added subdomain scanner tutorial

Author: x4nth055

README.md

@@ -17,6 +17,7 @@ This is a repository of all the tutorials of [The Python Code](https://www.thepy
 -[Making a Port Scanner using sockets in Python](https://www.thepythoncode.com/article/make-port-scanner-python). ([code](ethical-hacking/port_scanner))
 -[How to Create a Reverse Shell in Python](https://www.thepythoncode.com/article/create-reverse-shell-python). ([code](ethical-hacking/reverse_shell))
 -[How to Encrypt and Decrypt Files in Python](https://www.thepythoncode.com/article/encrypt-decrypt-files-symmetric-python). ([code](ethical-hacking/file-encryption))
+-[How to Make a Subdomain Scanner in Python](https://www.thepythoncode.com/article/make-subdomain-scanner-python). ([code](ethical-hacking/subdomain-scanner))
 
 -### [Machine Learning](https://www.thepythoncode.com/topic/machine-learning)
 -### [Natural Language Processing](https://www.thepythoncode.com/topic/nlp)

ethical-hacking/subdomain-scanner/README.md

@@ -0,0 +1,40 @@
+# [How to Make a Subdomain Scanner in Python](https://www.thepythoncode.com/article/make-subdomain-scanner-python)
+To run this:
+-`pip3 install -r requirements.txt`
+- To run the fast subdomain scanner:
+```
+ python fast_subdomain_scanner.py --help
+ ```
+ **Output:**
+ ```
+ usage: fast_subdomain_scanner.py [-h] [-l WORDLIST] [-t NUM_THREADS] domain
+
+ Faster Subdomain Scanner using Threads
+
+ positional arguments:
+ domain Domain to scan for subdomains without protocol (e.g
+ without 'http://' or 'https://')
+
+ optional arguments:
+ -h, --help show this help message and exit
+ -l WORDLIST, --wordlist WORDLIST
+ File that contains all subdomains to scan, line by
+ line. Default is subdomains.txt
+ -t NUM_THREADS, --num-threads NUM_THREADS
+ Number of threads to use to scan the domain. Default
+ is 10
+ ```
+- If you want to scan hackthissite.org for subdomains using only 10 threads with a word list of 100 subdomains (`subdomains.txt`):
+ ```
+ python fast_subdomain_scanner.py hackthissite.org -l subdomains.txt -t 10
+ ```
+ After a while, it **outputs:**
+ ```
+ [+] Discovered subdomain: http://mail.hackthissite.org
+ [+] Discovered subdomain: http://www.hackthissite.org
+ [+] Discovered subdomain: http://forum.hackthissite.org
+ [+] Discovered subdomain: http://admin.hackthissite.org
+ [+] Discovered subdomain: http://stats.hackthissite.org
+ [+] Discovered subdomain: http://forums.hackthissite.org
+ ```
+- For bigger subdomain wordlists, check [this repository](https://github.com/rbsec/dnscan).

ethical-hacking/subdomain-scanner/fast_subdomain_scanner.py

@@ -0,0 +1,68 @@
+importrequests
+fromthreadingimportThread, active_count
+fromqueueimportQueue
+importtime
+
+q=Queue()
+
+defscan_subdomains(domain):
+globalq
+whileTrue:
+# get the subdomain from the queue
+subdomain=q.get()
+# scan the subdomain
+url=f"http://{subdomain}.{domain}"
+try:
+requests.get(url)
+exceptrequests.ConnectionError:
+pass
+else:
+print("[+] Discovered subdomain:", url)
+
+# we're done with scanning that subdomain
+q.task_done()
+
+
+defmain(domain, n_threads, subdomains):
+globalq
+
+# fill the queue with all the subdomains
+forsubdomaininsubdomains:
+q.put(subdomain)
+
+fortinrange(n_threads):
+# start all threads
+worker=Thread(target=scan_subdomains, args=(domain,))
+# daemon thread means a thread that will end when the main thread ends
+worker.daemon=True
+worker.start()
+
+
+
+
+defprint_n_threads():
+whileTrue:
+print("Number of alive threads:", active_count())
+time.sleep(10)
+
+
+if__name__=="__main__":
+importargparse
+parser=argparse.ArgumentParser(description="Faster Subdomain Scanner using Threads")
+parser.add_argument("domain", help="Domain to scan for subdomains without protocol (e.g without 'http://' or 'https://')")
+parser.add_argument("-l", "--wordlist", help="File that contains all subdomains to scan, line by line. Default is subdomains.txt",
+default="subdomains.txt")
+parser.add_argument("-t", "--num-threads", help="Number of threads to use to scan the domain. Default is 10", default=10, type=int)
+
+args=parser.parse_args()
+domain=args.domain
+wordlist=args.wordlist
+num_threads=args.num_threads
+
+# t = Thread(target=print_n_threads)
+# t.daemon = True
+# t.start()
+
+main(domain=domain, n_threads=num_threads, subdomains=open(wordlist).read().splitlines())
+q.join()
+

ethical-hacking/subdomain-scanner/requirements.txt

@@ -0,0 +1 @@
+requests

ethical-hacking/subdomain-scanner/subdomain_scanner.py

@@ -0,0 +1,23 @@
+importrequests
+
+# the domain to scan for subdomains
+domain="google.com"
+
+# read all subdomains
+file=open("subdomains.txt")
+# read all content
+content=file.read()
+# split by new lines
+subdomains=content.splitlines()
+
+forsubdomaininsubdomains:
+# construct the url
+url=f"http://{subdomain}.{domain}"
+try:
+# if this raises an ERROR, that means the subdomain does not exist
+requests.get(url)
+exceptrequests.ConnectionError:
+# if the subdomain does not exist, just pass, print nothing
+pass
+else:
+print("[+] Discovered subdomain:", url)

ethical-hacking/subdomain-scanner/subdomains.txt

@@ -0,0 +1,100 @@
+www
+mail
+ftp
+localhost
+webmail
+smtp
+pop
+ns1
+webdisk
+ns2
+cpanel
+whm
+autodiscover
+autoconfig
+m
+imap
+test
+ns
+blog
+pop3
+dev
+www2
+admin
+forum
+news
+vpn
+ns3
+mail2
+new
+mysql
+old
+lists
+support
+mobile
+mx
+static
+docs
+beta
+shop
+sql
+secure
+demo
+cp
+calendar
+wiki
+web
+media
+email
+images
+img
+www1
+intranet
+portal
+video
+sip
+dns2
+api
+cdn
+stats
+dns1
+ns4
+www3
+dns
+search
+staging
+server
+mx1
+chat
+wap
+my
+svn
+mail1
+sites
+proxy
+ads
+host
+crm
+cms
+backup
+mx2
+lyncdiscover
+info
+apps
+download
+remote
+db
+forums
+store
+relay
+files
+newsletter
+app
+live
+owa
+en
+start
+sms
+office
+exchange
+ipv4