python编写子域名爆破小工具

字典生成工具编写

这里主要使用 Python 的 exrex 模块:

此处有详细介绍,

https://github.com/asciimoo/exrex

这个模块的主要功能:

  • 生成所有匹配的字符串
  • 生成随机匹配的字符串
  • 计算匹配字符串的数量
  • 简化正则表达式

安装方法:

pip install exrex

我们主要使用该模块的generate()方法。

  • generate(s,limit=20)
  • 函数的作用:创建一个生成器,生成给定正则表达式的所有匹配字符串
  • 参数s:正则表达式
  • limit:对无限重复(如 `*`、`+`)的次数上限,要求 limit 为整数
简单的例子:
import exrex

web_dic = 'demo'
dic_pass = 'admin'
# Regex template: literal prefix, exactly one separator from the class, literal suffix.
rule = '{web_dic}[!@#]{dic_pass}'
pattern = rule.format(web_dic=web_dic, dic_pass=dic_pass)
# exrex.generate() yields every string the regex matches; list() materialises them.
generated = list(exrex.generate(pattern))
for candidate in generated:
    print(candidate)

编写子域名爆破脚本

自己编写的、用于理解原理的脚本

import exrex  #导入生成字典模块


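def host_replace(hosts):
    """Reduce a URL or host string to its bare hostname.

    Drops a leading ``scheme://`` and everything from the first ``/`` on.
    (The original replaced every ``/`` with the empty string, which glued
    the path onto the hostname: ``example.com/a`` became ``example.coma``.)

    Args:
        hosts: a hostname, optionally with a scheme and/or a path.

    Returns:
        The hostname with surrounding whitespace removed.
    """
    hosts = hosts.strip()
    if '://' in hosts:
        hosts = hosts.split('://', 1)[1]
    # Keep only what precedes the first slash: the host, not host+path.
    hosts = hosts.split('/', 1)[0]
    return hosts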

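def dic_create(hosts):
    """Expand each non-TLD label of *hosts* through the regex rules in rule.ini.

    Every label of the hostname that is not in ``web_white`` is used as the
    prefix of each line of ``rule.ini``; exrex expands the resulting regex and
    each match longer than three characters is appended to ``mypass.txt`` and
    printed. Both files are opened once under ``with`` — the original re-opened
    ``rule.ini`` per label and ``mypass.txt`` per word, and leaked the handles
    on any error.

    Args:
        hosts: a bare hostname such as ``demo.example.com``.

    Returns:
        None; output goes to stdout and ``mypass.txt``.
    """
    # Plain TLD labels carry no site-specific information, so skip them.
    web_white = ['com', 'cn', 'gov', 'edu', 'org']
    labels = [label for label in hosts.split('.') if label not in web_white]
    with open('rule.ini', 'r') as f_rule:
        rules = [line.strip('\r\n') for line in f_rule]
    with open('mypass.txt', 'a+') as dic_out:
        for web_dic in labels:
            for rule in rules:
                for dic in exrex.generate(web_dic + rule):
                    if len(dic) > 3:
                        dic_out.write(dic + '\r\n')
                        print(dic)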
def main():
    """Prompt for a host, normalise it, then build the wordlist for it."""
    raw = raw_input("Write Your Hosts :")
    dic_create(host_replace(raw))

# Script entry point; nothing runs on import.
if __name__ == '__main__':
    main()

参考:https://www.jianshu.com/p/a481a341eaa4

子域名爆破脚本进阶版:

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import dns.resolver
import threading
import Queue
import optparse
import sys

# Work queue of candidate labels, shared by every GetSubDomain worker thread.
queue = Queue.Queue()
# Serialises console output and result-file writes across the workers.
lock = threading.Lock()

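class GetSubDomain(threading.Thread):
    """Worker thread that resolves ``<label>.<target>`` for labels taken from *queue*.

    Each name that resolves is printed and appended to ``./output/<outfile>``
    (``<target>.txt`` when no name is given). Writes are serialised with the
    module-level ``lock``; the output file is closed when the thread finishes
    (the original never closed it).
    """

    def __init__(self, target, queue, outfile):
        threading.Thread.__init__(self)
        self.target = target
        self.queue = queue
        self.rsv = dns.resolver.Resolver()
        outfile = target + '.txt' if not outfile else outfile
        # NOTE(review): ./output/ must already exist; open() does not create directories.
        self.f = open('./output/' + outfile, 'a+')
        self.ip_list = []

    def _resolve(self, sub_domain):
        """Return the de-duplicated addresses for *sub_domain*, or [] if unresolved.

        At most three attempts are made. The loop stops at the first answer
        (the original kept querying after a success) and gives up immediately
        when no nameserver answers.
        """
        addresses = []
        for _ in range(3):
            try:
                answers = self.rsv.query(sub_domain)
            except dns.resolver.NoNameservers:
                break
            except Exception:
                # Timeout, NXDOMAIN and the like: retry, then treat as unresolved.
                continue
            for answer in answers:
                if answer.address not in addresses:
                    addresses.append(answer.address)
            if addresses:
                break
        return addresses

    def _scan(self):
        """Drain the queue, recording every label that resolves."""
        while True:
            try:
                # get_nowait() avoids the empty()/get() race of the original,
                # which could block a worker forever once another thread
                # took the last item between the two calls.
                label = self.queue.get_nowait()
            except Queue.Empty:
                break
            sub_domain = label + '.' + self.target
            self.ip_list = self._resolve(sub_domain)
            if self.ip_list:
                msg = sub_domain.ljust(30) + ','.join(self.ip_list) + '\n'
                with lock:
                    print(msg)
                    self.f.write(msg)
            self.queue.task_done()

    def run(self):
        """Thread entry point: scan, then release the output file."""
        try:
            self._scan()
        finally:
            self.f.close()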

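def get_target(domain_list):
    """Read target domains from *domain_list*, one per line.

    Blank lines are skipped — the original's ``if line:`` test is always true
    for a line read from a file (it still holds its newline), so empty lines
    became ``''`` targets — and the file is closed by a context manager.

    Args:
        domain_list: path of a text file with one domain per line.

    Returns:
        list[str]: the stripped, non-empty lines in file order.
    """
    with open(domain_list, 'r') as handle:
        return [line.strip() for line in handle if line.strip()]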

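def get_sub_queue(sub_file):
    """Push every non-empty line of *sub_file* onto the module-level ``queue``.

    The file is closed by a context manager (the original left it open), and
    blank lines are skipped — ``if line:`` never skipped them, since a line
    read from a file still carries its newline.

    Args:
        sub_file: path of the label wordlist, one label per line.

    Returns:
        None; labels are enqueued as a side effect.
    """
    with open(sub_file, 'r') as handle:
        for line in handle:
            label = line.strip()
            if label:
                queue.put(label)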

def main():
    """Parse the command line and run the worker threads for every target domain."""
    parser = optparse.OptionParser()
    parser.add_option('-u', '--url', dest='url',
                      type='string', help='Get a single top-level domain names.')
    parser.add_option('-l', '--list', dest='domain_list',
                      type='string', help='Top-level domain name list.')
    parser.add_option('-f', '--file', dest='sub_file', default='sub.txt',
                      type='string', help='Dict file used to brute sub names')
    parser.add_option('-t', '--threads', dest='threads_num', default=60,
                      type='int', help='Number of threads. default = 60')
    parser.add_option('-o', '--outfile', dest='outfile', default=None,
                      type='string', help='Output file name. default is {target}.txt')

    options, _ = parser.parse_args()
    # A single -u target takes precedence over -l; with neither, show usage and exit.
    if options.url:
        targets = [options.url]
    elif options.domain_list:
        targets = get_target(options.domain_list)
    else:
        parser.print_help()
        print("Example: ")
        print("\tpython getsub.py -u baidu.com")
        print("\tpython getsub.py -l domain.txt -f sub.txt -t 50")
        sys.exit(0)

    for target in targets:
        # The shared queue is refilled per target; join() returns once every
        # label has been task_done()'d by the daemon workers.
        get_sub_queue(options.sub_file)
        workers = [GetSubDomain(target, queue, options.outfile)
                   for _ in xrange(options.threads_num)]
        for worker in workers:
            worker.setDaemon(True)
            worker.start()
        queue.join()

# Script entry point; nothing runs on import.
if __name__ == '__main__':
    main()