python编写子域名爆破小工具

字典生成工具编写

这里主要使用的python的exrex模块:

此处有详细介绍,

1
https://github.com/asciimoo/exrex

这个模块的主要功能:

  • 生成所有匹配的字符串
  • 生成随机匹配的字符串
  • 计算匹配字符串的数量
  • 简化正则表达式

安装方法:

1
pip install exrex

我们主要使用该模块的generate()方法。

  • generate(s,limit=20)
  • 函数的作用:创建一个生成器,生成给定正则表达式的所有匹配字符串
  • 参数s:正则表达式
  • limit:范围限制,要求limit的类型为整型数
简单的例子:
1
2
3
4
5
6
7
8
9
import exrex

web_dic='demo'
dic_pass='admin'
rule = '{web_dic}[!@#]{dic_pass}'
s = rule.format(web_dic=web_dic,dic_pass=dic_pass)
dics = list(exrex.generate(s))
for i in dics:
    print i

编写子域名爆破脚本

自己编写的理解脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
import exrex  #导入生成字典模块


def host_replace(hosts):         #域名处理方法
    if '://' in hosts:
        hosts = hosts.split('://')[1]
    if '/' in hosts: 
        hosts = hosts.replace('/','')              
    hosts = "".join(hosts)
    return hosts

def dic_create(hosts):        #子域名字典生成方法
    web_white = ['com', 'cn', 'gov', 'edu', 'org']
    web_dics = hosts.split('.')
    for web_dic in web_dics:
        if web_dic not in web_white:
            f_rule = open('rule.ini', 'r')
            for i in f_rule:
                dics = list(exrex.generate(web_dic+i.strip('\r\n')))
                for dic in dics:
                    if len(dic)>3:
                        dic_out = open('mypass.txt','a+')
                        dic_out.write(dic+'\r\n')
                        dic_out.close()
                        print dic
    f_rule.close()
def main():       #主函数
    hosts = raw_input("Write Your Hosts :")
    host =host_replace(hosts)
    dic_create(host)

if __name__ == '__main__':
    main()

参考:https://www.jianshu.com/p/a481a341eaa4

子域名爆破脚本进阶版:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
#!/usr/bin/env python
# -*- coding: utf-8 -*-

import dns.resolver
import threading
import Queue 
import optparse
import sys                    

queue = Queue.Queue()
lock = threading.Lock()

class GetSubDomain(threading.Thread):
    """docstring for SubDomain"""
    def __init__(self, target,queue,outfile):
        threading.Thread.__init__(self)
        self.target = target
        self.queue = queue
        self.rsv = dns.resolver.Resolver()
        outfile = target + '.txt' if not outfile else outfile
        self.f = open('./output/'+outfile,'a+')
        self.ip_list = []

    def _scan(self):
        while not self.queue.empty():
            self.ip_list = []
            ips = None
            sub_domain = self.queue.get() + '.' + self.target
            for _ in range(3):
                try:
                    answers = self.rsv.query(sub_domain)
                    if answers:
                        for answer in answers:
                            if answer.address not in self.ip_list:
                                self.ip_list.append(answer.address)
                except dns.resolver.NoNameservers, e:
                    break
                except Exception, e:
                    pass
            if len(self.ip_list)>0:
                ips = ','.join(self.ip_list)
                msg = sub_domain.ljust(30) + ips + '\n'
                lock.acquire()
                print msg
                self.f.write(msg)
                lock.release()
            self.queue.task_done()

    def run(self):
        self._scan()

def get_target(domain_list):
    targets = []
    for line in open(domain_list,'r'):
        if line:
            targets.append(line.strip())
    return targets

def get_sub_queue(sub_file): #得到所有子域名的queue
    for line in open(sub_file,'r'):
        if line:
            queue.put(line.strip())

def main():
    parser = optparse.OptionParser()
    parser.add_option('-u', '--url', dest='url',
        type='string', help='Get a single top-level domain names.')
    parser.add_option('-l', '--list', dest='domain_list',
        type='string', help='Top-level domain name list.')
    parser.add_option('-f', '--file', dest='sub_file', default='sub.txt',
        type='string', help='Dict file used to brute sub names')
    parser.add_option('-t', '--threads', dest='threads_num', default=60, 
        type='int', help='Number of threads. default = 60')
    parser.add_option('-o', '--outfile', dest='outfile', default=None,
        type='string', help='Output file name. default is {target}.txt')

    (options, args) = parser.parse_args()
    if options.url:
        urls = [options.url]
    elif options.domain_list:
        urls = get_target(options.domain_list)
    else:
        parser.print_help()
        print "Example: "
        print "\tpython getsub.py -u baidu.com"
        print "\tpython getsub.py -l domain.txt -f sub.txt -t 50"
        sys.exit(0)

    for url in urls:
        get_sub_queue(options.sub_file)
        for x in xrange(1,options.threads_num+1):
            t = GetSubDomain(url,queue,options.outfile)
            t.setDaemon(True)
            t.start()
        queue.join()

if __name__ == '__main__':
    main()