Commit 10e3f21bb8082e36ae2ae19c08ebcc88db776c8a - altdns

+61

-0

PKG-INFO less more

	0	Metadata-Version: 2.1
	1	Name: py-altdns
	2	Version: 1.0.2
	3	Summary: Generates permutations, alterations and mutations of subdomains and then resolves them.
	4	Home-page: https://github.com/infosec-au/altdns
	5	Author: Shubham Shah
	6	Author-email: [email protected]
	7	License: UNKNOWN
	8	Platform: UNKNOWN
	9	Classifier: Programming Language :: Python :: 3.9
	10	Classifier: License :: OSI Approved :: Apache Software License
	11	Classifier: Operating System :: OS Independent
	12	Classifier: Topic :: Security
	13	Description-Content-Type: text/markdown
	14	License-File: LICENSE
	15
	16	# Altdns - Subdomain discovery through alterations and permutations
	17
	18	Altdns is a DNS recon tool that allows for the discovery of subdomains that conform to patterns. Altdns takes in words that could be present in subdomains under a domain (such as test, dev, staging) as well as takes in a list of subdomains that you know of.
	19
	20	From these two lists that are provided as input to altdns, the tool then generates a _massive_ output of "altered" or "mutated" potential subdomains that could be present. It saves this output so that it can then be used by your favourite DNS bruteforcing tool.
	21
	22	Alternatively, the `-r` flag can be passed to altdns so that once this output is generated, the tool can then resolve these subdomains (multi-threaded) and save the results to a file.
	23
	24	Altdns works best with large datasets. Having an initial dataset of 200 or more subdomains should churn out some valid subdomains via the alterations generated.
	25
	26	Further information on attack methodology and this tool release can be found here: https://docs.google.com/presentation/d/1PCnjzCeklOeGMoWiE2IUzlRGOBxNp8K5hLQuvBNzrFY/
	27
	28	# Installation
	29
	30	Python 2:
	31
	32	`pip install py-altdns==1.0.0`
	33
	34	Python 3:
	35
	36	`pip3 install py-altdns==1.0.2`
	37
	38	# Usage
	39
	40	`# altdns -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt`
	41
	42	- `subdomains.txt` contains the known subdomains for an organization
	43	- `data_output` is a file that will contain the _massive_ list of altered and permuted subdomains
	44	- `words.txt` is your list of words that you'd like to permute your current subdomains with (i.e. `admin`, `staging`, `dev`, `qa`) - one word per line
	45	- the `-r` command resolves each generated, permuted subdomain
	46	- the `-s` command tells altdns where to save the results of the resolved permuted subdomains. `results_output.txt` will contain the final list of permuted subdomains found that are valid and have a DNS record.
	47	- the `-t` command limits how many threads the resolver will use simultaneously
	48	- `-d 1.2.3.4` overrides the system default DNS resolver and will use the specified IP address as the resolving server. Setting this to the authoritative DNS server of the target domain may increase resolution performance
	49
	50	# Screenshots
	51
	52	<img src="https://i.imgur.com/fkfZqkl.png" width="600px"/>
	53
	54	<img src="https://i.imgur.com/Jyfue26.png" width="600px"/>
	55
	56	# Show some love
	57
	58	If this tool was useful at all to you during DNS recon stages - we'd love to know. Any suggestions or ideas for this tool are welcome - just tweet [@infosec_au](https://twitter.com/infosec_au) or [@nnwakelam](https://twitter.com/nnwakelam) and we'll work on it.
	59
	60

+7

-1

README.md less more

11	11
12	12	# Installation
13	13
14		`pip install py-altdns`
	14	Python 2:
	15
	16	`pip install py-altdns==1.0.0`
	17
	18	Python 3:
	19
	20	`pip3 install py-altdns==1.0.2`
15	21
16	22	# Usage
17	23

