Subdomain scanner, asynchronous dns packets, use pcap to scan 1600,000 subdomains in 1 second

类似Subfinder Go library

buf := bytes.Buffer{}
	err = runnerInstance.EnumerateSingleDomain(context.Background(), "projectdiscovery.io", []io.Writer{&buf})
	if err != nil {
		log.Fatal(err)
	}

	data, err := io.ReadAll(&buf)

我看了师傅的代码，目前只支持写入文件。

if isWrite {
      .........
}

简单点的，可以弄成

buf := bytes.Buffer{}
if api{
			_, err = buf.WriteString(msg + "\n")
		}

ProductName:	macOS
ProductVersion:	11.3.1
BuildVersion:	20E241

╰─➤  ./ksubdomain e -d baidu.com

 _              _         _                       _
| | _____ _   _| |__   __| | ___  _ __ ___   __ _(_)_ __
| |/ / __| | | | '_ \ / _' |/ _ \| '_ ' _ \ / _| | | '_ \
|   <\__ \ |_| | |_) | (_| | (_) | | | | | | (_| | | | | |
|_|\_\___/\__,_|_.__/ \__,_|\___/|_| |_| |_|\__,_|_|_| |_|

[INFO] Current Version: 1.8.3
[INFO] libpcap version 1.9.1
[INFO] 读取配置ksubdomain.yaml成功!
[INFO] Use Device: en0
[INFO] Use IP:192.168.1.2
[INFO] Local Mac: f8:ff:c2:50:42:86
[INFO] GateWay Mac: c8:5a:9f:1d:88:0a
[INFO] DNS:[223.5.5.5 223.6.6.6 180.76.76.76 119.29.29.29 182.254.116.116 114.114.114.115]
[INFO] 检测域名:[baidu.com]
[INFO] Rate:14696pps
[INFO] FreePort:49763
fatal error: unexpected signal during runtime execution
[signal SIGSEGV: segmentation violation code=0x1 addr=0xb01dfacedebac1e pc=0x7fff2052dc9e]

