Skip to content

Commit a0b261c

Browse files
x4nth055x4nth055
committed
added subdomain scanner tutorial
1 parent e7fe8ee commit a0b261c

File tree

6 files changed

+233
-0
lines changed

6 files changed

+233
-0
lines changed

README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,7 @@ This is a repository of all the tutorials of [The Python Code](https://www.thepy
1717
- [Making a Port Scanner using sockets in Python](https://www.thepythoncode.com/article/make-port-scanner-python). ([code](ethical-hacking/port_scanner))
1818
- [How to Create a Reverse Shell in Python](https://www.thepythoncode.com/article/create-reverse-shell-python). ([code](ethical-hacking/reverse_shell))
1919
- [How to Encrypt and Decrypt Files in Python](https://www.thepythoncode.com/article/encrypt-decrypt-files-symmetric-python). ([code](ethical-hacking/file-encryption))
20+
- [How to Make a Subdomain Scanner in Python](https://www.thepythoncode.com/article/make-subdomain-scanner-python). ([code](ethical-hacking/subdomain-scanner))
2021

2122
- ### [Machine Learning](https://www.thepythoncode.com/topic/machine-learning)
2223
- ### [Natural Language Processing](https://www.thepythoncode.com/topic/nlp)

ethical-hacking/subdomain-scanner/README.md

Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,40 @@
1+
# [How to Make a Subdomain Scanner in Python](https://www.thepythoncode.com/article/make-subdomain-scanner-python)
2+
To run this:
3+
- `pip3 install -r requirements.txt`
4+
- To run the fast subdomain scanner:
5+
```
6+
python fast_subdomain_scanner.py --help
7+
```
8+
**Output:**
9+
```
10+
usage: fast_subdomain_scanner.py [-h] [-l WORDLIST] [-t NUM_THREADS] domain
11+
12+
Faster Subdomain Scanner using Threads
13+
14+
positional arguments:
15+
domain Domain to scan for subdomains without protocol (e.g
16+
without 'http://' or 'https://')
17+
18+
optional arguments:
19+
-h, --help show this help message and exit
20+
-l WORDLIST, --wordlist WORDLIST
21+
File that contains all subdomains to scan, line by
22+
line. Default is subdomains.txt
23+
-t NUM_THREADS, --num-threads NUM_THREADS
24+
Number of threads to use to scan the domain. Default
25+
is 10
26+
```
27+
- If you want to scan hackthissite.org for subdomains using only 10 threads with a word list of 100 subdomains (`subdomains.txt`):
28+
```
29+
python fast_subdomain_scanner.py hackthissite.org -l subdomains.txt -t 10
30+
```
31+
After a while, it **outputs:**
32+
```
33+
[+] Discovered subdomain: http://mail.hackthissite.org
34+
[+] Discovered subdomain: http://www.hackthissite.org
35+
[+] Discovered subdomain: http://forum.hackthissite.org
36+
[+] Discovered subdomain: http://admin.hackthissite.org
37+
[+] Discovered subdomain: http://stats.hackthissite.org
38+
[+] Discovered subdomain: http://forums.hackthissite.org
39+
```
40+
- For bigger subdomain wordlists, check [this repository](https://github.com/rbsec/dnscan).