+13

-10

altdns/__main__.py less more

6	6	import time
7	7	import datetime
8	8	from threading import Lock
9		from queue import Queue as Queue
	9	try:
	10	import Queue as queue
	11	except ImportError:
	12	import queue as queue
10	13
11	14	import tldextract
12	15	from tldextract.tldextract import LOG

41	44	# save full URL as line in file
42	45	full_url = "{0}.{1}.{2}\n".format(
43	46	actual_sub, ext.domain, ext.suffix)
44		if actual_sub[-1:] is not ".":
	47	if actual_sub[-1:] != ".":
45	48	write_domain(args, wp, full_url)
46	49	current_sub.pop(index)
47	50	current_sub.append(word.strip())

98	101	# save full URL as line in file
99	102	full_url = "{0}.{1}.{2}\n".format(
100	103	actual_sub, ext.domain, ext.suffix)
101		if len(current_sub[0]) > 0 and actual_sub[:1] is not "-":
	104	if len(current_sub[0]) > 0 and actual_sub[:1] != "-":
102	105	write_domain(args, wp, full_url)
103	106	current_sub[index] = original_sub
104	107	# second dash alteration

108	111	# save second full URL as line in file
109	112	full_url = "{0}.{1}.{2}\n".format(
110	113	actual_sub, ext.domain, ext.suffix)
111		if actual_sub[-1:] is not "-":
	114	if actual_sub[-1:] != "-":
112	115	write_domain(args, wp, full_url)
113	116	current_sub[index] = original_sub
114	117

164	167	result = list()
165	168	result.append(target)
166	169	resolver = dns.resolver.Resolver()
167		if(resolverName is not None): #if a DNS server has been manually specified
	170	if(resolverName != None): #if a DNS server has been manually specified
168	171	resolver.nameservers = [resolverName]
169	172	try:
170	173	for rdata in resolver.query(final_hostname, 'CNAME'):
171	174	result.append(rdata.target)
172	175	except:
173	176	pass
174		if len(result) is 1:
	177	if len(result) == 1:
175	178	try:
176	179	A = resolver.query(final_hostname, "A")
177	180	if len(A) > 0:

244	247
245	248
246	249	def main():
247		q = Queue()
	250	q = queue.Queue()
248	251
249	252	parser = argparse.ArgumentParser()
250	253	parser.add_argument("-i", "--input",

290	293	alteration_words = get_alteration_words(args.wordlist)
291	294
292	295	# if we should remove existing, save the output to a temporary file
293		if args.ignore_existing is True:
	296	if args.ignore_existing == True:
294	297	args.output_tmp = args.output + '.tmp'
295	298	else:
296	299	args.output_tmp = args.output

300	303
301	304	insert_all_indexes(args, alteration_words)
302	305	insert_dash_subdomains(args, alteration_words)
303		if args.add_number_suffix is True:
	306	if args.add_number_suffix == True:
304	307	insert_number_suffix_subdomains(args, alteration_words)
305	308	join_words_subdomains(args, alteration_words)
306	309
307	310	threadhandler = []
308	311
309	312	# Removes already existing + dupes from output
310		if args.ignore_existing is True:
	313	if args.ignore_existing == True:
311	314	remove_existing(args)
312	315	else:
313	316	remove_duplicates(args)

