#!/bin/bash
# Title: Project Landlord
# Author: Evan Ottinger @evanottinger
# Website: evanottinger.com
# A script to check for DNS squatters.
#
# Runs dnstwist for a given domain. Using a sqlite database,
# stores the output of dnstwist and fingerprints the DNS records
# of each cousin domain. If a record for the given cousin domain
# already exists, compares the DNS record fingerprint in the database
# with the DNS record fingerprint of the current output of dnstwist.
# If the fingerprints do not match, the user is notified and the
# fingerprint for the given domain is updated.
#
# This script was inspired by SEC530: Defensible Security
# Architecture and Engineering: Implementing Zero
# Trust for the Hybrid Enterprise from the SANS Institute in pursuit
# of a red coin from the instructors.
# Exactly one positional argument (the domain to monitor) is required.
# Anything else prints the banner and the usage line, then exits with status 1.
if (( $# != 1 )); then
  # Quoted delimiter: the banner is emitted literally, with no expansion.
  cat <<'BANNER'

Ottinger Digital Labs Presents:
░█▀█░█▀▄░█▀█░▀▀█░█▀▀░█▀▀░▀█▀░░░█░░░█▀█░█▀█░█▀▄░█░░░█▀█░█▀▄░█▀▄
░█▀▀░█▀▄░█░█░░░█░█▀▀░█░░░░█░░░░█░░░█▀█░█░█░█░█░█░░░█░█░█▀▄░█░█
░▀░░░▀░▀░▀▀▀░▀▀░░▀▀▀░▀▀▀░░▀░░░░▀▀▀░▀░▀░▀░▀░▀▀░░▀▀▀░▀▀▀░▀░▀░▀▀░
Hunting Down Squatters

BANNER
  printf 'Usage: %s [domain]\n' "$0"
  exit 1
fi
# The single positional argument is the domain whose look-alikes are tracked.
domain=$1
# Not referenced anywhere else in this script.
email_address="[email protected]"

# Report a missing dependency by name and stop the script.
# Arguments: $1 - name of the tool or package that could not be found
missing_dependency() {
  echo "$1 is not installed. Please install $1 and try again."
  exit 1
}

# dnstwist must resolve to an executable on PATH.
[ -x "$(command -v dnstwist)" ] || missing_dependency dnstwist

# dnspython is looked up in the listing of whichever pip is first on PATH.
# NOTE(review): this does not prove that the interpreter running dnstwist can
# import it; confirm when several Python environments are installed.
[ -n "$(pip list | grep dnspython)" ] || missing_dependency dnspython

# sqlite3 must resolve to an executable on PATH.
[ -x "$(command -v sqlite3)" ] || missing_dependency sqlite3
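# Validate the argument before it is turned into a table name or handed to a
# command. Only dots and dashes are rewritten below, so any other punctuation
# (quotes, semicolons, parentheses), whitespace or control character would
# otherwise travel into the SQL text unchanged. A leading dash would be read
# as an option by the dnstwist call later in the script. Letters and digits of
# any script are accepted so that internationalised names keep working.
domain_without_separators=${domain//[.-]/}
if [[ -z "$domain" || "$domain" == -* ||
  "$domain_without_separators" == *[[:punct:][:space:][:cntrl:]]* ]]; then
  # %q keeps control characters in the rejected value off the terminal.
  printf 'Invalid domain: %q\n' "$domain" >&2
  echo "Usage: $0 [domain]" >&2
  exit 1
fi

# Spell out dots and dashes so the domain can serve as a table name. The
# resulting names are the same as the ones written by earlier runs.
safe_domain=${domain//[.]/dot}
safe_domain=${safe_domain//[-]/dash}

# Quote the name wherever this section puts it into SQL: as an identifier it
# is wrapped in double quotes (embedded double quotes doubled), as a string
# literal in single quotes (embedded single quotes doubled). Quoting the
# identifier also lets a domain that starts with a digit work as a table name.
dq='"'
sq="'"
table_ident="${dq}${safe_domain//$dq/$dq$dq}${dq}"
table_literal="${sq}${safe_domain//$sq/$sq$sq}${sq}"
create_table_sql="CREATE TABLE $table_ident (cousin_domain VARCHAR(255), type VARCHAR(64), records_md5sum VARCHAR(128));"

# Create a sqlite database in the current directory if it does not exist
if [ ! -f "dnstwist.db" ]; then
  echo "[+] Creating SQLite database and the table for $domain..."
  sqlite3 dnstwist.db "$create_table_sql"
fi

# If a database exists, but a table for the given domain does not, create the table
table_exists=$(sqlite3 dnstwist.db "SELECT name FROM sqlite_master WHERE type='table' AND name=$table_literal;")
if [ -z "$table_exists" ]; then
  echo "[+] Creating table for ${domain}..."
  sqlite3 dnstwist.db "$create_table_sql"
fi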
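# Run dnstwist and compare each cousin domain with the stored fingerprint.
#
# Each output line is read as "<type> <cousin domain> <records...>". A row is
# inserted the first time a cousin domain is seen. On later runs the stored
# md5sum of the records column is compared with the current one, and a
# mismatch is reported and then written back to the database.
echo "[!] Rent's due! The Landlord is going to work."
echo "[>] Running dnstwist and parsing output...this will take some time."

# Values are never pasted into SQL bare: the table name is wrapped in double
# quotes and string values in single quotes, with embedded quote characters
# doubled in both cases.
dq='"'
sq="'"
table_ident="${dq}${safe_domain//$dq/$dq$dq}${dq}"

# read -a splits on whitespace inside the shell. This gives the same
# single-space normalisation as before, but a quote or backslash in a line can
# no longer break the parse. The || clause keeps a final unterminated line.
while read -r -a fields || (( ${#fields[@]} > 0 )); do
  # A usable line has at least a type and a cousin domain; skip anything else
  # (blank lines, one-word lines) instead of storing a meaningless row.
  (( ${#fields[@]} >= 2 )) || continue

  kind=${fields[0]}          # The type of modulation on the original domain
  cousin_domain=${fields[1]} # The cousin domain generated by dnstwist
  records="${fields[*]:2}"   # The DNS records registered to the cousin domain

  # Hash the records column followed by a newline, the same bytes the earlier
  # echo-based pipeline hashed, so fingerprints already stored still compare
  # equal.
  # NOTE(review): MD5 is used here as a change fingerprint only.
  records_md5sum=$(printf '%s\n' "$records" | md5sum | cut -d " " -f 1)

  cousin_sql="${sq}${cousin_domain//$sq/$sq$sq}${sq}"
  kind_sql="${sq}${kind//$sq/$sq$sq}${sq}"

  # One lookup serves both questions: no output means the cousin domain has no
  # row yet, otherwise the output is the fingerprint stored at the last run.
  fingerprint=$(sqlite3 dnstwist.db "SELECT records_md5sum FROM $table_ident WHERE (cousin_domain=$cousin_sql)")

  if [ -z "$fingerprint" ]; then
    sqlite3 dnstwist.db "INSERT INTO $table_ident (cousin_domain, type, records_md5sum) VALUES ($cousin_sql, $kind_sql, '$records_md5sum')"
  elif [ "$fingerprint" != "$records_md5sum" ]; then
    echo "[!] Fingerprints do not match for domain $cousin_domain!"
    # The records describe domains the operator does not control, so control
    # characters are dropped before the text is written to the terminal.
    printf ' - DNS records for this domain are: %s\n' "${records//[[:cntrl:]]/}"
    sqlite3 dnstwist.db "UPDATE $table_ident SET records_md5sum = '$records_md5sum' WHERE cousin_domain=$cousin_sql"
  fi
# Quoted so the argument reaches dnstwist as one word and cannot be split into
# extra arguments.
done < <(dnstwist "$domain")

echo "[>] The Landlord has finished his work."
exit 0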