added subdomain scanner tutorial

Author: x4nth055

README.md

@@ -17,6 +17,7 @@ This is a repository of all the tutorials of [The Python Code](https://www.thepy
     - [Making a Port Scanner using sockets in Python](https://www.thepythoncode.com/article/make-port-scanner-python). ([code](ethical-hacking/port_scanner))
     - [How to Create a Reverse Shell in Python](https://www.thepythoncode.com/article/create-reverse-shell-python). ([code](ethical-hacking/reverse_shell))
     - [How to Encrypt and Decrypt Files in Python](https://www.thepythoncode.com/article/encrypt-decrypt-files-symmetric-python). ([code](ethical-hacking/file-encryption))
+    - [How to Make a Subdomain Scanner in Python](https://www.thepythoncode.com/article/make-subdomain-scanner-python). ([code](ethical-hacking/subdomain-scanner))
 
 - ### [Machine Learning](https://www.thepythoncode.com/topic/machine-learning)
     - ### [Natural Language Processing](https://www.thepythoncode.com/topic/nlp)

ethical-hacking/subdomain-scanner/README.md

@@ -0,0 +1,40 @@
+# [How to Make a Subdomain Scanner in Python](https://www.thepythoncode.com/article/make-subdomain-scanner-python)
+To run this:
+- `pip3 install -r requirements.txt`
+- To run the fast subdomain scanner:
+    ```
+    python fast_subdomain_scanner.py --help
+    ```
+    **Output:**
+    ```
+    usage: fast_subdomain_scanner.py [-h] [-l WORDLIST] [-t NUM_THREADS] domain
+
+    Faster Subdomain Scanner using Threads
+
+    positional arguments:
+    domain                Domain to scan for subdomains without protocol (e.g
+                            without 'http://' or 'https://')
+
+    optional arguments:
+    -h, --help            show this help message and exit
+    -l WORDLIST, --wordlist WORDLIST
+                            File that contains all subdomains to scan, line by
+                            line. Default is subdomains.txt
+    -t NUM_THREADS, --num-threads NUM_THREADS
+                            Number of threads to use to scan the domain. Default
+                            is 10
+    ```
+- If you want to scan hackthissite.org for subdomains using only 10 threads with a word list of 100 subdomains (`subdomains.txt`):
+    ```
+    python fast_subdomain_scanner.py hackthissite.org -l subdomains.txt -t 10
+    ```
+    After a while, it **outputs:**
+    ```
+    [+] Discovered subdomain: http://mail.hackthissite.org
+    [+] Discovered subdomain: http://www.hackthissite.org
+    [+] Discovered subdomain: http://forum.hackthissite.org
+    [+] Discovered subdomain: http://admin.hackthissite.org
+    [+] Discovered subdomain: http://stats.hackthissite.org
+    [+] Discovered subdomain: http://forums.hackthissite.org
+    ```
+- For bigger subdomain wordlists, check [this repository](https://github.com/rbsec/dnscan).

ethical-hacking/subdomain-scanner/fast_subdomain_scanner.py

@@ -0,0 +1,68 @@
+import requests
+from threading import Thread, active_count
+from queue import Queue
+import time
+
+q = Queue()
+
+def scan_subdomains(domain):
+    global q
+    while True:
+        # get the subdomain from the queue
+        subdomain = q.get()
+        # scan the subdomain
+        url = f"http://{subdomain}.{domain}"
+        try:
+            requests.get(url)
+        except requests.ConnectionError:
+            pass
+        else:
+            print("[+] Discovered subdomain:", url)
+
+        # we're done with scanning that subdomain
+        q.task_done()
+
+
+def main(domain, n_threads, subdomains):
+    global q
+
+    # fill the queue with all the subdomains
+    for subdomain in subdomains:
+        q.put(subdomain)
+
+    for t in range(n_threads):
+        # start all threads
+        worker = Thread(target=scan_subdomains, args=(domain,))
+        # daemon thread means a thread that will end when the main thread ends
+        worker.daemon = True
+        worker.start()
+
+    
+
+
+def print_n_threads():
+    while True:
+        print("Number of alive threads:", active_count())
+        time.sleep(10)
+
+
+if __name__ == "__main__":
+    import argparse
+    parser = argparse.ArgumentParser(description="Faster Subdomain Scanner using Threads")
+    parser.add_argument("domain", help="Domain to scan for subdomains without protocol (e.g without 'http://' or 'https://')")
+    parser.add_argument("-l", "--wordlist", help="File that contains all subdomains to scan, line by line. Default is subdomains.txt",
+                        default="subdomains.txt")
+    parser.add_argument("-t", "--num-threads", help="Number of threads to use to scan the domain. Default is 10", default=10, type=int)
+    
+    args = parser.parse_args()
+    domain = args.domain
+    wordlist = args.wordlist
+    num_threads = args.num_threads
+
+    # t = Thread(target=print_n_threads)
+    # t.daemon = True
+    # t.start()
+
+    main(domain=domain, n_threads=num_threads, subdomains=open(wordlist).read().splitlines())
+    q.join()
+    

ethical-hacking/subdomain-scanner/requirements.txt

@@ -0,0 +1 @@
+requests

ethical-hacking/subdomain-scanner/subdomain_scanner.py

@@ -0,0 +1,23 @@
+import requests
+
+# the domain to scan for subdomains
+domain = "google.com"
+
+# read all subdomains
+file = open("subdomains.txt")
+# read all content
+content = file.read()
+# split by new lines
+subdomains = content.splitlines()
+
+for subdomain in subdomains:
+    # construct the url
+    url = f"http://{subdomain}.{domain}"
+    try:
+        # if this raises an ERROR, that means the subdomain does not exist
+        requests.get(url)
+    except requests.ConnectionError:
+        # if the subdomain does not exist, just pass, print nothing
+        pass
+    else:
+        print("[+] Discovered subdomain:", url)

ethical-hacking/subdomain-scanner/subdomains.txt

@@ -0,0 +1,100 @@
+www
+mail
+ftp
+localhost
+webmail
+smtp
+pop
+ns1
+webdisk
+ns2
+cpanel
+whm
+autodiscover
+autoconfig
+m
+imap
+test
+ns
+blog
+pop3
+dev
+www2
+admin
+forum
+news
+vpn
+ns3
+mail2
+new
+mysql
+old
+lists
+support
+mobile
+mx
+static
+docs
+beta
+shop
+sql
+secure
+demo
+cp
+calendar
+wiki
+web
+media
+email
+images
+img
+www1
+intranet
+portal
+video
+sip
+dns2
+api
+cdn
+stats
+dns1
+ns4
+www3
+dns
+search
+staging
+server
+mx1
+chat
+wap
+my
+svn
+mail1
+sites
+proxy
+ads
+host
+crm
+cms
+backup
+mx2
+lyncdiscover
+info
+apps
+download
+remote
+db
+forums
+store
+relay
+files
+newsletter
+app
+live
+owa
+en
+start
+sms
+office
+exchange
+ipv4