自写子域名爆破脚本


个人最近由于各种原因,需要自写子域名爆破脚本

把能用的前期简易脚本分享于此，缺少的 txt 字典文件请自行补充：

#!/usr/bin/env python
# -*- encoding: utf-8 -*-

from multiprocessing import Pool
import gevent
from gevent import monkey, pool

# Patch the stdlib (socket & co.) before dns.resolver and the rest are
# imported, so the blocking calls the resolver makes yield to other
# greenlets in the gevent pools used further down.
monkey.patch_all()

import dns.resolver
import time
import codecs


# 去除左边和右边的
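# Strip a URL scheme and surrounding whitespace from one input line.
def left_rigth_strip(before_strip_str):
    """Return *before_strip_str* without an ``http://``/``https://`` scheme
    and without leading/trailing whitespace (including the newline that
    ``readlines()`` leaves on every line).

    Args:
        before_strip_str: one raw line from a dictionary file.

    Returns:
        The cleaned string; an empty or whitespace-only line yields ``""``.
    """
    if not before_strip_str:
        return before_strip_str
    cleaned = before_strip_str.replace("https://", "").replace("http://", "")
    # Strip on every line, not only on those that carried a scheme: a bare
    # "example.com\n" used to keep its trailing newline, which then ended
    # up inside the labels of the generated DNS queries.
    return cleaned.strip()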


# 载入相关后缀200余个
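# Load the suffix list (roughly 200 entries) used to find root domains.
def load_suffix(path="dict/suffix.txt"):
    """Read suffixes from *path*, one per line.

    Each entry is returned as written and, when it differs, in lower case,
    so membership tests work for either spelling.  Blank lines are skipped
    and duplicates are dropped while keeping first-seen order (the original
    appended every entry twice when it was already lower case).

    Args:
        path: suffix file; defaults to the original hard-coded location.

    Returns:
        list[str] of suffixes.
    """
    suffixes = []
    seen = set()
    with open(path, "r", encoding="utf-8") as f:
        for line in f:
            raw = line.strip()
            if not raw:
                continue
            for variant in (raw, raw.lower()):
                if variant not in seen:
                    seen.add(variant)
                    suffixes.append(variant)
    return suffixes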


# 得到根domain
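# Reduce a (possibly URL-like) host name to its root domain.
def get_root_domain(domain, suffixes=None):
    """Return the root domain of *domain*.

    ``www.example.com`` -> ``example.com``; when the second-to-last label
    is a known suffix (``example.com.cn``) three labels are kept instead.

    Args:
        domain: host name or URL line; cleaned with ``left_rigth_strip``.
        suffixes: suffix collection to consult; defaults to the module-level
            ``suffix_list`` that ``__main__`` loads.

    Returns:
        The root domain, or the cleaned input unchanged when it has fewer
        labels than the rule needs (the original raised IndexError there).
    """
    if suffixes is None:
        suffixes = suffix_list
    domain = left_rigth_strip(domain).strip()
    labels = domain.split(".")
    if len(labels) < 2:
        return domain
    # A suffix in second-to-last position needs a third label to be the
    # registrable name; without one, fall back to the plain two-label form.
    if len(labels) >= 3 and labels[-2] in suffixes:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])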


# 载入dns domains
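# Load the DNS servers (one address per line) that queries are sent to.
def load_dns_domains(path="dict/dns_domains.txt"):
    """Read nameserver addresses from *path*.

    Lines are cleaned with ``left_rigth_strip`` and blank lines are
    skipped, so an empty line no longer becomes a ``""`` nameserver.

    Args:
        path: file of DNS server addresses; defaults to the original path.

    Returns:
        list[str] of addresses in file order.
    """
    domains = []
    with open(path, "r", encoding="utf-8") as f:
        for line in f:
            domain = left_rigth_strip(line).strip()
            if domain:
                domains.append(domain)
    return domains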


# 载入target domains
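# Load the targets and collapse each one to its root domain.
def load_target_domains(path="dict/domains.txt"):
    """Read target host names from *path* and return their root domains.

    Each line is cleaned with ``left_rigth_strip`` and reduced with
    ``get_root_domain``; blank lines are skipped and a root that occurs
    more than once is returned only once, in first-seen order, so the
    same target is not scanned twice.

    Args:
        path: target list; defaults to the original hard-coded path.

    Returns:
        list[str] of unique root domains.
    """
    roots = []
    seen = set()
    with open(path, "r", encoding="utf-8") as f:
        for line in f:
            domain = left_rigth_strip(line).strip()
            if not domain:
                continue
            root = get_root_domain(domain)
            if root not in seen:
                seen.add(root)
                roots.append(root)
    return roots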


# 载入爆破dict
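# Load the subdomain prefix wordlist.
def load_domain_dict(path="dict/domain_dict.txt"):
    """Read subdomain prefixes from *path*, one per line.

    Surrounding whitespace is removed and blank lines are skipped (a blank
    prefix would have produced a ``.example.com`` query).

    Args:
        path: wordlist file; defaults to the original hard-coded path.

    Returns:
        list[str] of prefixes in file order.
    """
    domain_dict = []
    with open(path, "r", encoding="utf-8") as f:
        for line in f:
            prefix = line.strip()
            if prefix:
                domain_dict.append(prefix)
    return domain_dict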


# 请求dns服务器 查看域名是否存在
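# Ask the configured DNS servers whether *domain* resolves.
def domain_query(domain=None, dns_servers=None):
    """Resolve *domain* and record it in ``domain_results`` when it exists.

    Args:
        domain: fully qualified name to look up; ``None``/empty returns False.
        dns_servers: nameserver addresses.  When ``None`` the resolver keeps
            its own defaults instead of being assigned ``None`` as before.

    Returns:
        True when an answer was received, False on NXDOMAIN, timeout or any
        other resolver error.
    """
    if not domain:
        return False
    resolver = dns.resolver.Resolver()
    resolver.lifetime = resolver.timeout = 6.0
    if dns_servers:
        resolver.nameservers = list(dns_servers)
    try:
        ans = resolver.query(domain)
    # Only resolver errors are expected; the original bare ``except`` also
    # swallowed KeyboardInterrupt/SystemExit and hid programming errors.
    except dns.exception.DNSException:
        return False
    if not ans:
        return False
    print(domain)
    domain_results.add(domain)
    return True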


def test(domain):
    print(domain)


# 扫描每个目标的子域名
# Scan one target: one greenlet per prefix from the wordlist.
def scan_subdomain(domain):
    """Fan out over every prefix in the module-level ``domain_dicts``.

    Builds ``<prefix>.<domain>`` for each wordlist entry, runs ``test`` on
    it in a gevent pool of five and waits for all greenlets to finish.
    NOTE(review): this spawns ``test`` (print only), not ``domain_query``,
    so nothing in this path adds to ``domain_results``.
    """
    workers = pool.Pool(size=5)
    jobs = []
    for prefix in domain_dicts:
        candidate = prefix + "." + domain
        jobs.append(workers.spawn(test, candidate))
    gevent.joinall(jobs)


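if __name__ == '__main__':
    start_time = time.time()

    # Shared state read by the worker functions.  Module-level assignments
    # are already global, so the ``global`` statements the original had
    # here were no-ops and are dropped.
    domain_results = set()
    suffix_list = load_suffix()
    domain_dicts = load_domain_dict()  # prefix wordlist (author notes ~2s)
    dns_servers = load_dns_domains()

    domain_pool = pool.Pool(5)
    domains = load_target_domains()  # root domains of the targets
    gevent_list = [domain_pool.spawn(scan_subdomain, domain) for domain in domains]
    gevent.joinall(gevent_list)

    # Persist the results; sorted so the file is stable between runs.
    # ``with`` closes the file, so the extra ``f.close()`` is gone.
    with open("domain_results.txt", "w", encoding="utf-8") as f:
        for domain_result in sorted(domain_results):
            f.write(domain_result + "\n")

    end_time = time.time()
    print(end_time - start_time)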

2020.1.1
