From 2ffc84928b9c0a7c34d2ff02fac318c3c026060e Mon Sep 17 00:00:00 2001
From: ugomeguerditchian
Date: Sun, 26 Mar 2023 01:32:34 +0100
Subject: [PATCH] added dns check when dead subdomains, debug jinja template when no vulns and added filtered ports detection

---
 libs/domain_parser.py       |   8 +++
 libs/ip_scan.py             |  27 +++++++++-
 libs/result_parser.py       |   6 ++-
 main.py                     |  10 +++-
 manifest                    |   2 +-
 website/jinja_template.html | 100 ++++++++++++++++++++++--------------
 6 files changed, 110 insertions(+), 43 deletions(-)

diff --git a/libs/domain_parser.py b/libs/domain_parser.py
index 11a39be..87a621f 100644
--- a/libs/domain_parser.py
+++ b/libs/domain_parser.py
@@ -1,4 +1,5 @@
 import requests
+import dns
 from pythonping import ping
 from concurrent.futures import ThreadPoolExecutor
 from urllib3.exceptions import InsecureRequestWarning
@@ -139,6 +140,13 @@ def check_up(url: str) -> bool:
     else:
         return False
 
+def check_dns(domain: str) -> bool:
+    try:
+        dns.resolver.resolve(domain, 'A')
+        return True
+    except:
+        return False
+
 if __name__ == "__main__":
     print(check_up("benoit.fage.fr"))
     print(detect_redirect("benoit.fage.fr"))
diff --git a/libs/ip_scan.py b/libs/ip_scan.py
index 7066e1c..db1e8da 100644
--- a/libs/ip_scan.py
+++ b/libs/ip_scan.py
@@ -14,6 +14,9 @@ from datetime import datetime
 import copy
 from scapy.all import ARP, Ether, srp
 
+import time
+import random
+
 def get_ip(domain):
     #get the ip address from the domain
@@ -46,6 +49,20 @@ def get_ip_from_network(network: str) :
     return clients
 
+def check_filtered(host):
+    target_ports = range(30000, 65535)
+    start = time.time()
+    for i in random.sample(target_ports, 10):
+        try:
+            s = socket(AF_INET, SOCK_STREAM)
+            s.settimeout(1)
+            s.connect((host, i))
+            s.close()
+        except:
+            pass
+    end = time.time()
+    if end - start < 5:
+        return True
 
 # returns True if a connection can be made, False otherwise
 def test_port_number(host, port):
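Review bot: `import dns` on its own does not bring in the `dns.resolver` submodule (in the dnspython releases I know, the package `__init__` does not import it), so unless some other module in the process has already imported `dns.resolver`, the `dns.resolver.resolve(domain, 'A')` call in `check_dns` raises `AttributeError`, which the bare `except:` turns into `False` for every name and the new `dns_exist` list stays empty. The import hunk at the top of the same file should read `import dns.resolver`, and the handler should be narrowed so that only a negative answer counts as non-existent: `except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer): return False`. As written, a resolver timeout or `NoNameservers` is also reported as "does not resolve"; if that is intended it deserves a comment such as `# transient resolver failures are reported as not resolving`, otherwise let those propagate or log them separately.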
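Review bot: `check_filtered` falls off the end without a return when the probes take 5 s or longer, so `port_scan_with_thread_limit` receives `None` rather than `False`, and the socket created on the `s = socket(AF_INET, SOCK_STREAM)` line is never closed when `connect()` raises, because `s.close()` is only reached after a successful connect. The timing test also reads inverted relative to the usual meaning of "filtered": a host that silently drops the probes makes each of the ten connects wait the full 1 s timeout (about 10 s in total, so `end - start < 5` is false), whereas a host that refuses connections at once — normally the unfiltered case — finishes quickly and is reported as filtered and then skipped; if that heuristic is intended it needs a comment, otherwise the comparison should be `>=`. A `with` block closes the socket on every path, `except OSError` keeps `KeyboardInterrupt` from being swallowed, and an explicit boolean return removes the `None` case.
```python
def check_filtered(host):
    # Time ten connect() probes to random high ports; the elapsed time is the
    # only signal used, and the threshold direction should be confirmed (see note).
    target_ports = range(30000, 65535)
    start = time.time()
    for i in random.sample(target_ports, 10):
        try:
            with socket(AF_INET, SOCK_STREAM) as s:
                s.settimeout(1)
                s.connect((host, i))
        except OSError:
            pass
    return time.time() - start < 5
```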
@@ -56,13 +73,17 @@ def test_port_number(host, port):
     # connecting may fail
     try:
         # attempt to connect
+        start = time.time()
         sock.connect((host, port))
         # a successful connection was made
+        end = time.time()
+        #close the socket
+        sock.close()
         return True
     except:
         # ignore the failure
         return False
-
+
 def port_scan(host, ports):
     open_ports = []
     logger.info(f'Scanning {host}...')
@@ -80,6 +101,10 @@ def port_scan(host, ports):
 def port_scan_with_thread_limit(host: str, ports:range, thread_number: int):
     #scan the host with the ports with a thread limit
     #return the open ports
+    logger.info(f'Checking if {host} filtered...')
+    if check_filtered(host):
+        logger.warning(f'{host} is filtered')
+        return []
     open_ports = []
     logger.info(f'Scanning {host}...')
     # create the thread pool
diff --git a/libs/result_parser.py b/libs/result_parser.py
index b92c03a..9989187 100644
--- a/libs/result_parser.py
+++ b/libs/result_parser.py
@@ -19,7 +19,7 @@ def delete_star(list : list) -> list:
         if i != "*":
             new_list.append(i)
     return new_list
-def result_filter(list : list, domain : str, subdomain_with_redirect:list, dead_subdomains:list) -> dict :
+def result_filter(list : list, domain : str, subdomain_with_redirect:list, dead_subdomains:list, dns_exist:list) -> dict :
     #from the list of sudbomains return all subomains containing the domain
     """
     dict = {
@@ -32,7 +32,8 @@ def result_filter(list : list, domain : str, subdomain_with_redirect:list, dead_
         "subdomain_withdomain": [],
         "subdomain_withoutdomain": [],
         "subdomain_with_redirect": [],
-        "dead_subdomains": []
+        "dead_subdomains": [],
+        "dns_exist": []
     }
     for subdomain in list:
         if domain in subdomain:
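Review bot: The `start = time.time()` and `end = time.time()` lines added around `sock.connect()` are never read, and the new `sock.close()` runs only on the success path, so a refused or timed-out connect still leaves the socket open until garbage collection. Wrapping the attempt as `with sock:` (or adding `finally: sock.close()`) closes it on both paths, and the two timing lines can be dropped. `test_port_number`'s signature and the creation of `sock` lie outside this hunk; the trailing `-`/`+` pair before `port_scan` appears to be a whitespace-only change.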
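Review bot: Returning `[]` when `check_filtered(host)` is truthy makes a host judged filtered indistinguishable in the results from a host that was scanned and simply has no open ports, so the final report in main.py cannot tell the two apart, and the warning is the only trace. Either return a value the caller can record (for instance `None`, mapped to a `"filtered"` marker in the result dict) or at least extend the function comment: `#return the open ports; [] is also returned without scanning when the host was judged filtered`. The pre-check also runs serially before the pool is created, so with the ten 1 s probes it can add up to about 10 s per host before any scanning starts; the function's body continues outside the hunk.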
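Review bot: The new `dns_exist` parameter of `result_filter` is positional and required, so any caller other than the one updated in main.py now raises `TypeError`; a default such as `dns_exist=None` followed by `dict["dns_exist"] = dns_exist or []` keeps older call sites working (I cannot see whether other callers exist). The docstring that starts with `dict = {` in this hunk lists the returned keys and should gain a `"dns_exist": [...]` entry with a line saying what it holds — from the loop in main.py it is the subset of `dead_subdomains` that still resolve, which the key name does not convey. The function's body continues past this hunk.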
@@ -41,6 +42,7 @@ def result_filter(list : list, domain : str, subdomain_with_redirect:list, dead_
             dict["subdomain_withoutdomain"].append(subdomain)
     dict["subdomain_with_redirect"] = subdomain_with_redirect
     dict["dead_subdomains"] = dead_subdomains
+    dict["dns_exist"] = dns_exist
     return dict
 
 def dynamic_save(all_results: dict, domain : str, mode : str):
diff --git a/main.py b/main.py
index c8d4723..14beead 100644
--- a/main.py
+++ b/main.py
@@ -224,7 +224,11 @@ def menu():
             subdomains_with_redirect=[]
             temp_all_results = []
             dead_subdomains = []
+            dns_exist = []
             temp_all_results, subdomains_with_redirect, dead_subdomains = dp.detect_redirect_with_thread_limit(all_results, args.subdomainsThreads)
+            for dead in dead_subdomains:
+                if dp.check_dns(dead):
+                    dns_exist.append(dead)
             all_results = temp_all_results
             cl.logger.info("Checking subdomains done")
 
@@ -233,9 +237,10 @@ def menu():
         else :
             subdomains_with_redirect = []
             dead_subdomains = []
+            dns_exist = []
         logger.info("All done")
-        final_dict= rp.result_filter(all_results, domain, subdomains_with_redirect, dead_subdomains)
+        final_dict= rp.result_filter(all_results, domain, subdomains_with_redirect, dead_subdomains, dns_exist)
         logger.info(f"Subdomains containing {domain}:")
         for subdomain in final_dict["subdomain_withdomain"]:
             print(subdomain)
@@ -258,9 +263,11 @@ def menu():
         final_dict_result= ip_dict
         #pop dead_subdomains
         final_dict_result["dead_subdomains"] = final_dict["dead_subdomains"]
+        final_dict_result["dns_exist"] = final_dict["dns_exist"]
         pprint(final_dict_result)
         logger.info("Done")
         deads= final_dict_result.pop("dead_subdomains")
+        dns_exist = final_dict_result.pop("dns_exist")
         logger.info("IP scanning...")
         if args.IPScanType == "W":
             for ip in final_dict_result :
@@ -296,6 +303,7 @@ def menu():
         logger.info("Detecting web ports done")
         logger.info("IP scanning results:")
         final_dict_result["dead_subdomains"]= deads
+        final_dict_result["dns_exist"] = dns_exist
         pprint(final_dict_result)
         logger.info("Done")
 
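Review bot: The `for dead in dead_subdomains: if dp.check_dns(dead)` loop issues one blocking resolver query per dead subdomain on the calling thread, right after a step the code already parallelises through `detect_redirect_with_thread_limit(all_results, args.subdomainsThreads)`, so with many dead names and a slow resolver this stage can stall for a long time. Reusing the same thread budget keeps it consistent with the surrounding code: `with ThreadPoolExecutor(args.subdomainsThreads) as ex:` then `dns_exist = [d for d, ok in zip(dead_subdomains, ex.map(dp.check_dns, dead_subdomains)) if ok]`; `ThreadPoolExecutor` would need importing in main.py if it is not already in scope there. `menu()` starts and ends outside the hunk.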
diff --git a/manifest b/manifest
index 7ea4e06..e8fbede 100644
--- a/manifest
+++ b/manifest
@@ -1 +1 @@
-V2.1
\ No newline at end of file
+V2.2
\ No newline at end of file
diff --git a/website/jinja_template.html b/website/jinja_template.html
index 7ecdbc2..f089346 100644
--- a/website/jinja_template.html
+++ b/website/jinja_template.html
@@ -136,7 +136,7 @@

tabindex="0">
{% for ip in data %} - {% if ip != "dead_subdomains" %} + {% if ip != "dead_subdomains" and ip !="dns_exist"%} {% for subs_type, value in data[ip]["subdomains"].items() %} {% if subs_type != "web_techno" and subs_type != "vulns" and data[ip]["subdomains"][subs_type]|length > @@ -206,7 +206,7 @@

{% endif %} {% endfor %} - {% else %} + {% elif ip=="dead_subdomains" %}
@@ -228,6 +228,28 @@

+ {% elif ip=="dns_exist" %} +
+
+

+ {{ buttonAccordion("Dead subdomains", [data[ip]|length], "collapseOneDns")}} +

+
+
+
    + {% for sub in data[ip] %} +
  • {{sub}}
  • + {% endfor %} +
+
+
+
+
{% endif %} {% endfor %} @@ -240,7 +262,7 @@
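Review bot: The new `dns_exist` accordion reuses the heading `"Dead subdomains"` in `buttonAccordion("Dead subdomains", [data[ip]|length], "collapseOneDns")`, so the report shows two sections with the same title although this one lists only the dead subdomains that still have a DNS record (per the `check_dns` loop in main.py); a label such as `"Dead subdomains with DNS record"` makes the distinction visible to the reader. The `collapseOneDns` id must also be unique on the page; the id used by the existing dead-subdomains section is outside this hunk, so I cannot confirm they differ. The template around this hunk is heavily garbled in the extraction, so the markup itself was not reviewed.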

{% for ip in data %} - {% if ip != "dead_subdomains" %} + {% if ip != "dead_subdomains" and ip !="dns_exist"%}
@@ -307,7 +329,7 @@

Ports

id="headingOneAll"> {% set ns = namespace(info=0, low=0, medium=0, high=0, critical=0)%} {% for ip in data %} - {% if ip != "dead_subdomains" %} + {% if ip != "dead_subdomains" and ip !="dns_exist" and "vulns" in data[ip] %} {% for vuln in data[ip]["vulns"] %} {% if "info" in vuln and "severity" in vuln["info"] and vuln["info"]["severity"] == "critical" %} {% set ns.critical = ns.critical + 1 %} @@ -380,7 +402,7 @@

Ports

{% for ip in data %} - {% if ip != "dead_subdomains" %} + {% if ip != "dead_subdomains" and ip !="dns_exist" and "vulns" in data[ip]["subdomains"] %} {% for sub, vulns in data[ip]["subdomains"]["vulns"].items() %} {% for vuln in vulns %} @@ -415,38 +437,40 @@

Ports

{% endfor %} {% endfor %} - {% for vuln in data[ip]["vulns"] %} - - {% if "info" in vuln and "name" in vuln["info"] %}{{vuln["info"]["name"]}}{% endif %} - {% if "info" in vuln and "severity" in vuln["info"] %}{{vuln["info"]["severity"]}}{% endif %} - {% if "info" in vuln and "classification" in vuln["info"] and "cve-id" in vuln["info"]["classification"] %}{{vuln["info"]["classification"]["cve-id"]}}{% endif %} - {% if "info" in vuln and "classification" in vuln["info"] and "cwe-id" in vuln["info"]["classification"] %}{{vuln["info"]["classification"]["cwe-id"]}}{% endif %} - {% if "info" in vuln and "classification" in vuln["info"] and "cvss-metrics" in vuln["info"]["classification"] %}{{vuln["info"]["classification"]["cvss-metrics"]}}{% endif %} - {% if "info" in vuln and "classification" in vuln["info"] and "cvss-score" in vuln["info"]["classification"] %}{{vuln["info"]["classification"]["cvss-score"]}}{% endif %} - {% if "info" in vuln and "description" in vuln["info"] %}{{vuln["info"]["description"]}}{% endif %} - {% if "info" in vuln and "reference" in vuln["info"] %}{{vuln["info"]["reference"]}}{% endif %} - {% if "type" in vuln %}{{vuln["type"]}}{% endif %} - {% if "host" in vuln %}{{vuln["host"]}}{% endif %} - {% if "matched-at" in vuln %}{{vuln["matched-at"]}}{% endif %} - {% if "extracted-results" in vuln %}{{vuln["extracted-results"]}}{% endif %} - {% if "ip" in vuln %}{{vuln["ip"]}}{% endif %} - {% if "timestamp" in vuln %}{{vuln["timestamp"]}}{% endif %} - {% if "curl-command" in vuln %}{{vuln["curl-command"]}}{% endif %} - {% if "matcher-status" in vuln %}{{vuln["matcher-status"]}}{% endif %} - {% if "matched-line" in vuln %}{{vuln["matched-line"]}}{% endif %} - {% if "matcher-name" in vuln %}{{vuln["matcher-name"]}}{% endif %} - {% if "info" in vuln and "tags" in vuln["info"] %}{{vuln["info"]["tags"]}}{% endif %} - {% if "info" in vuln and "metadata" in vuln["info"] and "verified" in vuln["info"]["metadata"] 
%}{{vuln["info"]["metadata"]["verified"]}}{% endif %} - {% if "info" in vuln and "metadata" in vuln["info"] and "fofa-query" in vuln["info"]["metadata"] %}{{vuln["info"]["metadata"]["fofa-query"]}}{% endif %} - {% if "info" in vuln and "metadata" in vuln["info"] and "shodan-query" in vuln["info"]["metadata"] %}{{vuln["info"]["metadata"]["shodan-query"]}}{% endif %} - {% if "template" in vuln %}{{vuln["template"]}}{% endif %} - {% if "template-url" in vuln %}{{vuln["template-url"]}}{% endif %} - {% if "template-id" in vuln %}{{vuln["template-id"]}}{% endif %} - {% if "template-path" in vuln %}{{vuln["template-path"]}}{% endif %} - {% if "info" in vuln and "author" in vuln["info"] %}{{vuln["info"]["author"]}}{% endif %} - - - {% endfor %} + {% if "vulns" in data[ip] and data[ip]["vulns"] != [] %} + {% for vuln in data[ip]["vulns"] %} + + {% if "info" in vuln and "name" in vuln["info"] %}{{vuln["info"]["name"]}}{% endif %} + {% if "info" in vuln and "severity" in vuln["info"] %}{{vuln["info"]["severity"]}}{% endif %} + {% if "info" in vuln and "classification" in vuln["info"] and "cve-id" in vuln["info"]["classification"] %}{{vuln["info"]["classification"]["cve-id"]}}{% endif %} + {% if "info" in vuln and "classification" in vuln["info"] and "cwe-id" in vuln["info"]["classification"] %}{{vuln["info"]["classification"]["cwe-id"]}}{% endif %} + {% if "info" in vuln and "classification" in vuln["info"] and "cvss-metrics" in vuln["info"]["classification"] %}{{vuln["info"]["classification"]["cvss-metrics"]}}{% endif %} + {% if "info" in vuln and "classification" in vuln["info"] and "cvss-score" in vuln["info"]["classification"] %}{{vuln["info"]["classification"]["cvss-score"]}}{% endif %} + {% if "info" in vuln and "description" in vuln["info"] %}{{vuln["info"]["description"]}}{% endif %} + {% if "info" in vuln and "reference" in vuln["info"] %}{{vuln["info"]["reference"]}}{% endif %} + {% if "type" in vuln %}{{vuln["type"]}}{% endif %} + {% if "host" in vuln 
%}{{vuln["host"]}}{% endif %} + {% if "matched-at" in vuln %}{{vuln["matched-at"]}}{% endif %} + {% if "extracted-results" in vuln %}{{vuln["extracted-results"]}}{% endif %} + {% if "ip" in vuln %}{{vuln["ip"]}}{% endif %} + {% if "timestamp" in vuln %}{{vuln["timestamp"]}}{% endif %} + {% if "curl-command" in vuln %}{{vuln["curl-command"]}}{% endif %} + {% if "matcher-status" in vuln %}{{vuln["matcher-status"]}}{% endif %} + {% if "matched-line" in vuln %}{{vuln["matched-line"]}}{% endif %} + {% if "matcher-name" in vuln %}{{vuln["matcher-name"]}}{% endif %} + {% if "info" in vuln and "tags" in vuln["info"] %}{{vuln["info"]["tags"]}}{% endif %} + {% if "info" in vuln and "metadata" in vuln["info"] and "verified" in vuln["info"]["metadata"] %}{{vuln["info"]["metadata"]["verified"]}}{% endif %} + {% if "info" in vuln and "metadata" in vuln["info"] and "fofa-query" in vuln["info"]["metadata"] %}{{vuln["info"]["metadata"]["fofa-query"]}}{% endif %} + {% if "info" in vuln and "metadata" in vuln["info"] and "shodan-query" in vuln["info"]["metadata"] %}{{vuln["info"]["metadata"]["shodan-query"]}}{% endif %} + {% if "template" in vuln %}{{vuln["template"]}}{% endif %} + {% if "template-url" in vuln %}{{vuln["template-url"]}}{% endif %} + {% if "template-id" in vuln %}{{vuln["template-id"]}}{% endif %} + {% if "template-path" in vuln %}{{vuln["template-path"]}}{% endif %} + {% if "info" in vuln and "author" in vuln["info"] %}{{vuln["info"]["author"]}}{% endif %} + + + {% endfor %} + {% endif %} {% endif %} {% endfor %} @@ -457,7 +481,7 @@
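Review bot: The guard `{% if "vulns" in data[ip] and data[ip]["vulns"] != [] %}` compares against an empty-list literal where Jinja's truthiness already covers a missing or empty value; `{% if data[ip].get("vulns") %}` (or `{% if data[ip]["vulns"] is defined and data[ip]["vulns"] %}`) reads more idiomatically and also covers the case where the value is `None` rather than `[]`, which `!= []` does not. The same presence check is written three different ways across this file's hunks (`"vulns" in data[ip]`, `"vulns" in data[ip]["subdomains"]`, and this one), which is worth unifying. The enclosing `{% for ip in data %}` block starts outside this hunk.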

Ports

{% for ip in data %} - {% if ip != "dead_subdomains" %} + {% if ip != "dead_subdomains" and ip !="dns_exist" and "vulns" in data[ip]["subdomains"] and "vulns" in data[ip] %}