|
|
@@ -14,6 +14,7 @@ fi
|
|
|
|
|
|
DOMAIN=$(echo $DOMAIN | sed -e 's|^[^/]*//||' -e 's|/.*$||')
|
|
|
|
|
|
+
|
|
|
echo "[ ] Resolving IP-Address…"
|
|
|
output=$(resolveip $DOMAIN 2>&1)
|
|
|
status=$(echo $?)
|
|
|
@@ -22,16 +23,31 @@ if ! [[ $status == 0 ]] ; then
|
|
|
exit
|
|
|
fi
|
|
|
|
|
|
+function sni () {
|
|
|
+ protocol=$1
|
|
|
+ sni=$2
|
|
|
+ if ! [[ "$sni" =~ ".*:[0-9]+" ]]; then
|
|
|
+ if [[ $protocol == "https" ]]; then
|
|
|
+ sni="$sni:443"
|
|
|
+ else
|
|
|
+ sni="$sni:80"
|
|
|
+ fi
|
|
|
+ fi
|
|
|
+
|
|
|
+ echo $sni
|
|
|
+}
|
|
|
+
|
|
|
IP_ADDRESS=$(echo $output | head -n 1 | awk '{print $NF}')
|
|
|
echo "[+] IP-Address: ${IP_ADDRESS}"
|
|
|
-
|
|
|
echo "[ ] Retrieving default site…"
|
|
|
+rnd=$(uuidgen)
|
|
|
+sni=$(sni ${PROTOCOL} ${rnd}.${DOMAIN})
|
|
|
charcountDomain=$(curl -s "${PROTOCOL}://${DOMAIN}" -k -m 5 | wc -m)
|
|
|
charcountIpAddress=$(curl -s "${PROTOCOL}://${IP_ADDRESS}" -k -m 5 | wc -m)
|
|
|
-charcountNonExistent=$(curl -s "${PROTOCOL}://$(uuidgen).${DOMAIN}" -k -m 5 | wc -m)
|
|
|
+charcountNonExistent=$(curl -s "${PROTOCOL}://${rnd}.${DOMAIN}" --resolve "${sni}:${IP_ADDRESS}" -k -m 5 | wc -m)
|
|
|
echo "[+] Chars: ${charcountDomain}, ${charcountIpAddress}, ${charcountNonExistent}"
|
|
|
echo "[ ] Fuzzing…"
|
|
|
|
|
|
(set -x; ffuf --fs ${charcountDomain},${charcountIpAddress},${charcountNonExistent} --fc 400 --mc all \
|
|
|
-w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt \
|
|
|
- -u "${PROTOCOL}://${IP_ADDRESS}" -H "Host: FUZZ.${DOMAIN}" "${@:2}")
|
|
|
+ -u "${PROTOCOL}://${DOMAIN}" -H "Host: FUZZ.${DOMAIN}" "${@:2}")
|
Roman Hergenreder