+61

-0

py_altdns.egg-info/PKG-INFO less more

	0	Metadata-Version: 2.1
	1	Name: py-altdns
	2	Version: 1.0.2
	3	Summary: Generates permutations, alterations and mutations of subdomains and then resolves them.
	4	Home-page: https://github.com/infosec-au/altdns
	5	Author: Shubham Shah
	6	Author-email: [email protected]
	7	License: UNKNOWN
	8	Platform: UNKNOWN
	9	Classifier: Programming Language :: Python :: 3.9
	10	Classifier: License :: OSI Approved :: Apache Software License
	11	Classifier: Operating System :: OS Independent
	12	Classifier: Topic :: Security
	13	Description-Content-Type: text/markdown
	14	License-File: LICENSE
	15
	16	# Altdns - Subdomain discovery through alterations and permutations
	17
	18	Altdns is a DNS recon tool that allows for the discovery of subdomains that conform to patterns. Altdns takes in words that could be present in subdomains under a domain (such as test, dev, staging) as well as takes in a list of subdomains that you know of.
	19
	20	From these two lists that are provided as input to altdns, the tool then generates a _massive_ output of "altered" or "mutated" potential subdomains that could be present. It saves this output so that it can then be used by your favourite DNS bruteforcing tool.
	21
	22	Alternatively, the `-r` flag can be passed to altdns so that once this output is generated, the tool can then resolve these subdomains (multi-threaded) and save the results to a file.
	23
	24	Altdns works best with large datasets. Having an initial dataset of 200 or more subdomains should churn out some valid subdomains via the alterations generated.
	25
	26	Further information on attack methodology and this tool release can be found here: https://docs.google.com/presentation/d/1PCnjzCeklOeGMoWiE2IUzlRGOBxNp8K5hLQuvBNzrFY/
	27
	28	# Installation
	29
	30	Python 2:
	31
	32	`pip install py-altdns==1.0.0`
	33
	34	Python 3:
	35
	36	`pip3 install py-altdns==1.0.2`
	37
	38	# Usage
	39
	40	`# altdns -i subdomains.txt -o data_output -w words.txt -r -s results_output.txt`
	41
	42	- `subdomains.txt` contains the known subdomains for an organization
	43	- `data_output` is a file that will contain the _massive_ list of altered and permuted subdomains
	44	- `words.txt` is your list of words that you'd like to permute your current subdomains with (i.e. `admin`, `staging`, `dev`, `qa`) - one word per line
	45	- the `-r` command resolves each generated, permuted subdomain
	46	- the `-s` command tells altdns where to save the results of the resolved permuted subdomains. `results_output.txt` will contain the final list of permuted subdomains found that are valid and have a DNS record.
	47	- the `-t` command limits how many threads the resolver will use simultaneously
	48	- `-d 1.2.3.4` overrides the system default DNS resolver and will use the specified IP address as the resolving server. Setting this to the authoritative DNS server of the target domain may increase resolution performance
	49
	50	# Screenshots
	51
	52	<img src="https://i.imgur.com/fkfZqkl.png" width="600px"/>
	53
	54	<img src="https://i.imgur.com/Jyfue26.png" width="600px"/>
	55
	56	# Show some love
	57
	58	If this tool was useful at all to you during DNS recon stages - we'd love to know. Any suggestions or ideas for this tool are welcome - just tweet [@infosec_au](https://twitter.com/infosec_au) or [@nnwakelam](https://twitter.com/nnwakelam) and we'll work on it.
	59
	60

+11

-0

py_altdns.egg-info/SOURCES.txt less more

	0	LICENSE
	1	README.md
	2	setup.py
	3	altdns/__init__.py
	4	altdns/__main__.py
	5	py_altdns.egg-info/PKG-INFO
	6	py_altdns.egg-info/SOURCES.txt
	7	py_altdns.egg-info/dependency_links.txt
	8	py_altdns.egg-info/entry_points.txt
	9	py_altdns.egg-info/requires.txt
	10	py_altdns.egg-info/top_level.txt⏎

+1

-0

py_altdns.egg-info/dependency_links.txt less more

0

+3

-0

py_altdns.egg-info/entry_points.txt less more

	0	[console_scripts]
	1	altdns = altdns.__main__:main
	2

+4

-0

py_altdns.egg-info/requires.txt less more

	0	argparse
	1	dnspython
	2	termcolor
	3	tldextract

+1

-0

py_altdns.egg-info/top_level.txt less more

0

altdns

+0

-4

~~requirements.txt~~ less more

0		tldextract
1		argparse
2		termcolor
3		dnspython

+4

-0

setup.cfg less more

	0	[egg_info]
	1	tag_build =
	2	tag_date = 0
	3

+3

-3

setup.py less more

4	4
5	5	setuptools.setup(
6	6	name="py-altdns",
7		version="1.0.0",
	7	version="1.0.2",
8	8	author="Shubham Shah",
9	9	author_email="[email protected]",
10	10	description="Generates permutations, alterations and mutations of subdomains and then resolves them.",

