projectdiscovery / chaos-client

Go client to communicate with Chaos DB API.
https://chaos.projectdiscovery.io
MIT License
611 stars 88 forks

Updating client to query public bugbounty recon data #21

Closed ehsandeep closed 4 years ago

ehsandeep commented 4 years ago

Newly added flags:-

dns-status-code
dns-record-type
filter-wildcard
resp 
resp-only
http-url
http-title
http-status-code
http-content-length

Expected input for dns-status-code

Example:-

chaos -d hackerone.com -silent -filter-wildcard

// this will print all wildcard filtered active subdomains. 

a.ns.hackerone.com
api.hackerone.com
b.ns.hackerone.com
docs.hackerone.com
mta-sts.forwarding.hackerone.com
mta-sts.hackerone.com
mta-sts.managed.hackerone.com
resources.hackerone.com
support.hackerone.com
www.hackerone.com

chaos -d hackerone.com -silent -dns-status-code noerror

// will print all subdomains with dns status code = noerror
// dns-status-code is case insensitive, it could be "noerror" or "NOERROR"
// NOERROR = subdomains with valid A record
// -active flag can also be added for the same result.

a.ns.hackerone.com
api.hackerone.com
b.ns.hackerone.com
docs.hackerone.com
mta-sts.forwarding.hackerone.com
mta-sts.hackerone.com
mta-sts.managed.hackerone.com
resources.hackerone.com
support.hackerone.com
www.hackerone.com

chaos -d hackerone.com -silent -dns-status-code nxdomain 

// will print all subdomains with dns status code = nxdomain
// nxdomain = subdomains with no valid A record

email.hackerone.com
go.hackerone.com
info.hackerone.com
links.hackerone.com
ns.hackerone.com 
o1.email.hackerone.com
o2.email.hackerone.com
o3.email.hackerone.com

Expected input for dns-record-type

Example:-

chaos -d hackerone.com -silent -dns-record-type cname 

// this will print all the dns records having cname entry 
//  dns-record-type is case insensitive, it could be "cname" or "CNAME"

docs.hackerone.com
mta-sts.hackerone.com
support.hackerone.com
mta-sts.managed.hackerone.com
mta-sts.forwarding.hackerone.com
resources.hackerone.com

chaos -d hackerone.com -silent -dns-status-code nxdomain -dns-record-type cname

// this will print subdomains with `nxdomain` status code but still have `cname` record associated with it.

chaos -d hackerone.com -silent -dns-record-type cname -resp-only

// this will print all the cnames of the requested domain
// i.e. only print the response record.

hacker0x01.github.io
hacker0x01.github.io
hackerone.zendesk.com
hacker0x01.github.io
hacker0x01.github.io
read.uberflip.com

chaos -d hackerone.com -silent -dns-record-type cname -resp

// this will print all the cnames of the requested domain
// i.e. only print the response record.

hacker0x01.github.io
hacker0x01.github.io
hackerone.zendesk.com
hacker0x01.github.io
hacker0x01.github.io
read.uberflip.com

chaos -d hackerone.com -silent -dns-record-type a

// this will print all the dns records having A entry 

a.ns.hackerone.com
api.hackerone.com
b.ns.hackerone.com
docs.hackerone.com
mta-sts.forwarding.hackerone.com
mta-sts.hackerone.com
mta-sts.managed.hackerone.com
resources.hackerone.com
support.hackerone.com
www.hackerone.com

chaos -d hackerone.com -silent -dns-record-type a -resp

// prints subdomain and A records of input subdomain/domains

www.hackerone.com 104.16.99.52
www.hackerone.com 104.16.100.52
api.hackerone.com 104.16.99.52
api.hackerone.com 104.16.100.52
a.ns.hackerone.com 162.159.0.31
b.ns.hackerone.com 162.159.1.31
mta-sts.hackerone.com 185.199.108.153
mta-sts.hackerone.com 185.199.109.153
mta-sts.hackerone.com 185.199.110.153
mta-sts.hackerone.com 185.199.111.153
support.hackerone.com 104.16.53.111
support.hackerone.com 104.16.51.111
resources.hackerone.com 52.60.160.16
resources.hackerone.com 52.60.165.183
mta-sts.managed.hackerone.com 185.199.109.153
mta-sts.managed.hackerone.com 185.199.111.153
mta-sts.managed.hackerone.com 185.199.110.153
mta-sts.managed.hackerone.com 185.199.108.153
docs.hackerone.com 185.199.109.153
docs.hackerone.com 185.199.111.153
docs.hackerone.com 185.199.110.153
docs.hackerone.com 185.199.108.153
mta-sts.forwarding.hackerone.com 185.199.109.153
mta-sts.forwarding.hackerone.com 185.199.111.153
mta-sts.forwarding.hackerone.com 185.199.110.153
mta-sts.forwarding.hackerone.com 185.199.108.153

chaos -d hackerone.com -silent -dns-record-type a -resp-only

// this will print all the A records of the requested domain. 

162.159.1.31
104.16.99.52
104.16.100.52
104.16.99.52
104.16.100.52
185.199.111.153
185.199.109.153
185.199.110.153
185.199.108.153
162.159.0.31
104.16.53.111
104.16.51.111
185.199.109.153
185.199.108.153
185.199.110.153
185.199.111.153
52.60.165.183
52.60.160.16
185.199.108.153
185.199.108.153
185.199.110.153
185.199.109.153
185.199.111.153
185.199.110.153
185.199.109.153
185.199.111.153

chaos -d hackerone.com -silent -dns-record-type ns

// this will print all the NS records of the requested domain. 

4460893.sodigital.uber.com
assets-share.uber.com
et.uber.com
info.uber.com
mobile-content.uber.com
prod.uber.com
sptrans.uber.com
tbs-static.uber.com
tb-static.uber.com

chaos -d hackerone.com -silent -dns-record-type ns -resp-only

// this will print all the dns records having NS entry 

ns-1485.awsdns-57.org
ns-2040.awsdns-63.co.uk
ns-457.awsdns-57.com
ns-651.awsdns-17.net
edns126.ultradns.com
edns126.ultradns.net
edns126.ultradns.biz
edns126.ultradns.org
ns-1415.awsdns-48.org
ns-1679.awsdns-17.co.uk
ns-285.awsdns-35.com
ns-612.awsdns-12.net
ns-1037.awsdns-01.org
ns-2031.awsdns-61.co.uk
ns-242.awsdns-30.com
ns-878.awsdns-45.net
ns1.exacttarget.com
ns3.exacttarget.com
ns2.exacttarget.com

Expected input for http-url

chaos -d hackerone.com -silent -http-url

// will print all the subdomains running http web server. 

https://docs.hackerone.com
https://mta-sts.managed.hackerone.com
https://mta-sts.hackerone.com
https://mta-sts.forwarding.hackerone.com
https://api.hackerone.com
https://www.hackerone.com
https://support.hackerone.com
https://resources.hackerone.com

Expected input for http-title

chaos -d hackerone.com -silent -http-title

// will print all the URLs with titles in it.

https://mta-sts.managed.hackerone.com [Page not found · GitHub Pages]
https://mta-sts.hackerone.com [Page not found · GitHub Pages]
https://mta-sts.forwarding.hackerone.com [Page not found · GitHub Pages]
https://docs.hackerone.com [HackerOne Platform Documentation]
https://www.hackerone.com [Hacker-Powered Security Testing & Bug Bounty | HackerOne]
https://api.hackerone.com [HackerOne API]

Expected input for http-status-code

chaos -d hackerone.com -silent -http-status-code

// this will print all the URLs with respective status-codes

https://mta-sts.hackerone.com [404]
https://mta-sts.forwarding.hackerone.com [404]
https://docs.hackerone.com [200]
https://api.hackerone.com [200]
https://www.hackerone.com [200]
https://mta-sts.managed.hackerone.com [404]
https://support.hackerone.com [301]
https://resources.hackerone.com [301]

chaos -d hackerone.com -silent -http-url -http-status-code 200

//this will print all the URLs with 200 status-codes (client-side filtering)

https://docs.hackerone.com [200]
https://www.hackerone.com [200]
https://api.hackerone.com [200]

chaos -d hackerone.com -silent -http-status-code 404

https://mta-sts.managed.hackerone.com [404]
https://mta-sts.hackerone.com [404]
https://mta-sts.forwarding.hackerone.com [404]

Expected input for http-content-length

chaos -d hackerone.com -silent -http-content-length

https://mta-sts.forwarding.hackerone.com [9339]
https://mta-sts.hackerone.com [9339]
https://docs.hackerone.com [65781]
https://mta-sts.managed.hackerone.com [9339]
https://api.hackerone.com [7781]
https://www.hackerone.com [68464]
https://support.hackerone.com [489]
https://resources.hackerone.com [0]

chaos -d hackerone.com -silent -http-title -http-status-code -http-content-length

https://mta-sts.hackerone.com [404] [9339] [Page not found · GitHub Pages]
https://mta-sts.managed.hackerone.com [404] [9339] [Page not found · GitHub Pages]
https://docs.hackerone.com [200] [65781] [HackerOne Platform Documentation]
https://www.hackerone.com [200] [68464] [Hacker-Powered Security Testing & Bug Bounty | HackerOne]
https://api.hackerone.com [200] [7781] [HackerOne API]
https://mta-sts.forwarding.hackerone.com [404] [9339] [Page not found · GitHub Pages]
https://resources.hackerone.com [404] [6680] [Sorry, no Folders found.]
https://support.hackerone.com [200] [4385] [HackerOne]

ehsandeep commented 4 years ago

Notes and validations:-

Notes:-

  1. http-url is implicit when any of the http-* flags is used, so you don't need to use http-url each time.

Validations:-

  1. dns-status-code and dns-record-type cannot be used along with any http-* flags.
  2. resp and resp-only flags are used only with the dns-status-code and dns-record-type flags.
  3. Both of the above flags can't be used at the same time.
  4. http-* flags cannot be used along with dns-status-code or dns-record-type.
  5. All flags are case insensitive.
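
The note and validations above, written out as a Go pre-flight check on parsed flags. This is an added example, not code from chaos-client: the `Options` type, the `Validate` method, the on/off modelling of http-status-code and the accepted value sets (limited to the values used in this issue's examples) are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Options models the flags from the issue. Hypothetical type, not chaos-client's.
type Options struct {
	DNSStatusCode, DNSRecordType string // e.g. "NOERROR", "cname"
	Resp, RespOnly               bool
	// http-status-code is modelled as on/off only (assumption).
	HTTPUrl, HTTPTitle, HTTPStatusCode, HTTPContentLength bool
}

// Values seen in the issue's examples; a real client may accept more (assumption).
var statusCodes = map[string]bool{"noerror": true, "nxdomain": true}
var recordTypes = map[string]bool{"a": true, "cname": true, "ns": true}

// Validate normalizes case, then enforces the validations listed in the issue.
func (o *Options) Validate() error {
	o.DNSStatusCode = strings.ToLower(strings.TrimSpace(o.DNSStatusCode))
	o.DNSRecordType = strings.ToLower(strings.TrimSpace(o.DNSRecordType))
	dnsAny := o.DNSStatusCode != "" || o.DNSRecordType != ""
	httpAny := o.HTTPUrl || o.HTTPTitle || o.HTTPStatusCode || o.HTTPContentLength
	switch {
	case dnsAny && httpAny:
		return errors.New("dns-* flags cannot be combined with http-* flags")
	case (o.Resp || o.RespOnly) && !dnsAny:
		return errors.New("resp/resp-only need dns-status-code or dns-record-type")
	case o.Resp && o.RespOnly:
		return errors.New("resp and resp-only cannot be used together")
	case o.DNSStatusCode != "" && !statusCodes[o.DNSStatusCode]:
		return fmt.Errorf("unknown dns-status-code %q", o.DNSStatusCode)
	case o.DNSRecordType != "" && !recordTypes[o.DNSRecordType]:
		return fmt.Errorf("unknown dns-record-type %q", o.DNSRecordType)
	}
	o.HTTPUrl = httpAny // note 1: http-url is implicit with any http-* flag
	return nil
}

func main() {
	ok := Options{DNSStatusCode: "NXDOMAIN", DNSRecordType: "CNAME", RespOnly: true}
	fmt.Println(ok.Validate(), ok.DNSStatusCode, ok.DNSRecordType)
	bad := Options{DNSRecordType: "a", HTTPTitle: true}
	fmt.Println(bad.Validate())
}
```

Rejecting conflicting combinations before any API call keeps the client from silently ignoring one of the filters.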