Skip to content
/ verifHostname Public

Find all hostnames in given folder and checks (with recursive dig function) which are in perimeter.

License

GPL-3.0 license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

jtof-fap/verifHostname

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

requirements.txt

requirements.txt

 
 

verifHostname.py

verifHostname.py

 
 

Repository files navigation

FindHostname

Introduction

Find all hostnames in given folder and checks (with recursive dig function) which are in perimeter.

First, you should populate a folder with text files containing hostnames. The script identifies all hostnames which presents in files with one regular expression, sort -u the list and tries to filter the noise in order to reduce the size of initial input. If you have no idea for populate the initial list, you can add:

  • Nessus xml output,
  • Maltego hostname list,
  • Sublist3r, theHarvester results exports,
  • Burp "site map" txt export,
  • DNS brute force/ Zone transfert,
  • Any export of tools finding hostnames from IP (ex: bing search IP:"X.X.X.X"),
  • Etc...

Second, populate a txt file with your pentest scope (IP, IP/32, network/cidr).

Then, this tool finds those of which the dig command returns an IP belonging to the perimeter file. No more of blah blah, a good schema is better:

The script resolves and keeps, in the final result, all discovered CNAMEs and all IPs associated with one DNS name. The output is in nessus target format:hostname / vhost [IP].

Installation, dependencies and requirements

Installation

git clone https://github.com/jtof-fap/verifHostname.git

Python version

This script currently supports Python 2 and Python 3.

Dependencies

verifHostname.py depends on the docopt, and netaddr python modules :

# pip install -r requirements.txt

Requirements

This script need the following requirements to run:

  • On Linux : dig command (# apt-get install dnsutils)
  • On Windows : require dig.exe on the same folder and bind libs in system32

Command line -h (RTFM)

Arguments:

FOLDER_OR_FILE           File or Folder which gathers the text files containing hostnames.
PERIMETER_FILE           Perimeter file 1 element/line (IP, IP/32, network/cidr).
-t, --thread = <num>     Thread number (default (10)).
-s, --server = <X.X.X.X> DNS Server, prefer robust for multithreading (default (8.8.8.8)).

Options:

-h, --help       Print Help
-v, --version    Print Version
-d, --debug      Print Debug

Usage:

verifHostname.py FOLDER_OR_FILE PERIMETER_FILE
verifHostname.py FOLDER_OR_FILE PERIMETER_FILE -d
verifHostname.py FOLDER_OR_FILE PERIMETER_FILE -t xx
verifHostname.py FOLDER_OR_FILE PERIMETER_FILE -s X.X.X.X
verifHostname.py FOLDER_OR_FILE PERIMETER_FILE [-d] [-t 5] [-s 8.8.4.4]

Example usage

Inputs:

# cat targets.txt
www.twitter.com
https://fiber.google.com/
/www.google.com 08237
mail.google.com
maps.google.com
yahoo.fr
testfile.php
testline
google.com
<host>gsuite.google.com/</host>
<img src="https://store.google.com/">
firebase.google.com

# cat perimeter.txt
172.217.17.0/24
216.58.204.96/29
216.58.204.142/32
216.58.64/29

Program:

# python3 verifHostname.py targets.txt perimeter.txt
INFO > Thread number : 10
INFO > Check that hostname present in file or folder 'targets.txt' be part of perimeter given in 'perimeter.txt' file
INFO > Search hostname in 'targets.txt'
INFO > Program check 10 hostname
fiber.google.com[216.58.204.142]
firebase.google.com[216.58.204.142]
google.com[216.58.204.142]
gsuite.google.com[216.58.204.142]
maps.google.com[216.58.204.142]
store.google.com[216.58.204.142]
www.google.com[216.58.204.100]
www3.l.google.com[216.58.204.142]
INFO > End process.

