-
Notifications
You must be signed in to change notification settings - Fork 111
/
sub_brute.rb
189 lines (170 loc) · 6.18 KB
/
sub_brute.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
#!/usr/bin/env ruby
require 'io/console'
require 'net/http'
require 'open-uri'
require 'resolv'
require 'socket'
require 'timeout'
=begin
###############################################
Pure subdomain bruteforcer:
Will check and see if host is pointing to AWS
Alrets if a subdomain returns 404 so you can
manually check and see if it's hosted on a
3rd party website and if they are registered
properly or not.
Author : Behrouz Sadeghipour
Email : [email protected]
Twitter: @NahamSec
http:://github.com/nahamsec
###############################################
=end
class String
def black; "\e[30m#{self}\e[0m" end
def red; "\e[31m#{self}\e[0m" end
def green; "\e[32m#{self}\e[0m" end
def brown; "\e[33m#{self}\e[0m" end
def blue; "\e[34m#{self}\e[0m" end
def magenta; "\e[35m#{self}\e[0m" end
def cyan; "\e[36m#{self}\e[0m" end
def brown; "\e[37m#{self}\e[0m" end
def bg_black; "\e[40m#{self}\e[0m" end
def bg_red; "\e[41m#{self}\e[0m" end
def bg_green; "\e[42m#{self}\e[0m" end
def bg_brown; "\e[43m#{self}\e[0m" end
def bg_blue; "\e[44m#{self}\e[0m" end
def bg_magenta; "\e[45m#{self}\e[0m" end
def bg_cyan; "\e[46m#{self}\e[0m" end
def bg_brown; "\e[47m#{self}\e[0m" end
def bold; "\e[1m#{self}\e[22m" end
def italic; "\e[3m#{self}\e[23m" end
def underline; "\e[4m#{self}\e[24m" end
def blink; "\e[5m#{self}\e[25m" end
def reverse_color; "\e[7m#{self}\e[27m" end
end
def host(get_host) #get cname data and check response code for 404 and alert user
Resolv::DNS.open do |dns|
res = dns.getresources get_host, Resolv::DNS::Resource::IN::CNAME
if res.empty?
break
end
heroku_error = "there is no app configured at that hostname".red.bold
amazonAWS_error = "NoSuchBucket".red.bold
squarespace_error = "No Such Account".red.bold
github_error = "There isn't a GitHub Pages site here".red.bold
shopify_error = "Sorry, this shop is currently unavailable.".red.bold
tumblr_error = "There's nothing here.".red.bold
wpengine_error = "The site you were looking for couldn't be found.".red.bold
check_it = ""
real_host = res.first.name.to_s
check_real_host = "http://"+real_host
check_it = Net::HTTP.get(URI.parse(check_real_host))
if (check_it.index("There is no app configured at that hostname"))
puts "- Subdomain pointing to a non-existing Heroku app showing: ".red + heroku_error
elsif (check_it.index("NoSuchBucket"))
puts "- Subdomain pointing to an unclaimed AmazonAWS bucket showing: ".red + amazonAWS_error
elsif (check_it.index("No Such Account"))
puts "- Subdomain pointing to a non-existing SquareSpace account showing: ".red + squarespace_error
elsif (check_it.index("You're Almost There"))
puts "- Subdomain pointing to a non-existing SquareSpace account showing: ".red + squarespace_error
elsif (check_it.index("There isn't a GitHub Pages site here"))
puts "- Subdomain pointing to a non-existing Github subdomain indicating".red + github_error
elsif (check_it.index("Sorry, this shop is currently unavailable."))
puts "- Subdomain pointing to a non-existing Shopify subdomain indicating".red + shopify_error
elsif (check_it.index("There's nothing here."))
puts "- Subdomain pointing to a non-existing Tumblr subdomain indicating".red + tumblr_error
elsif (check_it.index("The site you were looking for couldn't be found."))
puts "- Subdomain pointing to a non-existing WPEngine subdomain indicating".red + wpengine_error
end
#if (real_host = get_host)
#else
puts ("- Seems like " + get_host + " is an alias for " + real_host).brown
#end
end
return
end
def find_subs(targetURI)
target = "http://"+targetURI
begin
#Timeout::timeout(600) {
res = Net::HTTP.get_response(URI.parse(target))
getCode = res.code
ip_address = Resolv.getaddress targetURI
if (getCode != "503")
File.open("output.txt", "a") do |file|
file.puts targetURI
end
puts "[#{Time.now.asctime}] " + getCode + " " + targetURI.green + " ---> " + ip_address + " "
if (ip_address == "127.0.0.1")
puts "Sub domain is poiting to localhost --> Check for more details".red
else
end
host targetURI
else
end
if getCode == "404"
puts "----> Check for further information on where this is pointing to.".red
end
#}
rescue Timeout::Error
rescue Errno::EHOSTUNREACH
rescue URI::InvalidURIError
rescue SocketError
rescue Errno::ECONNREFUSED
rescue Resolv::ResolvError
rescue Errno::ETIMEDOUT
rescue Errno::ENETUNREACH
end
# recursiveBruteForce
end
def createURI(getURI)
File.open("list.txt", "r") do |f|
f.each_line do |line|
targetURI = line.chomp + "." + getURI
find_subs targetURI
end
end
end
def createURIThreaded(getURI)
total_threads = 100 #safe value
queue = Queue.new
File.open("list.txt", "r") do |f|
f.each_line do |line|
targetURI = line.chomp + "." + getURI
queue << targetURI
end
workers = total_threads.times.map do
Thread.new do
begin
while targetURI = queue.pop(true)
find_subs targetURI
end
rescue ThreadError
end
end
end
workers.map(&:join)
end
end
File.open("output.txt", "w")
system "clear"
puts "Enter a domain you'd like to brute force and look for hostile subdomain takeover(example: hackme.ltd)"
fastmode = ARGV.include? '--fast'
ARGV.clear
getURI = gets.chomp
unless fastmode then
createURI getURI
else
createURIThreaded getURI
end
puts "\n\n\n\n\n[#{Time.now.asctime}] Starting to bruteforce the subdomains using the same wordlist"
File.open("output.txt", "r").each do |ff|
ff.each_line do |domain|
targetURI = domain.chomp
unless fastmode then
createURI targetURI
else
createURIThreaded targetURI
end
end
end