update subdomain scanner tutorial

x4nth055 · x4nth055 · commit 04a4f7979148 · 2020-12-12T11:50:13.000+01:00
diff --git a/ethical-hacking/subdomain-scanner/README.md b/ethical-hacking/subdomain-scanner/README.md
@@ -7,7 +7,9 @@ To run this:
     ```
     **Output:**
     ```
-    usage: fast_subdomain_scanner.py [-h] [-l WORDLIST] [-t NUM_THREADS] domain
+    usage: fast_subdomain_scanner.py [-h] [-l WORDLIST] [-t NUM_THREADS]       
+                                 [-o OUTPUT_FILE]
+                                 domain
 
     Faster Subdomain Scanner using Threads
 
@@ -23,6 +25,9 @@ To run this:
     -t NUM_THREADS, --num-threads NUM_THREADS
                             Number of threads to use to scan the domain. Default
                             is 10
+    -o OUTPUT_FILE, --output-file OUTPUT_FILE
+                            Specify the output text file to write discovered
+                            subdomains
     ```
 - If you want to scan hackthissite.org for subdomains using only 10 threads with a word list of 100 subdomains (`subdomains.txt`):
     ```
@@ -37,4 +42,9 @@ To run this:
     [+] Discovered subdomain: http://stats.hackthissite.org
     [+] Discovered subdomain: http://forums.hackthissite.org
     ```
+    If you want to output the discovered URLs to a file:
+    ```
+    python fast_subdomain_scanner.py hackthissite.org -l subdomains.txt -t 10 -o discovered_urls.txt
+    ```
+    This will create a new file `discovered_urls.txt` that includes the discovered subdomains.
 - For bigger subdomain wordlists, check [this repository](https://github.com/rbsec/dnscan).
diff --git a/ethical-hacking/subdomain-scanner/fast_subdomain_scanner.py b/ethical-hacking/subdomain-scanner/fast_subdomain_scanner.py
@@ -1,8 +1,10 @@
 import requests
-from threading import Thread
+from threading import Thread, Lock
 from queue import Queue
 
 q = Queue()
+list_lock = Lock()
+discovered_domains = []
 
 def scan_subdomains(domain):
     global q
@@ -17,6 +19,9 @@ def scan_subdomains(domain):
             pass
         else:
             print("[+] Discovered subdomain:", url)
+            # add the subdomain to the global list
+            with list_lock:
+                discovered_domains.append(url)
 
         # we're done with scanning that subdomain
         q.task_done()
@@ -44,12 +49,19 @@ def main(domain, n_threads, subdomains):
     parser.add_argument("-l", "--wordlist", help="File that contains all subdomains to scan, line by line. Default is subdomains.txt",
                         default="subdomains.txt")
     parser.add_argument("-t", "--num-threads", help="Number of threads to use to scan the domain. Default is 10", default=10, type=int)
+    parser.add_argument("-o", "--output-file", help="Specify the output text file to write discovered subdomains")
     
     args = parser.parse_args()
     domain = args.domain
     wordlist = args.wordlist
     num_threads = args.num_threads
+    output_file = args.output_file
 
     main(domain=domain, n_threads=num_threads, subdomains=open(wordlist).read().splitlines())
     q.join()
+
+    # save the file
+    with open(output_file, "w") as f:
+        for url in discovered_domains:
+            print(url, file=f)
     
diff --git a/ethical-hacking/subdomain-scanner/subdomain_scanner.py b/ethical-hacking/subdomain-scanner/subdomain_scanner.py
@@ -9,7 +9,8 @@
 content = file.read()
 # split by new lines
 subdomains = content.splitlines()
-
+# a list of discovered subdomains
+discovered_subdomains = []
 for subdomain in subdomains:
     # construct the url
     url = f"http://{subdomain}.{domain}"
@@ -20,4 +21,11 @@
         # if the subdomain does not exist, just pass, print nothing
         pass
     else:
-        print("[+] Discovered subdomain:", url)
+        print("[+] Discovered subdomain:", url)
+        # append the discovered subdomain to our list
+        discovered_subdomains.append(url)
+
+# save the discovered subdomains into a file
+with open("discovered_subdomains.txt", "w") as f:
+    for subdomain in discovered_subdomains:
+        print(subdomain, file=f)
