSMSG3);
+
+	return 0;
+}
+
+// return true if domain wildcards are enabled
+unsigned short int wildcarDetect(char *dom, char *ipstr) {
+        char strTmp[30]={'\0'},s[MAXSTRSIZE]={'\0'};
+        unsigned short int i=0,n=0,max=0;
+	struct hostent *h;
+
+        srand(time(NULL));
+	max=rand()%20;
+	// max should be between 10 and 20
+	if(max<10)
+		max=max+(10-max);
+	
+	// generate up to random 20 digits-long subdomain
+	// e.g. 06312580442146732554
+ 
+	for(i=0;i<max;++i) {
+                n=rand()%10;
+                sprintf(strTmp, "%d", n);
+                if(i==0)
+                        strncpy(s,strTmp,MAXSTRSIZE-strlen(s)-1);
+                else
+                        strncat(s,strTmp,MAXSTRSIZE-strlen(s)-1);
+        }
+	strncat(s,".",MAXSTRSIZE-strlen(s)-1);
+	strncat(s, dom,MAXSTRSIZE-strlen(s)-1);
+	#if DEBUG
+		printf("random subdomain for wildcard testing: %s\n",s);
+	#endif
+	
+	// random subdomain resolves, thus wildcards are enabled
+	h=gethostbyname(s); // replace with getaddrinfo() ?
+	if(h) { /*
+		for(i=0;h->h_addr_list[i];++i) {
+		*/
+		//sprintf(ipstr,inet_ntoa(*((struct in_addr *)h->h_addr_list[i])),"%s");	                              
+		sprintf(ipstr,inet_ntoa(*((struct in_addr *)h->h_addr_list[0])),"%s");
+		#if DEBUG
+			printf("wildcard domain\'s IP address: %s\n",ipstr);
+		#endif
+		return TRUE;
+	}
+	else
+		return FALSE;
+}
+
+// return number of milliseconds delayed
+unsigned short int dodelay(unsigned short int maxmillisecs) {
+	unsigned short int n=0;
+
+	srand(time(NULL));
+	n=rand()%maxmillisecs;
+	++n;
+	maxmillisecs=n;
+	#if DEBUG
+		printf("sleeping %d milliseconds ...\n",maxmillisecs);
+	#endif
+	usleep(maxmillisecs*1000);
+
+	return maxmillisecs;
+}
+
+// return true if IP addr is internal (RFC1918)
+unsigned short int isPrivateIP(char *ip) {
+	
+  	char classB[][8]={"172.16.","172.17.","172.18.","172.19.",
+		"172.20.","172.21.","172.22.","172.23.","172.24.",
+		"172.25.","172.26.","172.27.","172.28.","172.29.",
+		"172.30.","172.31."};
+
+	unsigned short int i=0,j=0;
+	size_t len = strlen(ip);
+
+	// shortest: 0.0.0.0 - 8 chars inc \0
+	// longest: 255.255.255.255 - 16 chars inc \0
+	if(len<8 || len>16)
+		return 0;
+	// ip addr must have three period signs
+	for(i=0,j=0;i<len;++i) {
+		if(ip[i]=='.')
+			++j;
+	}
+	if(j!=3 || ip[0]=='.' || ip[len-1]=='.')
+		return 0;
+
+	// 10.0.0.0 - 10.255.255.255 (10/8 prefix)
+	if(strncmp(ip,"10.",3)==0)
+		return 1;
+
+	// 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
+	else if(strncmp(ip,"192.168.",8)==0)
+		return 1;
+	
+	
+	else {
+		// 172.16.0.0 - 172.31.255.255  (172.16/12 prefix)		
+		for(i=0;i<sizeof(classB)/8;++i) {
+			if(strncmp(ip,classB[i],7)==0)
+				return 1;
+		}
+		return 0;
+	}
+}
+
+// return true if domain is valid, false otherwise
+unsigned short int isValidDomain(char *d) {
+
+	unsigned int i=0, j=0;
+	char *tld;
+	size_t len;
+        char strTmp[30]={'\0'},s[MAXSTRSIZE]={'\0'};
+        unsigned short int n=0,max=0;
+
+	struct hostent *h;
+
+	if(strlen(d)<4) // smallest possible domain provided. e.g. a.pl
+		return 0;
+	if(!strstr(d,".")) // target domain must have at least one dot. e.g. target.va, branch.target.va
+		return 0;
+        tld=strstr(d,".");
+        tld=tld+1;
+	while(strstr(tld,".")){
+		tld=strstr(tld,".");	
+		tld=tld+1;
+	}
+	#if DEBUG
+		printf("tld\'s length: %d\n",strlen(tld));
+		printf("dom: %s tld: %s\n",d,tld);
+	#endif
+	if((strlen(tld)<2) || (strlen(tld)>6)) // tld must be between 2-6 char. e.g. .museum, .uk
+		return FALSE;
+
+	// valid domain can only contain digits, letters, dot (.) and dash symbol (-)
+	len = strlen(d);
+	for(i=0;i<len;++i) {
+		if (!(d[i] >= '0' && d[i] <= '9') &&
+			!(d[i] >= 'a' && d[i] <= 'z') &&
+			!(d[i] >= 'A' && d[i] <= 'Z') &&
+			!(d[i] >= '-' && d[i] <= '.'))
+			return 0;
+	}
+
+        srand(time(NULL));
+	max=rand()%20;
+	// max should be between 10 and 20
+	if(max<10)
+		max=max+(10-max);
+	
+	// generate up to random 20 digits-long subdomain
+	// e.g. 06312580442146732554
+ 
+	for(i=0;i<max;++i) {
+                n=rand()%10;
+                sprintf(strTmp, "%d", n);
+                if(i==0)
+                        strncpy(s,strTmp,MAXSTRSIZE-strlen(s)-1);
+                else
+                        strncat(s,strTmp,MAXSTRSIZE-strlen(s)-1);
+        }
+	strncat(s,".",MAXSTRSIZE-strlen(s)-1);