Tools



DNSEnum
(download v1.1)
(download v1.2)

Google Code Project Page

Multithreaded script to enumerate DNS information on a domain and to discover non-contiguous IP blocks.

OPERATIONS:

        1) Get the host's address.

        2) Get the nameservers (threaded).

        3) Get the MX records (threaded).

        4) Perform AXFR (zone transfer) queries on the nameservers (threaded).

        5) Get extra names via Google scraping.

        6) Brute force subdomains from a file (threaded).

        7) Calculate class C network ranges and perform whois queries on them (threaded).

        8) Perform reverse lookups on the netranges (class C and/or whois netranges) (threaded).

        9) Write the discovered IP blocks to the file domain_ips.txt.


PREREQUISITES:

        Net::IP
        Net::DNS
        Net::Netmask
        Net::Whois::IP
        HTML::Parser
        WWW::Mechanize

        and for threads (ithreads):
        threads
        threads::shared
        Thread::Queue


DETAILED OPTIONS:

        The brute force switch -f must be specified; without it the script will not continue its execution.


        GENERAL:

        --enum                  Shortcut option equivalent to --threads 5 -s 10 -w.

        -h, --help              Print the help message.

        --noreverse             Skip the reverse lookup operations.
                                Note:   Reverse lookups can take a long time on big netranges.

        --subfile       file    Write all valid subdomains to this file. Subdomains are taken
                                from NS and MX records, zone transfer, Google scraping,
                                brute force and reverse lookup hostnames.
                                Note:   This may consume memory.

        -t, --timeout   value   The TCP and UDP timeout values in seconds (default: 10s).

            --threads   value   The number of threads that will perform all queries.

        -v, --verbose           Be verbose (show all the progress and all the error messages).


        GOOGLE SCRAPING:

        This function scrapes subdomains from Google search results, using the query: allinurl: -www site:domain

        -p, --pages     value   The number of Google search pages to process when scraping names;
                                the -s switch must be specified (default: 20 pages).

        -s, --scrap     value   The maximum number of subdomains that will be scraped from Google.

        Notes!!!:       Google can block our queries with its malware detection.
                        HTTP proxy options for Google scraping are automatically loaded from the environment
                        if the variables http_proxy or HTTP_PROXY are present, e.g.
                        "http_proxy=http://127.0.0.1:8118/" or "HTTP_PROXY=http://127.0.0.1:8118/".
                        On I/O errors the Mechanize object automatically calls die.


        BRUTE FORCE:

        Brute force subdomains with a list read from a file.

        -f, --file      file    Read subdomains from this file to perform the brute force.

        -u, --update    a|g|r|z Update the file specified with the -f switch with valid subdomains.
                        -u a    Google scraping, reverse lookup and zone transfer results (all).
                        -u g    using Google scraping results.
                        -u r    using PTR records discovered from the reverse lookup operations; be
                                careful, there can be a lot of invalid hostnames, so you may want to use
                                the -e, --exclude <regexp> switch.
                                Note: this may consume a lot of memory on a domain with many subdomains.
                        -u z    using zone transfer results.

        -r, --recursion         Recursion on subdomains: additional brute force checks on
                                the valid subdomains found, may consume memory.

        Note:   The subdomains used for recursion are taken from zone transfer, Google scraping
                and previous brute force results.
                NS, MX and reverse lookup results are not used for recursion.
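The brute force step (operation 6) and the -r recursion it feeds, as an added example in Python. This is not dnsenum's own code (dnsenum is Perl); the zone, the wordlist and the resolver stand-in are constructed so it runs offline, and live_resolve() shows the real lookup you would inject instead. The wildcard check is an addition of this example, not a dnsenum feature described on this page: a zone with a wildcard record makes every guess resolve, so the script probes an arbitrary nonexistent label first and drops answers that only echo the wildcard address.

```python
"""Subdomain brute force with recursion, in the spirit of dnsenum's -f and -r.

Added example (Python, not dnsenum's Perl). The resolver is injected so the
code runs offline against a constructed zone; live_resolve() is the
real-world substitute.
"""
import socket
from typing import Callable, Dict, List, Optional, Set, Tuple

Resolver = Callable[[str], Optional[str]]

# Constructed zone standing in for live DNS (assumption, offline only).
FAKE_ZONE: Dict[str, str] = {
    "www.example.com": "192.0.2.10",
    "mail.example.com": "192.0.2.25",
    "dev.example.com": "198.51.100.5",
    "www.dev.example.com": "198.51.100.6",
    "mail.dev.example.com": "198.51.100.7",
}

# Wordlist of the kind dnsenum reads with -f (constructed).
WORDLIST: List[str] = ["www", "mail", "dev", "ftp", "vpn"]


def fake_resolve(name: str) -> Optional[str]:
    """Offline stand-in for an A record lookup."""
    return FAKE_ZONE.get(name)


def wildcard_resolve(name: str) -> Optional[str]:
    """Constructed zone with a wildcard: every label under wild.example
    resolves, but only real.wild.example has its own address."""
    if name == "real.wild.example":
        return "203.0.113.50"
    if name.endswith(".wild.example"):
        return "203.0.113.1"
    return None


def live_resolve(name: str) -> Optional[str]:
    """Real A lookup for live use; None when the name does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def detect_wildcard(domain: str, resolve: Resolver) -> Optional[str]:
    """Resolve a label that should not exist. An answer means the zone has a
    wildcard record and every guess would look valid. This check is an
    addition of this example, not a dnsenum feature; the probe label is
    arbitrary."""
    return resolve(f"nonexistent-probe-7f3a9c.{domain}")


def brute_force(domain: str, words: List[str], resolve: Resolver,
                recurse: bool = False, max_depth: int = 2) -> Dict[str, str]:
    """Try word.parent for every word under the domain. With recurse=True,
    run the wordlist again under each valid subdomain found (dnsenum -r),
    down to max_depth labels below the domain. Returns {hostname: ip}."""
    wildcard_ip = detect_wildcard(domain, resolve)
    found: Dict[str, str] = {}
    queue: List[Tuple[str, int]] = [(domain, 0)]
    seen: Set[str] = set()
    while queue:
        parent, depth = queue.pop(0)
        if parent in seen:
            continue
        seen.add(parent)
        for word in words:
            host = f"{word}.{parent}"
            ip = resolve(host)
            # Drop misses, and answers that merely echo the wildcard (a real
            # host sharing the wildcard address is lost too; that is the usual
            # trade-off when filtering wildcard zones).
            if ip is None or ip == wildcard_ip:
                continue
            found[host] = ip
            if recurse and depth + 1 <= max_depth:
                queue.append((host, depth + 1))
    return found


if __name__ == "__main__":
    hits = brute_force("example.com", WORDLIST, fake_resolve, recurse=True)
    for host, ip in sorted(hits.items()):
        print(f"{host}\t{ip}")
    # Live run: brute_force("example.com", WORDLIST, live_resolve, recurse=True)
```

Without -r the constructed zone yields www, mail and dev; with recursion the wordlist is replayed under dev.example.com and finds the two hosts below it. Against wild.example only real.wild.example survives, because the other guesses return the same address as the probe.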


        WHOIS IP:

        Perform whois IP queries on the netranges discovered by the previous operations.

        -d, --delay     <value> The maximum number of seconds to wait between whois queries; the actual
                                delay is chosen randomly up to this value (default: 3s).

        Note:   whois servers will limit the number of connections.

        -w, --whois             Perform whois IP queries on the netranges.

        Notes:  The whois query recursively queries the various whois providers until it gets the most
                detailed information, including either TechPhone or OrgTechPhone by default.
                See: perldoc Net::Whois::IP.
                On errors the netrange defaults to the class C /24.


        REVERSE LOOKUP:

        -e, --exclude   <regexp> Exclude PTR records that match the regular expression from the reverse
                                lookup results; useful against invalid or auto-generated hostnames.

        Note:   PTR records that do not match the domain are also excluded.
                Verbose mode will show all results.


FINAL RESULTS:

        Valid non-contiguous IP blocks are calculated:
                1) From the reverse lookups that were performed on the netranges
                        (class C netranges or whois netranges).
                2) If the --noreverse switch is used, from the results of the previous operations
                        (nslookups, zone transfers, Google scraping and brute forcing).
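Operations 7 to 9 and the two FINAL RESULTS cases, as an added example in Python (not dnsenum's Perl code). The discovered addresses and the PTR answers are constructed so it runs offline; live_ptr() is the real lookup you would inject. The whois step is left out because it cannot run offline; without -w the netranges are the /24 around each address, which is also what dnsenum falls back to on whois errors. The first-last notation for the blocks is this example's choice, not the format of domain_ips.txt.

```python
"""Class C netranges, filtered reverse lookups and final IP blocks, following
dnsenum operations 7-9 and the FINAL RESULTS section.

Added example (Python, not dnsenum's Perl). PTR lookups are injected so the
code runs offline against constructed data; live_ptr() is the real substitute.
"""
import ipaddress
import re
import socket
from typing import Callable, Dict, Iterable, List, Optional

PtrResolver = Callable[[str], Optional[str]]

# Constructed: addresses found by the earlier steps (NS, MX, zone transfer,
# Google scraping, brute force).
DISCOVERED_IPS: List[str] = ["192.0.2.10", "192.0.2.25", "198.51.100.5", "198.51.100.7"]

# Constructed PTR answers standing in for reverse lookups over the netranges.
FAKE_PTR: Dict[str, str] = {
    "192.0.2.9": "gw.isp.example",               # other domain: excluded
    "192.0.2.10": "www.example.com",
    "192.0.2.11": "web2.example.com",            # new host, found only via PTR
    "192.0.2.12": "192-0-2-12.dyn.example.com",  # generic name: caught by -e
    "192.0.2.25": "mail.example.com",
    "198.51.100.5": "dev.example.com",
    "198.51.100.6": "www.dev.example.com",
    "198.51.100.7": "mail.dev.example.com",
    "198.51.100.200": "bastion.example.com",
}

# A regexp of the kind passed with -e to drop auto-generated PTR names.
EXCLUDE_REGEXP = r"^\d+-\d+-\d+-\d+\."


def fake_ptr(ip: str) -> Optional[str]:
    """Offline stand-in for a PTR lookup."""
    return FAKE_PTR.get(ip)


def live_ptr(ip: str) -> Optional[str]:
    """Real PTR lookup for live use. Slow over whole /24s, as the page warns."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def class_c_ranges(ips: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Operation 7 without -w: the /24 around each address, deduplicated.
    With -w, dnsenum uses the whois netranges instead and falls back to the
    /24 when whois fails."""
    return sorted({ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips})


def reverse_lookup(nets: Iterable[ipaddress.IPv4Network], domain: str,
                   ptr: PtrResolver, exclude: Optional[str] = None) -> Dict[str, str]:
    """Operation 8 plus the REVERSE LOOKUP filters: keep a PTR name only if it
    lies in the target domain and does not match the -e regexp."""
    pattern = re.compile(exclude) if exclude else None
    domain = domain.lower().rstrip(".")
    hits: Dict[str, str] = {}
    for net in nets:
        for addr in net.hosts():
            name = ptr(str(addr))
            if not name:
                continue
            name = name.lower().rstrip(".")
            if name != domain and not name.endswith("." + domain):
                continue
            if pattern and pattern.search(name):
                continue
            hits[str(addr)] = name
    return hits


def ip_blocks(ips: Iterable[str]) -> List[str]:
    """Collapse addresses into runs of consecutive IPs (the non-contiguous
    blocks). First-last notation is this example's choice."""
    addrs = sorted({ipaddress.IPv4Address(ip) for ip in ips})
    runs: List[List[ipaddress.IPv4Address]] = []
    for addr in addrs:
        if runs and int(addr) == int(runs[-1][1]) + 1:
            runs[-1][1] = addr
        else:
            runs.append([addr, addr])
    return [str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in runs]


def final_blocks(domain: str, ips: List[str], ptr: PtrResolver,
                 noreverse: bool = False, exclude: Optional[str] = None) -> List[str]:
    """FINAL RESULTS (1) and (2): from reverse lookups on the netranges, or,
    with --noreverse, from the earlier results only."""
    if noreverse:
        return ip_blocks(ips)
    return ip_blocks(reverse_lookup(class_c_ranges(ips), domain, ptr, exclude))


if __name__ == "__main__":
    for block in final_blocks("example.com", DISCOVERED_IPS, fake_ptr, exclude=EXCLUDE_REGEXP):
        print(block)  # the lines that would go into domain_ips.txt
```

On the constructed data the reverse sweep adds web2.example.com and bastion.example.com, which none of the forward steps found, drops the ISP gateway because its PTR is outside the domain, and drops the dynamic-looking name because of the -e pattern. With --noreverse the blocks are just the four forward-resolved addresses, which is why the page warns that skipping reverse lookups trades completeness for time.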


Special thanks to the Perl and module developers.

Filip Waeytens
tix


SNMPEnum (download)

WHAT YOU NEED:
_____________

- Perl (if you're on Windows, check out ActiveState Perl)
- the Net::SNMP module (install from CPAN)
- brains
- a target which runs SNMP and supports v2

HOWDUZZITWORK?:
______________

- It's basically an SNMP table dump. I included a couple of OIDs which might be interesting.

- "perl snmpenum.pl <IP> <COMMUNITY> <FILE>"

If you don't know what IP or community is, RTFM.

The FILE consists of 3 tab-delimited values:
The first value can be ignored; it's just a system description, which
I was gonna use later but I got lazy and... I just left it like that :)
The second value is a description of the OID table, which is the third value.
I provided 3 example files which already give some useful info.
If the output is empty it mostly means the MIB is not supported.

You can make your own file by just doing an snmpwalk, getting the OIDs you need and dumping them in a file of the same format.
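The FILE format and the table dump it drives, as an added example in Python (snmpenum itself is Perl on top of Net::SNMP; this is not its code). The sample file, the in-memory MIB and the getnext stand-in are constructed so the walk runs offline; against a real agent the getnext callback would send SNMP GETNEXT (or GETBULK with v2c) to UDP/161 with the community string, which travels in cleartext in v1 and v2c.

```python
"""Parse snmpenum's 3-column FILE and perform the table dump it drives.

Added example (Python, not snmpenum's Perl). The agent is a constructed
in-memory MIB so the walk runs offline; on a real target the getnext
callback would issue SNMP GETNEXT/GETBULK requests.
"""
import bisect
from typing import Callable, Dict, List, Optional, Tuple

Oid = Tuple[int, ...]
GetNext = Callable[[Oid], Optional[Tuple[Oid, object]]]

# Constructed FILE in the format the README describes:
#   <system description, ignored>\t<table description>\t<base OID>
SAMPLE_FILE = (
    "Generic\tSystem description (sysDescr)\t1.3.6.1.2.1.1.1\n"
    "Generic\tInterface names (ifDescr)\t1.3.6.1.2.1.2.2.1.2\n"
    "Generic\tHost resources (hrSystem)\t1.3.6.1.2.1.25.1\n"
    "Broken\tonly two columns here\n"
)


def parse_oid(text: str) -> Oid:
    """Dotted-decimal OID to a tuple; tuples compare in SNMP lexicographic order."""
    parts = text.strip().lstrip(".").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"invalid OID: {text!r}")
    return tuple(int(p) for p in parts)


def parse_file(text: str) -> List[Tuple[str, Oid]]:
    """Return (table description, base OID) per usable line. The first column
    is skipped, as the README says; malformed lines are skipped rather than
    aborting the dump (this example's choice)."""
    entries: List[Tuple[str, Oid]] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        cols = raw.split("\t")
        if len(cols) != 3:
            continue
        _sysdesc, desc, oid = cols
        entries.append((desc.strip(), parse_oid(oid)))
    return entries


# Constructed agent MIB (assumption): what a small Linux router might answer.
FAKE_MIB: Dict[Oid, object] = {
    (1, 3, 6, 1, 2, 1, 1, 1, 0): "Linux rtr1 5.10.0",        # sysDescr.0
    (1, 3, 6, 1, 2, 1, 1, 5, 0): "rtr1",                     # sysName.0
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 1): "lo",                 # ifDescr.1
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 2): "eth0",               # ifDescr.2
    (1, 3, 6, 1, 2, 1, 2, 2, 1, 2, 3): "eth1",               # ifDescr.3
    (1, 3, 6, 1, 2, 1, 7, 5, 1, 2, 0, 0, 0, 0, 161): 161,    # udpLocalPort.0.0.0.0.161
    (1, 3, 6, 1, 2, 1, 31, 1, 1, 1, 1, 1): "lo",             # ifName.1
}
_SORTED_OIDS = sorted(FAKE_MIB)


def fake_getnext(oid: Oid) -> Optional[Tuple[Oid, object]]:
    """Emulate GETNEXT: the first instance lexicographically after `oid`,
    or None at the end of the MIB view."""
    i = bisect.bisect_right(_SORTED_OIDS, oid)
    if i == len(_SORTED_OIDS):
        return None
    return _SORTED_OIDS[i], FAKE_MIB[_SORTED_OIDS[i]]


def walk(base: Oid, getnext: GetNext) -> Dict[Oid, object]:
    """The table dump itself: GETNEXT from the base OID until the reply leaves
    the subtree. An empty result means the agent has no instances under the
    base, i.e. the MIB is not supported (as the README notes)."""
    out: Dict[Oid, object] = {}
    cur = base
    while True:
        res = getnext(cur)
        if res is None:
            break
        oid, value = res
        if oid[:len(base)] != base:
            break                      # walked out of the table
        if oid <= cur:                 # guard against a misbehaving agent
            raise RuntimeError(f"non-increasing OID from agent: {oid}")
        out[oid] = value
        cur = oid
    return out


def dump(file_text: str, getnext: GetNext) -> Dict[str, Dict[Oid, object]]:
    """Run every table listed in the FILE against the agent."""
    return {desc: walk(base, getnext) for desc, base in parse_file(file_text)}


if __name__ == "__main__":
    for desc, rows in dump(SAMPLE_FILE, fake_getnext).items():
        print(f"== {desc} ==" + ("" if rows else " (empty: MIB probably not supported)"))
        for oid, value in rows.items():
            print(".".join(map(str, oid)), value)
```

The walk stops as soon as GETNEXT returns an OID outside the requested subtree, which is also how an unsupported MIB shows up: the first reply already lies past the base, so the table comes back empty, matching the README's remark about empty output. The non-increasing-OID check is there because a buggy agent that returns the same or an earlier OID would otherwise loop forever.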

SOWHYIZZITUSEFUL?
________________

- If you don't think it's useful, .... don't use it.

------
Filip