Under the wood / Debug Trace:

# python3 verifHostname.py targets.txt perimeter.txt -d
INFO > Thread number : 10
DEBUG > Command line argument :
  #>FILE OR FOLDER : 'targets.txt'
  #>PERIMETER : '/tmp/perimeter.txt'
  #>CUSTOM DNS SERVER : 8.8.8.8
  #>THREAD NUMBER : 10
INFO > Check that hostname present in file or folder 'targets.txt' be part of perimeter given in 'perimeter.txt' file
DEBUG > Perimeter : [['172.217.17.0/24'], ['216.58.204.96/29'], ['216.58.204.142/32'], ['216.58.64/29']]
DEBUG > Files in folder 'targets.txt' : ['targets.txt']
INFO > Search hostname in 'targets.txt'
DEBUG > Hostname list : {'fiber.google.com', 'yahoo.fr', 'google.com', 'firebase.google.com', 'store.google.com', 'www.google.com', 'gsuite.google.com', 'mail.google.com', 'www.twitter.com', 'maps.google.com'}
INFO > Program check 10 hostname
DEBUG > dig fiber.google.com +short
DEBUG > dig yahoo.fr +short
DEBUG > dig google.com +short
DEBUG > dig firebase.google.com +short
DEBUG > dig store.google.com +short
DEBUG > dig www.google.com +short
DEBUG > dig gsuite.google.com +short
DEBUG > dig mail.google.com +short
DEBUG > dig www.twitter.com +short
DEBUG > dig maps.google.com +short
DEBUG > yahoo.fr match 77.238.184.24 but it is not on perimeter... next...
DEBUG > yahoo.fr match 98.137.236.24 but it is not on perimeter... next...
DEBUG > yahoo.fr match 106.10.212.24 but it is not on perimeter... next...
DEBUG > yahoo.fr match 124.108.105.24 but it is not on perimeter... next...
DEBUG > yahoo.fr match 74.6.50.24 but it is not on perimeter... next...
DEBUG > CNAME Found for fiber.google.com : www3.l.google.com.
DEBUG > dig www3.l.google.com. +short
DEBUG > MATCH SINGLE: www.google.com match 216.58.204.100
DEBUG > CNAME Found for www.twitter.com : twitter.com.
DEBUG > MATCH SINGLE: google.com match 216.58.204.142
DEBUG > CNAME Found for gsuite.google.com : www3.l.google.com.
DEBUG > dig www3.l.google.com. +short
DEBUG > CNAME Found for firebase.google.com : www3.l.google.com.
DEBUG > dig www3.l.google.com. +short
DEBUG > dig twitter.com. +short
DEBUG > MATCH SINGLE: maps.google.com match 216.58.204.142
DEBUG > CNAME Found for mail.google.com : googlemail.l.google.com.
DEBUG > dig googlemail.l.google.com. +short
DEBUG > MATCH SINGLE: store.google.com match 216.58.204.142
DEBUG > MATCH CNAME Recursive call : CNAME fiber.google.com match IP : 216.58.204.142
DEBUG > MATCH CNAME Recursive call : CNAME www3.l.google.com. match IP : 216.58.204.142
DEBUG > MATCH CNAME Recursive call : CNAME gsuite.google.com match IP : 216.58.204.142
DEBUG > MATCH CNAME Recursive call : CNAME www3.l.google.com. match IP : 216.58.204.142
DEBUG > googlemail.l.google.com. match 216.58.204.133 but it is not in perimeter... next...
DEBUG > mail.google.com match 216.58.204.133 but it is not in perimeter... next...
DEBUG > twitter.com. match 104.244.42.129 but it is not in perimeter... next...
DEBUG > MATCH CNAME Recursive call : CNAME firebase.google.com match IP : 216.58.204.142
DEBUG > twitter.com. match 104.244.42.1 but it is not in perimeter... next...
DEBUG > MATCH CNAME Recursive call : CNAME www3.l.google.com. match IP : 216.58.204.142
DEBUG > www.twitter.com match 104.244.42.65 but it is not in perimeter... next...
DEBUG > www.twitter.com match 104.244.42.1 but it is not in perimeter... next...
fiber.google.com[216.58.204.142]
firebase.google.com[216.58.204.142]
google.com[216.58.204.142]
gsuite.google.com[216.58.204.142]
maps.google.com[216.58.204.142]
store.google.com[216.58.204.142]
www.google.com[216.58.204.100]
www3.l.google.com[216.58.204.142]
INFO > End process.

Tips and tricks

If you just wanna check which hostnames are valid (with CNAME resolve), put in the perimeter file:

0.0.0.0/0

License

verifHostname is licensed under the GNU GPL license(Version 3). Take a look at the LICENSE for more information.

Version

Current version is 1.0

About

Find all hostnames in given folder and checks (with recursive dig function) which are in perimeter.

Topics

pentest pentest-scripts insecurity

Resources

Readme

License

GPL-3.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages