import optparse
from domain_dnsrecords import fetch_dns_records,parse_dns_records
import requests
from termcolor import colored
parser = optparse.OptionParser()
# Both inputs default to the sentinel string "spam"; the dispatch code at the
# bottom of the file reads that value as "option not supplied".
for _flags, _dest, _help in (
        (('-e', '--email_file'), 'emailfile', "File containing list of Email ids"),
        (('-s', '--subdomain_file'), 'subdomain_file', "File containing list of subdomains."),
):
    parser.add_option(*_flags, action="store", dest=_dest, help=_help, default="spam")
class style:
    """ANSI SGR escape sequences used to emphasise console output."""

    BOLD, END = '\033[1m', '\033[0m'  # bold on / reset all attributes
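def run_active(filename, entity):
    """Actively probe a list of targets for signs of subdomain takeover.

    Args:
        filename: path to a text file with one entry per line.
        entity: "subdomains" runs the CNAME + HTTP(S) probe described below;
            "emails" is not implemented and only prints a notice. Any other
            value does nothing.

    Returns:
        None. All results are written to stdout.

    Detection logic, per subdomain: look up its CNAME; if one exists, request
    http:// and https:// on the name and record a 403/404 as a takeover
    candidate, on the theory that the CNAME points at a third-party service
    that has no mapping for this hostname. This is only a heuristic: any
    403/404 on a CNAME'd host is flagged, so every hit needs manual
    confirmation against the CNAME target (does it resolve, which provider,
    does that provider's "unclaimed" page match).
    """
    counter = 0
    if entity == "subdomains":
        hosts_with_http_or_https = []  # collected but not reported
        might_be_vuln = []
        # Read the target list up front; the file is closed before any network
        # work starts. Blank lines are dropped because an empty hostname would
        # turn into a bogus "http://" request.
        with open(filename, 'r') as fh:
            subdomain_list = [line.strip() for line in fh if line.strip()]
        print(colored(style.BOLD + "\n[+] Running Active Scan on " + str(len(subdomain_list)) + " subdomains" + style.END, 'green'))
        print("\n")
        for x in subdomain_list:
            recrd = fetch_dns_records(x, "CNAME")
            print(x + ": " + str(recrd))
            # NOTE(review): this sentinel test depends on what fetch_dns_records
            # returns (substring match on a str vs. membership on a list) - confirm.
            if "No Records Found" not in recrd:
                for scheme in ("http", "https"):
                    url = "%s://%s" % (scheme, x)
                    try:
                        # Redirects are followed (requests' default), so the
                        # status code is that of the final hop; a redirect back
                        # to the apex can hide the third-party service's own 404.
                        req = requests.get(url, timeout=5)
                    except requests.exceptions.RequestException as exc:
                        # Only network/HTTP-layer failures are best-effort;
                        # KeyboardInterrupt and bugs in this loop must propagate.
                        # An unreachable or unresolvable CNAME target is itself
                        # a takeover signal, so report it rather than drop it.
                        print(colored("[-] %s - %s:\tno response (%s)" % (scheme.upper(), x, exc.__class__.__name__), 'red'))
                        continue
                    print(colored("[+] " + scheme.upper() + " - " + str(x) + ":\t" + str(req.status_code), 'green'))
                    # A 403/404 from a host that CNAMEs elsewhere suggests a
                    # third-party app with no mapping for this hostname.
                    if req.status_code in (404, 403):
                        # Same record shape for both schemes: scheme, host, CNAME
                        # data, status (the HTTPS entry used to omit the last two).
                        might_be_vuln.append([scheme, x, recrd, req.status_code])
                    hosts_with_http_or_https.append(url)
            else:
                counter = counter + 1
        print(colored(style.BOLD + "\n[+] No CNAME record found for " + str(counter) + " subdomains \n" + style.END, 'green'))
        if might_be_vuln:
            print("Following subdomains are affected by Subdomain Take Over Vulnerability\n")
            for x in might_be_vuln:
                print(x)
        else:
            print("No subdomains are affected by Subdomain Take Over Vulnerability\n")
    elif entity == "emails":
        print("Work in Progress")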
options, args = parser.parse_args()
emailfile = options.emailfile
subdomain_file = options.subdomain_file
# "spam" is the parser's "not supplied" sentinel. The email list takes
# precedence: when both options are given the subdomain file is ignored.
# NOTE(review): this runs at import time; wrap it in an
# ``if __name__ == "__main__":`` guard if the module is ever imported.
if emailfile != 'spam':
    filename, entity = emailfile, "emails"
elif subdomain_file != 'spam':
    filename, entity = subdomain_file, "subdomains"
else:
    filename = entity = None
if filename is None:
    print('Please pass filename')
else:
    run_active(filename, entity)