Import upstream version 1.0.0+git20210910
Kali Janitor
1 year, 7 months ago
0 | Metadata-Version: 2.1 | |
1 | Name: py-altdns | |
2 | Version: 1.0.2 | |
3 | Summary: Generates permutations, alterations and mutations of subdomains and then resolves them. | |
4 | Home-page: https://github.com/infosec-au/altdns | |
5 | Author: Shubham Shah | |
6 | Author-email: [email protected] | |
7 | License: UNKNOWN | |
8 | Platform: UNKNOWN | |
9 | Classifier: Programming Language :: Python :: 3.9 | |
10 | Classifier: License :: OSI Approved :: Apache Software License | |
11 | Classifier: Operating System :: OS Independent | |
12 | Classifier: Topic :: Security | |
13 | Description-Content-Type: text/markdown | |
14 | License-File: LICENSE | |
15 | ||
16 | # Altdns - Subdomain discovery through alterations and permutations | |
17 | ||
18 | Altdns is a DNS recon tool that allows for the discovery of subdomains that conform to patterns. Altdns takes in words that could be present in subdomains under a domain (such as test, dev, staging) as well as takes in a list of subdomains that you know of. | |
19 | ||
20 | From these two lists that are provided as input to altdns, the tool then generates a _massive_ output of "altered" or "mutated" potential subdomains that could be present. It saves this output so that it can then be used by your favourite DNS bruteforcing tool. | |
21 | ||
22 | Alternatively, the `-r` flag can be passed to altdns so that once this output is generated, the tool can then resolve these subdomains (multi-threaded) and save the results to a file. | |
23 | ||
24 | Altdns works best with large datasets. Having an initial dataset of 200 or more subdomains should churn out some valid subdomains via the alterations generated. | |
25 | ||
26 | Further information on attack methodology and this tool release can be found here: https://docs.google.com/presentation/d/1PCnjzCeklOeGMoWiE2IUzlRGOBxNp8K5hLQuvBNzrFY/ | |
27 | ||
28 | # Installation | |
29 | ||
30 | Python 2: | |
31 | ||
32 | `pip install py-altdns==1.0.0` | |
33 | ||
34 | Python 3: | |
35 | ||
36 | `pip3 install py-altdns==1.0.2` | |
37 | ||
38 | # Usage | |
39 | ||
40 | `# altdns -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt` | |
41 | ||
42 | - `subdomains.txt` contains the known subdomains for an organization | |
43 | - `data_output` is a file that will contain the _massive_ list of altered and permuted subdomains | |
44 | - `words.txt` is your list of words that you'd like to permute your current subdomains with (i.e. `admin`, `staging`, `dev`, `qa`) - one word per line | |
45 | - the `-r` command resolves each generated, permuted subdomain | |
46 | - the `-s` command tells altdns where to save the results of the resolved permuted subdomains. `results_output.txt` will contain the final list of permuted subdomains found that are valid and have a DNS record. | |
47 | - the `-t` command limits how many threads the resolver will use simultaneously | |
48 | - `-d 1.2.3.4` overrides the system default DNS resolver and will use the specified IP address as the resolving server. Setting this to the authoritative DNS server of the target domain *may* increase resolution performance | |
49 | ||
50 | # Screenshots | |
51 | ||
52 | <img src="https://i.imgur.com/fkfZqkl.png" width="600px"/> | |
53 | ||
54 | <img src="https://i.imgur.com/Jyfue26.png" width="600px"/> | |
55 | ||
56 | # Show some love | |
57 | ||
58 | If this tool was useful at all to you during DNS recon stages - we'd love to know. Any suggestions or ideas for this tool are welcome - just tweet [@infosec_au](https://twitter.com/infosec_au) or [@nnwakelam](https://twitter.com/nnwakelam) and we'll work on it. | |
59 | ||
60 |
11 | 11 | |
12 | 12 | # Installation |
13 | 13 | |
14 | `pip install py-altdns` | |
14 | Python 2: | |
15 | ||
16 | `pip install py-altdns==1.0.0` | |
17 | ||
18 | Python 3: | |
19 | ||
20 | `pip3 install py-altdns==1.0.2` | |
15 | 21 | |
16 | 22 | # Usage |
17 | 23 |
6 | 6 | import time |
7 | 7 | import datetime |
8 | 8 | from threading import Lock |
9 | from queue import Queue as Queue | |
9 | try: | |
10 | import Queue as queue | |
11 | except ImportError: | |
12 | import queue as queue | |
10 | 13 | |
11 | 14 | import tldextract |
12 | 15 | from tldextract.tldextract import LOG |
41 | 44 | # save full URL as line in file |
42 | 45 | full_url = "{0}.{1}.{2}\n".format( |
43 | 46 | actual_sub, ext.domain, ext.suffix) |
44 | if actual_sub[-1:] is not ".": | |
47 | if actual_sub[-1:] != ".": | |
45 | 48 | write_domain(args, wp, full_url) |
46 | 49 | current_sub.pop(index) |
47 | 50 | current_sub.append(word.strip()) |
98 | 101 | # save full URL as line in file |
99 | 102 | full_url = "{0}.{1}.{2}\n".format( |
100 | 103 | actual_sub, ext.domain, ext.suffix) |
101 | if len(current_sub[0]) > 0 and actual_sub[:1] is not "-": | |
104 | if len(current_sub[0]) > 0 and actual_sub[:1] != "-": | |
102 | 105 | write_domain(args, wp, full_url) |
103 | 106 | current_sub[index] = original_sub |
104 | 107 | # second dash alteration |
108 | 111 | # save second full URL as line in file |
109 | 112 | full_url = "{0}.{1}.{2}\n".format( |
110 | 113 | actual_sub, ext.domain, ext.suffix) |
111 | if actual_sub[-1:] is not "-": | |
114 | if actual_sub[-1:] != "-": | |
112 | 115 | write_domain(args, wp, full_url) |
113 | 116 | current_sub[index] = original_sub |
114 | 117 | |
164 | 167 | result = list() |
165 | 168 | result.append(target) |
166 | 169 | resolver = dns.resolver.Resolver() |
167 | if(resolverName is not None): #if a DNS server has been manually specified | |
170 | if(resolverName != None): #if a DNS server has been manually specified | |
168 | 171 | resolver.nameservers = [resolverName] |
169 | 172 | try: |
170 | 173 | for rdata in resolver.query(final_hostname, 'CNAME'): |
171 | 174 | result.append(rdata.target) |
172 | 175 | except: |
173 | 176 | pass |
174 | if len(result) is 1: | |
177 | if len(result) == 1: | |
175 | 178 | try: |
176 | 179 | A = resolver.query(final_hostname, "A") |
177 | 180 | if len(A) > 0: |
244 | 247 | |
245 | 248 | |
246 | 249 | def main(): |
247 | q = Queue() | |
250 | q = queue.Queue() | |
248 | 251 | |
249 | 252 | parser = argparse.ArgumentParser() |
250 | 253 | parser.add_argument("-i", "--input", |
290 | 293 | alteration_words = get_alteration_words(args.wordlist) |
291 | 294 | |
292 | 295 | # if we should remove existing, save the output to a temporary file |
293 | if args.ignore_existing is True: | |
296 | if args.ignore_existing == True: | |
294 | 297 | args.output_tmp = args.output + '.tmp' |
295 | 298 | else: |
296 | 299 | args.output_tmp = args.output |
300 | 303 | |
301 | 304 | insert_all_indexes(args, alteration_words) |
302 | 305 | insert_dash_subdomains(args, alteration_words) |
303 | if args.add_number_suffix is True: | |
306 | if args.add_number_suffix == True: | |
304 | 307 | insert_number_suffix_subdomains(args, alteration_words) |
305 | 308 | join_words_subdomains(args, alteration_words) |
306 | 309 | |
307 | 310 | threadhandler = [] |
308 | 311 | |
309 | 312 | # Removes already existing + dupes from output |
310 | if args.ignore_existing is True: | |
313 | if args.ignore_existing == True: | |
311 | 314 | remove_existing(args) |
312 | 315 | else: |
313 | 316 | remove_duplicates(args) |
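Review bot: The rewritten check `if(resolverName != None):` at new line 170 swaps a correct identity test for an equality test; comparisons against `None` should stay `if resolverName is not None:`. The same pattern recurs in `main()` at new lines 296, 306 and 313, where `args.ignore_existing == True` and `args.add_number_suffix == True` can simply be `if args.ignore_existing:` and `if args.add_number_suffix:` (the parser definitions are outside the hunk, but these read as store_true flags). The `is` → `!=` changes on the string slices at new lines 47, 104 and 114 are the right fix, since identity comparison of one-character strings was never guaranteed. The enclosing functions start and end outside these hunks; separately, the unchanged bare `except: pass` around `resolver.query` at new lines 175–176 swallows every error, including an unreachable `-d` server and KeyboardInterrupt, so narrowing it to `except dns.exception.DNSException:` would be a worthwhile follow-up.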
0 | Metadata-Version: 2.1 | |
1 | Name: py-altdns | |
2 | Version: 1.0.2 | |
3 | Summary: Generates permutations, alterations and mutations of subdomains and then resolves them. | |
4 | Home-page: https://github.com/infosec-au/altdns | |
5 | Author: Shubham Shah | |
6 | Author-email: [email protected] | |
7 | License: UNKNOWN | |
8 | Platform: UNKNOWN | |
9 | Classifier: Programming Language :: Python :: 3.9 | |
10 | Classifier: License :: OSI Approved :: Apache Software License | |
11 | Classifier: Operating System :: OS Independent | |
12 | Classifier: Topic :: Security | |
13 | Description-Content-Type: text/markdown | |
14 | License-File: LICENSE | |
15 | ||
16 | # Altdns - Subdomain discovery through alterations and permutations | |
17 | ||
18 | Altdns is a DNS recon tool that allows for the discovery of subdomains that conform to patterns. Altdns takes in words that could be present in subdomains under a domain (such as test, dev, staging) as well as takes in a list of subdomains that you know of. | |
19 | ||
20 | From these two lists that are provided as input to altdns, the tool then generates a _massive_ output of "altered" or "mutated" potential subdomains that could be present. It saves this output so that it can then be used by your favourite DNS bruteforcing tool. | |
21 | ||
22 | Alternatively, the `-r` flag can be passed to altdns so that once this output is generated, the tool can then resolve these subdomains (multi-threaded) and save the results to a file. | |
23 | ||
24 | Altdns works best with large datasets. Having an initial dataset of 200 or more subdomains should churn out some valid subdomains via the alterations generated. | |
25 | ||
26 | Further information on attack methodology and this tool release can be found here: https://docs.google.com/presentation/d/1PCnjzCeklOeGMoWiE2IUzlRGOBxNp8K5hLQuvBNzrFY/ | |
27 | ||
28 | # Installation | |
29 | ||
30 | Python 2: | |
31 | ||
32 | `pip install py-altdns==1.0.0` | |
33 | ||
34 | Python 3: | |
35 | ||
36 | `pip3 install py-altdns==1.0.2` | |
37 | ||
38 | # Usage | |
39 | ||
40 | `# altdns -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt` | |
41 | ||
42 | - `subdomains.txt` contains the known subdomains for an organization | |
43 | - `data_output` is a file that will contain the _massive_ list of altered and permuted subdomains | |
44 | - `words.txt` is your list of words that you'd like to permute your current subdomains with (i.e. `admin`, `staging`, `dev`, `qa`) - one word per line | |
45 | - the `-r` command resolves each generated, permuted subdomain | |
46 | - the `-s` command tells altdns where to save the results of the resolved permuted subdomains. `results_output.txt` will contain the final list of permuted subdomains found that are valid and have a DNS record. | |
47 | - the `-t` command limits how many threads the resolver will use simultaneously | |
48 | - `-d 1.2.3.4` overrides the system default DNS resolver and will use the specified IP address as the resolving server. Setting this to the authoritative DNS server of the target domain *may* increase resolution performance | |
49 | ||
50 | # Screenshots | |
51 | ||
52 | <img src="https://i.imgur.com/fkfZqkl.png" width="600px"/> | |
53 | ||
54 | <img src="https://i.imgur.com/Jyfue26.png" width="600px"/> | |
55 | ||
56 | # Show some love | |
57 | ||
58 | If this tool was useful at all to you during DNS recon stages - we'd love to know. Any suggestions or ideas for this tool are welcome - just tweet [@infosec_au](https://twitter.com/infosec_au) or [@nnwakelam](https://twitter.com/nnwakelam) and we'll work on it. | |
59 | ||
60 |
0 | LICENSE | |
1 | README.md | |
2 | setup.py | |
3 | altdns/__init__.py | |
4 | altdns/__main__.py | |
5 | py_altdns.egg-info/PKG-INFO | |
6 | py_altdns.egg-info/SOURCES.txt | |
7 | py_altdns.egg-info/dependency_links.txt | |
8 | py_altdns.egg-info/entry_points.txt | |
9 | py_altdns.egg-info/requires.txt | |
10 | py_altdns.egg-info/top_level.txt⏎ |
0 | altdns |
4 | 4 | |
5 | 5 | setuptools.setup( |
6 | 6 | name="py-altdns", |
7 | version="1.0.0", | |
7 | version="1.0.2", | |
8 | 8 | author="Shubham Shah", |
9 | 9 | author_email="[email protected]", |
10 | 10 | description="Generates permutations, alterations and mutations of subdomains and then resolves them.", |
19 | 19 | }, |
20 | 20 | install_requires=["tldextract","argparse","termcolor","dnspython"], |
21 | 21 | classifiers=[ |
22 | "Programming Language :: Python :: 2.7", | |
22 | "Programming Language :: Python :: 3.9", | |
23 | 23 | "License :: OSI Approved :: Apache Software License", |
24 | 24 | "Operating System :: OS Independent", |
25 | 25 | "Topic :: Security" |
26 | 26 | ], |
27 | )⏎ | |
27 | ) |
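Review bot: With the classifier moved to `Programming Language :: Python :: 3.9` at new line 22, the unchanged `install_requires=["tldextract","argparse","termcolor","dnspython"]` at line 20 still pulls the third-party `argparse` distribution from PyPI, even though argparse has shipped in the standard library since Python 3.2; it is one more package in the install's supply chain for no benefit. For the 3.x-only target the classifier now declares, `install_requires=["tldextract","termcolor","dnspython"]` is sufficient. If Python 2.7 support is genuinely being kept (the README hunk still documents a Python 2 install of 1.0.0), a `python_requires` argument would state the supported range explicitly instead of leaving it implied by a classifier.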
0 | 1 | |
1 | 10 | |
2 | 11 | |
3 | 12 | |
4 | 13 | |
5 | 14 | |
6 | 15 | |
7 | 16 | |
8 | 17 | |
9 | 18 | |
10 | 19 | |
11 | 2 | |
12 | 20 | |
13 | 2009 | |
14 | 2010 | |
15 | 2011 | |
16 | 2012 | |
17 | 2013 | |
18 | 2014 | |
19 | 2015 | |
20 | 2016 | |
21 | 2017 | |
22 | 2018 | |
23 | 2019 | |
24 | 3 | |
25 | 4 | |
26 | 5 | |
27 | 6 | |
28 | 7 | |
29 | 8 | |
30 | 9 | |
31 | a | |
32 | acc | |
33 | accept | |
34 | accounts | |
35 | admin | |
36 | admin1 | |
37 | administrator | |
38 | akali | |
39 | akamai | |
40 | alpha | |
41 | alt | |
42 | america | |
43 | analytics | |
44 | api | |
45 | api1 | |
46 | api-docs | |
47 | apollo | |
48 | april | |
49 | aws | |
50 | b | |
51 | backend | |
52 | beta | |
53 | billing | |
54 | boards | |
55 | box | |
56 | brand | |
57 | brasil | |
58 | brazil | |
59 | bucket | |
60 | bucky | |
61 | c | |
62 | cdn | |
63 | cf | |
64 | chef | |
65 | ci | |
66 | client | |
67 | cloudfront | |
68 | cms | |
69 | cms1 | |
70 | cn | |
71 | com | |
72 | confluence | |
73 | container | |
74 | control | |
75 | data | |
76 | dec | |
77 | demo | |
78 | dev | |
79 | dev1 | |
80 | developer | |
81 | devops | |
82 | docker | |
83 | docs | |
84 | drop | |
85 | edge | |
86 | elasticbeanstalk | |
87 | elb | |
88 | ||
89 | eng | |
90 | engima | |
91 | engine | |
92 | engineering | |
93 | eu | |
94 | europe | |
95 | europewest | |
96 | euw | |
97 | euwe | |
98 | evelynn | |
99 | events | |
100 | feb | |
101 | fet | |
102 | firewall | |
103 | forms | |
104 | forum | |
105 | frontpage | |
106 | fw | |
107 | games | |
108 | germany | |
109 | gh | |
110 | ghcpi | |
111 | git | |
112 | github | |
113 | global | |
114 | hkg | |
115 | hw | |
116 | hwcdn | |
117 | i | |
118 | ids | |
119 | int | |
120 | internal | |
121 | jenkins | |
122 | jinx | |
123 | july | |
124 | june | |
125 | kor | |
126 | korea | |
127 | kr | |
128 | lan | |
129 | las | |
130 | latin | |
131 | latinamerica | |
132 | lax | |
133 | lax1 | |
134 | lb | |
135 | loadbalancer | |
136 | login | |
137 | machine | |
138 | ||
139 | march | |
140 | merch | |
141 | mirror | |
142 | na | |
143 | nautilus | |
144 | net | |
145 | netherlands | |
146 | nginx | |
147 | nl | |
148 | node | |
149 | northamerica | |
150 | nov | |
151 | oceania | |
152 | oct | |
153 | ops | |
154 | org | |
155 | origin | |
156 | page | |
157 | pantheon | |
158 | pass | |
159 | pay | |
160 | payment | |
161 | pc | |
162 | php | |
163 | pl | |
164 | poland | |
165 | preferences | |
166 | priv | |
167 | private | |
168 | prod | |
169 | production | |
170 | profile | |
171 | profiles | |
172 | promo | |
173 | promotion | |
174 | proxy | |
175 | redirector | |
176 | region | |
177 | repo | |
178 | repository | |
179 | reset | |
180 | restrict | |
181 | restricted | |
182 | reviews | |
183 | s | |
184 | s3 | |
185 | sandbox | |
186 | search | |
187 | secure | |
188 | security | |
189 | sept | |
190 | server | |
191 | service | |
192 | singed | |
193 | skins | |
194 | spring | |
195 | ssl | |
196 | staff | |
197 | stage | |
198 | stage1 | |
199 | staging | |
200 | static | |
201 | support | |
202 | swagger | |
203 | system | |
204 | t | |
205 | train | |
206 | training | |
207 | team | |
208 | test | |
209 | test1 | |
210 | testbed | |
211 | testing | |
212 | testing1 | |
213 | tomcat | |
214 | tpe | |
215 | tr | |
216 | trial | |
217 | tur | |
218 | turk | |
219 | turkey | |
220 | twitch | |
221 | uat | |
222 | v1 | |
223 | v2 | |
224 | vi | |
225 | vpn | |
226 | w3 | |
227 | web | |
228 | web1 | |
229 | webapp | |
230 | westeurope | |
231 | z |
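Review bot: The wordlist contains two empty entries, at lines 88 and 138, which will be consumed as empty alteration words unless the loader drops blank lines; in the `__main__.py` hunk, `current_sub.append(word.strip())` only strips whitespace, so an empty word would produce permutations with an empty label (a doubled dot, or a dash with nothing attached). `get_alteration_words` is not in view, so if it already filters blanks this is moot; otherwise deleting the two blank lines is the simplest fix.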