From 3741d76a38dc4b412780eb2a4ad79467a01f884b Mon Sep 17 00:00:00 2001 From: makefu Date: Tue, 17 Apr 2012 23:30:41 +0200 Subject: add clean arguments to bot --- Reaktor/IRC/asybot.py | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) (limited to 'Reaktor') diff --git a/Reaktor/IRC/asybot.py b/Reaktor/IRC/asybot.py index 657cee40..17f9cb3a 100755 --- a/Reaktor/IRC/asybot.py +++ b/Reaktor/IRC/asybot.py @@ -12,6 +12,8 @@ from asyncore import loop from socket import AF_INET, SOCK_STREAM from signal import SIGALRM, signal, alarm from datetime import datetime as date, timedelta +import shlex +from time import sleep from sys import exit from re import split, search @@ -107,6 +109,7 @@ class asybot(asychat): def PRIVMSG(text): msg = 'PRIVMSG %s :%s' % (','.join(params), text) self.push(msg) + sleep(2) def ME(text): PRIVMSG('ACTION ' + text + '') @@ -133,11 +136,12 @@ class asybot(asychat): if is_executable(command): env = {} + args = [] if _argument != None: env['argument'] = _argument - + args = shlex.split(_argument) try: - p = popen([command], stdin=PIPE, stdout=PIPE, stderr=PIPE, env=env) + p = popen([command] + args, stdin=PIPE, stdout=PIPE, stderr=PIPE, env=env) except OSError, error: ME('brain damaged') log.error('OSError@%s: %s' % (command, error)) @@ -181,8 +185,12 @@ if __name__ == "__main__": lol = logging.DEBUG if env.get('debug',False) else logging.INFO logging.basicConfig(level=lol) - name = getconf1('Name', '/etc/tinc/retiolum/tinc.conf') - hostname = '%s.retiolum' % name + try: + name = getconf1('Name', '/etc/tinc/retiolum/tinc.conf') + hostname = '%s.retiolum' % name + except: + name = socket.gethostname() + hostname = name nick = str(env.get('nick', name)) host = str(env.get('host', 'supernode')) port = int(env.get('port', 6667)) -- cgit v1.2.3 From 5c39a037807847ce5a8ec8bae6a1914a0445b7ec Mon Sep 17 00:00:00 2001 
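Review bot: `args = shlex.split(_argument)` inside the `if _argument != None:` branch raises ValueError when the IRC argument contains an unmatched quote character, and the `try` below only wraps `popen` and only catches OSError, so such a message escapes the handler instead of being reported like a broken command. Either move the split into the try or guard it separately: `try:` / `    args = shlex.split(_argument)` / `except ValueError:` followed by `ME('brain damaged'); return`. Since the split string now becomes the child's argv, every script under public_commands receives caller-controlled arguments and has to validate them itself; a comment at the split such as `# _argument is typed by the IRC user: commands must treat argv as untrusted` would make that contract visible. The enclosing handler starts before this hunk.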
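Review bot: The new bare `except:` around `getconf1('Name', '/etc/tinc/retiolum/tinc.conf')` catches everything, including SystemExit and KeyboardInterrupt, and the fallback calls `socket.gethostname()` although the import block in this file only shows `from socket import AF_INET, SOCK_STREAM`; unless `import socket` exists outside the hunk, the fallback itself fails with NameError. Narrow the handler to the errors a missing or unreadable config produces (presumably IOError/OSError — confirm against getconf1) and import the name that is used: `from socket import AF_INET, SOCK_STREAM, gethostname` in the import block and `except (IOError, OSError):` / `    name = gethostname()`. A log line in the fallback path, if `log` is in scope there, would explain why the bot connected under an unexpected nick.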
From: makefu Date: Tue, 17 Apr 2012 23:43:01 +0200 Subject: add debian autostart --- Reaktor/autostart/reaktor | 2 + Reaktor/autostart/reaktor-debian | 102 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 104 insertions(+) create mode 100644 Reaktor/autostart/reaktor create mode 100755 Reaktor/autostart/reaktor-debian (limited to 'Reaktor') diff --git a/Reaktor/autostart/reaktor b/Reaktor/autostart/reaktor new file mode 100644 index 00000000..a4f3f8e1 --- /dev/null +++ b/Reaktor/autostart/reaktor @@ -0,0 +1,2 @@ +export target="#krebsco" +export host="irc.freenode.com" diff --git a/Reaktor/autostart/reaktor-debian b/Reaktor/autostart/reaktor-debian new file mode 100755 index 00000000..61644788 --- /dev/null +++ b/Reaktor/autostart/reaktor-debian 
@@ -0,0 +1,102 @@ +#!/bin/sh +# uses template from /etc/init.d/skeleton +### BEGIN INIT INFO +# Provides: reaktor +# Required-Start: +# Required-Stop: +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: reaktor +# Description: starts reaktor daemon +# +### END INIT INFO + +PATH=/sbin:/usr/sbin:/bin:/usr/bin +NAME=reaktor +REAKTOR_USER=reaktor +DESC="$NAME daemon" +DAEMON=/usr/bin/python +DAEMON_DIR="/krebs/Reaktor/IRC/" +DAEMON_ARGS="${DAEMON_DIR}/asybot.py" +PIDFILE=/var/run/$NAME.pid +SCRIPTNAME=/etc/init.d/$NAME + +[ -x "$DAEMON" ] || exit 0 +[ -r /etc/default/$NAME ] && . /etc/default/$NAME +. /lib/init/vars.sh +. /lib/lsb/init-functions + +do_start() +{ + # 0 if daemon has been started + # 1 if daemon was already running + # 2 if daemon could not be started + start-stop-daemon -b -d $DAEMON_DIR -c $USER --start --quiet --make-pidfile --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ + || return 1 + start-stop-daemon -b -d $DAEMON_DIR -c $USER--start --quiet --make-pidfile --pidfile $PIDFILE --exec $DAEMON -- \ + $DAEMON_ARGS \ + || return 2 +} + +do_stop() +{ + # 0 if daemon has been stopped + # 1 if daemon was already stopped + # 2 if daemon could not be stopped + start-stop-daemon --stop --retry=TERM/30/KILL/5 --pidfile $PIDFILE + RETVAL="$?" + [ "$RETVAL" = 2 ] && return 2 + rm -f $PIDFILE + return "$RETVAL" +} + +do_reload() { + start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE + return 0 +} + +case "$1" in + start) + [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" + do_start + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + stop) + [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" + do_stop + case "$?" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + ;; + status) + status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? 
+ ;; + restart|force-reload) + log_daemon_msg "Restarting $DESC" "$NAME" + do_stop + case "$?" in + 0|1) + do_start + case "$?" in + 0) log_end_msg 0 ;; + 1) log_end_msg 1 ;; + *) log_end_msg 1 ;; + esac + ;; + *) + # Failed to stop + log_end_msg 1 + ;; + esac + ;; + *) + echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 + exit 3 + ;; +esac + +: -- cgit v1.2.3 From e9ec9f26b1d88e0bb2e219d8b5240bc0560dda67 Mon Sep 17 00:00:00 2001 From: EUcancER Date: Tue, 17 Apr 2012 23:47:19 +0200 Subject: fix user management --- Reaktor/autostart/reaktor-debian | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'Reaktor') diff --git a/Reaktor/autostart/reaktor-debian b/Reaktor/autostart/reaktor-debian index 61644788..323449f8 100755 --- a/Reaktor/autostart/reaktor-debian +++ b/Reaktor/autostart/reaktor-debian @@ -13,7 +13,7 @@ PATH=/sbin:/usr/sbin:/bin:/usr/bin NAME=reaktor -REAKTOR_USER=reaktor +USER=reaktor DESC="$NAME daemon" DAEMON=/usr/bin/python DAEMON_DIR="/krebs/Reaktor/IRC/" @@ -33,7 +33,7 @@ do_start() # 2 if daemon could not be started start-stop-daemon -b -d $DAEMON_DIR -c $USER --start --quiet --make-pidfile --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ || return 1 - start-stop-daemon -b -d $DAEMON_DIR -c $USER--start --quiet --make-pidfile --pidfile $PIDFILE --exec $DAEMON -- \ + start-stop-daemon -b -d $DAEMON_DIR -c $USER --start --quiet --make-pidfile --pidfile $PIDFILE --exec $DAEMON -- \ $DAEMON_ARGS \ || return 2 } -- cgit v1.2.3 From dfbd4b30b4239e8c276a076fa0bb9313f846dc04 Mon Sep 17 00:00:00 2001 From: EUcancER Date: Tue, 17 Apr 2012 23:53:04 +0200 Subject: fix directory --- Reaktor/autostart/reaktor-debian | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'Reaktor') diff --git a/Reaktor/autostart/reaktor-debian b/Reaktor/autostart/reaktor-debian index 323449f8..a94384f4 100755 --- a/Reaktor/autostart/reaktor-debian +++ b/Reaktor/autostart/reaktor-debian 
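Review bot: `status_of_proc "$DAEMON" "$NAME"` in the `status)` branch is given no pidfile, and `$DAEMON` is `/usr/bin/python`, so the LSB helper falls back to locating the process by that name and reports reaktor as running whenever any python process exists; pass the pidfile the start branch creates: `status_of_proc -p "$PIDFILE" "$DAEMON" "$NAME" && exit 0 || exit $?`. `do_reload` is never reached (`force-reload` is routed to restart), and signal 1 sent to a python process that installs no SIGHUP handler would simply terminate it, so either drop the function or leave a comment that it is an unused placeholder from the skeleton.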
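Review bot: Renaming `REAKTOR_USER` to `USER` at the top of the file does make `-c $USER` defined, but it does so by overwriting the shell's conventional `USER` variable for the rest of the script and for everything sourced after it (`/etc/default/reaktor`, `vars.sh`, the LSB functions), which is a point of style worth avoiding in an init script. The smaller change is to keep the descriptive name and update the two start-stop-daemon lines: `REAKTOR_USER=reaktor` and `-c $REAKTOR_USER` in both calls. `-c` also accepts `user:group`, so `-c $REAKTOR_USER:$REAKTOR_USER` would pin the group explicitly if the bot should not inherit the account's primary group.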
@@ -31,9 +31,9 @@ do_start() # 0 if daemon has been started # 1 if daemon was already running # 2 if daemon could not be started - start-stop-daemon -b -d $DAEMON_DIR -c $USER --start --quiet --make-pidfile --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ + start-stop-daemon -b -d $DAEMON_DIR/.. -c $USER --start --quiet --make-pidfile --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \ || return 1 - start-stop-daemon -b -d $DAEMON_DIR -c $USER --start --quiet --make-pidfile --pidfile $PIDFILE --exec $DAEMON -- \ + start-stop-daemon -b -d $DAEMON_DIR/.. -c $USER --start --quiet --make-pidfile --pidfile $PIDFILE --exec $DAEMON -- \ $DAEMON_ARGS \ || return 2 } -- cgit v1.2.3 From 8954275f37e3392adc4a85a2c6c18683fb149f10 Mon Sep 17 00:00:00 2001 From: EUcancER Date: Tue, 17 Apr 2012 23:56:37 +0200 Subject: update makefile --- Reaktor/Makefile | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 Reaktor/Makefile (limited to 'Reaktor') diff --git a/Reaktor/Makefile b/Reaktor/Makefile new file mode 100644 index 00000000..2b121435 --- /dev/null +++ b/Reaktor/Makefile @@ -0,0 +1,4 @@ +debian-autostart: + cp autostart/reaktor-debian /etc/init.d/reaktor + cp autostart/reaktor /etc/default/ + update-rc.d reaktor defaults -- cgit v1.2.3 From 14eea1de9f193d8e31e8381ea12d34703d6d5ad3 Mon Sep 17 00:00:00 2001 From: EUcancER Date: Wed, 18 Apr 2012 11:16:21 +0200 Subject: Reaktor: add revip command --- Reaktor/commands/revip | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100755 Reaktor/commands/revip (limited to 'Reaktor') diff --git a/Reaktor/commands/revip b/Reaktor/commands/revip new file mode 100755 index 00000000..1d20037d --- /dev/null +++ b/Reaktor/commands/revip 
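Review bot: `cp autostart/reaktor /etc/default/` in the `debian-autostart` target overwrites `/etc/default/reaktor` on every run, so an administrator's edited `target`/`host` values are silently replaced by the repository defaults. Install the defaults file only when none exists, e.g. `[ -e /etc/default/reaktor ] || cp autostart/reaktor /etc/default/reaktor`, and keep the unconditional copy for the init script, which is code rather than configuration.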
@@ -0,0 +1,46 @@ +#!/usr/bin/python +# fork from darkb0t v0.4 +# modularized and extended +import sys +import os +import json +import socket +import httplib +try: + target = sys.argv[1] +except: + print "Usage: %s [target]" % sys.argv[0] + exit(0) + +print "Reverse IP Search" +print "Target: ",target +try: + hostname,aliases,ip = socket.gethostbyaddr(target) +except: + print "Cannot resolve `%s`!" % target + exit (1) +print "IP: ",ip[0] +sites = {target : "", hostname : ""} # make entries unique +for a in aliases: + sites[a] = "" +offset = 0 +appid = os.environ.get("BING_APPID",'7A0B8DA3E913BE5ECB4AF11C7BC398B43000DC1C') +while offset < 50: + url ="/json.aspx?AppId=%s&Query=ip:%s&Sources=Web+RelatedSearch+News+Image+Video&Version=2.2&Market=en-us&Web.Count=50&Web.Offset=%s&Web.Options=DisableQueryAlterations" % (appid, ip, offset) + conn = httplib.HTTPConnection("api.bing.net") + conn.request("GET", url) + res = conn.getresponse() + doc = json.load(res) + try: + results = doc["SearchResponse"]["Web"]["Results"] + conn.close() + for res in results: + sites[res['DisplayUrl']] = "" + offset += 50 + except: + break +print "Total: ", len(sites), " dns name(s)\n" +num = 1 +for s in sites: + print "["+str(num)+"/"+str(len(sites))+"] : "+s + num += 1 -- cgit v1.2.3 From 2a739377f53d7e7f9000683eff00ed40f56b14aa Mon Sep 17 00:00:00 2001 From: EUcancER Date: Wed, 18 Apr 2012 11:28:20 +0200 Subject: fix url parser --- Reaktor/commands/revip | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'Reaktor') diff --git a/Reaktor/commands/revip b/Reaktor/commands/revip index 1d20037d..b4920f52 100755 --- a/Reaktor/commands/revip +++ b/Reaktor/commands/revip @@ -6,6 +6,7 @@ import os import json import socket import httplib +from urlparse import urlparse try: target = sys.argv[1] except: 
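Review bot: `hostname,aliases,ip = socket.gethostbyaddr(target)` binds `ip` to the address *list*; the print below uses `ip[0]`, but the query string is built with `ip` itself, so Bing is asked for `ip:['1.2.3.4']` and the search returns nothing useful — assign `ip = ip[0]` after the lookup (or unpack as `hostname, aliases, ips = ...`). The default `appid` hard-codes a live Bing AppId in the source, which puts a credential into version control and every checkout; read `BING_APPID` from the environment only and exit with a usage message when it is unset, and the same applies to the copy added later as Reaktor/repos/revip/revip. The two bare `except:` clauses also swallow KeyboardInterrupt and unexpected errors; `except IndexError:` for the argv check and `except socket.error:` for the lookup would report real failures instead of printing 'Cannot resolve'.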
@@ -25,7 +26,7 @@ for a in aliases: sites[a] = "" offset = 0 appid = os.environ.get("BING_APPID",'7A0B8DA3E913BE5ECB4AF11C7BC398B43000DC1C') -while offset < 50: +while offset < 300: url ="/json.aspx?AppId=%s&Query=ip:%s&Sources=Web+RelatedSearch+News+Image+Video&Version=2.2&Market=en-us&Web.Count=50&Web.Offset=%s&Web.Options=DisableQueryAlterations" % (appid, ip, offset) conn = httplib.HTTPConnection("api.bing.net") conn.request("GET", url) @@ -35,7 +36,7 @@ while offset < 50: results = doc["SearchResponse"]["Web"]["Results"] conn.close() for res in results: - sites[res['DisplayUrl']] = "" + sites[urlparse(res['Url'])[1]] = "" offset += 50 except: break -- cgit v1.2.3 From 9b6cf277da29f7d36d7262a8c3dea2f7bab017fc Mon Sep 17 00:00:00 2001 From: EUcancER Date: Wed, 18 Apr 2012 23:11:33 +0200 Subject: live feedback from subprocess, shorter timeout --- Reaktor/IRC/asybot.py | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) (limited to 'Reaktor') diff --git a/Reaktor/IRC/asybot.py b/Reaktor/IRC/asybot.py index 17f9cb3a..6edc13ba 100755 --- a/Reaktor/IRC/asybot.py +++ b/Reaktor/IRC/asybot.py @@ -109,7 +109,7 @@ class asybot(asychat): def PRIVMSG(text): msg = 'PRIVMSG %s :%s' % (','.join(params), text) self.push(msg) - sleep(2) + sleep(1) def ME(text): PRIVMSG('ACTION ' + text + '') @@ -128,7 +128,7 @@ class asybot(asychat): from os.path import realpath, dirname, join from subprocess import Popen as popen, PIPE - + from time import time Reaktor_dir = dirname(realpath(dirname(__file__))) public_commands = join(Reaktor_dir, 'public_commands') command = join(public_commands, _command) 
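Review bot: `urlparse(res['Url'])[1]` is the netloc, which can still carry `user:pass@` credentials and a `:port` suffix, so the same host can appear several times in `sites`; `urlparse(res['Url']).hostname` yields the bare lowercase host and keeps the de-duplication the dict exists for. Unrelated to the parser fix, `conn.close()` sits inside the `try` after the result lookup, so on the KeyError that ends the loop the connection is left open; moving it to a `finally:` (or closing right after `json.load(res)`) matters more now that the loop runs up to six times with the 300 limit.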
@@ -137,29 +137,27 @@ class asybot(asychat): env = {} args = [] + start = time() if _argument != None: env['argument'] = _argument args = shlex.split(_argument) try: - p = popen([command] + args, stdin=PIPE, stdout=PIPE, stderr=PIPE, env=env) + p = popen([command] + args,bufsize=1, stdout=PIPE, stderr=PIPE, env=env) except OSError, error: ME('brain damaged') log.error('OSError@%s: %s' % (command, error)) return - - stdout, stderr = [ x[:len(x)-1] for x in - [ x.split('\n') for x in p.communicate()]] - code = p.returncode pid = p.pid + for line in iter(p.stdout.readline,""): + PRIVMSG(line) + log.debug('%s stdout: %s' % (pid, line)) + p.wait() + elapsed = time() - start + code = p.returncode + log.info('command: %s -> %s in %d seconds' % (command, code,elapsed)) + [log.debug('%s stderr: %s' % (pid, x)) for x in p.stderr.readlines()] - log.info('command: %s -> %s' % (command, code)) - [log.debug('%s stdout: %s' % (pid, x)) for x in stdout] - [log.debug('%s stderr: %s' % (pid, x)) for x in stderr] - - if code == 0: - [PRIVMSG(x) for x in stdout] - [PRIVMSG(x) for x in stderr] - else: + if code != 0: ME('mimimi') else: -- cgit v1.2.3 From 45804e008620847b91ac92ac1db9e76eecb19484 Mon Sep 17 00:00:00 2001 From: EUcancER Date: Wed, 18 Apr 2012 23:12:18 +0200 Subject: Reaktor:add modified version of gxfr with csv support --- Reaktor/repos/gxfr/gxfr.py | 235 ++++++++++++++++++++++++++++++++++++++++++++ Reaktor/repos/gxfr/here.csv | 5 + 2 files changed, 240 insertions(+) create mode 100644 Reaktor/repos/gxfr/gxfr.py create mode 100644 Reaktor/repos/gxfr/here.csv (limited to 'Reaktor') diff --git a/Reaktor/repos/gxfr/gxfr.py b/Reaktor/repos/gxfr/gxfr.py new file mode 100644 index 00000000..819f0b11 --- /dev/null +++ b/Reaktor/repos/gxfr/gxfr.py 
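Review bot: The new `for line in iter(p.stdout.readline,""):` loop reads only stdout and leaves stderr untouched until after `p.wait()`, so a command that writes more than a pipe buffer to stderr blocks on write while the bot blocks on readline — the deadlock the subprocess documentation warns about when one pipe is read at a time. The simplest fix that keeps the live feedback is to merge the streams with `stderr=STDOUT` (importing `STDOUT` next to `PIPE`) and drop the later `p.stderr.readlines()`, or to drain stderr in a thread. Each `line` also arrives with its trailing newline, which `PRIVMSG` forwards into the IRC message, so `PRIVMSG(line.rstrip('\n'))` is needed, and because this loop plus the one-second `sleep` per line runs inside the asyncore handler the bot's whole connection is stalled for the duration of a chatty command; a comment at the loop saying so would make the trade-off visible. The enclosing method continues past the hunk, and the trailing `else:` belongs to code outside it.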
@@ -0,0 +1,235 @@ +#!/usr/bin/python -tt + +# gxfr replicates dns zone transfers by enumerating subdomains using advanced search engine queries and conducting dns lookups. +# By Tim Tomes (LaNMaSteR53) +# Available for download at http://LaNMaSteR53.com or http://code.google.com/p/gxfr/ + +import sys, os.path, urllib, urllib2, re, time, socket, random, socket + + +def help(): + print """ Syntax: ./gxfr.py domain [options] + + -h, --help this screen + -v enable verbose mode + -t [num of seconds] set number of seconds to wait between queries (default=15) + -q [max num of queries] restrict to maximum number of queries (default=0, indefinite) + --dns-lookup enable dns lookups of all subdomains + --proxy [file|ip:port|-] use a proxy or list of open proxies to send queries (@random w/list) + - [file] must consist of 1 or more ip:port pairs + - replace filename with '-' (dash) to accept stdin + --user-agent ['string'] set custom user-agent string + --timeout [seconds] set socket timeout (default=system default) + --csv [file] + + Examples: + $ ./gxfr.py foxnews.com --dns-lookup -v + $ ./gxfr.py foxnews.com --dns-lookup --proxy open_proxies.txt --timeout 10 + $ ./gxfr.py foxnews.com --dns-lookup -t 5 -q 5 -v --proxy 127.0.0.1:8080 + $ curl http://rmccurdy.com/scripts/proxy/good.txt | ./gxfr.py website.com -v -t 3 --proxy - + """ + sys.exit(2) + +if len(sys.argv) < 2: + help() + +if '-h' in sys.argv or '--help' in sys.argv: + help() + +# declare vars and process arguments +query_cnt = 0 +csvname = False +domain = sys.argv[1] +sys.argv = sys.argv[2:] +lookup = False +encrypt = True +base_url = 'https://www.google.com' +base_uri = '/m/search?' 
+base_query = 'site:' + domain +pattern = '>([\.\w-]*)\.%s.+?<' % (domain) +proxy = False +user_agent = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; FDM; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 1.1.4322)' +verbose = False +secs = 15 +max_queries = 10 # default = 10 queries +# process command line arguments +if len(sys.argv) > 0: + if '--dns-lookup' in sys.argv: + lookup = True + if '--csv' in sys.argv: + csvname = sys.argv[sys.argv.index('--csv') + 1] + if '--proxy' in sys.argv: + proxy = True + filename = sys.argv[sys.argv.index('--proxy') + 1] + if filename == '-': + proxies = sys.stdin.read().split() + elif os.path.exists(filename): + content = open(filename).read() + proxies = re.findall('\d+\.\d+\.\d+\.\d+:\d+', content) + elif re.match(r'^\d+\.\d+\.\d+\.\d+:\d+$', filename): + proxies = [filename] + else: + help() + if '--timeout' in sys.argv: + timeout = int(sys.argv[sys.argv.index('--timeout') + 1]) + socket.setdefaulttimeout(timeout) + if '--user-agent' in sys.argv: + user_agent = sys.argv[sys.argv.index('--user-agent') + 1] + if '-v' in sys.argv: + verbose = True + if '-t' in sys.argv: + secs = int(sys.argv[sys.argv.index('-t') + 1]) + if '-q' in sys.argv: + max_queries = int(sys.argv[sys.argv.index('-q') + 1]) +subs = [] +new = True +page = 0 + +# --begin-- +print '[-] domain:', domain +print '[-] user-agent:', user_agent +# execute search engine queries and scrape results storing subdomains in a list +print '[-] querying search engine, please wait...' 
+# loop until no new subdomains are found +while new == True: + try: + query = '' + # build query based on results of previous results + for sub in subs: + query += ' -site:%s.%s' % (sub, domain) + full_query = base_query + query + start_param = '&start=%s' % (str(page*10)) + query_param = 'q=%s' % (urllib.quote_plus(full_query)) + if len(base_uri) + len(query_param) + len(start_param) < 2048: + last_query_param = query_param + params = query_param + start_param + else: + params = last_query_param[:2047-len(start_param)-len(base_uri)] + start_param + full_url = base_url + base_uri + params + # note: query character limit is passive in mobile, but seems to be ~794 + # note: query character limit seems to be 852 for desktop queries + # note: typical URI max length is 2048 (starts after top level domain) + if verbose: print '[+] using query: %s...' % (full_url) + # build web request and submit query + request = urllib2.Request(full_url) + # spoof user-agent string + request.add_header('User-Agent', user_agent) + # if proxy is enabled, use the correct handler + if proxy == True: + # validate proxies at runtime + while True: + try: + # select a proxy from list at random + num = random.randint(0,len(proxies)-1) + host = proxies[num] + opener = urllib2.build_opener(urllib2.ProxyHandler({'http': host})) + if verbose: print '[+] sending query to', host + # send query to proxy server + result = opener.open(request).read() + # exit while loop if successful + break + except Exception as inst: + print '[!] %s failed: %s' % (host, inst) + if len(proxies) == 1: + # exit of no proxy servers from list are valid + print '[-] valid proxy server not found' + sys.exit(2) + else: + # remove host from list of proxies and try again + del proxies[num] + else: + opener = urllib2.build_opener(urllib2.HTTPHandler(), urllib2.HTTPSHandler()) + # send query to search engine + try: + result = opener.open(request).read() + except Exception as inst: + print '[!] 
{0}'.format(inst) + if str(inst).index('503') != -1: print '[!] possible shun: use --proxy or find something else to do for 24 hours :)' + sys.exit(2) + if not verbose: sys.stdout.write('.'); sys.stdout.flush() + #if not verbose: sys.stdout.write('\n'); sys.stdout.flush() + # iterate query count + query_cnt += 1 + sites = re.findall(pattern, result) + # create a uniq list + sites = list(set(sites)) + new = False + # add subdomain to list if not already exists + for site in sites: + if site not in subs: + if verbose: print '[!] subdomain found:', site + subs.append(site) + new = True + # exit if maximum number of queries has been made + if query_cnt == max_queries: + print '[-] maximum number of queries made...' + break + # start going through all pages if querysize is maxed out + if new == False: + # exit if all subdomains have been found + if not 'Next page' in result: + #import pdb; pdb.set_trace() # curl to stdin breaks pdb + print '[-] all available subdomains found...' + break + else: + page += 1 + new = True + if verbose: print '[+] no new subdomains found on page. jumping to result %d.' % (page*10) + # sleep script to avoid lock-out + if verbose: print '[+] sleeping to avoid lock-out...' + time.sleep(secs) + except KeyboardInterrupt: + # catch keyboard interrupt and gracefull complete script + break + +# print list of subdomains +print '[-] successful queries made:', str(query_cnt) +if verbose: + # rebuild and display final query if in verbose mode + #final_query = '' + #for sub in subs: + # final_query += '+-site:%s.%s' % (sub, domain) + #print '[+] final query string: %sstart=%s&%s%s' % (base_url, str(page*10), base_query, query) + print '[+] final query string: %s' % (full_url) +print ' ' +print '[subdomains] -', str(len(subs)) +csvwriter = False +try: + if csvname: + import csv + csvwriter = csv.writer(open(csvname,'wb')) +except: + print "[!] 
Cannot open CSV" +for sub in subs: + dom = '%s.%s' % (sub, domain ) + hostname,aliases,ips = socket.gethostbyname_ex(dom) + #print hostname,aliases,ip + print dom,",".join(ips) + try: + line = [dom] + ips + csvwriter.writerow([dom] + ips) + except: pass + + +# conduct dns lookup if argument is present +if lookup == True: + print ' ' + print '[-] querying dns, please wait...' + dict = {} + # create a dictionary where the subdomain is the key and a list of all associated ips is the value + for sub in subs: + sub = '%s.%s' % (sub, domain) + if verbose: print '[+] querying dns for %s...' % (sub) + # dns query and dictionary assignment + try: + dict[sub] = list(set([item[4][0] for item in socket.getaddrinfo(sub, 80)])) + except socket.gaierror: + # dns lookup failure + dict[sub] = list(set(['no entry'])) + # print table of subdomains and ips + print ' ' + print '[ip]'.ljust(16, ' ') + '[subdomain]' + for key in dict.keys(): + for ip in dict[key]: + print ip.ljust(16, ' ') + key +# --end-- diff --git a/Reaktor/repos/gxfr/here.csv b/Reaktor/repos/gxfr/here.csv new file mode 100644 index 00000000..95faaa9c --- /dev/null +++ b/Reaktor/repos/gxfr/here.csv @@ -0,0 +1,5 @@ +mobile.foxnews.com,72.5.158.94 +video.foxnews.com,2.20.180.43,2.20.180.96 +www.foxnews.com,2.20.180.96,2.20.180.34 +latino.foxnews.com,2.20.180.72,2.20.180.26 +ureport.foxnews.com,69.90.218.153 -- cgit v1.2.3 From 9917d1d3974cb156a434e6f3a518de3ac643163e Mon Sep 17 00:00:00 2001 From: EUcancER Date: Wed, 18 Apr 2012 23:12:52 +0200 Subject: Reaktor: pull revip into seperate folder --- Reaktor/repos/revip/revip | 48 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100755 Reaktor/repos/revip/revip (limited to 'Reaktor') diff --git a/Reaktor/repos/revip/revip b/Reaktor/repos/revip/revip new file mode 100755 index 00000000..d6acd669 --- /dev/null +++ b/Reaktor/repos/revip/revip 
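Review bot: In the error path of the search request, `if str(inst).index('503') != -1:` uses `str.index`, which raises ValueError when the substring is absent instead of returning -1, so every non-503 failure ends in a ValueError traceback rather than the intended `sys.exit(2)`; write `if '503' in str(inst):`. In the new CSV block, `socket.gethostbyname_ex(dom)` is called for every scraped subdomain with no handler, unlike the `--dns-lookup` section below that catches `socket.gaierror`, so one unresolvable name aborts the script after the queries have already been spent, and the `csv.writer(open(csvname,'wb'))` handle is never closed, which can leave buffered rows unwritten; open the file with `with`, wrap the lookup in the same `except socket.gaierror:`, and replace the `except: pass` with `if csvwriter: csvwriter.writerow([dom] + ips)` so a failed write is not silently dropped. `dict = {}` shadows the builtin and the bare `except:` around the CSV open hides the actual error; `except IOError as inst:` with the message printed would say why the file could not be opened. The module is a flat script, so this hunk covers the whole file.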
@@ -0,0 +1,48 @@ +#!/usr/bin/python +# fork from darkb0t v0.4 +# modularized and extended +import sys +import os +import json +import socket +import httplib +from urlparse import urlparse +try: + target = sys.argv[1] +except: + print "Usage: %s [target]" % sys.argv[0] + exit(0) + +print "Reverse IP Search" +print "Target: ",target +try: + hostname,aliases,ip = socket.gethostbyname_ex(target) + ip = socket.gethostbyname(target) +except: + print "Cannot resolve `%s`!" % target + exit (1) +print "IP: ",ip +sites = {target : "", hostname : ""} # make entries unique +for a in aliases: + sites[a] = "" +offset = 0 +appid = os.environ.get("BING_APPID",'7A0B8DA3E913BE5ECB4AF11C7BC398B43000DC1C') +while offset < 300: + url ="/json.aspx?AppId=%s&Query=ip:%s&Sources=Web+RelatedSearch+News+Image+Video&Version=2.2&Market=en-us&Web.Count=50&Web.Offset=%s&Web.Options=DisableQueryAlterations" % (appid, ip, offset) + conn = httplib.HTTPConnection("api.bing.net") + conn.request("GET", url) + res = conn.getresponse() + doc = json.load(res) + try: + results = doc["SearchResponse"]["Web"]["Results"] + conn.close() + for res in results: + sites[urlparse(res['Url'])[1]] = "" + offset += 50 + except: + break +print "Total: ", len(sites), " dns name(s)\n" +num = 1 +for s in sites: + print "["+str(num)+"/"+str(len(sites))+"] : "+s + num += 1 -- cgit v1.2.3 From 3c52c7895c28e7f63e27680bd7ef533b93ec37ba Mon Sep 17 00:00:00 2001 
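Review bot: The resolution step now performs two lookups, `socket.gethostbyname_ex(target)` followed by `socket.gethostbyname(target)`, discarding the address list the first call already returned as `(hostname, aliases, ipaddrlist)`; `hostname, aliases, ips = socket.gethostbyname_ex(target)` and `ip = ips[0]` gives the same result with one query and no chance of the two answers disagreeing under round-robin DNS. The remaining issues in this copy are shared with Reaktor/commands/revip and are raised there.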
From: EUcancER Date: Wed, 18 Apr 2012 23:14:55 +0200 Subject: Reaktor: add dnsmap-0.30 --- Reaktor/repos/dnsmap/CREDITS.txt | 10 + Reaktor/repos/dnsmap/Changelog.txt | 25 + Reaktor/repos/dnsmap/Makefile | 12 + Reaktor/repos/dnsmap/README.txt | 177 + Reaktor/repos/dnsmap/TODO.txt | 13 + Reaktor/repos/dnsmap/dnsmap-bulk.sh | 19 + Reaktor/repos/dnsmap/dnsmap.c | 795 ++ Reaktor/repos/dnsmap/dnsmap.h | 1047 ++ Reaktor/repos/dnsmap/gpl-2.0.txt | 339 + Reaktor/repos/dnsmap/use_cases.txt | 10 + Reaktor/repos/dnsmap/wordlist_TLAs.txt | 17576 +++++++++++++++++++++++++++++++ 11 files changed, 20023 insertions(+) create mode 100644 Reaktor/repos/dnsmap/CREDITS.txt create mode 100644 Reaktor/repos/dnsmap/Changelog.txt create mode 100644 Reaktor/repos/dnsmap/Makefile create mode 100644 Reaktor/repos/dnsmap/README.txt create mode 100644 Reaktor/repos/dnsmap/TODO.txt create mode 100755 Reaktor/repos/dnsmap/dnsmap-bulk.sh create mode 100644 Reaktor/repos/dnsmap/dnsmap.c create mode 100644 Reaktor/repos/dnsmap/dnsmap.h create mode 100644 Reaktor/repos/dnsmap/gpl-2.0.txt create mode 100644 Reaktor/repos/dnsmap/use_cases.txt create mode 100644 Reaktor/repos/dnsmap/wordlist_TLAs.txt (limited to 'Reaktor') diff --git a/Reaktor/repos/dnsmap/CREDITS.txt b/Reaktor/repos/dnsmap/CREDITS.txt new file mode 100644 index 00000000..5f197151 --- /dev/null +++ b/Reaktor/repos/dnsmap/CREDITS.txt @@ -0,0 +1,10 @@ +Main author: +pagvac (gnucitizen.org) + +Patches, bug hunting and general feedback: +Borys Lacki (www.bothunters.pl) +Philipp Winter (7c0.org) +meathive (kinqpinz.info) +David Kierznowski (withdk.com) +GNa (gnanet.net) +srl (security.research.labs@gmail.com) diff --git a/Reaktor/repos/dnsmap/Changelog.txt b/Reaktor/repos/dnsmap/Changelog.txt new file mode 100644 index 00000000..ba1b0976 --- /dev/null +++ b/Reaktor/repos/dnsmap/Changelog.txt 
@@ -0,0 +1,25 @@ +20/02/2010: dnsmap 0.30 released at www.gnucitizen.org +* IPv6 support +* Makefile included +* delay option (-d) added. This is useful in cases where dnsmap is killing your bandwidth +* ignore IPs option (-i) added. This allows ignoring user-supplied IPs from the results. Useful for domains which cause dnsmap to produce false positives +* changes made to make dnsmap compatible with OpenDNS +* disclosure of internal IP addresses (RFC 1918) are reported +* updated built-in wordlist +* included a standalone three-letter acronym (TLA) subdomains wordlist +* domains susceptible to "same site" scripting (http://snipurl.com/etbcv) are reported +* completion time is now displayed to the user +* mechanism to attempt to bruteforce wildcard-enabled domains +* unique filename containing timestamp is now created when no specific output filename is supplied by user +* various minor bugs fixed + +22/02/2009: dnsmap 0.22 released at www.gnucitizen.org +* saving the results in human-readable and CSV format for easy processing +* fixed bug that disallowed reading wordlists with DOS CRLF format +* improved built-in subdomains wordlist +* new bash script (dnsmap-bulk.sh) included which allows running dnsmap against a list of domains from a user-supplied file. i.e.: bruteforcing several domains in a bulk fashion +* bypassing of signature-based dnsmap detection by generating a proper pseudo-random subdomain when checking for wildcards + +17/08/2006: dnsmap 0.1 (first public version) released at foro.elhacker.net +* bruteforcing based on builtin list and user-supplied wordlist +* obtain all available A records for each bruteforced (sub)domain (rather than only one) diff --git a/Reaktor/repos/dnsmap/Makefile b/Reaktor/repos/dnsmap/Makefile new file mode 100644 index 00000000..2393d374 --- /dev/null +++ b/Reaktor/repos/dnsmap/Makefile 
@@ -0,0 +1,12 @@ +CC=gcc +CFLAGS=-I. +BINDIR=/usr/local/bin + +dnsmap: dnsmap.c dnsmap.h + $(CC) $(CFLAGS) -o dnsmap dnsmap.c + +install: dnsmap + mkdir -p $(DESTDIR)$(BINDIR) + install -m 0755 dnsmap $(DESTDIR)$(BINDIR) + install -m 0755 dnsmap-bulk.sh $(DESTDIR)$(BINDIR)/dnsmap-bulk + diff --git a/Reaktor/repos/dnsmap/README.txt b/Reaktor/repos/dnsmap/README.txt new file mode 100644 index 00000000..beab0f21 --- /dev/null +++ b/Reaktor/repos/dnsmap/README.txt 
@@ -0,0 +1,177 @@ +INTRODUCTION + +dnsmap was originally released back in 2006 and was inspired by the +fictional story "The Thief No One Saw" by Paul Craig, which can be found +in the book "Stealing the Network - How to 0wn the Box" + +dnsmap is mainly meant to be used by pentesters during the information +gathering/enumeration phase of infrastructure security assessments. During the +enumeration stage, the security consultant would typically discover the target +company's IP netblocks, domain names, phone numbers, etc ... + +Subdomain brute-forcing is another technique that should be used in the +enumeration stage, as it's especially useful when other domain enumeration +techniques such as zone transfers don't work (I rarely see zone transfers +being *publicly* allowed these days by the way). + +If you are interested in researching stealth computer intrusion techniques, +I suggest reading this excellent (and fun) chapter which you can find for +*free* on the web: + +http://www.ethicalhacker.net/content/view/45/2/ + +I'm happy to say that dnsmap was included in Backtrack 2, 3 and 4 and has +been reviewed by the community: + +http://backtrack.offensive-security.com/index.php?title=Tools +http://www.networkworld.com/community/node/57543 +http://www.linuxhaxor.net/2007/07/14/backtrack-2-information-gathering-all-dnsmap/ +http://www.darknet.org.uk/2009/03/dnsmap-022-released-subdomain-bruteforcing-tool/ +http://www.gnucitizen.org/blog/new-version-of-dnsmap-out/ + + +COMPILING + +Compiling should be straightforward: + +$ make + +Or: + +$ gcc -Wall dnsmap.c -o dnsmap + + +INSTALLATION + +Example of manual installation: + +# cp ./dnsmap /usr/local/bin/dnsmap + +If you wish to bruteforce several target domains in bulk fashion, you can use the +included dnsmap-bulk.sh script. Just copy the script to /usr/local/bin/ so you can +call it from any location. e.g.: + +# cp ./dnsmap-bulk.sh /usr/local/bin/ + +And set execute permissions. 
e.g.: + +# chmod ugo+x /usr/local/bin/dnsmap-bulk.sh + + +LIMITATIONS + +Lack of multi-threading. This speed issue will hopefully be resolved in future versions. + + +FUN THINGS THAT CAN HAPPEN + +1. Finding interesting remote access servers (e.g.: https://extranet.targetdomain.com) + +2. Finding badly configured and/or unpatched servers (e.g.: test.targetdomain.com) + +3. Finding new domain names which will allow you to map non-obvious/hard-to-find netblocks + of your target organization (registry lookups - aka whois is your friend) + +4. Sometimes you find that some bruteforced subdomains resolve to internal IP addresses + (RFC 1918). This is great as sometimes they are real up-to-date "A" records which means + that it *is* possible to enumerate internal servers of a target organization from the + Internet by only using standard DNS resolving (as oppossed to zone transfers for instance). + +5. Discover embedded devices configured using Dynamic DNS services (e.g.: linksys-cam.com). + This method is an alternative to finding devices via Google hacking techniques + +USAGE + +Bruteforcing can be done either with dnsmap's built-in wordlist or a user-supplied wordlist. +Results can be saved in CSV and human-readable format for further processing. dnsmap does +NOT require root privileges to be run, and should NOT be run with such privileges for +security reasons. + +The usage syntax can be obtained by simply running dnsmap without any parameters: + +$ ./dnsmap + +dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org) + +usage: dnsmap [options] +options: +-w +-r +-c +-d +-i (useful if you're obtaining false positives) + +Note: delay value is a maximum random value. e.g.: if you enter 1000, each DNS request +will be delayed a *maximum* of 1 second. 
By default, dnsmap uses a value of 10 milliseconds +of maximum delay between DNS lookups + + +EXAMPLES +Subdomain bruteforcing using dnsmap's built-in word-list: + +$ ./dnsmap targetdomain.foo + +Subdomain bruteforcing using a user-supplied wordlist: + +$ ./dnsmap targetdomain.foo -w wordlist.txt + +Subdomain bruteforcing using the built-in wordlist and saving the results to /tmp/ : + +$ ./dnsmap targetdomain.foo -r /tmp/ + +Since no filename was provided in the previous example, but rather only a path, dnsmap would +create an unique filename which includes the current timestamp. e.g.: +/tmp/dnsmap_targetdomain_foo_2009_12_15_234953.txt + +Example of subdomain bruteforcing using the built-in wordlist, saving the results to /tmp/, +and waiting a random maximum of 3 milliseconds between each request: + +$ ./dnsmap targetdomain.foo -r /tmp/ -d 300 + +It is recommended to use the -d (delay in milliseconds) option in cases where dnsmap is +interfering with your online experience. i.e.: killing your bandwidth + +Subdomain bruteforcing with 0.8 seconds delay, saving results in regular and CSV format, +filtering 2 user-provided IP and using a user-supplied wordlist: + +$ ./dnsmap targetdomain.foo -d 800 -r /tmp/ -c /tmp/ -i 10.55.206.154,10.55.24.100 -w ./wordlist_TLAs.txt + +For bruteforcing a list of target domains in a bulk fashion use the bash script provided. e.g.: + +$ ./dnsmap-bulk.sh domains.txt /tmp/results/ + + +WORDLISTS + +http://packetstormsecurity.org/Crackers/wordlists/dictionaries/ +http://www.cotse.com/tools/wordlists1.htm +http://wordlist.sourceforge.net/ + + +OTHER SIMILAR TOOLS - choice is freedom! 
+ +WS-DNS-BFX +http://ws.hackaholic.org/tools/WS-DNS-BFX.tgz + +DNSDigger +http://www.ernw.de/download/dnsdigger.zip + +Fierce Domain Scan +http://ha.ckers.org/fierce/ + +Desperate +http://www.sensepost.com/research_misc.html + +DNSenum +http://dnsenum.googlecode.com/files/dnsenum1.2.tar.gz + +ReverseRaider +http://complemento.sourceforge.net/ + +Knock +http://knock.gianniamato.it/ + + +-- +pagvac | GNUCITIZEN.org +Feb 2010 diff --git a/Reaktor/repos/dnsmap/TODO.txt b/Reaktor/repos/dnsmap/TODO.txt new file mode 100644 index 00000000..0df13680 --- /dev/null +++ b/Reaktor/repos/dnsmap/TODO.txt @@ -0,0 +1,13 @@ +* multi-threading - use pthread.h? +* can't handle wildcarded domains that return more than one IP address on non-existing subdomains + test domain: proboards.com +* allow using a customized list of DNS server to share network load +* allow using DNS server supplied on the command line +* for openDNS users: document how to permanently change DNS server settings so they are not overwritten by DHCP settings +* convert hostent structs to addrinfo ? +* replace inet_ntoa(*((struct in_addr *)host->h_addr_list[j])) with ipstr +* obtain aliases for each domain (CNAME records)? +* clever numerical domain bruteforce for clusters. i.e.: www2, www3 +* pickup new subdomains via reverse lookups (PTR records) +* better input validation + * improve function that validates target domain diff --git a/Reaktor/repos/dnsmap/dnsmap-bulk.sh b/Reaktor/repos/dnsmap/dnsmap-bulk.sh new file mode 100755 index 00000000..574aba22 --- /dev/null +++ b/Reaktor/repos/dnsmap/dnsmap-bulk.sh @@ -0,0 +1,19 @@ +#!/bin/bash +if [[ $# -ne 1 && $# -ne 2 ]] +then + echo "usage: `basename $0` [results-path]"; + echo "e.g.:"; + echo "`basename $0` domains.txt"; + echo "`basename $0` domains.txt /tmp/"; + exit +fi +for i in `cat $1` +do + if [[ $# -eq 1 ]] + then + dnsmap $i + elif [[ $# -eq 2 ]] + then + dnsmap $i -r $2 + fi +done 
diff --git a/Reaktor/repos/dnsmap/dnsmap.c b/Reaktor/repos/dnsmap/dnsmap.c new file mode 100644 index 00000000..5276e305 --- /dev/null +++ b/Reaktor/repos/dnsmap/dnsmap.c 
@@ -0,0 +1,795 @@
+/*
+ * ** dnsmap - DNS Network Mapper by pagvac
+ * ** Copyright (C) 2010 gnucitizen.org
+ * **
+ * ** This program is free software; you can redistribute it and/or modify
+ * ** it under the terms of the GNU General Public License as published by
+ * ** the Free Software Foundation; either version 2 of the License, or
+ * ** (at your option) any later version.
+ * **
+ * ** This program is distributed in the hope that it will be useful,
+ * ** but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * ** GNU General Public License for more details.
+ * **
+ * ** You should have received a copy of the GNU General Public License
+ * ** along with this program; if not, write to the Free Software
+ * ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ * */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include "dnsmap.h" // built-in subdomains list and define macros
+
+
+// function prototypes
+unsigned short int wildcarDetect(char *, char *);
+unsigned short int dodelay(unsigned short int);
+unsigned short int isPrivateIP(char *);
+unsigned short int isValidDomain(char *);
+unsigned short int usesOpenDNS(char *);
+unsigned short int isIPblacklisted(char *);
+
+int main(int argc, char *argv[]) {
+
+ unsigned short int i=0, j=0, k=0, l=0, found=0, ipCount=0, filtIPcount=0, milliseconds=10, intIPcount=0,
+ wordlist=FALSE, txtResults=FALSE, csvResults=FALSE,
+ delay=TRUE, filter=FALSE;
+ unsigned long int start=0, end=0;
+ char dom[MAXSTRSIZE]={'\0'}, csvResultsFilename[MAXSTRSIZE]={'\0'},
+ txtResultsFilename[MAXSTRSIZE]={'\0'}, wordlistFilename[MAXSTRSIZE]={'\0'},
+ ipstr[INET_ADDRSTRLEN]={'\0'}, wildcardIpStr[INET_ADDRSTRLEN]={'\0'},
+ filterIPs[5][INET_ADDRSTRLEN]={{'\0'}},
+ invalidTldIpstr[INET_ADDRSTRLEN]={'\0'};
+ void *addr;
+ char *ipver, *strP;
+
+ struct hostent *h;
+ // start of IPv6 stuff
+ struct addrinfo hints, *res, *p;
+ int status;
+ char ipv6str[INET6_ADDRSTRLEN];
+ memset(&hints, 0, sizeof hints);
+ hints.ai_family = AF_INET6; // AF_INET or AF_INET6 to force version
+ hints.ai_socktype = SOCK_STREAM;
+ // end of IPv6 stuff
+
+ FILE *fpWords,*fpCsvLogs,*fpTxtLogs;
+
+ time_t now;
+ struct tm *ts;
+ char timestampBuf[18];
+
+ printf("%s", BANNER);
+
+ // get the current time
+ now = time(NULL);
+
+ // timestamp format: yyyy_mm_dd_hhmmss
+ ts = localtime(&now);
+ strftime(timestampBuf, sizeof(timestampBuf), "%Y_%m_%d_%H%M%S", ts);
+
+
+ // start of *primitive* input validation
+ // ideally more work should be spent on this!
+ if(argc==1) {
+ printf("%s%s", USAGE, EXAMPLES);
+ exit(1);
+ }
+ else if(argc%2==1 && argc>2) {
+ printf("%s%s", USAGE, EXAMPLES);
+ exit(1);
+ }
+ for(i=0;argv[1][i];++i) // convert domain to lower case
+ argv[1][i]=(tolower(argv[1][i]));
+ #if DEBUG
+ printf("domain: %s\n", argv[1]);
+ #endif
+ if(!isValidDomain(argv[1])) {
+ printf("%s", DOMAINERR);
+ exit(1);
+ }
+
+ for(i=0;iMAXSTRSIZE) {
+ printf("%s",INPUTERR);
+ exit(1);
+ }
+ }
+ // end of simple input validation
+
+ /*
+ else if ((h=gethostbyname(argv[1])) == NULL) { // get the host info
+ herror("gethostbyname");
+ exit(1);
+ }
+ */
+
+ start=(int)time(NULL);
+
+ #if DEBUG
+ printf("start time: %d\n", (int)start);
+ #endif
+
+ // parse options
+ for(i=0;i300000) { // delay must be between 1 ms and 5 minutes
+ printf("%s", DELAYINPUTERR);
+ exit(1);
+ }
+ delay=TRUE;
+ milliseconds=atoi(argv[(i+1)]);
+ }
+ // filter out user-provided IP(s)
+ if(!strcmp(argv[i],"-i")) {
+ for(filtIPcount=1,j=0;argv[i+1][j]!='\0';++j)
+ if(argv[i+1][j]==',')
+ ++filtIPcount;
+ #if DEBUG
+ printf("%d IP(s) to filter found\nParsing ...\n", filtIPcount);
+ #endif
+ if(filtIPcount<=5) {
+ printf(FILTERMSG);
+ strP=strtok(argv[i+1],",");
+ for(j=0;strP;) {
+ if(strlen(strP)=1)
+ printf(DELAYMSG);
+
+ printf("%s", "\n");
+ for(i=0;i<(sizeof(sub)/MAXSUBSIZE);++i) {
+ //skipResolve=FALSE;
+ strncpy(dom,sub[i],MAXSTRSIZE-strlen(dom)-1);
+ strncat(dom,".",MAXSTRSIZE-strlen(dom)-1);//TEST
+ strncat(dom,argv[1],MAXSTRSIZE-strlen(dom)-1);
+ #if DEBUG
+ printf("brute-forced domain: %s\n",dom);
+ #endif
+
+ // ipv6 code modded from www.kame.net
+ status = getaddrinfo(dom, NULL, &hints, &res);
+ if ((status=getaddrinfo(dom, NULL, &hints, &res))==0) {
+ printf("%s\n", dom);
+ ++found;
+ if(txtResults)
+ fprintf(fpTxtLogs, "%s\n", dom);
+ if(csvResults)
+ fprintf(fpCsvLogs, "%s", dom);
+ for(p=res,k=0;p;p=p->ai_next,++k) {
+ if (p->ai_family==AF_INET6) { // IPv6
+ struct sockaddr_in6 *ipv6=(struct sockaddr_in6 *)p->ai_addr;
+ addr = &(ipv6->sin6_addr);
+ ipver = "IPv6";
+ }
+ // convert the IP to a string and print it:
+ inet_ntop(p->ai_family, addr, ipv6str, sizeof ipv6str);
+ printf("%s address #%d: %s\n",ipver,k+1,ipv6str);
+ ++ipCount;
+ if(txtResults)
+ fprintf(fpTxtLogs,"%s address #%d: %s\n",ipver,k+1,ipv6str);
+ if(csvResults)
+ fprintf(fpCsvLogs,",%s", ipv6str);
+ }
+ printf("%s", "\n");
+ if(txtResults)
+ fprintf(fpTxtLogs,"\n");
+ if(csvResults)
+ fprintf(fpCsvLogs,"\n");
+ freeaddrinfo(res); // free the linked list
+ } // end of if conditional
+ h=gethostbyname(dom);
+ //sprintf(ipstr,inet_ntoa(*((struct in_addr *)h->h_addr_list[0])),"%s");
+ //for(j=0;h->h_addr_list[j];++j) {
+ // sprintf(ipstr,inet_ntoa(*((struct in_addr *)h->h_addr_list[j])),"%s");
+ // if(isIPblacklisted(ipstr)) {
+ // skipResolve=TRUE;
+ // break;
+ // }
+ //}
+ //if(h && !skipResolve) {
+ //if(h && !isIPblacklisted(ipstr)) {
+ if(h && !isIPblacklisted(inet_ntoa(*((struct in_addr *)h->h_addr_list[0])))) {
+ for(j=0;h->h_addr_list[j];++j) {
+ sprintf(ipstr,inet_ntoa(*((struct in_addr *)h->h_addr_list[j])),"%s");
+ for(k=0;kh_addr_list[j+1])
+ ++j;
+ else
+ break;
+ }
+ }
+ // END OF TEST
+ //if(strcmp(wildcardIpStr,ipstr) && strcmp(filterIpStr,ipstr)) {
+ if(strcmp(wildcardIpStr,ipstr) && filter==FALSE) {
+ if(j==0) {
+ ++found;
+ printf("%s\n", dom);
+
+ if(txtResults)
+ fprintf(fpTxtLogs, "%s\n", dom);
+ if(csvResults)
+ fprintf(fpCsvLogs, "%s", dom);
+ }
+ printf("[%d] %s : %s\n", j+1,dom,ipstr);
+ ++ipCount;
+
+ if(isPrivateIP(ipstr)) {
+ //if(isPrivateIP(inet_ntoa(*((struct in_addr *)h->h_addr_list[j])))) {
+ printf("%s",INTIPWARN);
+ ++intIPcount;
+ }
+ if(!strcmp(ipstr,"127.0.0.1") && strcmp(wildcardIpStr,ipstr)) {
+ //if(!strcmp(inet_ntoa(*((struct in_addr *)h->h_addr_list[j])),
+ //"127.0.0.1"))
+ printf("%s",SAMESITEXSSWARN);
+ }
+ if(txtResults) {
+ //fprintf(fpCsvLogs,",%s",
+ // inet_ntoa(*((struct in_addr *)h->h_addr_list[j])));
+ fprintf(fpTxtLogs,"IP address #%d: %s\n", j+1, ipstr);
+ if(isPrivateIP(ipstr) && strcmp(wildcardIpStr,ipstr))
+ fprintf(fpTxtLogs,"%s",INTIPWARN);
+ if(!strcmp(ipstr,"127.0.0.1") && strcmp(wildcardIpStr,ipstr))
+ fprintf(fpTxtLogs,"%s",SAMESITEXSSWARN);
+ }
+ if(csvResults && strcmp(wildcardIpStr,ipstr))
+ fprintf(fpCsvLogs,",%s",ipstr);
+ }
+ }
+ //if(strcmp(wildcardIpStr,ipstr) && strcmp(filterIpStr,ipstr)) {
+ if(strcmp(wildcardIpStr,ipstr) && filter==FALSE) {
+ printf("%s", "\n");
+ if(txtResults)
+ fprintf(fpTxtLogs,"%s","\n");
+ if(csvResults)
+ fprintf(fpCsvLogs,"%s","\n");
+ }
+ filter=FALSE;
+ }
+ // user wants delay between DNS requests?
+ if(delay)
+ dodelay(milliseconds);
+ }
+ if(txtResults)
+ fclose(fpTxtLogs);
+ if(csvResults)
+ fclose(fpCsvLogs);
+ }
+
+ // read subdomains from wordlist file
+ else if(wordlist) {
+ // openDNS detection
+ if(usesOpenDNS(invalidTldIpstr))
+ printf("%s",OPENDNSMSG);
+
+ // wildcard detection
+ wildcarDetect(argv[1],wildcardIpStr);
+ if(strcmp(invalidTldIpstr,wildcardIpStr))
+ printf(WILDCARDWARN);
+
+ fpWords=fopen(wordlistFilename, "r");
+ if(fpWords) {
+ printf(EXTERNALMSG);
+ if(milliseconds>=1)
+ printf(DELAYMSG);
+ printf("%s","\n");
+
+ while(!feof(fpWords)) {
+ //strncpy(dom,"",MAXSTRSIZE-strlen(dom)-1);
+ for(i=0;iai_next,++k) {
+ void *addr;
+ char *ipver;
+ if (p->ai_family==AF_INET6) { // IPv6
+ struct sockaddr_in6 *ipv6=(struct sockaddr_in6 *)p->ai_addr;
+ addr = &(ipv6->sin6_addr);
+ ipver = "IPv6";
+ }
+ // convert the IP to a string and print it:
+ inet_ntop(p->ai_family, addr, ipv6str, sizeof ipv6str);
+ printf("%s address #%d: %s\n",ipver,k+1,ipv6str);
+ ++ipCount;
+ if(txtResults)
+ fprintf(fpTxtLogs,"%s address #%d: %s\n",ipver,k+1,ipv6str);
+ if(csvResults)
+ fprintf(fpCsvLogs,",%s", ipv6str);
+ }
+ printf("%s", "\n");
+ if(txtResults)
+ fprintf(fpTxtLogs,"\n");
+ if(csvResults)
+ fprintf(fpCsvLogs,"\n");
+
+ freeaddrinfo(res); // free the linked list
+ // ipv6 code modded from www.kame.net
+ } // end of if conditional
+
+ h=gethostbyname(dom);
+
+ if(h && !isIPblacklisted(inet_ntoa(*((struct in_addr *)h->h_addr_list[0])))) {
+ for(j=0;h->h_addr_list[j];++j) {
+ sprintf(ipstr,inet_ntoa(*((struct in_addr *)h->h_addr_list[j])),"%s");
+ //TEST
+ for(k=0;kh_addr_list[j+1])
+ ++j;
+ else
+ break;
+ }
+ }
+ // END OF TEST
+
+ //if(strcmp(wildcardIpStr,ipstr) && strcmp(filterIpStr,ipstr)) {
+ if(strcmp(wildcardIpStr,ipstr) && filter==FALSE) {
+ if(j==0) {
+ ++found;
+ printf("%s\n",dom);
+
+ if(txtResults) {
+ //fprintf(fpCsvLogs,"%s",dom);
+ fprintf(fpTxtLogs,"%s\n",dom);
+ }
+ if(csvResults) {
+ //fprintf(fpCsvLogs,"%s",dom);
+ fprintf(fpCsvLogs,"%s",dom);
+ }
+ }
+ printf("IP address #%d: %s\n",j+1,ipstr);
+ ++ipCount;
+
+ if(isPrivateIP(ipstr) && strcmp(wildcardIpStr,ipstr)) {
+ printf("%s",INTIPWARN);
+ ++intIPcount;
+ }
+ if(!strcmp(ipstr,"127.0.0.1") && strcmp(wildcardIpStr,ipstr))
+ printf("%s",SAMESITEXSSWARN);
+ if(txtResults && strcmp(wildcardIpStr,ipstr)) {
+ fprintf(fpTxtLogs,"IP address #%d: %s\n",j+1,ipstr);
+ if(isPrivateIP(ipstr))
+ fprintf(fpTxtLogs,"%s",INTIPWARN);
+ if(!strcmp(ipstr,"127.0.0.1"))
+ fprintf(fpTxtLogs,"%s",SAMESITEXSSWARN);
+ }
+ if(csvResults && strcmp(wildcardIpStr,ipstr))
+ fprintf(fpCsvLogs,",%s",ipstr);
+ }
+ }
+ //if(strcmp(wildcardIpStr,ipstr) && strcmp(filterIpStr,ipstr)) {
+ if(strcmp(wildcardIpStr,ipstr) && filter==FALSE) {
+ printf("%s", "\n");
+ if(txtResults)
+ fprintf(fpTxtLogs,"%s","\n");
+ if(csvResults)
+ fprintf(fpCsvLogs,"%s","\n");
+ }
+ filter=FALSE;
+ }
+ // user wants delay between DNS requests?
+ if(delay)
+ dodelay(milliseconds);
+ } // end while() loop
+ fclose(fpWords);
+ }
+ else {
+ printf(OPENFILEERR);
+ exit(1);
+ }
+ if(txtResults)
+ fclose(fpTxtLogs);
+ if(csvResults)
+ fclose(fpCsvLogs);
+ }
+
+ printf(RESULTSMSG4);
+ if(intIPcount>=1)
+ printf(RESULTSMSG1);
+
+ if(txtResults)
+ printf(RESULTSMSG2);
+ if(csvResults)
+ printf(RESULTSMSG5);
+
+ end=(int)time(NULL);
+ printf(RESULTSMSG3);
+
+ return 0;
+}
+
+// return true if domain wildcards are enabled
+unsigned short int wildcarDetect(char *dom, char *ipstr) {
+ char strTmp[30]={'\0'},s[MAXSTRSIZE]={'\0'};
+ unsigned short int i=0,n=0,max=0;
+ struct hostent *h;
+
+ srand(time(NULL));
+ max=rand()%20;
+ // max should be between 10 and 20
+ if(max<10)
+ max=max+(10-max);
+
+ // generate up to random 20 digits-long subdomain
+ // e.g. 06312580442146732554
+
+ for(i=0;ih_addr_list[i];++i) {
+ */
+ //sprintf(ipstr,inet_ntoa(*((struct in_addr *)h->h_addr_list[i])),"%s");
+ sprintf(ipstr,inet_ntoa(*((struct in_addr *)h->h_addr_list[0])),"%s");
+ #if DEBUG
+ printf("wildcard domain\'s IP address: %s\n",ipstr);
+ #endif
+ return TRUE;
+ }
+ else
+ return FALSE;
+}
+
+// return number of milliseconds delayed
+unsigned short int dodelay(unsigned short int maxmillisecs) {
+ unsigned short int n=0;
+
+ srand(time(NULL));
+ n=rand()%maxmillisecs;
+ ++n;
+ maxmillisecs=n;
+ #if DEBUG
+ printf("sleeping %d milliseconds ...\n",maxmillisecs);
+ #endif
+ usleep(maxmillisecs*1000);
+
+ return maxmillisecs;
+}
+
+// return true if IP addr is internal (RFC1918)
+unsigned short int isPrivateIP(char *ip) {
+
+ char classB[][8]={"172.16.","172.17.","172.18.","172.19.",
+ "172.20.","172.21.","172.22.","172.23.","172.24.",
+ "172.25.","172.26.","172.27.","172.28.","172.29.",
+ "172.30.","172.31."};
+
+ unsigned short int i=0,j=0;
+ size_t len = strlen(ip);
+
+ // shortest: 0.0.0.0 - 8 chars inc \0
+ // longest: 255.255.255.255 - 16 chars inc \0
+ if(len<8 || len>16)
+ return 0;
+ // ip addr must have three period signs
+ for(i=0,j=0;i6)) // tld must be between 2-6 char. e.g. .museum, .uk
+ return FALSE;
+
+ // valid domain can only contain digits, letters, dot (.) and dash symbol (-)
+ len = strlen(d);
+ for(i=0;i= '0' && d[i] <= '9') &&
+ !(d[i] >= 'a' && d[i] <= 'z') &&
+ !(d[i] >= 'A' && d[i] <= 'Z') &&
+ !(d[i] >= '-' && d[i] <= '.'))
+ return 0;
+ }
+
+ srand(time(NULL));
+ max=rand()%20;
+ // max should be between 10 and 20
+ if(max<10)
+ max=max+(10-max);
+
+ // generate up to random 20 digits-long subdomain
+ // e.g. 06312580442146732554
+
+ for(i=0;ih_addr_list[j];++j)
+ inet_ntoa(*((struct in_addr *)h->h_addr_list[j]));
+ if(j>1) {
+ #if DEBUG
+
+ printf("wildcard domain\'s number of IP address(es): %d"
+ " (this causes dnsmap to produce false positives)\n",j);
+ #endif
+ return FALSE;
+ }
+ }
+
+ return TRUE;
+
+}
+
+// return true if IP is blacklisted, false otherwise
+unsigned short int isIPblacklisted(char *ip) {
+ int i;
+ // add you own blacklisted IP addresses here if dnsmap is producing false positives.
+ // this could be caused by your ISP returning a captive portal search page when
+ // when requesting invalid domains on your browser
+ char ips[][INET_ADDRSTRLEN]={
+ "81.200.64.50",
+ "67.215.66.132",
+ "1.2.3.4",
+ "0.0.0.0" // add your false positive IPs here
+ };
+
+ //for(i=0;ips[i];++i) {
+ for(i=0;i<(sizeof(ips)/INET_ADDRSTRLEN);++i) {
+ if(!strcmp(ips[i],ip))
+ return TRUE;
+ }
+
+ return FALSE;
+}
+
+
+// return true if usage of public DNS server is detected
+// Note: right now this function only detects openDNS, but might be
+// updated in the future to detect other common public DNS servers
+unsigned short int usesOpenDNS(char *ipstr) {
+ char strTmp[30]={'\0'}, s[MAXSTRSIZE]={'\0'}, dummyLTD[4]={"xyz"}/*, ipstr[INET_ADDRSTRLEN]={'\0'}*/;
+ char ips[][INET_ADDRSTRLEN]={"67.215.65.132"};
+ unsigned short int i=0,j=0,n=0,max=0;
+ struct hostent *h;
+
+ srand(time(NULL));
+ max=rand()%20;
+ // max should be between 10 and 20
+ if(max<10)
+ max=max+(10-max);
+
+ // generate up to random 20 digits-long subdomain
+ // e.g. 06312580442146732554
+
+ for(i=0;ih_addr_list[i];++i) {
+ sprintf(ipstr,inet_ntoa(*((struct in_addr *)h->h_addr_list[i])),"%s");
+ #if DEBUG
+ printf("public DNS server\'s default IP address #%d: %s\n",i+1,ipstr);
+ #endif
+ for(j=0;i<(sizeof(ips)/INET_ADDRSTRLEN);++j) {
+ if(!strcmp(ips[i],ipstr))
+ return TRUE;
+ }
+ }
+ return TRUE;
+ }
+ else
+ return FALSE;
+}
diff --git a/Reaktor/repos/dnsmap/dnsmap.h b/Reaktor/repos/dnsmap/dnsmap.h
new file mode 100644
index 00000000..7dde6bdc
--- /dev/null
+++ b/Reaktor/repos/dnsmap/dnsmap.h
@@ -0,0 +1,1047 @@
+/*
+ * ** dnsmap - DNS Network Mapper by pagvac
+ * ** Copyright (C) 2010 gnucitizen.org
+ * **
+ * ** This program is free software; you can redistribute it and/or modify
+ * ** it under the terms of the GNU General Public License as published by
+ * ** the Free Software Foundation; either version 2 of the License, or
+ * ** (at your option) any later version.
+ * **
+ * ** This program is distributed in the hope that it will be useful,
+ * ** but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * ** GNU General Public License for more details.
+ * **
+ * ** You should have received a copy of the GNU General Public License
+ * ** along with this program; if not, write to the Free Software
+ * ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+ * */
+
+#define MAXSUBSIZE 100
+#define MAXSTRSIZE 200
+#define BANNER "dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)\n\n"
+#define USAGE "usage: dnsmap [options]\noptions:\n"\
+ "-w \n-r \n-c \n"\
+ "-d \n-i (useful if you're obtaining false positives)\n\n"
+#define EXAMPLES "e.g.:\ndnsmap target-domain.foo\n"\
+ "dnsmap target-domain.foo -w yourwordlist.txt -r /tmp/domainbf_results.txt\n"\
+ "dnsmap target-fomain.foo -r /tmp/ -d 3000\n"\
+ "dnsmap target-fomain.foo -r ./domainbf_results.txt\n\n"
+#define INTIPWARN "[+] warning: internal IP address disclosed\n"
+#define SAMESITEXSSWARN "[+] warning: domain might be vulnerable to \"same site\" scripting (http://snipurl.com/etbcv)\n"
+#define WILDCARDWARN "[+] warning: domain might use wildcards. "\
+ "%s will be ignored from results\n", wildcardIpStr
+#define INPUTERR "[+] error: entered parameter(s) is/are too long!\n"
+#define DELAYINPUTERR "[+] error: delay must be between 1 and 300000 milliseconds (5 minutes)!\n"
+#define FILTIPINPUTERR "[+] error: the maxium number of IPs to filter is 5!\n"
+#define DOMAINERR "[+] error: entered domain is not valid!\n"
+#define CREATEFILEERR "%s\"%s\"!\n\n", "[+] error creating results