Knock Subdomain Scan


Posted by ZanGetsu (Underc0der)
« on: July 26, 2013, 09:23:45 pm »

Hi, I'm leaving you this tool called Knock, which is used to find the subdomains of a domain. It is written in Python and supports Linux and Windows.

Code: Python
#!/usr/bin/env python

# -------------------------------------------------------
# Knock v1.5 - 23/08/2011
# By Gianni 'guelfoweb' Amato http://knock.googlecode.com
#
# This code is released under the GNU / GPL v3
# You are free to use, edit and redistribute it
# under the terms of the GNU / GPL license.
# -------------------------------------------------------
#
# Python 2 script (httplib, print statement). The -zt option needs the
# dnspython module; everything else uses only the standard library.

import sys
import httplib
import socket
import random
import time

# Socket timeout so a host that accepts the connection but never answers
# cannot stall the whole scan.
socket.setdefaulttimeout(10)

# Built-in wordlist, used when no wordlist file is given on the command line.
wlist_array = [
    "0","01","02","03","1","10","11","12","13","14","15","16","17","18","19","2","20","3","3com","4","5","6","7","8","9","ILMI","a","a.auth-ns","a01","a02","a1","a2","abc","about","ac","academico","acceso","access","accounting","accounts","acid","activestat","ad","adam","adkit","admin","administracion","administrador","administrator","administrators","admins","ads","adserver","adsl","ae","af","affiliate","affiliates","afiliados","ag","agenda","agent","ai","aix","ajax","ak","akamai","al","alabama","alaska","albuquerque","alerts","alpha","alterwind","am","amarillo","americas","an","anaheim","analyzer","announce","announcements","antivirus","ao","ap","apache","apollo","app","app01","app1","apple","application","applications","apps","appserver","aq","ar","archie","arcsight","argentina","arizona","arkansas","arlington","as","as400","asia","asterix","at","athena","atlanta","atlas","att","au","auction","austin","auth","auto","av","aw","ayuda","az","b","b.auth-ns","b01","b02","b1","b2","b2b","b2c","ba","back","backend","backup","baker","bakersfield","balance","balancer","baltimore","banking","bayarea","bb","bbdd","bbs","bd","bdc","be","bea","beta","bf","bg","bh","bi","billing","biz","biztalk","bj","black","blackberry","blog","blogs","blue","bm","bn","bnc","bo","bob","bof","boise","bolsa","border","boston","boulder","boy","br","bravo","brazil","britian","broadcast","broker","bronze","brown","bs","bsd","bsd0","bsd01","bsd02","bsd1","bsd2","bt","bug","buggalo","bugs","bugzilla","build","bulletins","burn","burner","buscador","buy","bv","bw","by","bz","c","c.auth-ns","ca","cache","cafe","calendar","california","call","calvin","canada","canal","canon","careers","catalog","cc","cd","cdburner","cdn","cert","certificates","certify","certserv","certsrv","cf","cg","cgi","ch","channel","channels","charlie","charlotte","chat","chats","chatserver","check","checkpoint","chi","chicago","ci","cims","cincinnati","cisco","citrix","ck","cl","class","classes","classifieds","classroom",
    "cleveland","clicktrack","client","clientes","clients","club","clubs","cluster","clusters","cm","cmail","cms","cn","co","cocoa","code","coldfusion","colombus","colorado","columbus","com","commerce","commerceserver","communigate","community","compaq","compras","con","concentrator","conf","conference","conferencing","confidential","connect","connecticut","consola","console","consult","consultant","consultants","consulting","consumer","contact","content","contracts","core","core0","core01","corp","corpmail","corporate","correo","correoweb","cortafuegos","counterstrike","courses","cr","cricket","crm","crs","cs","cso","css","ct","cu","cust1","cust10","cust100","cust101","cust102","cust103","cust104","cust105","cust106","cust107","cust108","cust109","cust11","cust110","cust111","cust112","cust113","cust114","cust115","cust116","cust117","cust118","cust119","cust12","cust120","cust121","cust122","cust123","cust124","cust125","cust126","cust13","cust14","cust15","cust16","cust17","cust18","cust19","cust2","cust20","cust21","cust22","cust23","cust24","cust25","cust26","cust27","cust28","cust29","cust3","cust30","cust31","cust32","cust33","cust34","cust35","cust36","cust37","cust38","cust39","cust4","cust40","cust41","cust42","cust43","cust44","cust45","cust46","cust47","cust48","cust49","cust5","cust50","cust51","cust52","cust53","cust54","cust55","cust56","cust57","cust58","cust59","cust6","cust60","cust61","cust62","cust63","cust64","cust65","cust66","cust67","cust68","cust69","cust7","cust70","cust71","cust72","cust73","cust74","cust75","cust76","cust77","cust78","cust79","cust8","cust80","cust81","cust82","cust83","cust84","cust85","cust86","cust87","cust88","cust89","cust9","cust90","cust91","cust92","cust93","cust94","cust95","cust96","cust97","cust98","cust99","customer","customers","cv","cvs","cx","cy","cz","d","dallas","data","database","database01","database02","database1","database2","databases","datastore","datos","david","db","db0","db01","db02","db1","db2",
    "dc","de","dealers","dec","def","default","defiant","delaware","dell","delta","delta1","demo","demonstration","demos","denver","depot","des","desarrollo","descargas","design","designer","detroit","dev","dev0","dev01","dev1","devel","develop","developer","developers","development","device","devserver","devsql","dhcp","dial","dialup","digital","dilbert","dir","direct","directory","disc","discovery","discuss","discussion","discussions","disk","disney","distributer","distributers","dj","dk","dm","dmail","dmz","dnews","dns","dns-2","dns0","dns1","dns2","dns3","do","docs","documentacion","documentos","domain","domains","dominio","domino","dominoweb","doom","download","downloads","downtown","dragon","drupal","dsl","dyn","dynamic","dynip","dz","e","e-com","e-commerce","e0","eagle","earth","east","ec","echo","ecom","ecommerce","edi","edu","education","edward","ee","eg","eh","ejemplo","elpaso","email","employees","empresa","empresas","en","enable","eng","eng01","eng1","engine","engineer","engineering","enterprise","epsilon","er","erp","es","esd","esm","espanol","estadisticas","esx","et","eta","europe","events","domain","exchange","exec","extern","external","extranet","f","f5","falcon","farm","faststats","fax","feedback","feeds","fi","field","file","files","fileserv","fileserver","filestore","filter","find","finger","firewall","fix","fixes","fj","fk","fl","flash","florida","flow","fm","fo","foobar","formacion","foro","foros","fortworth","forum","forums","foto","fotos","foundry","fox","foxtrot","fr","france","frank","fred","freebsd","freebsd0","freebsd01","freebsd02","freebsd1","freebsd2","freeware","fresno","front","frontdesk","fs","fsp","ftp","ftp-","ftp0","ftp2","ftp_","ftpserver","fw","fw-1","fw1","fwsm","fwsm0","fwsm01","fwsm1","g","ga","galeria","galerias","galleries","gallery","games","gamma","gandalf","gate","gatekeeper","gateway","gauss","gd","ge","gemini","general","george","georgia","germany","gf","gg","gh","gi","gl","glendale","gm","gmail","gn","go","gold","goldmine",
    "golf","gopher","gp","gq","gr","green","group","groups","groupwise","gs","gsx","gt","gu","guest","gw","gw1","gy","h","hal","halflife","hawaii","hello","help","helpdesk","helponline","henry","hermes","hi","hidden","hk","hm","hn","hobbes","hollywood","home","homebase","homer","honeypot","honolulu","host","host1","host3","host4","host5","hotel","hotjobs","houstin","houston","howto","hp","hpov","hr","ht","http","https","hu","hub","humanresources","i","ia","ias","ibm","ibmdb","id","ida","idaho","ids","ie","iis","il","illinois","im","images","imail","imap","imap4","img","img0","img01","img02","in","inbound","inc","include","incoming","india","indiana","indianapolis","info","informix","inside","install","int","intern","internal","international","internet","intl","intranet","invalid","investor","investors","invia","invio","io","iota","iowa","iplanet","ipmonitor","ipsec","ipsec-gw","iq","ir","irc","ircd","ircserver","ireland","iris","irvine","irving","is","isa","isaserv","isaserver","ism","israel","isync","it","italy","ix","j","japan","java","je","jedi","jm","jo","jobs","john","jp","jrun","juegos","juliet","juliette","juniper","k","kansas","kansascity","kappa","kb","ke","kentucky","kerberos","keynote","kg","kh","ki","kilo","king","km","kn","knowledgebase","knoxville","koe","korea","kp","kr","ks","kw","ky","kz","l","la","lab","laboratory","labs","lambda","lan","laptop","laserjet","lasvegas","launch","lb","lc","ldap","legal","leo","li","lib","library","lima","lincoln","link","linux","linux0","linux01","linux02","linux1","linux2","lista","lists","listserv","listserver","live","lk","load","loadbalancer","local","localhost","log","log0","log01","log02","log1","log2","logfile","logfiles","logger","logging","loghost","login","logs","london","longbeach","losangeles","lotus","louisiana","lr","ls","lt","lu","luke","lv","ly","lyris","m","ma","mac","mac1","mac10","mac11","mac2","mac3","mac4","mac5","mach","macintosh","madrid","mail","mail2","mailer","mailgate","mailhost","mailing",
    "maillist","maillists","mailroom","mailserv","mailsite","mailsrv","main","maine","maint","mall","manage","management","manager","manufacturing","map","mapas","maps","marketing","marketplace","mars","marvin","mary","maryland","massachusetts","master","max","mc","mci","md","mdaemon","me","media","member","members","memphis","mercury","merlin","messages","messenger","mg","mgmt","mh","mi","miami","michigan","mickey","midwest","mike","milwaukee","minneapolis","minnesota","mirror","mis","mississippi","missouri","mk","ml","mm","mn","mngt","mo","mobile","mom","monitor","monitoring","montana","moon","moscow","movies","mozart","mp","mp3","mpeg","mpg","mq","mr","mrtg","ms","ms-exchange","ms-sql","msexchange","mssql","mssql0","mssql01","mssql1","mt","mta","mtu","mu","multimedia","music","mv","mw","mx","my","mysql","mysql0","mysql01","mysql1","mz","n","na","name","names","nameserv","nameserver","nas","nashville","nat","nc","nd","nds","ne","nebraska","neptune","net","netapp","netdata","netgear","netmeeting","netscaler","netscreen","netstats","network","nevada","new","newhampshire","newjersey","newmexico","neworleans","news","newsfeed","newsfeeds","newsgroups","newton","newyork","newzealand","nf","ng","nh","ni","nigeria","nj","nl","nm","nms","nntp","no","node","nokia","nombres","nora","north","northcarolina","northdakota","northeast","northwest","noticias","novell","november","np","nr","ns","ns-","ns0","ns01","ns02","ns1","ns2","ns3","ns4","ns5","ns_","nt","nt4","nt40","ntmail","ntp","ntserver","nu","null","nv","ny","nz","o","oakland","ocean","odin","office","offices","oh","ohio","ok","oklahoma","oklahomacity","old","om","omaha","omega","omicron","online","ontario","open","openbsd","openview","operations","ops","ops0","ops01","ops02","ops1","ops2","opsware","or","oracle","orange","order","orders","oregon","orion","orlando","oscar","out","outbound","outgoing","outlook","outside","ov","owa","owa01","owa02","owa1","owa2","ows","oxnard","p","pa","page","pager","pages","paginas","papa",
    "paris","parners","partner","partners","patch","patches","paul","payroll","pbx","pc","pc01","pc1","pc10","pc101","pc11","pc12","pc13","pc14","pc15","pc16","pc17","pc18","pc19","pc2","pc20","pc21","pc22","pc23","pc24","pc25","pc26","pc27","pc28","pc29","pc3","pc30","pc31","pc32","pc33","pc34","pc35","pc36","pc37","pc38","pc39","pc4","pc40","pc41","pc42","pc43","pc44","pc45","pc46","pc47","pc48","pc49","pc5","pc50","pc51","pc52","pc53","pc54","pc55","pc56","pc57","pc58","pc59","pc6","pc60","pc7","pc8","pc9","pcmail","pda","pdc","pe","pegasus","pennsylvania","peoplesoft","personal","pf","pg","pgp","ph","phi","philadelphia","phoenix","phoeniz","phone","phones","photos","pi","pics","pictures","pink","pipex-gw","pittsburgh","pix","pk","pki","pl","plano","platinum","pluto","pm","pm1","pn","po","policy","polls","pop","pop3","portal","portals","portfolio","portland","post","posta","posta01","posta02","posta03","postales","postoffice","ppp1","ppp10","ppp11","ppp12","ppp13","ppp14","ppp15","ppp16","ppp17","ppp18","ppp19","ppp2","ppp20","ppp21","ppp3","ppp4","ppp5","ppp6","ppp7","ppp8","ppp9","pptp","pr","prensa","press","printer","printserv","printserver",
    "priv","privacy","private","problemtracker","products","profiles","project","projects","promo","proxy","prueba","pruebas","ps","psi","pss","pt","pub","public","pubs","purple","pw","py","q","qa","qmail","qotd","quake","quebec","queen","quotes","r","r01","r02","r1","r2","ra","radio","radius","rapidsite","raptor","ras","rc","rcs","rd","re","read","realserver","recruiting","red","redhat","ref","reference","reg","register","registro","registry","regs","relay","rem","remote","remstats","reports","research","reseller","reserved","resumenes","rho","rhodeisland","ri","ris","rmi","ro","robert","romeo","root","rose","route","router","router1","rs","rss","rtelnet","rtr","rtr01","rtr1","ru","rune","rw","rwhois","s","s1","s2","sa","sac","sacramento","sadmin","safe","sales","saltlake","sam","san","sanantonio","sandiego","sanfrancisco","sanjose","saskatchewan","saturn","sb","sbs","sc","scanner","schedules","scotland","scotty","sd","se","search","seattle","sec","secret","secure","secured","securid","security","sendmail","seri","serv","serv2","server","server1","servers","service","services","servicio","servidor","setup","sg","sh","shared","sharepoint","shareware","shipping","shop","shoppers","shopping","si","siebel","sierra","sigma","signin","signup","silver","sim","sirius","site","sj","sk","skywalker","sl","slackware","slmail","sm","smc","sms","smtp","smtphost","sn","sniffer","snmp","snmpd","snoopy","snort","so","socal","software","sol","solaris","solutions","soporte","source","sourcecode","sourcesafe","south","southcarolina","southdakota","southeast","southwest","spain","spam","spider","spiderman","splunk","spock","spokane","springfield","sprint",
    "sqa","sql","sql0","sql01","sql1","sql7","sqlserver","squid","sr","ss","ssh","ssl","ssl0","ssl01","ssl1","st","staff","stage","staging","start","stat","static","statistics","stats","stlouis","stock","storage","store","storefront","streaming","stronghold","strongmail","studio","submit","subversion","sun","sun0","sun01","sun02","sun1","sun2","superman","supplier","suppliers","support","sv","sw","sw0","sw01","sw1","sweden","switch","switzerland","sy","sybase","sydney","sysadmin","sysback","syslog","syslogs","system","sz","t","tacoma","taiwan","talk","tampa","tango","tau","tc","tcl","td","team","tech","technology","techsupport","telephone","telephony","telnet","temp","tennessee","terminal","terminalserver","termserv","test","test2k","testbed","testing","testlab","testlinux","testo","testserver","testsite","testsql","testxp","texas","tf","tftp","tg","th","thailand","theta","thor","tienda","tiger","time","titan","tivoli","tj","tk","tm","tn","to","tokyo","toledo","tom","tool","tools","toplayer","toronto","tour","tp","tr","tracker","train","training","transfers","trinidad","trinity","ts","ts1","tt","tucson","tulsa","tumb","tumblr","tunnel","tv","tw","tx","tz","u","ua","uddi","ug","uk","um","uniform","union","unitedkingdom","unitedstates","unix","unixware","update","updates","upload","ups","upsilon","uranus","urchin","us","usa","usenet","user","users","ut","utah","utilities","uy","uz","v","va","vader","vantive","vault","vc","ve","vega","vegas","vend","vendors","venus","vermont","vg","vi","victor","video","videos","viking","violet","vip","virginia","vista","vm","vmserver","vmware","vn","vnc","voice","voicemail","voip","voyager","vpn","vpn0","vpn01","vpn02","vpn1","vpn2","vt","vu","w","w1","w2","w3","wa","wais","wallet","wam","wan","wap","warehouse","washington","wc3","web","webaccess","webadmin","webalizer","webboard","webcache","webcam","webcast","webdev","webdocs","webfarm","webhelp","weblib","weblogic","webmail","webmaster","webproxy","webring","webs","webserv",
    "webserver","webservices","website","websites","websphere","websrv","websrvr","webstats","webstore","websvr","webtrends","welcome","west","westvirginia","wf","whiskey","white","whois","wi","wichita","wiki","wililiam","win","win01","win02","win1","win2","win2000","win2003","win2k","win2k3","windows","windows01","windows02","windows1","windows2","windows2000","windows2003","windowsxp","wingate","winnt","winproxy","wins","winserve","winxp","wire","wireless","wisconsin","wlan","wordpress","work","world","write","ws","ws1","ws10","ws11","ws12","ws13","ws2","ws3","ws4","ws5","ws6","ws7","ws8","ws9","wusage","wv","ww","www","www-","www-01","www-02","www-1","www-2","www-int","www0","www01","www02","www1","www2","www3","www_","wwwchat","wwwdev","wwwmail","wy","wyoming","x","x-ray","xi","xlogan","xmail","xml","xp","y","yankee","ye","yellow","young","yt","yu","z","z-log","za","zebra","zera","zeus","zlog","zm","zulu","zw"]

# State shared between get_url() and its callers: HTTP status code and body of
# the last request. Both are reset on every request so that a failed connection
# is never mistaken for the previous host's response.
errcode = ''
data = ''
endTime = 0  # seconds per request, measured by testwildcard() and used for time estimates
t = 0        # scan start time, set in main


def zonetransfer(URL):  # Zone Transfer
    try:
        import dns.query, dns.zone, dns.resolver
    except ImportError:
        print "\nSorry, dnspython module missing."
        print "\tDownload dnspython module from [ http://www.dnspython.org/ ]\n"
        sys.exit(0)
    print "[+] Getting NS records for", URL + "\n"
    answers = dns.resolver.query(URL, 'NS')
    ns = []
    for rdata in answers:
        n = str(rdata)
        print "\tFound name server:", n
        ns.append(n)
    print
    for n in ns:
        print "[+] Trying a zone transfer for %s from name server %s" % (URL, n)
        try:
            # Ask this name server (not always ns[0]) for an AXFR of the zone
            zone = dns.zone.from_xfr(dns.query.xfr(n, URL))
            for name, node in zone.nodes.items():
                for record in node.rdatasets:
                    print "\n%s\t%s" % (name, record)
            print
        except Exception:
            # Transfer refused or failed: try the next name server
            pass


def rnd():  # Random String: 5 to 15 distinct lowercase letters
    alphabet = 'abcdefghijklmnopqrstuvwxyz'
    return ''.join(random.sample(alphabet, random.randint(5, 15)))


def get_url(host):  # HTTP request used by the wildcard test and the bypass
    global errcode, data
    errcode = ''
    data = ''
    try:
        h = httplib.HTTP(host)
        h.putrequest('GET', '/')
        h.putheader('Accept', 'text/xml')
        h.putheader('User-Agent', 'knock.py')
        h.endheaders()
        errcode, errmsg, headers = h.getreply()
        f = h.getfile()
        data = f.read()  # Get HTML Data
        f.close()
        h.close()
    except Exception:
        # Connection refused, timeout or name lookup failure: errcode stays ''
        pass


def load_wordlist(WORDLIST):  # external wordlist, one label per line
    try:
        with open(WORDLIST, 'r') as wordlist:
            return [line.strip() for line in wordlist if line.strip()]
    except IOError:
        print "[!] Error wordlist\n\n\tNo wordlist. File not found."
        sys.exit(0)


def bypasswildcard(URL, EXCLUDE, words):  # bypass wildcard: keep hosts whose page lacks EXCLUDE
    count = 0
    print "[+] Bypass wildcard"
    startTime = time.time()
    for line in words:
        get_url(line + '.' + URL)
        # errcode == '' means no HTTP answer at all; the wildcard catch-all page
        # is recognised by the EXCLUDE string (e.g. "404") in its body
        if errcode != '' and EXCLUDE not in data:
            count = count + 1
            subdomain = line + "." + URL
            print "".join([s.center(25) for s in (subdomain, '')])
    seconds = time.time() - startTime
    print "\nFound %s subdomain(s) in %s second(s)" % (str(count), str(round(seconds, 2)))


def resolve_host(host):  # A records plus the reverse name of each, '-' when there is no PTR
    ips = socket.gethostbyname_ex(host)[2]
    result = []
    for ip in ips:
        try:
            name = socket.gethostbyaddr(ip)[0]
        except socket.error:
            name = '-'
        result.append((ip, name))
    return result


def scan(URL, words):  # brute force: try every label in words under URL
    hostlist = []  # distinct IP addresses seen
    count = 0      # distinct hosts (IP addresses)
    totcount = 0   # subdomains that resolved
    timestimed = len(words) * endTime
    print "    Estimated time about " + str(round(timestimed, 2)) + " seconds\n"
    print "".join([s.center(25) for s in ("Subdomain", "Ip address", "Name server\n")])
    for line in words:
        subdomain = line + "." + URL
        try:
            records = resolve_host(subdomain)
        except socket.error:
            continue  # does not resolve
        totcount = totcount + 1
        for ip, name in records:
            if ip not in hostlist:
                hostlist.append(ip)
                count = count + 1
            print "".join([s.center(25) for s in (subdomain, ip, name)])
    seconds = time.time() - t
    print "\nFound %s subdomain(s) in %s host(s) in %s second(s)" % (str(totcount), str(count), str(round(seconds, 2)))


def subdomainAuto(URL):  # wordlist by array
    print "\n[+] Scanning for subdomain on " + str(URL)
    print "[!] Wordlist not specified. I'm scanning with my internal wordlist..."
    scan(URL, wlist_array)


def subdomain(URL, WORDLIST):  # wordlist by file
    words = load_wordlist(WORDLIST)
    print "[+] Scanning for subdomain on " + str(URL)
    scan(URL, words)


def help():
    print "USAGE:"
    print "\tScanning with internal wordlist:"
    print "\t\tknock [url]\n\t\te.g.\tknock domain.com"
    print "\tScanning with external wordlist:"
    print "\t\tknock [url] [wordlist]\n\t\te.g.\tknock domain.com wordlist.txt"
    print "OPTIONS:\n"
    print "\t-zt\tZone Transfer discovery:"
    print "\t\tknock -zt [url]\n\t\te.g.\tknock -zt domain.com"
    print "\t-wc\tWildcard testing:"
    print "\t\tknock -wc [url]\n\t\te.g.\tknock -wc domain.com"
    print "\t-dns\tDns resolving:"
    print "\t\tknock -dns [url]\n\t\te.g.\tknock -dns domain.com"
    print "\t-bw\tBypass wildcard:"
    print "\t\tknock -bw [stringexclude] [url]\n\t\te.g.\tknock -bw 404 domain.com"
    sys.exit()


def testdomain():  # sanity check: www.URL must resolve, otherwise show the usage
    try:
        stest = socket.gethostbyname("www." + URL)
    except socket.error:
        help()
    print "[+] Testing domain"
    domaintest = "\twww." + URL
    print "".join([s.center(25) for s in (domaintest, stest)])


def testwildcard():  # request a random label: any HTTP answer means a wildcard
    global endTime
    print "[+] Testing wildcard"
    startTime = time.time()
    rndString = rnd()
    get_url(rndString + '.' + URL)  # test wildcard
    endTime = (time.time() - startTime) / 4  # rough per-lookup estimate for the scan
    if errcode != '':
        print data  # show the catch-all page so a string for -bw can be picked
        print '\tWildcard enabled! Try with -bw option'
        print '\tExample: knock -bw 404 ' + URL
        sys.exit(0)
    else:
        print "\tOk, no wildcard found."


def dnsresolve(foo):  # Dns resolving
    print "[+] Dns resolving"
    try:
        records = resolve_host(foo)
    except socket.error:
        print "\tNo address associated with hostname " + foo
        return
    print "".join([s.center(25) for s in ("Domain name", "Ip address", "Name server")])
    for ip, name in records:
        print "".join([s.center(25) for s in (foo, ip, name)])
    print "Found " + str(len(records)) + " host(s) for " + foo


################### MAIN ######################

print "Knock v1.5 by Gianni 'guelfoweb' Amato ( http://knock.googlecode.com )\n"

argc = len(sys.argv)
if argc < 2 or argc > 5:
    help()

t = time.time()

if argc == 2:
    # knock domain.com : full scan with the internal wordlist
    URL = sys.argv[1]
    testdomain()
    dnsresolve(URL)
    testwildcard()
    subdomainAuto(URL)
elif argc == 3 and sys.argv[1] == '-td':  # Testing domain (out of help)
    URL = sys.argv[2]
    testdomain()
elif argc == 3 and sys.argv[1] == '-zt':  # Zone Transfer
    URL = sys.argv[2]
    testdomain()
    dnsresolve(URL)
    zonetransfer(URL)
elif argc == 3 and sys.argv[1] == '-wc':  # Wildcard
    URL = sys.argv[2]
    testdomain()
    testwildcard()
elif argc == 3 and sys.argv[1] == '-dns':  # Dns resolve
    URL = sys.argv[2]
    testdomain()
    dnsresolve(URL)
elif argc == 4 and sys.argv[1] == '-bw':
    # knock -bw 404 domain.com : bypass wildcard with the internal wordlist
    EXCLUDE = sys.argv[2]
    URL = sys.argv[3]
    testdomain()
    dnsresolve(URL)
    bypasswildcard(URL, EXCLUDE, wlist_array)
elif argc == 5 and sys.argv[1] == '-bw':
    # knock -bw 404 domain.com wordlist.txt : bypass wildcard with an external wordlist
    EXCLUDE = sys.argv[2]
    URL = sys.argv[3]
    WORDLIST = sys.argv[4]
    testdomain()
    dnsresolve(URL)
    bypasswildcard(URL, EXCLUDE, load_wordlist(WORDLIST))
elif argc == 3:
    # knock domain.com wordlist.txt : full scan with an external wordlist
    URL = sys.argv[1]
    WORDLIST = sys.argv[2]
    testdomain()
    dnsresolve(URL)
    testwildcard()
    subdomain(URL, WORDLIST)
else:
    help()
sys.exit(0)


Current features:

Subdomain scanning
DNS request for zone transfer
DNS resolution
Wildcard testing
Wildcard bypass


Python must be installed.

Download page: https://code.google.com/p/knock/downloads/list

Regards!
« Last edited: May 03, 2014, 11:41:24 am by Flemon »
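Knock's wildcard handling (-wc / -bw) works at the HTTP layer: it requests a random label, and if a page comes back it asks you for a string such as "404" that the catch-all page contains, then drops every brute-forced host whose body contains it. The same idea can be applied one layer down, at DNS, which is what the following added example does. It is not Knock's code and not the poster's; it is written for Python 3, resolves a few random labels to learn the wildcard's address set, and then discards brute-force hits whose addresses are all wildcard addresses. The zone in FAKE_ZONE, the addresses in it and the short wordlist are constructed for the example so it runs offline; real_resolve() is the drop-in for live use.

```python
import random
import socket
import string

# Constructed, offline stand-in for DNS (not real data). Each name maps to the
# set of IPv4 addresses it resolves to; "*.example.com" is a wildcard record
# that answers for every label under example.com without an explicit entry.
FAKE_ZONE = {
    "www.example.com": {"198.51.100.10"},
    "mail.example.com": {"198.51.100.20"},
    "vpn.example.com": {"203.0.113.5"},        # real host parked on the wildcard address
    "*.example.com": {"203.0.113.5"},
    "www.nowildcard.test": {"198.51.100.30"},  # a zone without a wildcard
}


def fake_resolve(name):
    """Resolve against FAKE_ZONE; raise OSError like socket.gethostbyname_ex does."""
    if name in FAKE_ZONE:
        return set(FAKE_ZONE[name])
    if "." in name:
        parent = name.split(".", 1)[1]
        if "*." + parent in FAKE_ZONE:
            return set(FAKE_ZONE["*." + parent])
    raise OSError("no such host: " + name)


def real_resolve(name):
    """Live resolver for actual use; socket.gaierror (an OSError) signals NXDOMAIN."""
    return set(socket.gethostbyname_ex(name)[2])


def random_label(length=12):
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def detect_wildcard(domain, resolve, probes=3):
    """Return the set of addresses that random labels resolve to (empty = no wildcard).

    Several probes are used because some wildcards round-robin between addresses;
    the union of all answers is the set a real hit must differ from."""
    ips = set()
    for _ in range(probes):
        try:
            ips |= resolve(random_label() + "." + domain)
        except OSError:
            pass
    return ips


def brute_force(domain, wordlist, resolve, wildcard_ips):
    """Resolve label.domain for every label; keep only answers that differ from the wildcard."""
    found = {}
    for label in wordlist:
        label = label.strip().lower()
        if not label:
            continue
        host = label + "." + domain
        try:
            ips = resolve(host)
        except OSError:
            continue
        if wildcard_ips and ips <= wildcard_ips:
            # Indistinguishable from the catch-all answer. This also hides real
            # hosts parked on the wildcard address (vpn.example.com in the sample),
            # which is why Knock's HTTP-body comparison is a useful second pass.
            continue
        found[host] = ips
    return found


def knock(domain, wordlist, resolve=real_resolve):
    """Wildcard detection followed by a filtered brute force; returns (wildcard_ips, hits)."""
    wildcard_ips = detect_wildcard(domain, resolve)
    return wildcard_ips, brute_force(domain, wordlist, resolve, wildcard_ips)


SAMPLE_WORDLIST = ["www", "mail", "vpn", "ftp", "dev"]  # constructed for the example

if __name__ == "__main__":
    wc, hits = knock("example.com", SAMPLE_WORDLIST, fake_resolve)
    print("wildcard addresses:", ", ".join(sorted(wc)) or "none")
    for host, ips in sorted(hits.items()):
        print(host, ", ".join(sorted(ips)))
```

Against the sample zone, every one of the five labels "resolves" under example.com, but only www and mail survive the filter; the wildcard test on nowildcard.test comes back empty and the scan there falls through to plain resolution. Point `knock()` at `real_resolve` (the default) to run it against a live domain.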