Project author: jtof-fap

Project description:
Find all hostnames in given folder and checks (with recursive dig function) which are in perimeter.
Language: Python
Repository: git://github.com/jtof-fap/verifHostname.git
Created: 2015-10-13T09:24:12Z
Project community: https://github.com/jtof-fap/verifHostname

License: GNU General Public License v3.0



FindHostname

Introduction

Find all hostnames in given folder and checks (with recursive dig function) which are in perimeter.

First, populate a folder with text files containing hostnames. The script identifies every hostname present in those files with a single regular expression, deduplicates the list (sort -u) and tries to filter out the noise in order to reduce the size of the initial input. If you have no idea how to populate the initial list, you can add:

  • Nessus xml output,
  • Maltego hostname list,
  • Sublist3r, theHarvester results exports,
  • Burp “site map” txt export,
  • DNS brute force / zone transfer,
  • Any export of tools that find hostnames from IPs (ex: bing search IP:”X.X.X.X”),
  • Etc…

Second, populate a txt file with your pentest scope (IP, IP/32, network/cidr).

Then, this tool keeps those for which the dig command returns an IP belonging to the perimeter file. No more blah blah, a good schema is better:

The script resolves and keeps, in the final result, all discovered CNAMEs and all IPs associated with a DNS name. The output is in nessus target format: hostname / vhost [IP].
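The whole pipeline described above (hostname extraction from noisy files, recursive CNAME following, perimeter check, nessus-style output) as an added, self-contained example; this is not the project's code. It uses the stdlib ipaddress module instead of netaddr, and FAKE_DIG is a constructed table standing in for the `dig +short` calls so it runs offline; the CNAME-loop guard is an addition the README does not describe.

```python
import ipaddress
import re
# Constructed sample target file with the noisy line shapes the README lists.
SAMPLE_TEXT = """https://fiber.google.com/
/www.google.com 08237
testfile.php
<host>gsuite.google.com/</host>
<img src="https://store.google.com/">
www.twitter.com"""
PERIMETER = ["172.217.17.0/24", "216.58.204.96/29", "216.58.204.142/32"]
# Constructed stand-in for `dig <name> +short` so this runs offline: an answer
# ending in "." is a CNAME target, anything else is an A record.
FAKE_DIG = {
    "fiber.google.com": ["www3.l.google.com."], "gsuite.google.com": ["www3.l.google.com."],
    "www3.l.google.com": ["216.58.204.142"], "store.google.com": ["216.58.204.142"],
    "www.google.com": ["216.58.204.100"], "www.twitter.com": ["twitter.com."],
    "twitter.com": ["104.244.42.129", "104.244.42.1"],
}
HOSTNAME_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
FILE_EXTENSIONS = {"php", "html", "js", "css", "txt", "xml"}  # noise, not TLDs

def extract_hostnames(text):
    """Hostname-looking tokens from arbitrary text, minus file-name noise."""
    names = {m.group(1).lower() for m in HOSTNAME_RE.finditer(text)}
    return {n for n in names if n.rsplit(".", 1)[1] not in FILE_EXTENSIONS}

def load_perimeter(lines):
    """One IP, IP/32 or network/cidr per line (stdlib ipaddress, not netaddr)."""
    return [ipaddress.ip_network(l.strip(), strict=False) for l in lines if l.strip()]

def resolve(name, perimeter, dig=FAKE_DIG, seen=frozenset()):
    """{name: {ips}} for name and every CNAME in its chain that lands in scope."""
    name, hits = name.rstrip(".").lower(), {}
    if name in seen:  # guard against CNAME loops, which would recurse forever
        return hits
    for answer in dig.get(name, []):
        if answer.endswith("."):  # CNAME: follow it, like the script's recursive dig
            sub = resolve(answer, perimeter, dig, seen | {name})
            hits.update(sub)
            for ip in sub.get(answer.rstrip(".").lower(), ()):
                hits.setdefault(name, set()).add(ip)  # alias inherits target's IPs
        elif any(ipaddress.ip_address(answer) in net for net in perimeter):
            hits.setdefault(name, set()).add(answer)
    return hits

def check(text, perimeter_lines, dig=FAKE_DIG):
    """Nessus-target-style lines, hostname[IP], sorted."""
    perimeter, results = load_perimeter(perimeter_lines), {}
    for host in sorted(extract_hostnames(text)):
        results.update(resolve(host, perimeter, dig))
    return sorted(f"{h}[{ip}]" for h, ips in results.items() for ip in sorted(ips))
```

Out-of-scope names such as www.twitter.com are resolved through their CNAME but produce no output line, exactly as in the debug trace further down.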

Installation, dependencies and requirements

Installation

  git clone https://github.com/jtof-fap/verifHostname.git

Python version

This script currently supports Python 2 and Python 3.

Dependencies

verifHostname.py depends on the docopt and netaddr python modules:

  # pip install -r requirements.txt

Requirements

This script needs the following requirements to run:

  • On Linux: the dig command (# apt-get install dnsutils)
  • On Windows: dig.exe in the same folder and the BIND libraries in system32

Command line -h (RTFM)

Arguments:

  FOLDER_OR_FILE File or Folder which gathers the text files containing hostnames.
  PERIMETER_FILE Perimeter file, 1 element/line (IP, IP/32, network/cidr).
  -t, --thread = <num> Thread number (default (10)).
  -s, --server = <X.X.X.X> DNS Server, prefer a robust one for multithreading (default (8.8.8.8)).

Options:

  -h, --help Print Help
  -v, --version Print Version
  -d, --debug Print Debug

Usage:

  verifHostname.py FOLDER_OR_FILE PERIMETER_FILE
  verifHostname.py FOLDER_OR_FILE PERIMETER_FILE -d
  verifHostname.py FOLDER_OR_FILE PERIMETER_FILE -t xx
  verifHostname.py FOLDER_OR_FILE PERIMETER_FILE -s X.X.X.X
  verifHostname.py FOLDER_OR_FILE PERIMETER_FILE [-d] [-t 5] [-s 8.8.4.4]

Example usage

Inputs:

  # cat targets.txt
  www.twitter.com
  https://fiber.google.com/
  /www.google.com 08237
  mail.google.com
  maps.google.com
  yahoo.fr
  testfile.php
  testline
  google.com
  <host>gsuite.google.com/</host>
  <img src="https://store.google.com/">
  firebase.google.com
  # cat perimeter.txt
  172.217.17.0/24
  216.58.204.96/29
  216.58.204.142/32
  216.58.64/29

Program:

  # python3 verifHostname.py targets.txt perimeter.txt
  INFO > Thread number : 10
  INFO > Check that hostname present in file or folder 'targets.txt' be part of perimeter given in 'perimeter.txt' file
  INFO > Search hostname in 'targets.txt'
  INFO > Program check 10 hostname
  fiber.google.com[216.58.204.142]
  firebase.google.com[216.58.204.142]
  google.com[216.58.204.142]
  gsuite.google.com[216.58.204.142]
  maps.google.com[216.58.204.142]
  store.google.com[216.58.204.142]
  www.google.com[216.58.204.100]
  www3.l.google.com[216.58.204.142]
  INFO > End process.

Under the hood / Debug trace:

  # python3 verifHostname.py targets.txt perimeter.txt -d
  INFO > Thread number : 10
  DEBUG > Command line argument :
  #>FILE OR FOLDER : 'targets.txt'
  #>PERIMETER : '/tmp/perimeter.txt'
  #>CUSTOM DNS SERVER : 8.8.8.8
  #>THREAD NUMBER : 10
  INFO > Check that hostname present in file or folder 'targets.txt' be part of perimeter given in 'perimeter.txt' file
  DEBUG > Perimeter : [['172.217.17.0/24'], ['216.58.204.96/29'], ['216.58.204.142/32'], ['216.58.64/29']]
  DEBUG > Files in folder 'targets.txt' : ['targets.txt']
  INFO > Search hostname in 'targets.txt'
  DEBUG > Hostname list : {'fiber.google.com', 'yahoo.fr', 'google.com', 'firebase.google.com', 'store.google.com', 'www.google.com', 'gsuite.google.com', 'mail.google.com', 'www.twitter.com', 'maps.google.com'}
  INFO > Program check 10 hostname
  DEBUG > dig fiber.google.com +short
  DEBUG > dig yahoo.fr +short
  DEBUG > dig google.com +short
  DEBUG > dig firebase.google.com +short
  DEBUG > dig store.google.com +short
  DEBUG > dig www.google.com +short
  DEBUG > dig gsuite.google.com +short
  DEBUG > dig mail.google.com +short
  DEBUG > dig www.twitter.com +short
  DEBUG > dig maps.google.com +short
  DEBUG > yahoo.fr match 77.238.184.24 but it is not on perimeter... next...
  DEBUG > yahoo.fr match 98.137.236.24 but it is not on perimeter... next...
  DEBUG > yahoo.fr match 106.10.212.24 but it is not on perimeter... next...
  DEBUG > yahoo.fr match 124.108.105.24 but it is not on perimeter... next...
  DEBUG > yahoo.fr match 74.6.50.24 but it is not on perimeter... next...
  DEBUG > CNAME Found for fiber.google.com : www3.l.google.com.
  DEBUG > dig www3.l.google.com. +short
  DEBUG > MATCH SINGLE: www.google.com match 216.58.204.100
  DEBUG > CNAME Found for www.twitter.com : twitter.com.
  DEBUG > MATCH SINGLE: google.com match 216.58.204.142
  DEBUG > CNAME Found for gsuite.google.com : www3.l.google.com.
  DEBUG > dig www3.l.google.com. +short
  DEBUG > CNAME Found for firebase.google.com : www3.l.google.com.
  DEBUG > dig www3.l.google.com. +short
  DEBUG > dig twitter.com. +short
  DEBUG > MATCH SINGLE: maps.google.com match 216.58.204.142
  DEBUG > CNAME Found for mail.google.com : googlemail.l.google.com.
  DEBUG > dig googlemail.l.google.com. +short
  DEBUG > MATCH SINGLE: store.google.com match 216.58.204.142
  DEBUG > MATCH CNAME Recursive call : CNAME fiber.google.com match IP : 216.58.204.142
  DEBUG > MATCH CNAME Recursive call : CNAME www3.l.google.com. match IP : 216.58.204.142
  DEBUG > MATCH CNAME Recursive call : CNAME gsuite.google.com match IP : 216.58.204.142
  DEBUG > MATCH CNAME Recursive call : CNAME www3.l.google.com. match IP : 216.58.204.142
  DEBUG > googlemail.l.google.com. match 216.58.204.133 but it is not in perimeter... next...
  DEBUG > mail.google.com match 216.58.204.133 but it is not in perimeter... next...
  DEBUG > twitter.com. match 104.244.42.129 but it is not in perimeter... next...
  DEBUG > MATCH CNAME Recursive call : CNAME firebase.google.com match IP : 216.58.204.142
  DEBUG > twitter.com. match 104.244.42.1 but it is not in perimeter... next...
  DEBUG > MATCH CNAME Recursive call : CNAME www3.l.google.com. match IP : 216.58.204.142
  DEBUG > www.twitter.com match 104.244.42.65 but it is not in perimeter... next...
  DEBUG > www.twitter.com match 104.244.42.1 but it is not in perimeter... next...
  fiber.google.com[216.58.204.142]
  firebase.google.com[216.58.204.142]
  google.com[216.58.204.142]
  gsuite.google.com[216.58.204.142]
  maps.google.com[216.58.204.142]
  store.google.com[216.58.204.142]
  www.google.com[216.58.204.100]
  www3.l.google.com[216.58.204.142]
  INFO > End process.

Tips and tricks

If you just want to check which hostnames are valid (resolving CNAMEs along the way), put this in the perimeter file:

  0.0.0.0/0

License

verifHostname is licensed under the GNU GPL license (version 3). Take a look at the LICENSE file for more information.

Version

Current version is 1.0