Class: Ronin::Recon::DNS::SubdomainEnum

Inherits:

Ronin::Recon::DNSWorker

• Object
• Worker
• Ronin::Recon::DNSWorker
• Ronin::Recon::DNS::SubdomainEnum

Defined in:

lib/ronin/recon/builtin/dns/subdomain_enum.rb

Overview

Finds common subdomains of a domain using a wordlist of commong subdomains.

Constant Summary

DEFAULT_WORDLIST =

The path to the default common subdomains wordlist.

File.join(WORDLISTS_DIR, 'subdomains-1000.txt.gz')

Constants included from Mixins::DNS

Mixins::DNS::IDN, Mixins::DNS::RECORD_TYPES

Instance Attribute Summary

Attributes included from Mixins::DNS

#dns_resolver

Instance Method Summary

• #process(domain) {|host| ... } ⇒ Object

  Bruteforce resolves the subdomains of a given domain.

Methods included from Mixins::DNS

#dns_get_a_address, #dns_get_a_addresses, #dns_get_a_record, #dns_get_a_records, #dns_get_aaaa_address, #dns_get_aaaa_addresses, #dns_get_aaaa_record, #dns_get_aaaa_records, #dns_get_address, #dns_get_addresses, #dns_get_any_records, #dns_get_cname, #dns_get_cname_record, #dns_get_hinfo_record, #dns_get_loc_record, #dns_get_mailservers, #dns_get_minfo_record, #dns_get_mx_records, #dns_get_name, #dns_get_names, #dns_get_nameservers, #dns_get_ns_records, #dns_get_ptr_name, #dns_get_ptr_names, #dns_get_ptr_record, #dns_get_ptr_records, #dns_get_record, #dns_get_records, #dns_get_soa_record, #dns_get_srv_records, #dns_get_txt_record, #dns_get_txt_records, #dns_get_txt_string, #dns_get_txt_strings, #dns_get_wks_records, #initialize

Methods inherited from Worker

accepts, concurrency, #initialize, intensity, outputs, register, run

Instance Method Details

#process(domain) {|host| ... } ⇒ Object

Bruteforce resolves the subdomains of a given domain.

Parameters:

• domain (Values::Domain, Values::Wildcard) —

  The domain or wildcard host name to bruteforce.

Yields:

• (host) —

  Subdomains that have DNS records will be yielded.

Yield Parameters:

• host (Values::Host) —

  A valid subdomain of the domain.

# File 'lib/ronin/recon/builtin/dns/subdomain_enum.rb', line 67

def process(domain)
  wordlist = Wordlist.open(params[:wordlist] || DEFAULT_WORDLIST)
  queue    = Async::LimitedQueue.new(params[:concurrency])

  Async do |task|
    task.async do
      case domain
      when Domain
        wordlist.each do |name|
          queue << "#{name}.#{domain.name}"
        end
      when Wildcard
        wordlist.each do |name|
          queue << domain.template.sub('*',name)
        end
      end

      # send stop messages for each sub-task
      params[:concurrency].times do
        queue << nil
      end
    end

    # spawn the sub-tasks
    params[:concurrency].times do
      task.async do
        while (subdomain = queue.dequeue)
          if dns_get_address(subdomain)
            yield Host.new(subdomain)
          end
        end
      end
    end
  end
end