runtime stack:
runtime: unexpected return pc for runtime.sigpanic called from 0x7fff2052dc9e
stack: frame={sp:0x70000c629e58, fp:0x70000c629ea8} stack=[0x70000c5aa338,0x70000c629f38)
0x000070000c629d58:  0x010070000c629d78  0x0000000000000004
0x000070000c629d68:  0x000000000000001f  0x00007fff2052dc9e
0x000070000c629d78:  0x0b01dfacedebac1e  0x0000000000000001
0x000070000c629d88:  0x00000000040362d1 <runtime.throw+0x0000000000000071>  0x000070000c629e28
0x000070000c629d98:  0x000000000431e23a  0x000070000c629de0
0x000070000c629da8:  0x0000000004036588 <runtime.fatalthrow.func1+0x0000000000000048>  0x000000c0001021a0
0x000070000c629db8:  0x0000000000000001  0x0000000000000001
0x000070000c629dc8:  0x000070000c629e28  0x00000000040362d1 <runtime.throw+0x0000000000000071>
0x000070000c629dd8:  0x000000c0001021a0  0x000070000c629e18
0x000070000c629de8:  0x0000000004036510 <runtime.fatalthrow+0x0000000000000050>  0x000070000c629df8
0x000070000c629df8:  0x0000000004036540 <runtime.fatalthrow.func1+0x0000000000000000>  0x000000c0001021a0
0x000070000c629e08:  0x00000000040362d1 <runtime.throw+0x0000000000000071>  0x000070000c629e28
0x000070000c629e18:  0x000070000c629e48  0x00000000040362d1 <runtime.throw+0x0000000000000071>
0x000070000c629e28:  0x000070000c629e30  0x0000000004036300 <runtime.throw.func1+0x0000000000000000>
0x000070000c629e38:  0x000000000432303a  0x000000000000002a
0x000070000c629e48:  0x000070000c629e98  0x000000000404b8d6 <runtime.sigpanic+0x0000000000000396>
0x000070000c629e58: <0x000000000432303a  0x000000000403f19e <runtime.checkTimers+0x000000000000005e>
0x000070000c629e68:  0x00000ac0c6167f6b  0x000070000c629e98
0x000070000c629e78:  0x000070000c629ea0  0x000000000403d78f <runtime.execute+0x000000000000012f>
0x000070000c629e88:  0x000000c0000b16f8  0x0000000200000001
0x000070000c629e98:  0x000070000c629ee0 !0x00007fff2052dc9e
0x000070000c629ea8: >0x000070000c629ee0  0x000000000464c000
0x000070000c629eb8:  0x0000000000000241  0x00000000040e4605 <golang.org/x/sys/unix.libc_ioctl_trampoline+0x0000000000000005>
0x000070000c629ec8:  0x000000000406777f <runtime.syscall+0x000000000000001f>  0x000000c000063368
0x000070000c629ed8:  0x000000c0000b16c0  0x000000c000063338
0x000070000c629ee8:  0x0000000004065610 <runtime.asmcgocall+0x0000000000000070>  0x000000000403f4cd <runtime.park_m+0x000000000000014d>
0x000070000c629ef8:  0x000000c0000001a0  0x0000000400000002
0x000070000c629f08:  0x000000c0001021a0  0x000000c0000001a0
0x000070000c629f18:  0x00000000000004f0  0x000000c0000b16c0
0x000070000c629f28:  0x000000c0000001a0  0x000070000c629f50
runtime.throw({0x432303a, 0x403f19e})
	/Users/runner/hostedtoolcache/go/1.17.7/x64/src/runtime/panic.go:1198 +0x71
runtime: unexpected return pc for runtime.sigpanic called from 0x7fff2052dc9e
stack: frame={sp:0x70000c629e58, fp:0x70000c629ea8} stack=[0x70000c5aa338,0x70000c629f38)
0x000070000c629d58:  0x010070000c629d78  0x0000000000000004
0x000070000c629d68:  0x000000000000001f  0x00007fff2052dc9e
0x000070000c629d78:  0x0b01dfacedebac1e  0x0000000000000001
0x000070000c629d88:  0x00000000040362d1 <runtime.throw+0x0000000000000071>  0x000070000c629e28
0x000070000c629d98:  0x000000000431e23a  0x000070000c629de0
0x000070000c629da8:  0x0000000004036588 <runtime.fatalthrow.func1+0x0000000000000048>  0x000000c0001021a0
0x000070000c629db8:  0x0000000000000001  0x0000000000000001
0x000070000c629dc8:  0x000070000c629e28  0x00000000040362d1 <runtime.throw+0x0000000000000071>
0x000070000c629dd8:  0x000000c0001021a0  0x000070000c629e18
0x000070000c629de8:  0x0000000004036510 <runtime.fatalthrow+0x0000000000000050>  0x000070000c629df8
0x000070000c629df8:  0x0000000004036540 <runtime.fatalthrow.func1+0x0000000000000000>  0x000000c0001021a0
0x000070000c629e08:  0x00000000040362d1 <runtime.throw+0x0000000000000071>  0x000070000c629e28
0x000070000c629e18:  0x000070000c629e48  0x00000000040362d1 <runtime.throw+0x0000000000000071>
0x000070000c629e28:  0x000070000c629e30  0x0000000004036300 <runtime.throw.func1+0x0000000000000000>
0x000070000c629e38:  0x000000000432303a  0x000000000000002a
0x000070000c629e48:  0x000070000c629e98  0x000000000404b8d6 <runtime.sigpanic+0x0000000000000396>
0x000070000c629e58: <0x000000000432303a  0x000000000403f19e <runtime.checkTimers+0x000000000000005e>
0x000070000c629e68:  0x00000ac0c6167f6b  0x000070000c629e98
0x000070000c629e78:  0x000070000c629ea0  0x000000000403d78f <runtime.execute+0x000000000000012f>
0x000070000c629e88:  0x000000c0000b16f8  0x0000000200000001
0x000070000c629e98:  0x000070000c629ee0 !0x00007fff2052dc9e
0x000070000c629ea8: >0x000070000c629ee0  0x000000000464c000
0x000070000c629eb8:  0x0000000000000241  0x00000000040e4605 <golang.org/x/sys/unix.libc_ioctl_trampoline+0x0000000000000005>
0x000070000c629ec8:  0x000000000406777f <runtime.syscall+0x000000000000001f>  0x000000c000063368
0x000070000c629ed8:  0x000000c0000b16c0  0x000000c000063338
0x000070000c629ee8:  0x0000000004065610 <runtime.asmcgocall+0x0000000000000070>  0x000000000403f4cd <runtime.park_m+0x000000000000014d>
0x000070000c629ef8:  0x000000c0000001a0  0x0000000400000002
0x000070000c629f08:  0x000000c0001021a0  0x000000c0000001a0
0x000070000c629f18:  0x00000000000004f0  0x000000c0000b16c0
0x000070000c629f28:  0x000000c0000001a0  0x000070000c629f50
runtime.sigpanic()
	/Users/runner/hostedtoolcache/go/1.17.7/x64/src/runtime/signal_unix.go:719 +0x396

