GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → nscuro → fdnssearch

nscuro / fdnssearch

Licence: GPL-3.0 license
Swiftly search FDNS datasets from Rapid7 Open Data

Programming Languages

go
31211 projects - #10 most used programming language
Makefile
30231 projects
Dockerfile
14818 projects

Labels

dnsopendatabugbountysubdomainsrapid7fdns

Projects that are alternatives of or similar to fdnssearch

flydns
Related subdomains finder
Stars: ✭ 29 (+52.63%)
Mutual labels:  bugbounty, subdomains
Passivehunter
Subdomain discovery using the power of 'The Rapid7 Project Sonar datasets'
Stars: ✭ 83 (+336.84%)
Mutual labels:  bugbounty, rapid7
ICU
An Extended, Modulair, Host Discovery Framework
Stars: ✭ 40 (+110.53%)
Mutual labels:  bugbounty, subdomains
tugarecon
Pentest: Subdomains enumeration tool for penetration testers.
Stars: ✭ 142 (+647.37%)
Mutual labels:  bugbounty, subdomains
Inventus
Inventus is a spider designed to find subdomains of a specific domain by crawling it and any subdomains it discovers.
Stars: ✭ 80 (+321.05%)
Mutual labels:  bugbounty, subdomains
2017-wmata-ridership-data
Intraday ridership data from Washington Metro Area Transit Authority for 2009 and 2017 inaugurations and the Women's March.
Stars: ✭ 15 (-21.05%)
Mutual labels:  opendata
urldedupe
Pass in a list of URLs with query strings, get back a unique list of URLs and query string combinations
Stars: ✭ 208 (+994.74%)
Mutual labels:  bugbounty
EconData
R package containing a host of datasets useful for economic research. Complete with raw data and cleaning functions.
Stars: ✭ 28 (+47.37%)
Mutual labels:  opendata
SuperLibrary
Information Security Library
Stars: ✭ 60 (+215.79%)
Mutual labels:  bugbounty
project-black
Pentest/BugBounty progress control with scanning modules
Stars: ✭ 279 (+1368.42%)
Mutual labels:  bugbounty
simple-rest-api
😎 A simple RESTful API in three easy steps.
Stars: ✭ 25 (+31.58%)
Mutual labels:  opendata
coronavirus-dresden
Collects official SARS-CoV-2 infection statistics published by the city of Dresden.
Stars: ✭ 19 (+0%)
Mutual labels:  opendata
boxer
Boxer: A fast directory bruteforce tool written in Python with concurrency.
Stars: ✭ 15 (-21.05%)
Mutual labels:  bugbounty
allsafe
Intentionally vulnerable Android application.
Stars: ✭ 135 (+610.53%)
Mutual labels:  bugbounty
bhedak
A replacement of "qsreplace", accepts URLs as standard input, replaces all query string values with user-supplied values and stdout.
Stars: ✭ 77 (+305.26%)
Mutual labels:  bugbounty
BurpSQLTruncSanner
Messy BurpSuite plugin for SQL Truncation vulnerabilities.
Stars: ✭ 53 (+178.95%)
Mutual labels:  bugbounty
who-owns-what
Who owns what in nyc?
Stars: ✭ 146 (+668.42%)
Mutual labels:  opendata
coletores
Coletores de dados sobre remunerações do sistema de justiça brasileiro
Stars: ✭ 18 (-5.26%)
Mutual labels:  opendata
HostPanic
Find host header injections and perform Host Header attacks with other kind of bugs like web cache poissoning
Stars: ✭ 23 (+21.05%)
Mutual labels:  bugbounty
WhoEnum
Mass querying whois records
Stars: ✭ 24 (+26.32%)
Mutual labels:  bugbounty
View All Similar Projects ➔

fdnssearch

Build Status

Swiftly search FDNS datasets from Rapid7 Open Data

Disclaimer: You can do most of what fdnssearch does with bash, curl, pigz and jq. This is nothing revolutionary. fdnssearch simply offers a nicer UX and some QoL features. If you prefer a server-based solution, take a look at the amazing Crobat project.

Installation

go install github.com/nscuro/fdnssearch/cmd/fdnssearch@latest

Alternatively, clone this repo and run make install. Make sure $GOPATH/bin is in your $PATH.

fdnssearch requires Go >= 1.17

Prebuilt binaries are available as well.

