new subdomains are probed with typical hostnames to initialize brute …

…forcing
owasp-amass · Jul 26, 2019 · 8d37737 · 8d37737
1 parent 01b9a62
commit 8d37737
Showing 1 changed file with 33 additions and 0 deletions.
diff --git a/services/namesrv.go b/services/namesrv.go
@@ -16,6 +16,23 @@ import (
 	"github.com/OWASP/Amass/utils"
 )
 
+var (
+	topNames = []string{
+		"www",
+		"online",
+		"webserver",
+		"ns1",
+		"mail",
+		"smtp",
+		"webmail",
+		"prod",
+		"test",
+		"vpn",
+		"ftp",
+		"ssh",
+	}
+)
+
 type timesRequest struct {
 	Subdomain string
 	Times     chan int
@@ -54,6 +71,7 @@ func (ns *NameService) OnStart() error {
 
 	ns.Bus().Subscribe(requests.NewNameTopic, ns.newNameEvent)
 	ns.Bus().Subscribe(requests.NameResolvedTopic, ns.Resolved)
+	ns.Bus().Subscribe(requests.NewSubdomainTopic, ns.probeSubdomain)
 	go ns.processTimesRequests()
 	go ns.processRequests()
 	return nil
@@ -122,6 +140,21 @@ func (ns *NameService) Resolved(req *requests.DNSRequest) {
 	}
 }
 
+func (ns *NameService) probeSubdomain(req *requests.DNSRequest, times int) {
+	if ns.Config().Passive || times > 1 {
+		return
+	}
+
+	for _, name := range topNames {
+		go ns.newNameEvent(&requests.DNSRequest{
+			Name:   name + "." + req.Name,
+			Domain: req.Domain,
+			Tag:    requests.ALT,
+			Source: ns.String(),
+		})
+	}
+}
+
 func (ns *NameService) checkSubdomain(req *requests.DNSRequest) {
 	labels := strings.Split(req.Name, ".")
 	num := len(labels)