goroutine 15 [syscall]:
syscall.syscall(0x40e4600, 0x1, 0x40087468, 0xc0000633f8)
	/Users/runner/hostedtoolcache/go/1.17.7/x64/src/runtime/sys_darwin.go:22 +0x3b fp=0xc000063368 sp=0xc000063348 pc=0x406225b
syscall.syscall(0x0, 0x0, 0x0, 0x0)
	<autogenerated>:1 +0x26 fp=0xc0000633b0 sp=0xc000063368 pc=0x4067f06
golang.org/x/sys/unix.ioctl(0x0, 0x0, 0x0)
	/Users/runner/go/pkg/mod/golang.org/x/[email protected]/unix/zsyscall_darwin_amd64.go:731 +0x39 fp=0xc0000633e0 sp=0xc0000633b0 pc=0x40e4299
golang.org/x/sys/unix.IoctlGetWinsize(...)
	/Users/runner/go/pkg/mod/golang.org/x/[email protected]/unix/ioctl.go:66
golang.org/x/crypto/ssh/terminal.GetSize(0x0)
	/Users/runner/go/pkg/mod/golang.org/x/[email protected]/ssh/terminal/util.go:80 +0x2c fp=0xc000063410 sp=0xc0000633e0 pc=0x422f2cc
github.com/boy-hack/ksubdomain/core.GetWindowWith()
	/Users/runner/work/ksubdomain/ksubdomain/core/util.go:57 +0x55 fp=0xc000063430 sp=0xc000063410 pc=0x4230675
github.com/boy-hack/ksubdomain/runner.(*runner).handleResult(0xc0000a56c0, {0x0, 0x0})
	/Users/runner/work/ksubdomain/ksubdomain/runner/result.go:20 +0x45 fp=0xc0000637b8 sp=0xc000063430 pc=0x426f045
github.com/boy-hack/ksubdomain/runner.(*runner).RunEnumeration·dwrap·6()
	/Users/runner/work/ksubdomain/ksubdomain/runner/runner.go:224 +0x2e fp=0xc0000637e0 sp=0xc0000637b8 pc=0x4271c8e
runtime.goexit()
	/Users/runner/hostedtoolcache/go/1.17.7/x64/src/runtime/asm_amd64.s:1581 +0x1 fp=0xc0000637e8 sp=0xc0000637e0 pc=0x4065901
created by github.com/boy-hack/ksubdomain/runner.(*runner).RunEnumeration
	/Users/runner/work/ksubdomain/ksubdomain/runner/runner.go:224 +0x1c5

goroutine 1 [select]:
github.com/boy-hack/ksubdomain/runner.(*runner).RunEnumeration(0xc0000a56c0)
	/Users/runner/work/ksubdomain/ksubdomain/runner/runner.go:230 +0x266
main.glob..func1(0xc000020cc0)
	/Users/runner/work/ksubdomain/ksubdomain/cmd/ksubdomain/enum.go:107 +0x76e
github.com/urfave/cli/v2.(*Command).Run(0x46689c0, 0xc0000205c0)
	/Users/runner/go/pkg/mod/github.com/urfave/cli/[email protected]/command.go:163 +0x64a
github.com/urfave/cli/v2.(*App).RunContext(0xc0000b0b60, {0x444f250, 0xc00002a0d0}, {0xc000020080, 0x4, 0x4})
	/Users/runner/go/pkg/mod/github.com/urfave/cli/[email protected]/app.go:313 +0x81e
github.com/urfave/cli/v2.(*App).Run(...)
	/Users/runner/go/pkg/mod/github.com/urfave/cli/[email protected]/app.go:224
main.main()
	/Users/runner/work/ksubdomain/ksubdomain/cmd/ksubdomain/cmd.go:22 +0x126

goroutine 10 [runnable]:
github.com/boy-hack/ksubdomain/runner.New.func1()
	/Users/runner/work/ksubdomain/ksubdomain/runner/runner.go:113
created by github.com/boy-hack/ksubdomain/runner.New
	/Users/runner/work/ksubdomain/ksubdomain/runner/runner.go:113 +0x565

goroutine 11 [runnable]:
github.com/boy-hack/ksubdomain/runner.(*runner).RunEnumeration·dwrap·4()
	/Users/runner/work/ksubdomain/ksubdomain/runner/runner.go:220
runtime.goexit()
	/Users/runner/hostedtoolcache/go/1.17.7/x64/src/runtime/asm_amd64.s:1581 +0x1
created by github.com/boy-hack/ksubdomain/runner.(*runner).RunEnumeration
	/Users/runner/work/ksubdomain/ksubdomain/runner/runner.go:220 +0xd1

