-
Notifications
You must be signed in to change notification settings - Fork 23
/
Copy pathbrute-domain-tld
executable file
·123 lines (102 loc) · 3.78 KB
/
brute-domain-tld
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
#!/usr/bin/env python2.7
###########
# IMPORTS #
###########
import sys
import os
import argparse
from argparse import RawTextHelpFormatter
import dns
import dns.resolver
import dns.reversename
from multiprocessing import Pool
#from multiprocessing.dummy import Pool # utilise threads rather than subprocesses
import signal
####################
# GLOBAL VARIABLES #
####################
global nameserver
#############
# FUNCTIONS #
#############
def brute_ns(domain):
max_attempts = 3
resolver = dns.resolver.get_default_resolver()
resolver.nameservers = [nameserver]
resolver.lifetime = 3
attempt = 0
while attempt < max_attempts:
try:
answers = resolver.query(domain, 'SOA')
except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer, dns.resolver.NoNameservers):
#sys.stderr.write('%s => No record found.\n' % (domain))
pass
except dns.name.EmptyLabel:
sys.stderr.write('%s => A DNS label is empty.\n' % (domain))
except dns.resolver.Timeout:
attempt += 1
if attempt == max_attempts:
sys.stderr.write('%s => Request timed out.\n' % (domain))
continue
else:
# process answers
for answer in answers.response.answer:
if answer.rdtype == 6:
soa = answer.name.to_text()[:-1]
# use "host" rather than "soa" as sometimes the SOA record has a CNAME
sys.stdout.write('%s\n' % (domain))
sys.stdout.flush()
# break out of the loop
attempt = max_attempts
def initializer():
"""Ignore CTRL+C in the worker process."""
signal.signal(signal.SIGINT, signal.SIG_IGN)
########
# MAIN #
########
if __name__ == '__main__':
desc = 'Brute force TLDs and SLDs using DNS.' \
parser = argparse.ArgumentParser(description=desc)
parser.add_argument('-n', '--nameserver',
action='store',
help='nameserver to use for lookups (default: 8.8.8.8)',
metavar='SERVER',
default='8.8.8.8')
parser.add_argument('-w', '--wordlist',
action='store',
help='a list of TLDs to use for brute force attack (default: %s/wordlists/dns/tlds.txt)' % os.path.dirname(os.path.realpath(__file__)),
metavar='FILE',
default="%s/wordlists/dns/tlds.txt" % os.path.dirname(os.path.realpath(__file__)))
parser.add_argument('file',
nargs='?',
type=argparse.FileType('r'),
action='store',
help='file containing a list of domains split by a newline, otherwise read from STDIN',
metavar='FILE',
default=sys.stdin)
args = parser.parse_args()
global nameserver
nameserver = args.nameserver
with open(args.wordlist) as fp:
wordlist = [line.strip().lower() for line in fp if len(line.strip())>0 and line[0] is not '#']
try:
domains = [line.strip().lower() for line in args.file if len(line.strip())>0 and line[0] is not '#']
except KeyboardInterrupt:
exit()
# remove duplicates and sort
domains = list(set(domains))
domains = sorted(domains)
candidates = list()
for domain in domains:
for word in wordlist:
domain_root = domain.split('.')[0]
candidate = '%s.%s' % (domain_root, word)
candidates.append(candidate.lower())
pool = Pool(processes=10, initializer=initializer)
try:
pool.map(brute_ns, candidates)
pool.close()
pool.join()
except KeyboardInterrupt:
pool.terminate()
pool.join()