#imports from colorama import init, Fore, Back, Style import requests import json import argparse import socket import time import urllib3 import subprocess from subprocess import call import os import sys import time # Copyright (c) 2018 - Nathan Corbin/w3w3w3 # YouTube channel: youtube.com/w3w3w3 # Tip me @ BitCoin:1EHmioBmujNAyVs5A6Uo1nfto9JZhGBDLd # Colour only works when using CMD on Windows init(autoreset=True) print(Back.BLACK+Fore.GREEN+r''' ,----------------, ,---------, ,-----------------------, ," ,"| ," ,"| ," ," | +-----------------------+ | ," ," | | .-----------------. | | +---------+ | | | | | | | -==----'| | | | SUBZONE | | | | | | | |created by:w3w3w3| | |/----|`---= | | | | C:> sub to my | | | ,/|==== ooo | ; | | channel | | | // |(((( [14]| ," | `-----------------' |," .;'| |(((( | ," +-----------------------+ ;; | | |," /_)______________(_/ //' | +---------+ ___________________________/___ `, / oooooooooooooooo .o. oooo /, \,"----------- / ==ooooooooooooooo==.o. ooo= // ,`\--{)B ," /_==__==========__==_ooo__ooo=_/' /___________," `-----------------------------''') a = (Back.BLACK+Fore.RED+r''' ____ _ _ ___ ___ ____ _ _ ____ _ _ _ ____ [__ | | |__] | \ | | |\/| |__| | |\ | [__ ___] |__| |__] |__/ |__| | | | | | | \| ___],''') b = (Back.BLACK+Fore.WHITE+r''' ___ _ _ ____ ____ ____ ____ ____ ____ ___ ____ | \ |\ | [__ |__/ |___ | | | |__/ | \ [__ |__/ | \| ___] | \ |___ |___ |__| | \ |__/ ___],''') d = (Back.BLACK+Fore.BLUE+r''' ____ __ _ ___ |--| | \| |__>''') e = (Back.BLACK+Fore.BLUE+r''' _ _ ____ ____ ____ |\/| | | |__/ |___ | | |__| | \ |___ !''') print('%s %s %s %s' % (a,b,d,e)) print('') time.sleep(1) def args_parser(): #parse required argument/s needed for program parser = argparse.ArgumentParser() parser.add_argument('-d', '--domain', type=str, required=True, help='domain - ssubdomains(ex use. http(s)://facebook.com)') parser.add_argument('-o', '--output', type=str, required=False, help='filename - filename for output data(ex use. facebook.txt)') args = parser.parse_args() return args active_subdomains = [] nameservers = [] class Abuse_certificate_transparency: def __init__(self): self.domain = args_parser().domain self.output = args_parser().output def parse_url(self): #parse host from scheme, to use for certificate transparency abuse try: host = urllib3.util.url.parse_url(self.domain).host except Exception as e: print(f'Invalid - Domain, try again...') sys.exit(1) return host def request_json(self): #request json data to get list of registered subdomains with cert trans records subdomains = [] try: r = requests.get(f'https://crt.sh/?q=%.{abuse.parse_url()}&output=json') #r = requests.get('https://crt.sh/?q=%.facebook.com&output=json') if r.status_code != 200: print('{!} host status-code: %s\n ~ unable to access records using this abuse certificate transparency method' % (r.status_code)) else: try: json_data = json.loads(r.text) for sub in (json_data): subdomains.append(sub['name_value']) except Exception as e: print(f'json_data:Error {e}') pass except Exception as e: print(f'request_json//Error: {e}') pass return subdomains def active_subs(self): #check registered subdomains to see if active or not global active_subdomains for sub in abuse.request_json(): try: sub = socket.gethostbyname_ex(sub) if sub in active_subdomains: pass else: active_subdomains.append(sub) except: continue number_all = len(abuse.request_json()) number_active = len(active_subdomains) Style.RESET_ALL try: print('\n',Fore.GREEN+'''\n\n{!} There are %s %s %s''' % (Fore.RED+Back.BLACK+str(number_all), Fore.RED+Back.BLACK+'REGISTERED', Fore.GREEN+'subdomains for this domain.')) time.sleep(2) index = Fore.GREEN+Back.BLACK+str('INDEX:green') sub_red = Fore.RED+Back.BLACK+str('SUBDOMAIN:red') line = Fore.CYAN+Back.BLACK+str('*****************************') print('\n%s\n%s %s\n%s\n' % (line, index, sub_red, line)) time.sleep(1.3) for index, sub in enumerate(abuse.request_json()): print(Fore.GREEN+str(index+1),Fore.RED+str(sub)) print('\n',Fore.GREEN+'''\n\n{!