GitHub - tomsteele/blacksheepwall: blacksheepwall is a hostname reconnaissance t...
source link: https://github.com/tomsteele/blacksheepwall
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
blacksheepwall
Archive Notice
I am no longer maintaing this tool. BSW has served me well, and was written in Go in 2013. I would suggest using amass as it is actively supported.
blacksheepwall is a hostname reconnaissance tool written in Go. It can also be used as a stand-alone package in your tools.
Download
Binary packages for every supported operating system are available here.
Install
You can download a compiled binary and just run it. Alternatively, if you have Go installed and configured with a workspace, you can run:
$ go get github.com/tomsteele/blacksheepwall
Usage
Usage: blacksheepwall [options] <ip address or CIDR>
Options:
-h, --help Show Usage and exit.
-version Show version and exit.
-debug Enable debugging and show errors returned from tasks.
-config Location of a YAML file containing any of the options below.
Hypens should be replaced with underscores (e.g. bing-html, bing_html).
Options that do not take an argument are booleans and should be represented
using true/false (e.g. bing_html: true).
-timeout Maximum timeout in seconds for SOCKET connections. [default .5 seconds]
-concurrency <int> Max amount of concurrent tasks. [default: 100]
-server <string> DNS server address. [default: "8.8.8.8"]
-input <string> Line separated file of networks (CIDR) or IP Addresses.
-ipv6 Look for additional AAAA records where applicable.
-domain <string> Target domain to use for certain tasks, can be a single
domain or a file of line separated domains.
-fcrdns Verify results by attempting to retrieve the A or AAAA record for
each result previously identified hostname.
-parse <string> Generate output by parsing JSON from a file from a previous scan.
-validate Validate hostnames using a RFC compliant regex.
Passive:
-dictionary <string> Attempt to retrieve the CNAME and A record for
each subdomain in the line separated file.
-ns Lookup the ip and hostname of any nameservers for the domain.
-mx Lookup the ip and hostmame of any mx records for the domain.
-yandex <string> Provided a Yandex search XML API url. Use the Yandex
search 'rhost:' operator to find subdomains of a
provided domain.
-bing <string> Provided a base64 encoded API key. Use the Bing search
API's 'ip:' operator to lookup hostnames for each ip, and the
'domain:' operator to find ips/hostnames for a domain.
-bing-html Use Bing search 'ip:' operator to lookup hostname for each ip, and the
'domain:' operator to find ips/hostnames for a domain. Only
the first page is scraped. This does not use the API.
-shodan <string> Provided a Shodan API key. Use Shodan's API '/dns/reverse' to lookup hostnames for
each ip, and '/shodan/host/search' to lookup ips/hostnames for a domain.
A single call is made for all ips.
-reverse Retrieve the PTR for each host.
-viewdns-html Lookup each host using viewdns.info's Reverse IP
Lookup function. Use sparingly as they will block you.
-viewdns <string> Lookup each host using viewdns.info's API and Reverse IP Lookup function.
-logontube Lookup each host and/or domain using logontube.com's API. As of this release
the site is down.
-exfiltrated Lookup hostnames returned from exfiltrated.com's hostname search.
-censys <string> Searches censys.io for a domain. Names are gathered from TLS certificates for each host
returned from this search. The provided string should be your API ID and Secret separated
by a colon.
-crtsh Searches crt.sh for certificates related to the provided domain.
-vt Searches VirusTotal for subdomains for the provided domain.
-srv Find DNS SRV record and retrieve associated hostname/IP info.
-cmn-crawl <string> Search commoncrawl.org for subdomains of a domain. The provided argument should be the index
to be used. For example: "CC-MAIN-2017-04-index"
Active:
-axfr Attempt a zone transfer on the domain.
-headers Perform HTTP(s) requests to each host and look for
hostnames in a possible Location header.
-tls Attempt to retrieve names from TLS certificates
(CommonName and Subject Alternative Name).
Output Options:
-clean Print results as unique hostnames for each host.
-csv Print results in csv format.
-json Print results as JSON.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK