#!/bin/bash
# mild.sh - Subdomain brute forcer inspired by fierce.pl
# https://github.com/phxbandit/scripts-n-tools/blob/master/mild.sh
#
# Usage: ./mild.sh -d DOMAIN [-n NAMESERVER] [-s X]
# -d = Set target DOMAIN
# -n = Use NAMESERVER
# -s = Sleep X number of seconds
#
# hosts-plus.txt based on hosts.txt from
# http://ha.ckers.org/fierce/hosts.txt
# Help function
help() {
  # Print the usage text to stdout, one line at a time, then stop with
  # status 1 (the same stream and exit code the original heredoc used).
  local line
  for line in \
    'mild.sh - Subdomain brute forcer' \
    'Usage: mild.sh -d DOMAIN [-n NAMESERVER] [-s X]' \
    '-d' \
    'Set target DOMAIN' \
    '-n' \
    'Use NAMESERVER' \
    '-s' \
    'Sleep X number of seconds'; do
    printf '%s\n' "$line"
  done
  exit 1
}
# Main query function
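query() {
  # Main query loop: one dig lookup per name in rand-hosts.txt.
  # Globals read: dom, nam (set by option handling), shTime (expected from the
  # sourced ~/.iso8601 helper — TODO confirm), chk/sleep (sleep-option check).
  # Tee all further stdout into a per-run log; "--" keeps a log name that
  # happens to start with "-" from being parsed as a tee option.
  exec > >(tee -- "$dom-$shTime.log")
  # read -r keeps each name verbatim; the original $(cat …) word-split and
  # glob-expanded the list, so a line like "*" or "a b" broke the query.
  local host
  while IFS= read -r host || [ -n "$host" ]; do
    [ -z "$host" ] && continue
    dig +noall +answer "$host.$dom" "@$nam"
    # chk is only set by the top-level sleep check; default to "no delay"
    # so a missing value cannot turn into a test error here.
    if [ "${chk:-0}" -eq 1 ]; then sleep "$sleep"; fi
  done < rand-hosts.txt
}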
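# Handle arguments: the valid combinations are -d alone, -d with -n, -d with
# -s, or all three, so the argument count must be exactly 2, 4 or 6.
case $# in
  2|4|6) ;;
  *) help ;;
esac
while getopts :d:n:s: opt; do
  case "$opt" in
    d) dom=$OPTARG ;;
    n) nam=$OPTARG ;;
    s) sleep=$OPTARG ;;
    # The leading ':' in the optstring makes getopts silent, so report these
    # cases ourselves instead of ignoring a typo and failing later with a
    # less clear error.
    :) echo "Option -$OPTARG requires an argument" >&2; help ;;
    \?) echo "Unknown option -$OPTARG" >&2; help ;;
  esac
done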
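# Source time and date functions.
# NOTE(review): on first run this fetches a script over the network and
# executes it in the current shell. There is no integrity check, so the trust
# boundary is the HTTPS connection and that repository; pin an expected
# checksum if this is used anywhere that matters. Also note the header
# comment names the repo "scripts-n-tools" while this URL says
# "scripts-and-tools" — confirm which is current.
iso8601_src='https://raw.githubusercontent.com/phxbandit/scripts-and-tools/master/iso8601'
if [ ! -e "$HOME/.iso8601" ]; then
  tmp_iso=$(mktemp) || { echo "mktemp failed... exiting" >&2; exit 1; }
  # Download to a temp file first so a failed or empty fetch is never
  # installed (the original ignored wget's status and then sourced whatever
  # was there).
  if ! wget -q -O "$tmp_iso" "$iso8601_src" || [ ! -s "$tmp_iso" ]; then
    rm -f -- "$tmp_iso"
    echo "Could not fetch iso8601 helper... exiting" >&2
    exit 1
  fi
  mv -- "$tmp_iso" "$HOME/.iso8601"
fi
. "$HOME/.iso8601"
# Output banner; isoTime is expected to be defined by ~/.iso8601 (TODO confirm).
echo "Starting mild.sh ( https://github.com/phxbandit ) at $isoTime"
echo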
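# Check for target domain. The original unquoted "[ ! $dom ]" only worked by
# accident for an unset value and errored on a value containing spaces.
if [ -z "${dom:-}" ]; then
  help
fi
# dom ends up in the log file name and in dig arguments, so restrict it to
# hostname characters and disallow a leading "-" (would look like an option).
if ! [[ "$dom" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]]; then
  echo "Invalid domain: $dom" >&2
  help
fi
# Check for and verify name server
if [ -z "${nam:-}" ]; then
  nam=$(dig +short NS "$dom" | tail -n 1 | sed 's/\.$//')
  # Without this guard an empty result produced a bare "@" argument below.
  if [ -z "$nam" ]; then
    echo "Could not find an NS record for $dom"
    echo "Try a server with -n"
    exit 1
  fi
fi
# In practice dig exits non-zero here only when the server cannot be reached
# at all; a server that answers with NXDOMAIN for www still passes.
if ! dig +noall +answer "www.$dom" "@$nam" > /dev/null 2>&1; then
  echo "Name server seems bad"
  echo "Try a new server with -n"
  exit 1
fi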
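# Check for sleep: accept only a non-negative whole number of seconds.
# The original "[ $sleep -eq $sleep ]" trick printed a test error on bad
# input before falling through to help, and it accepted negative numbers,
# which sleep(1) then rejects mid-run.
if [ -n "${sleep:-}" ]; then
  if [[ "$sleep" =~ ^[0-9]+$ ]]; then
    echo "Sleeping $sleep second(s) between queries"
    chk=1
  else
    help
  fi
else
  echo "Not sleeping between queries"
  chk=0
fi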
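# Check for dig; command -v is the portable "is it installed" test.
# NOTE(review): dig is already invoked above during name-server verification,
# so this check runs too late to be useful there — consider moving it up.
if ! command -v dig >/dev/null 2>&1; then
  echo "dig not found... exiting"
  exit 1
fi
# Check for subdomains list
if [ -f hosts-plus.txt ]; then
  echo "Subdomain list found"
else
  echo "No subdomain list found... fetching"
  if ! command -v wget >/dev/null 2>&1; then
    echo "No wget... exiting"
    exit 1
  fi
  # Fail here on a failed or empty download rather than letting sort choke
  # on a missing file later (the original ignored wget's status).
  if ! wget -q https://raw.githubusercontent.com/phxbandit/scripts-and-tools/master/hosts-plus.txt \
    || [ ! -s hosts-plus.txt ]; then
    echo "Could not fetch hosts-plus.txt... exiting"
    exit 1
  fi
fi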
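# Randomize subdomains. GNU sort has -R; the macOS/BSD branch instead prefixes
# each line with $RANDOM, sorts, and strips the prefix. Lines are read with
# read -r so names are kept verbatim instead of being word-split by $(cat …).
echo "Randomizing subdomains"
if [ "$(uname)" = "Darwin" ]; then
  while IFS= read -r host || [ -n "$host" ]; do
    echo "$RANDOM $host"
  done < hosts-plus.txt | sort | sed -E 's/^[0-9]+ //' > rand-hosts.txt
else
  sort -R hosts-plus.txt > rand-hosts.txt
fi
echo "Brute forcing subdomains of $dom using name server, $nam"
# shTime is expected to come from the sourced ~/.iso8601 helper (TODO confirm).
echo "Logging to $dom-$shTime.log"
echo
# Call main function
query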