Python 实现子域名查询与爆破
该工具第一是查询执行参数-a Search xxx.com第二是爆破-a Blast domain wordlist,工具同样可以使用DNS域名的枚举,和上面的区别就在于该方法使用了DNS迭代查询.
Web子域名查询: 该工具第一是查询执行参数-a Search xxx.com第二是爆破-a Blast domain wordlist
import requests
import re,linecache,argparse
head={'user-agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36'}
def Banner():
print(" _ ____ _ _ ")
print(" | | _ _/ ___|| |__ __ _ _ __| | __")
print(" | | | | | \___ \| '_ \ / _` | '__| |/ /")
print(" | |__| |_| |___) | | | | (_| | | | < ")
print(" |_____\__, |____/|_| |_|\__,_|_| |_|\_\\")
print(" |___/ \n")
print("E-Mail: me@lyshark.com")
# 查询子域名
def SearchDomain(domain):
url = "https://crt.sh/?q=" + domain
try:
req = requests.get(url=url,headers=head,timeout=10)
result = re.findall('<TD>(.*?)</TD>\n <TD><A',req.text,re.S)
for item in result:
print(item)
except Exception:
pass
def VisitWeb(prefix,domain):
try:
url = "https://{}.{}".format(prefix,domain)
ret = requests.get(url=url, headers=head, timeout=1)
if(ret.status_code == 200):
return 1
else:
return 0
except:
return 0
# 爆破子域名
def BlastWeb(domain,wordlist):
forlen = len(linecache.getlines(wordlist))
fp = open(wordlist,"r+")
for i in range(0,forlen):
main = str(fp.readline().split()[0])
if VisitWeb(main, domain) != 0:
print("旁站: {}.{} 存在".format(main,domain))
if __name__ == "__main__":
Banner()
def RunCMD(argc, args):
if (argc == "Search"):
SearchDomain(args[0])
elif (argc == "Blast"):
SubDomain = args[0]
WordList = args[1]
BlastWeb(SubDomain,WordList)
Usage = "[*] Usage : main.py -a [Search | Blast] xxx.com"
parser = argparse.ArgumentParser(usage=Usage)
parser.add_argument("-a",dest="RunCMD",help="查询子域名命令")
args = parser.parse_args()
if args.RunCMD:
argc = args.RunCMD
RunCMD(argc,args)
else:
parser.print_help()
通过DNS爆破子域名: 该工具同样可以使用DNS域名的枚举,和上面的区别就在于该方法使用了DNS迭代查询.
import threading
import argparse
from queue import Queue
import dns.resolver
class BlastDNSDomain(threading.Thread):
def __init__(self,queue,result):
threading.Thread.__init__(self)
self._queue = queue
self.result = result
def run(self):
while not self._queue.empty():
SubDomain = self._queue.get_nowait()
try:
result =dns.resolver.query(SubDomain,'A')
if result.response.answer:
self.result.append(SubDomain)
print("[+] {}".format(SubDomain))
except Exception:
pass
def Banner():
print(" _ ____ _ _ ")
print(" | | _ _/ ___|| |__ __ _ _ __| | __")
print(" | | | | | \___ \| '_ \ / _` | '__| |/ /")
print(" | |__| |_| |___) | | | | (_| | | | < ")
print(" |_____\__, |____/|_| |_|\__,_|_| |_|\_\\")
print(" |___/ \n")
print("E-Mail: me@lyshark.com")
if __name__ == "__main__":
Banner()
Usage = "main.py -d xxx.com -w dict.log -t 5"
parser = OptionParser(usage=Usage)
parser.add_argument("-d", "--domain", dest="Domain", help="Specify subdomain format")
parser.add_argument("-w", "--wordlist", dest="WordList", help="Specify a dictionary file")
parser.add_argument("-t", "--ThreadCount", dest="ThreadCount", help="Specify the number of execution threads")
args = parser.parse_args()
if args.Domain and args.WordList and args.ThreadCount:
queue = Queue()
result = []
with open(args.WordList) as fp:
for item in fp:
queue.put(item.rstrip() + '.' + args.Domain)
threads = []
for item in range(int(args.ThreadCount)):
threads.append(BlastDNSDomain(queue, result))
for t in threads:
t.start()
for t in threads:
t.join()
print("所有DNS域名: {}".format(set(result)))
else:
parser.print_help()
文章出处:https://www.cnblogs.com/LyShark/p/9102655.html
本博客所有文章除特别声明外,均采用 BY-NC-SA 许可协议。转载请注明出处!
本博客所有文章除特别声明外,均采用 BY-NC-SA 许可协议。转载请注明出处!
分类:
《Python 编程技术实践》
标签:
Python 安全编程
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· Linux系列:如何用 C#调用 C方法造成内存泄露
· AI与.NET技术实操系列(二):开始使用ML.NET
· 记一次.NET内存居高不下排查解决与启示
· 探究高空视频全景AR技术的实现原理
· 理解Rust引用及其生命周期标识(上)
· DeepSeek 开源周回顾「GitHub 热点速览」
· 物流快递公司核心技术能力-地址解析分单基础技术分享
· .NET 10首个预览版发布:重大改进与新特性概览!
· AI与.NET技术实操系列(二):开始使用ML.NET
· 单线程的Redis速度为什么快?