Docker

Clone this repository, cd into it and run make docker.
The image can then be used as follows: docker -it --rm nscuro/fdnssearch -h

Usage

Usage:
  fdnssearch [flags]

Flags:
      --amass-config string    Amass config to load domains from
  -a, --any                    Additionally search ANY dataset (ignored when -f is set)
      --any-only               Only search ANY dataset (ignored when -f is set)
  -d, --domains stringArray    Domains to search for
  -e, --excludes stringArray   Domains to exclude from search
  -f, --files stringArray      Dataset files
  -h, --help                   help for fdnssearch
  -o, --output string          Output file
      --plain                  Disable colored output
  -q, --quiet                  Only print results, no errors or log messages
      --timeout int            Timeout in seconds
  -t, --types stringArray      Record types to search for (a, aaaa, cname, txt, mx) (default [a])
  -v, --version                Show version

Errors and log messages are written to STDERR, search results to STDOUT. This allows for easy piping without the need to use --quiet. When piping results to other commands, make sure to disable colored output with --plain.

Examples

Searching for A and CNAME records of subdomains of example.de and example.com:

$ fdnssearch -d example.de -d example.com -t a -t cname

Searching for AAAA and TXT records of subdomains of example.com, disabling colored output and writing results to results.txt:

$ fdnssearch -d example.com -t aaaa -t txt --plain | tee results.txt

Searching for A records of subdomains of example.com, excluding (*.)acme.example.com and writing results to results.txt:

$ fdnssearch -d example.com -e acme.example.com -o results.txt

Remote Datasets

When no local dataset files are provided using -f / --files, fdnssearch will fetch the current datasets from Rapid7's website. It will search all datasets that match the record types provided with -t / --types.

This requires a fairly good internet connection, but doesn't pollute your storage with huge files that get outdated quickly. The slower your connection, the fewer search workers are required.

Rapid7 provides a dataset with ANY records in addition to the specific datasets:

Until early November 2017, all of these were for the 'ANY' record with a fallback A and AAAA request if neccessary. After that, the ANY study represents only the responses to ANY requests, and dedicated studies were created for the A, AAAA, CNAME and TXT record lookups with appropriately named files.

If you want your search to include this dataset as well, use the --any flag. Be aware that you will get a lot of duplicate results this way. Be sure to deduplicate your results. If you want to save time however, additionally pass the --any-only flag. fdnssearch will then exclusively search search the ANY dataset. While this may yield results faster, you may not get as many results as without --any-only.

Local Datasets

It is possible to search local dataset files as well:

$ fdnssearch -f /path/to/datasets/2020-05-23-1590208726-fdns_a.json.gz -d example.com

Performance

fdnssearch uses klauspost's pgzip for performant decompression of the datasets. Thanks to pgzip, the performance of fdnssearch is pretty much on par with the pigz, grep and jq approach:

$ time pigz -dc /path/to/datasets/2020-06-28-1593366733-fdns_cname.json.gz \
    | grep 'google\.com' \
    | jq '. | select(.name | endswith(".google.com")) | select(.type == "cname") | .name' \
    > /dev/null
pigz -dc /path/to/datasets/2020-06-28-1593366733-fdns_cname.json.gz  57.22s user 41.11s system 212% cpu 46.269 total
grep --color=auto --exclude-dir={.bzr,CVS,.git,.hg,.svn,.idea,.tox}   18.78s user 6.91s system 55% cpu 46.268 total
jq  > /dev/null  2.59s user 0.07s system 5% cpu 46.268 total
$ time fdnssearch -d google.com -t cname --quiet \
    -f /path/to/datasets/2020-06-28-1593366733-fdns_cname.json.gz \
    > /dev/null
fdnssearch -d google.com -t cname -f  --quiet > /dev/null  64.58s user 0.85s system 144% cpu 45.266 total

This is with an Intel i7 8700K and a Samsung 970 EVO NVMe M.2 SSD on Windows 10 in WSL 2.
Your mileage may vary.

Deduplication

fdnssearch will not perform deduplication in order to provide search results as quickly and efficiently as possible. Use tools like uniq or sort for this.

Given a file results.txt which only contains record names, deduplication can be achieved with:

$ sort --unique -o results.txt results.txt

Interoparability

Amass

fdnssearch can parse target domains and exclusions from Amass config files:

$ grep -A 3 "\[domains\]" amass.ini
[domains]
domain = example.com
domain = example.de
domain = example.fr

$ grep -A 1 "\[blacklisted\]" amass.ini
[blacklisted]
subdomain = acme.example.com

$ fdnssearch --amass-config amass.ini

This is equivalent to

$ fdnssearch -d example.com -d example.de -d example.fr -e acme.example.com
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].