ethical-hacking/subdomain-scanner/fast_subdomain_scanner.py

Lines changed: 68 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,68 @@
1+
import requests
2+
from threading import Thread, active_count
3+
from queue import Queue
4+
import time
5+
6+
q = Queue()
7+
8+
def scan_subdomains(domain):
9+
global q
10+
while True:
11+
# get the subdomain from the queue
12+
subdomain = q.get()
13+
# scan the subdomain
14+
url = f"http://{subdomain}.{domain}"
15+
try:
16+
requests.get(url)
17+
except requests.ConnectionError:
18+
pass
19+
else:
20+
print("[+] Discovered subdomain:", url)
21+
22+
# we're done with scanning that subdomain
23+
q.task_done()
24+
25+
26+
def main(domain, n_threads, subdomains):
27+
global q
28+
29+
# fill the queue with all the subdomains
30+
for subdomain in subdomains:
31+
q.put(subdomain)
32+
33+
for t in range(n_threads):
34+
# start all threads
35+
worker = Thread(target=scan_subdomains, args=(domain,))
36+
# daemon thread means a thread that will end when the main thread ends
37+
worker.daemon = True
38+
worker.start()
39+
40+
41+
42+
43+
def print_n_threads():
44+
while True:
45+
print("Number of alive threads:", active_count())
46+
time.sleep(10)
47+
48+
49+
if __name__ == "__main__":
50+
import argparse
51+
parser = argparse.ArgumentParser(description="Faster Subdomain Scanner using Threads")
52+
parser.add_argument("domain", help="Domain to scan for subdomains without protocol (e.g without 'http://' or 'https://')")
53+
parser.add_argument("-l", "--wordlist", help="File that contains all subdomains to scan, line by line. Default is subdomains.txt",
54+
default="subdomains.txt")
55+
parser.add_argument("-t", "--num-threads", help="Number of threads to use to scan the domain. Default is 10", default=10, type=int)
56+
57+
args = parser.parse_args()
58+
domain = args.domain
59+
wordlist = args.wordlist
60+
num_threads = args.num_threads
61+
62+
# t = Thread(target=print_n_threads)
63+
# t.daemon = True
64+
# t.start()
65+
66+
main(domain=domain, n_threads=num_threads, subdomains=open(wordlist).read().splitlines())
67+
q.join()
68+

ethical-hacking/subdomain-scanner/requirements.txt

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
requests

ethical-hacking/subdomain-scanner/subdomain_scanner.py

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
import requests
2+
3+
# the domain to scan for subdomains
4+
domain = "google.com"
5+
6+
# read all subdomains
7+
file = open("subdomains.txt")
8+
# read all content
9+
content = file.read()
10+
# split by new lines
11+
subdomains = content.splitlines()
12+
13+
for subdomain in subdomains:
14+
# construct the url
15+
url = f"http://{subdomain}.{domain}"
16+
try:
17+
# if this raises an ERROR, that means the subdomain does not exist
18+
requests.get(url)
19+
except requests.ConnectionError:
20+
# if the subdomain does not exist, just pass, print nothing
21+
pass
22+
else:
23+
print("[+] Discovered subdomain:", url)

ethical-hacking/subdomain-scanner/subdomains.txt

Lines changed: 100 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,100 @@
1+
www
2+
mail
3+
ftp
4+
localhost
5+
webmail
6+
smtp
7+
pop
8+
ns1
9+
webdisk
10+
ns2
11+
cpanel
12+
whm
13+
autodiscover
14+
autoconfig
15+
m
16+
imap
17+
test
18+
ns
19+
blog
20+
pop3
21+
dev
22+
www2
23+
admin
24+
forum
25+
news
26+
vpn
27+
ns3
28+
mail2
29+
new
30+
mysql
31+
old
32+
lists
33+
support
34+
mobile
35+
mx
36+
static
37+
docs
38+
beta
39+
shop
40+
sql
41+
secure
42+
demo
43+
cp
44+
calendar
45+
wiki
46+
web
47+
media
48+
email
49+
images
50+
img
51+
www1
52+
intranet
53+
portal
54+
video
55+
sip
56+
dns2
57+
api
58+
cdn
59+
stats
60+
dns1
61+
ns4
62+
www3
63+
dns
64+
search
65+
staging
66+
server
67+
mx1
68+
chat
69+
wap
70+
my
71+
svn
72+
mail1
73+
sites
74+
proxy
75+
ads
76+
host
77+
crm
78+
cms
79+
backup
80+
mx2
81+
lyncdiscover
82+
info
83+
apps
84+
download
85+
remote
86+
db
87+
forums
88+
store
89+
relay
90+
files
91+
newsletter
92+
app
93+
live
94+
owa
95+
en
96+
start
97+
sms
98+
office
99+
exchange
100+
ipv4

0 commit comments

Comments
 (0)