goroutine 12 [chan receive]:
github.com/boy-hack/ksubdomain/runner.(*runner).sendCycle(0xc0000a56c0, {0x0, 0x0})
	/Users/runner/work/ksubdomain/ksubdomain/runner/send.go:17 +0xaa
created by github.com/boy-hack/ksubdomain/runner.(*runner).RunEnumeration
	/Users/runner/work/ksubdomain/ksubdomain/runner/runner.go:222 +0xdf

goroutine 13 [runnable]:
github.com/boy-hack/ksubdomain/runner.(*runner).RunEnumeration·dwrap·5()
	/Users/runner/work/ksubdomain/ksubdomain/runner/runner.go:222
runtime.goexit()
	/Users/runner/hostedtoolcache/go/1.17.7/x64/src/runtime/asm_amd64.s:1581 +0x1
created by github.com/boy-hack/ksubdomain/runner.(*runner).RunEnumeration
	/Users/runner/work/ksubdomain/ksubdomain/runner/runner.go:222 +0xdf

goroutine 14 [runnable]:
github.com/boy-hack/ksubdomain/runner.(*runner).RunEnumeration·dwrap·5()
	/Users/runner/work/ksubdomain/ksubdomain/runner/runner.go:222
runtime.goexit()
	/Users/runner/hostedtoolcache/go/1.17.7/x64/src/runtime/asm_amd64.s:1581 +0x1
created by github.com/boy-hack/ksubdomain/runner.(*runner).RunEnumeration
	/Users/runner/work/ksubdomain/ksubdomain/runner/runner.go:222 +0xdf

场景:拥有一批二级域名，想跑三级域名 命令:./ksubdomain e --domainList domain.txt --silent -f dic/subdomains_long.txt -l 3 -o result.txt 你好，请问这样会用字典去跑字典里的二级域名的三级域名吗，想直接请教一下作者。

枚举模式好像有些问题，试了好几个域名都没结果

ksubdomain e -d google.com

[INFO] Current Version: 1.9.5 [INFO] 读取配置ksubdomain.yaml成功! [INFO] Use Device: eth0 [INFO] Use IP:10.17.0.5 [INFO] Local Mac: a6:1xxxxxx:17:bf [INFO] GateWay Mac: fe:0xxxxxx01:01 [INFO] libpcap version 1.9.1 (with TPACKET_V3) [INFO] Default DNS:[223.5.5.5,223.6.6.6,119.29.29.29,182.254.116.116,114.114.114.115] [INFO] Domain Count:103744 [INFO] Rate:14696pps [INFO] FreePort:37357 Success:0 Send:518720 Queue:0 Accept:0 Fail:103744 Elapsed:59s [INFO] 扫描完毕

自动生成的配置文件 src_ip: 10.17.0.5 device: eth0 src_mac: a6:1xxxxxx:17:bf dst_mac: fe:0xxxxxx01:01

网卡配置

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 16x.xx.xx.71 netmask 255.255.240.0 broadcast 16x.xx.xx.255 inet6 fe8xxxxxxxxxxxxxed:17bf prefixlen 64 scopeid 0x20 ether a6:12xxxxxxxxx7:bf txqueuelen 1000 (Ethernet) RX packets 57098586 bytes 21600152403 (21.6 GB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 53186680 bytes 8359693999 (8.3 GB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 10.108.0.2 netmask 255.255.240.0 broadcast 10.108.15.255 inet6 fe80xxxxxxxxx823 prefixlen 64 scopeid 0x20 ether fa:2xxxxxxxxx8:23 txqueuelen 1000 (Ethernet) RX packets 2239 bytes 156806 (156.8 KB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 2286 bytes 160156 (160.1 KB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

dnsx requires go1.17 to install successfully. Run the following command to get the repo -

go install -v github.com/projectdiscovery/dnsx/cmd/dnsx@latest

像这种方式

bash-5.1# ./ksubdomain Error relocating ./ksubdomain: __snprintf_chk: symbol not found Error relocating ./ksubdomain: __vfprintf_chk: symbol not found Error relocating ./ksubdomain: getnetbyname_r: symbol not found Error relocating ./ksubdomain: __asprintf_chk: symbol not found Error relocating ./ksubdomain: __memcpy_chk: symbol not found Error relocating ./ksubdomain: __vsnprintf_chk: symbol not found Error relocating ./ksubdomain: __fread_chk: symbol not found Error relocating ./ksubdomain: __longjmp_chk: symbol not found Error relocating ./ksubdomain: __memset_chk: symbol not found Error relocating ./ksubdomain: __fprintf_chk: symbol not found Error relocating ./ksubdomain: getprotobyname_r: symbol not found

docker运行报错

image python:3.8-alpine Linux aa9ec1622559 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64 Linux

