/*
Reads subdomains from stdin and attempts to identify
misconfigured CloudFront instances.
More checks will be added in future.
*/
package main
import (
	"bufio"
	"flag"
	"fmt"
	"io"
	"log"
	"net"
	"net/http"
	"os"
	"strings"
	"sync"
	"time"

	"github.com/cybercdh/isaws/awschecker"
	"github.com/gookit/color"
)
// Command-line settings, populated by flag parsing in main.
var (
	// concurrency is the number of worker goroutines (-c flag).
	concurrency int
	// verbose enables the extra per-request output (-v flag).
	verbose bool
)
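// main parses the flags, loads the AWS IP prefixes, starts the worker pool and
// feeds it one target per line of stdin until EOF.
func main() {
	flag.IntVar(&concurrency, "c", 20, "set the concurrency level")
	// In verbose mode checkSubdomain prints "<url>,<status code>", not an IP.
	flag.BoolVar(&verbose, "v", false, "print every probed URL with its HTTP status code")
	flag.Parse()

	// With no workers the first channel send would block forever, and a
	// negative value would make the channel allocation panic.
	if concurrency < 1 {
		log.Fatalf("invalid concurrency %d: must be at least 1", concurrency)
	}

	var wg sync.WaitGroup
	subdomains := make(chan string, concurrency)

	// Call GetAWSPrefixes to fetch AWS IP ranges
	prefixes, err := awschecker.GetAWSPrefixes()
	if err != nil {
		log.Fatalf("Error fetching AWS prefixes: %v", err)
	}

	// Start a fixed number of goroutines to handle subdomains
	for i := 0; i < concurrency; i++ {
		wg.Add(1)
		go worker(subdomains, &wg, prefixes)
	}

	// Read subdomains from stdin. Surrounding whitespace (including the \r of
	// CRLF input) is dropped and blank lines are skipped so they never reach
	// the DNS lookup.
	scanner := bufio.NewScanner(os.Stdin)
	for scanner.Scan() {
		subdomain := strings.TrimSpace(scanner.Text())
		if subdomain == "" {
			continue
		}
		subdomains <- subdomain
	}
	// Scan returns false on both EOF and a read error; keep the error so that
	// truncated input is reported instead of looking like a clean run.
	scanErr := scanner.Err()

	close(subdomains)
	wg.Wait()

	if scanErr != nil {
		log.Fatalf("reading stdin: %v", scanErr)
	}
}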
// startsWithHTTP reports whether subdomain begins with the literal prefix
// "http://" or "https://". The comparison is case-sensitive.
func startsWithHTTP(subdomain string) bool {
	for _, scheme := range []string{"http://", "https://"} {
		if strings.HasPrefix(subdomain, scheme) {
			return true
		}
	}
	return false
}
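// hostForLookup reduces a target line to the bare host name that DNS can
// resolve: it drops a leading http:// or https://, anything from the first
// '/', '?' or '#', and a trailing :port.
func hostForLookup(target string) string {
	host := strings.TrimPrefix(strings.TrimPrefix(target, "https://"), "http://")
	if i := strings.IndexAny(host, "/?#"); i >= 0 {
		host = host[:i]
	}
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	return host
}

// worker consumes targets from subdomains until the channel is closed and
// calls wg.Done on exit. Each target is resolved; if any resolved IP matches
// one of prefixes, the target is handed to checkSubdomain.
//
// Targets that fail to resolve, and IPs for which the prefix check returns an
// error, are skipped silently (best effort).
func worker(subdomains <-chan string, wg *sync.WaitGroup, prefixes []awschecker.Prefix) {
	defer wg.Done()

	for subdomain := range subdomains {
		// checkSubdomain accepts targets that already carry a scheme, but the
		// resolver needs a bare host name; looking up the raw line would fail
		// for every such target and drop it without a probe.
		host := hostForLookup(subdomain)
		if host == "" {
			continue
		}

		// get IP addresses for the subdomain
		IPs, err := net.LookupIP(host)
		if err != nil {
			continue
		}

		// for each IP, check if it's in the AWS range
		for _, ip := range IPs {
			matchingPrefixes, err := awschecker.IsAWSIPAddress(ip, prefixes)
			if err != nil {
				continue
			}

			// if this is an AWS IP then check the subdomain for Cloudfront issue
			if len(matchingPrefixes) > 0 {
				checkSubdomain(subdomain, wg)
				// The probe is addressed by name, not by IP, so one request per
				// target is enough; stopping here avoids sending a duplicate
				// request and printing a duplicate result for every further
				// matching address.
				break
			}
		}
	}
}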
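// probeTimeout bounds one whole probe (connect, redirects, headers and body).
const probeTimeout = 10 * time.Second

// maxProbeBody caps how many bytes of a 403 response body are read.
const maxProbeBody = 1 << 20

// probeClient is shared by all workers. http.Get uses http.DefaultClient,
// which has no timeout, so a single unresponsive host could block a worker
// indefinitely.
var probeClient = &http.Client{Timeout: probeTimeout}

// checkSubdomain sends one HTTP GET to subdomain (prefixing "http://" when no
// scheme is present) and reports it when the response is a 403 whose body
// contains "Bad request".
//
// The match is a heuristic: a hit is printed as a potential CloudFront
// misconfiguration and needs manual confirmation. Redirects are followed by
// the client, so the inspected status and body may come from a redirect
// target rather than from subdomain itself.
//
// wg is not used; the parameter is kept so existing callers keep compiling.
// Request errors are dropped silently; body read errors are printed only in
// verbose mode.
func checkSubdomain(subdomain string, wg *sync.WaitGroup) {
	// Correctly ensure subdomain starts with http:// or https://
	if !startsWithHTTP(subdomain) {
		subdomain = "http://" + subdomain
	}

	resp, err := probeClient.Get(subdomain)
	if err != nil {
		return
	}
	defer resp.Body.Close()

	// debugging
	if verbose {
		fmt.Printf("%s,%d\n", subdomain, resp.StatusCode)
	}

	// Only a 403 Forbidden response is of interest.
	if resp.StatusCode != http.StatusForbidden {
		return
	}

	// The body comes from a remote server the tool does not control; bound the
	// read so an oversized response cannot exhaust memory.
	bodyBytes, err := io.ReadAll(io.LimitReader(resp.Body, maxProbeBody))
	if err != nil {
		if verbose {
			fmt.Printf("Error reading response body for %s: %v\n", subdomain, err)
		}
		return
	}

	// Check for the specific error message in the response body.
	if !strings.Contains(string(bodyBytes), "Bad request") {
		return
	}

	if verbose {
		color.Green.Println("Potential CloudFront misconfiguration found:", subdomain)
	} else {
		fmt.Println(subdomain)
	}
}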