19	19	},
20	20	install_requires=["tldextract","argparse","termcolor","dnspython"],
21	21	classifiers=[
22		"Programming Language :: Python :: 2.7",
	22	"Programming Language :: Python :: 3.9",
23	23	"License :: OSI Approved :: Apache Software License",
24	24	"Operating System :: OS Independent",
25	25	"Topic :: Security"
26	26	],
27		)⏎
	27	)

+0

-232

~~words.txt~~ less more

0		1
1		10
2		11
3		12
4		13
5		14
6		15
7		16
8		17
9		18
10		19
11		2
12		20
13		2009
14		2010
15		2011
16		2012
17		2013
18		2014
19		2015
20		2016
21		2017
22		2018
23		2019
24		3
25		4
26		5
27		6
28		7
29		8
30		9
31		a
32		acc
33		accept
34		accounts
35		admin
36		admin1
37		administrator
38		akali
39		akamai
40		alpha
41		alt
42		america
43		analytics
44		api
45		api1
46		api-docs
47		apollo
48		april
49		aws
50		b
51		backend
52		beta
53		billing
54		boards
55		box
56		brand
57		brasil
58		brazil
59		bucket
60		bucky
61		c
62		cdn
63		cf
64		chef
65		ci
66		client
67		cloudfront
68		cms
69		cms1
70		cn
71		com
72		confluence
73		container
74		control
75		data
76		dec
77		demo
78		dev
79		dev1
80		developer
81		devops
82		docker
83		docs
84		drop
85		edge
86		elasticbeanstalk
87		elb
88		email
89		eng
90		engima
91		engine
92		engineering
93		eu
94		europe
95		europewest
96		euw
97		euwe
98		evelynn
99		events
100		feb
101		fet
102		firewall
103		forms
104		forum
105		frontpage
106		fw
107		games
108		germany
109		gh
110		ghcpi
111		git
112		github
113		global
114		hkg
115		hw
116		hwcdn
117		i
118		ids
119		int
120		internal
121		jenkins
122		jinx
123		july
124		june
125		kor
126		korea
127		kr
128		lan
129		las
130		latin
131		latinamerica
132		lax
133		lax1
134		lb
135		loadbalancer
136		login
137		machine
138		mail
139		march
140		merch
141		mirror
142		na
143		nautilus
144		net
145		netherlands
146		nginx
147		nl
148		node
149		northamerica
150		nov
151		oceania
152		oct
153		ops
154		org
155		origin
156		page
157		pantheon
158		pass
159		pay
160		payment
161		pc
162		php
163		pl
164		poland
165		preferences
166		priv
167		private
168		prod
169		production
170		profile
171		profiles
172		promo
173		promotion
174		proxy
175		redirector
176		region
177		repo
178		repository
179		reset
180		restrict
181		restricted
182		reviews
183		s
184		s3
185		sandbox
186		search
187		secure
188		security
189		sept
190		server
191		service
192		singed
193		skins
194		spring
195		ssl
196		staff
197		stage
198		stage1
199		staging
200		static
201		support
202		swagger
203		system
204		t
205		train
206		training
207		team
208		test
209		test1
210		testbed
211		testing
212		testing1
213		tomcat
214		tpe
215		tr
216		trial
217		tur
218		turk
219		turkey
220		twitch
221		uat
222		v1
223		v2
224		vi
225		vpn
226		w3
227		web
228		web1
229		webapp
230		westeurope
231		z