} There are %s %s %s''' % (Fore.RED+Back.BLACK+str(number_active), Fore.RED+Back.BLACK+'ACTIVE', Fore.GREEN+'subdomains for this domain.')) time.sleep(2) index = Fore.GREEN+Back.BLACK+str('INDEX:green') dns_white = Fore.WHITE+Back.BLACK+str('DNS SERVER:white') sub_red = Fore.RED+Back.BLACK+str('SUBDOMAIN:red') ip_yell = Fore.BLUE+Back.BLACK+str('IP_ADDR:blue') line = Fore.CYAN+Back.BLACK+str('************************************************************') print('\n%s\n%s %s %s %s\n%s\n' % (line, index, dns_white, sub_red, ip_yell, line)) time.sleep(1.3) for index, sub in enumerate(active_subdomains): print(Fore.GREEN+str(index+1), Fore.WHITE+Back.BLACK+str(sub[0]), Fore.RED+Back.BLACK+str(sub[1]), Fore.BLUE+Back.BLACK+str(sub[2])) except Exception as e: print(f'active_subdomains//Error: {e}') pass return active_subdomains def write_file(self,): #write registerd subdomains and active subdomains to file global active_subdomains try: if self.output is not None: reg = 'REGISTERED_'+self.output active = 'ACTIVE_'+self.output with open(reg,'w') as r: for index, sub in enumerate(abuse.request_json()): text = f'{index} {sub}\n' r.write(text) with open(active,'w') as a: for index, sub in enumerate(active_subdomains): text = f'{index} {sub}\n' a.write(text) except Exception as e: print(f'write_file//Error: {e}') pass class Dns_zone_transfer: def __init__(self): self.domain = abuse.parse_url() self.output = args_parser().output def nslookup(self): global nameservers #nslookup to find nameservers of target domain dns_white = Fore.RED+Back.BLACK+str('Dns records') sec_bit = Fore.GREEN+Back.BLACK+str('for this domain.\n') print(Fore.GREEN+Back.BLACK+str('\n\n\n{!} %s %s' % (dns_white, sec_bit))) line = Fore.CYAN+Back.BLACK+str('************************************************************') records = Fore.GREEN+Back.BLACK+str('DNS RECORDS:green') print('%s\n%s\n%s\n' % (line, records, line)) try: with open('dig.txt','w') as output_vale: cmd = subprocess.call(f'dig -t ns {self.domain}', shell=True, stdout=output_vale) with open('dig.txt','r') as ns2: for line in ns2.readlines(): if '\tNS\t' in line: line = line.split()[4] nameservers.append(line) #os.remove('dig.txt') #print(nameservers) except Exception as e: #print(e) pass return nameservers def dns_records(self): global nameservers #zone transfer - to get dns records if dns server is not configured properly count = 0 try: for ns in nameservers: if self.output is not None: filename = 'DNS_RECORDS_%s' % (self.output) if count == 0: with open(filename,'w') as fp: fp.write('**********DNS RECORDS**********\n\n') cmd = subprocess.call(f'dig axfr {abuse.parse_url()} @{ns}\n.\n', shell=True, stdout=fp) count +=1 else: with open(filename,'a') as write_here: cmd = subprocess.call(f'dig axfr {abuse.parse_url()} @{ns}\n.\n', shell=True, stdout=write_here) else: cmd = subprocess.call(f'dig axfr {abuse.parse_url()} @{ns} \n.\n', shell=True) except Exception as e: print(e) try: with open(filename,'r') as rd: for line in rd.readlines(): print(line) except: pass if __name__=='__main__': # Abuse certificate authority to get all and active subdomains of a domain abuse = Abuse_certificate_transparency() abuse.parse_url() abuse.request_json() abuse.active_subs() abuse.write_file() # Dns zone transfer to see if any information is leaking zone = Dns_zone_transfer() zone.nslookup() zone.dns_records() print(':> SubZone Completed') sys.exit(0) # Copyright (c) 2018 - Nathan Corbin/w3w3w3 # YouTube channel: youtube.com/w3w3w3 # Tip me @ BitCoin:1EHmioBmujNAyVs5A6Uo1nfto9JZhGBDLd