Lepus V3

ZephrFish Fork

I have been using Lepus for a number of years as it is one of the better subdomain enumeration tools. I integrated some of the lessons learned from DNS Queue and added additional functionality to a project that had not been updated in over 2 years. So here is my forked edition with some fixes, additional features and active development to fix and add new things. If you want to help, make sure you document any pull requests :-).

In addition to new features, I have also added the dataset from research I did in 2015 and integrated various lists to make a master subdomains.txt list.

About

Lepus is a utility for identifying and collecting subdomains for a given domain. Subdomain discovery is a crucial part of the reconnaissance phase. It uses three modes:

  • Services: collecting subdomains from the third-party services listed below
  • Dictionary mode: forward-resolving candidate names from a wordlist (optional)
  • Reverse DNS lookups on identified public IPs (optional)

Wildcard Identification

The utility checks whether the given domain or any generated subdomain is a wildcard domain, i.e. one whose DNS has a record matching every name beneath it. Without this check a wildcard makes every dictionary candidate resolve and floods the results with false positives; the -hw (--hide-wildcards) switch hides such resolutions.

RDAP Lookups

The utility collects ASN and network information (via RDAP) for identified hosts that resolve to public IP addresses. Private, loopback and reserved ranges are skipped, since the registries hold no allocation data for them.

Services

The utility collects data from the following services:

Service                  API Required   Extra Details
Censys                   Yes            API limited
CertSpotter              No
CRT                      No
DNSTrails                Yes
Google Transparency      No
HackerTarget             No
PassiveTotal             Yes
Project Discovery Chaos  Yes            Invite-only API
Project Sonar            No
Riddler                  Yes
Shodan                   Yes
Spyse API                Yes
ThreatCrowd              No
VirusTotal               Yes
Wayback Machine          No

Webhooks [Work In Progress]

In addition to API integration, the tool can post results to messaging services such as Slack, Discord and Telegram.

To use the services that require API keys, place the keys in the config.ini file. Treat that file as a secret: keep it out of version control and readable only by your own user, because it holds credentials for every service you enable.

[Cencys]
UID=<YourCensysUID>
SECRET=<YourCensysSecret>

[DNSTrails]
DNSTrail_API_KEY=<YourDNSTrailsAPIKey>

[PassiveTotal]
PT_KEY=<YourPassiveTotalKey>
PT_SECRET=<YourPassiveTotalSecret>

[Riddler]
RIDDLER_USERNAME=<YourRiddlerUsername>
RIDDLER_PASSWORD=<YourRiddlerPassword>

[Shodan]
SHODAN_API_KEY=<YourShodanAPIKey>

[VirusTotal]
VT_API_KEY=<YourVirusTotalAPIKey>

[Slack]
SLACK_LEGACY_TOKEN=<YourSlackAPIKey>
SLACK_CHANNEL=<YourSlackChannel>

[Spyse]
SPYSE_API_TOKEN=<YourSpyseAPIKey>

[Chaos]
CHAOS_KEY=<YourChaosAPIKey>
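As an added example (illustrative code, not part of Lepus), here is a small loader for the layout above. It treats unfilled <...> placeholders and empty values as unset, so a collector without credentials is skipped instead of being sent a literal placeholder as its key, and it can warn when the file is readable by other users. Section and key names follow the listing above (including the "Cencys" spelling); the sample text at the bottom is constructed for the demo.

```python
import configparser
import os
import stat
from typing import Dict, Optional

# Keys each section must provide before the matching collector can run.
# Names follow the config.ini listing in this README.
REQUIRED_KEYS = {
    "Cencys": ("UID", "SECRET"),
    "DNSTrails": ("DNSTrail_API_KEY",),
    "PassiveTotal": ("PT_KEY", "PT_SECRET"),
    "Riddler": ("RIDDLER_USERNAME", "RIDDLER_PASSWORD"),
    "Shodan": ("SHODAN_API_KEY",),
    "VirusTotal": ("VT_API_KEY",),
    "Spyse": ("SPYSE_API_TOKEN",),
    "Chaos": ("CHAOS_KEY",),
}


def is_placeholder(value: Optional[str]) -> bool:
    """Unfilled template values such as <YourShodanAPIKey>, and blanks, count as unset."""
    if value is None:
        return True
    value = value.strip()
    return not value or (value.startswith("<") and value.endswith(">"))


def load_credentials(text: str) -> Dict[str, Dict[str, str]]:
    """Parse config.ini text; return only the sections whose required keys are all set."""
    # interpolation=None: API keys may legitimately contain '%'
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case (PT_KEY, not pt_key)
    parser.read_string(text)
    ready: Dict[str, Dict[str, str]] = {}
    for section, keys in REQUIRED_KEYS.items():
        if not parser.has_section(section):
            continue
        values = {k: parser.get(section, k, fallback=None) for k in keys}
        if all(not is_placeholder(v) for v in values.values()):
            ready[section] = values
    return ready


def permissions_warning(path: str) -> Optional[str]:
    """Return a warning if the file is accessible to group or others (POSIX modes)."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return f"{path} is accessible to other users ({stat.filemode(mode)}); chmod 600 it"
    return None


# Constructed sample config for the demo: two placeholders, one blank, two real-looking keys.
SAMPLE_CONFIG = """\
[Cencys]
UID=<YourCensysUID>
SECRET=<YourCensysSecret>

[Shodan]
SHODAN_API_KEY=abcd1234abcd1234abcd1234abcd1234

[VirusTotal]
VT_API_KEY=

[Chaos]
CHAOS_KEY=chaos-demo-key
"""


def demo() -> Dict[str, Dict[str, str]]:
    return load_credentials(SAMPLE_CONFIG)
```

Only Shodan and Chaos come back from the sample: the Censys section still holds its placeholders and the VirusTotal key is blank, so those collectors would be skipped rather than fail with an authentication error mid-run.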

Dictionary Mode

Pass a wordlist file to the -w (--wordlist) switch to perform dictionary discovery. Each line of the file is prefixed to the target domain and resolved with a forward DNS lookup; names that resolve are recorded as subdomains, subject to the wildcard check described above. This fork ships a merged subdomains.txt list for this purpose.
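The following added example (illustrative code, not the project's own implementation) shows the wildcard identification and the dictionary loop together: a probe that resolves random labels under a zone to detect a wildcard record, and the forward-resolution pass that drops candidates answered only by that wildcard. The resolver is injected as a callable so the demo runs offline against a constructed in-memory zone; in real use it would wrap dnspython, which the tool already depends on.

```python
import secrets
from typing import Callable, Dict, Iterable, List, Set

# A resolver maps a hostname to the set of addresses it resolves to, or an
# empty set for NXDOMAIN. The demo injects an in-memory fake (see fake_resolver).
Resolver = Callable[[str], Set[str]]


def parent_zone(name: str) -> str:
    parts = name.split(".", 1)
    return parts[1] if len(parts) > 1 else ""


def wildcard_ips(zone: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Addresses a wildcard record under `zone` answers with (empty set = no wildcard).

    Random 16-hex-character labels do not exist in a real zone, so if every one
    of them resolves, the zone has a wildcard. The union of the answers is kept
    because wildcard records are frequently round-robin over several addresses.
    """
    seen: Set[str] = set()
    for _ in range(probes):
        ips = resolve(f"{secrets.token_hex(8)}.{zone}")
        if not ips:
            return set()  # one NXDOMAIN is enough: no wildcard here
        seen |= ips
    return seen


def is_wildcard(zone: str, resolve: Resolver) -> bool:
    return bool(wildcard_ips(zone, resolve))


def build_candidates(domain: str, wordlist: Iterable[str]) -> List[str]:
    """Turn wordlist lines into FQDNs, skipping blanks and comments."""
    out = []
    for line in wordlist:
        label = line.strip().lower()
        if label and not label.startswith("#"):
            out.append(f"{label}.{domain}")
    return out


def resolve_candidates(candidates: Iterable[str], resolve: Resolver) -> Dict[str, Set[str]]:
    """Forward-resolve candidates, dropping names that only hit a wildcard.

    The wildcard check runs per parent zone (example.com, dev.example.com, ...),
    so generated subdomains are checked as well as the target domain. Caveat: a
    real host that happens to share the wildcard's address is dropped too; that
    is the trade-off behind hiding wildcard resolutions.
    """
    wildcard_cache: Dict[str, Set[str]] = {}
    found: Dict[str, Set[str]] = {}
    for name in candidates:
        ips = resolve(name)
        if not ips:
            continue
        zone = parent_zone(name)
        if zone not in wildcard_cache:
            wildcard_cache[zone] = wildcard_ips(zone, resolve)
        if wildcard_cache[zone] and ips <= wildcard_cache[zone]:
            continue  # answered by the wildcard, not a real record
        found[name] = ips
    return found


# Constructed sample zone (not real data). "*.zone" entries act as wildcard records.
DEMO_ZONE: Dict[str, Set[str]] = {
    "www.example.com": {"203.0.113.10"},
    "mail.example.com": {"203.0.113.20"},
    "*.example.com": {"203.0.113.99", "203.0.113.98"},
    "api.dev.example.com": {"203.0.113.30"},
}

DEMO_WORDLIST = ["www", "mail", "ftp", "# comment", "", "api.dev", "ghost.dev"]


def fake_resolver(zone_data: Dict[str, Set[str]]) -> Resolver:
    """Exact match first, then the wildcard of the immediate parent zone, else NXDOMAIN."""
    def resolve(name: str) -> Set[str]:
        if name in zone_data:
            return set(zone_data[name])
        return set(zone_data.get("*." + parent_zone(name), set()))
    return resolve


def demo() -> Dict[str, Set[str]]:
    resolve = fake_resolver(DEMO_ZONE)
    return resolve_candidates(build_candidates("example.com", DEMO_WORDLIST), resolve)
```

In the demo, ftp.example.com resolves (to the wildcard addresses) and is discarded, ghost.dev.example.com is NXDOMAIN, and the three real records survive.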

Reverse Mode

Reverse mode is enabled with the --reverse switch and performs reverse (PTR) DNS lookups on every public IP address the other modes resolved. Additional IP ranges can be supplied with the -r (--ranges) switch as a comma-separated list.
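Added example (not the project's code) of how a --ranges value is expanded and filtered before reverse lookups, using the same public-address filter that the RDAP lookups described above need. The PTR resolver is injected so the demo runs offline; system_ptr shows the stdlib equivalent for real use and is not exercised by the demo. The ranges and PTR answers in the demo are constructed.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, List, Optional


def expand_ranges(spec: str) -> List[str]:
    """Expand a comma-separated list of IPs and CIDR blocks to individual public addresses.

    Only globally routable addresses are kept: RFC 1918 space, loopback,
    link-local and the RFC 5737 documentation blocks are dropped. RDAP needs
    the same filter, because registries hold no allocation data for them.
    """
    seen = set()
    out: List[str] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        net = ipaddress.ip_network(item, strict=False)  # "1.2.3.4" becomes a /32
        for ip in net:
            text = str(ip)
            if ip.is_global and text not in seen:
                seen.add(text)
                out.append(text)
    return out


def ptr_name(ip: str) -> str:
    """The name a reverse lookup actually queries, e.g. 1.1.1.1 -> 1.1.1.1.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


PtrResolver = Callable[[str], Optional[str]]


def system_ptr(ip: str) -> Optional[str]:
    """Reverse lookup through the OS resolver (needs network access)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def reverse_lookup(ips: Iterable[str], resolve_ptr: PtrResolver = system_ptr,
                   workers: int = 50) -> Dict[str, str]:
    """Run PTR lookups concurrently; return {ip: hostname} for addresses that answer."""
    ips = list(ips)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        names = list(pool.map(resolve_ptr, ips))
    return {ip: name for ip, name in zip(ips, names) if name}


def in_scope(hostnames: Dict[str, str], domain: str) -> Dict[str, str]:
    """Keep PTR answers under the target domain only: reverse DNS over a shared
    hosting range returns plenty of other customers' names."""
    domain = domain.lower().strip(".")
    kept: Dict[str, str] = {}
    for ip, host in hostnames.items():
        h = host.lower().rstrip(".")
        if h == domain or h.endswith("." + domain):
            kept[ip] = host
    return kept


# Constructed PTR data for the offline demo (not real records).
DEMO_PTR = {
    "1.1.1.0": "vpn.example.com",
    "1.1.1.1": "shared-host.example.net",
}


def demo(domain: str = "example.com"):
    # 10.0.0.0/30 is private and 192.0.2.1 is a documentation address: both are filtered out.
    ips = expand_ranges("10.0.0.0/30,1.1.1.0/31,192.0.2.1")
    hosts = reverse_lookup(ips, DEMO_PTR.get)
    return ips, in_scope(hosts, domain)
```

For a real run, call reverse_lookup without the second argument to use system_ptr; the in_scope filter is what keeps a broad --ranges sweep from dragging unrelated hostnames into the results.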

Portscan

Performs a portscan of well-known web ports on the resolved public IP addresses. The mode is enabled with --portscan; without -p it uses the medium set (80, 443, 8000, 8080, 8443). Use --portscan -p small/medium/large/huge to pick a named set, or --portscan -p 80,443,444,555 for a custom set of ports. For every open port the tool determines whether the service speaks http or https, and writes the resulting URLs to urls.txt in the output directory for the domain.

Port set   Ports
small      80, 443
medium     80, 443, 8000, 8080, 8443
large      80, 81, 443, 591, 2082, 2087, 2095, 2096, 3000, 8000, 8001, 8008, 8080, 8083, 8443, 8834, 8888, 9000, 9090, 9443
huge       80, 81, 300, 443, 591, 593, 832, 981, 1010, 1311, 2082, 2087, 2095, 2096, 2480, 3000, 3128, 3333, 4243, 4567, 4711, 4712, 4993, 5000, 5104, 5108, 5800, 6543, 7000, 7396, 7474, 8000, 8001, 8008, 8014, 8042, 8069, 8080, 8081, 8088, 8090, 8091, 8118, 8123, 8172, 8222, 8243, 8280, 8281, 8333, 8443, 8500, 8834, 8880, 8888, 8983, 9000, 9043, 9060, 9080, 9090, 9091, 9200, 9443, 9800, 9943, 9980, 9981, 12443, 16080, 18091, 18092, 20720, 28017

Takeover

(experimental) Performs several checks on identified domains for potential subdomain-takeover vulnerabilities. The module is enabled with --takeover and is executed after all others. Checks are performed for the following services:

  • Acquia
  • Activecampaign
  • Aftership
  • Aha!
  • Airee
  • Amazon AWS/S3
  • Apigee
  • Azure
  • Bigcartel
  • Bitbucket
  • Brightcove
  • Campaign Monitor
  • Cargo Collective
  • Desk
  • Feedpress
  • Fly.io
  • Getresponse
  • Ghost.io
  • Github
  • Hatena
  • Helpjuice
  • Helpscout
  • Heroku
  • Instapage
  • Intercom
  • JetBrains
  • Kajabi
  • Launchrock
  • Mashery
  • Maxcdn
  • Pantheon
  • Pingdom
  • Readme.io
  • Simplebooklet
  • Smugmug
  • Statuspage
  • Strikingly
  • Surge.sh
  • Surveygizmo
  • Tave
  • Teamwork
  • Thinkific
  • Tictail
  • Tilda
  • Tumblr
  • Uptime Robot
  • UserVoice
  • Vend
  • Webflow
  • Wishpond
  • Wordpress
  • Zendesk

This module also supports Slack notifications for newly identified potential takeover vulnerabilities.
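Added example (illustrative, not the project's checks) of the logic behind such a check: a CNAME suffix identifies the provider, and either a dangling target or the provider's "unclaimed" page in the HTTP response marks the host as a candidate. The fingerprints listed are assumptions made for this example and cover five of the services above; the DNS and HTTP inputs are passed in as constructed sample records so the code runs offline.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed fingerprints for this example: CNAME suffixes that identify a provider,
# and body text the provider serves when nobody has claimed the name.
FINGERPRINTS = [
    ("Github", (".github.io",), ("There isn't a GitHub Pages site here.",)),
    ("Heroku", (".herokuapp.com",), ("No such app",)),
    ("Amazon AWS/S3", (".amazonaws.com",), ("NoSuchBucket",)),
    ("Surge.sh", (".surge.sh",), ("project not found",)),
    ("Tumblr", (".tumblr.com",), ("There's nothing here.",)),
]


@dataclass
class Finding:
    host: str
    service: str
    cname: str
    reasons: List[str]


def match_service(cname: str) -> Optional[Tuple[str, tuple]]:
    """Map a CNAME target to a known provider by suffix, or None."""
    cname = cname.lower().rstrip(".")
    for service, suffixes, markers in FINGERPRINTS:
        if any(cname.endswith(s) for s in suffixes):
            return service, markers
    return None


def check_takeover(host: str, cname: Optional[str], target_resolves: bool, body: str) -> Optional[Finding]:
    """Flag a host as a potential takeover candidate.

    Two independent signals are combined: the CNAME target no longer resolves
    (a dangling record), or the provider's "unclaimed" page comes back over
    HTTP. Either one is only a lead; confirm by claiming the resource yourself
    in an account you control, or by asking the provider, before reporting.
    """
    if not cname:
        return None  # A/AAAA-only hosts are out of scope for CNAME-based takeover
    matched = match_service(cname)
    if not matched:
        return None
    service, markers = matched
    reasons = []
    if not target_resolves:
        reasons.append("CNAME target does not resolve (dangling record)")
    if any(m.lower() in body.lower() for m in markers):
        reasons.append("unclaimed-resource fingerprint in HTTP response")
    return Finding(host, service, cname, reasons) if reasons else None


# Constructed sample records for the offline demo (not real hosts):
# (host, CNAME target, whether the target resolves, HTTP response body)
DEMO_RECORDS = [
    ("blog.example.com", "example-blog.github.io", True, "<h1>There isn't a GitHub Pages site here.</h1>"),
    ("app.example.com", "retired-app.herokuapp.com", False, ""),
    ("www.example.com", "example.github.io", True, "<html>Welcome to our site</html>"),
    ("cdn.example.com", "edge.example-cdn.net", True, "404 Not Found"),
    ("mail.example.com", None, True, ""),
]


def demo() -> List[Finding]:
    return [f for f in (check_takeover(*record) for record in DEMO_RECORDS) if f]
```

Only blog.example.com (fingerprint match) and app.example.com (dangling CNAME) are reported; www.example.com points at a provider but serves a real site, and cdn.example.com points at a provider the fingerprint list does not know, so neither is flagged.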

Requirements

Package         Version
beautifulsoup4  4.9.0
dnspython       1.16.0
ipwhois         1.1.0
requests        2.23.0
shodan          1.23.0
slackclient     2.5.0
sqlalchemy      1.3.16
termcolor       1.1.0
tqdm            4.46.0

These pinned versions are several years old; audit them against current advisories (for example with pip-audit) before installing, since your API keys are sent through these libraries.

Installation

  1. Normal installation:
$ python3.7 -m pip install -r requirements.txt
  2. Preferably, install in a virtualenv:
$ pyenv virtualenv 3.7.4 lepus
$ pyenv activate lepus
$ pip install -r requirements.txt
  3. Installing Python 3.7 from source on Debian (make altinstall leaves the system python3 untouched):
$ apt install build-essential zlib1g-dev libncurses5-dev libgdbm-dev libnss3-dev libssl-dev libreadline-dev libffi-dev libsqlite3-dev wget
$ curl -O https://www.python.org/ftp/python/3.7.4/Python-3.7.4.tar.xz
$ tar -xf Python-3.7.4.tar.xz
$ cd Python-3.7.4
$ ./configure --enable-optimizations --enable-loadable-sqlite-extensions
$ make
$ make altinstall

Help

usage: lepus.py [-h] [-w WORDLIST] [-hw] [-t THREADS] [-nc] [-zt] [--reverse] [-r RANGES]
                [--portscan] [-p PORTS] [--takeover] [-v] domain

e.g. python3 lepus.py domain.com 

Infrastructure OSINT

positional arguments:
  domain                domain to search

optional arguments:
  -h, --help            show this help message and exit
  -w WORDLIST, --wordlist WORDLIST
                        wordlist with subdomains
  -hw, --hide-wildcards
                        hide wildcard resolutions
  -t THREADS, --threads THREADS
                        number of threads [default is 100]
  -nc, --no-collectors  skip passive subdomain enumeration
  -zt, --zone-transfer  attempt to zone transfer from identified name servers
  --reverse             perform reverse dns lookups on resolved public IP
                        addresses
  -r RANGES, --ranges RANGES
                        comma separated ip ranges to perform reverse dns
                        lookups on
  --portscan            scan resolved public IP addresses for open ports
  -p PORTS, --ports PORTS
                        set of ports to be used by the portscan module
                        [default is medium]
  --takeover            check identified hosts for potential subdomain take-
                        overs
  -v, --version         show program's version number and exit

Contributors

eksperience, gfek, gknsb, zephrfish