是缺什么依赖么

Rate: 5000, Domain: []string{"baidu.com"}, FileName: "", Resolvers: defaultDns, Output: "", OutputCSV: false, Test: false, NetworkId: -1, ListNetwork: false, Silent: false, TTL: false, Stdin: false, DomainLevel: 1, // 爆破域名层级,默认爆破一级域名 SkipWildCard: true, // 泛解析跳过 SubNameFileName: "", FilterWildCard: false, TimeOut: 10, Retry: 3,

请问linux下面可以在non-root的情况下使用ksubdomain么 好像在linux下面 调用pcap是没权限的(可能因为我没找到给libpcap赋non-root的权限的办法) 目前临时的解决办法就是通过alias写到 .zshrc [alias ksubdomain='sudo ksubdomain']（先前我用ln -s创建了软链接） 请问会有更好的解决办法嘛 ~ 辛苦！

报错信息： [Error] pcap打开失败:eth0: You don't have permission to capture on that device (socket: Operation not permitted) [Error] pcap打开失败:docker0: You don't have permission to capture on that device (socket: Operation not permitted)

ksubdomain版本：1.9.5

使用系统：kali 2022.1

使用命令：./ksubdomain_linux e -d baidu.com

解决尝试：eth0是本地的真实网卡，docker0是docker网卡，刚开始以为是权限问题，加了sudo权限还是一样的问题。麻烦大佬看到以后回复一下吧。

./ksubdomain e -d baidu.com

[Warning] WritePacketDate error:send: Bad file descriptor [Warning] WritePacketDate error:send: Bad file descriptor [Warning] WritePacketDate error:send: Bad file descriptor [Warning] WritePacketDate error:send: Bad file descriptor [Warning] WritePacketDate error:send: Bad file descriptor [Warning] WritePacketDate error:send: Bad file descriptor [Warning] WritePacketDate error:send: Bad file descriptor

一直报这个东西

• change package name from 'ksubdomain' into 'github.com/boy-hack/ksubdomain'
• change build directory from cmd into cmd/ksubdomain

current:

~/ksubdomain-main/cmd # go install github.com/boy-hack/ksubdomain/cmd@latest
go: downloading github.com/boy-hack/ksubdomain v1.8.2
go install: github.com/boy-hack/ksubdomain/cmd@latest: github.com/boy-hack/[email protected]: parsing go.mod:
	module declares its path as: ksubdomain
	        but was required as: github.com/boy-hack/ksubdomain

expect:

$ go install github.com/boy-hack/ksubdomain/cmd/ksubdomain@latest
... ...
generate 'ksubdomain' into $GOPATH/bin

测试条件

• centos7
• vultr 1核2G
• 字典地址:https://wordlists-cdn.assetnote.io/data/manual/best-dns-wordlist.txt
• 域名:aliyun.com
• 使用命令 ./ksubdomain e --domain aliyun.com --level-dict best-dns-wordlist.txt

最终结果

[INFO] Current Version: 1.9.5
[INFO] 读取配置ksubdomain.yaml成功!
[INFO] Use Device: eth0
[INFO] Use IP:
[INFO] Local Mac: 
[INFO] GateWay Mac: 
[INFO] libpcap version 1.9.1 (with TPACKET_V3)
[INFO] Default DNS:[223.5.5.5,223.6.6.6,119.29.29.29,182.254.116.116,114.114.114.115]
[INFO] Domain Count:990157115840
[INFO] Rate:25000pps
[INFO] FreePort:42736
www.google.com.box.bentley.template4all.aliyun.com => 31.13.80.54                                                                                                  
Success:1 Send:6134769 Queue:4824813 Accept:1309956 Fail:0 Elapsed:1954s

Elapsed在变化，Send，Queue则没有变化

在爆破子域名的时候, 可以生成10(可通过参数指定)个随机子域名进行请求, 如果这10个随机子域名都能被解析到某个或某几个ip地址, 那就认定这个能够解析到这些ip地址的子域名为通配符域名, 过滤或者标记同样解析到这个ip地址的子域名. 这种情况最好不要停止爆破, 因为通配符域名下也可能存活着一些真正被使用的域名, 如果解析到新的ip地址再将其正常输出.