scoper.py is designed to enumerate hostnames for in-scope IP addresses. It uses several different methods to do so:
- Nmap reverse DNS lookup
- Masscan port 443 then carves Cnames and subjectAltNames
- Bing IP Search
- Crt.sh certificate transperency
- Fierce DNS scanner
Each method can be turned on individually with the appropriate switch, or -a can be used to enable all. All output is saved to a directory. Primarily inscope-hostnames.txt, and inscope-ips.txt.
-i,--filein: File with IP Addresses, accepts many formats-d,--domains: Additional domain to search. Not required.-n,--nmap: Executes Nmap Reverse DNS lookup. Not required.-m,--mass: Executes masscan for port 443 against all IPs, then pulls names from SSL certs. Not required.-b,--bing: Bing IP search against each IP. Can take a while for a lot of IPs. Results are either great or terrible. Not required.-c,--crtsh: Searches crt.sh (certificate transparency) for all previously identified base domains. Pretty quick with decent results. Not required.-s,--shodan: Searches shodan for each IP addresses, outputs dns records discovered and open ports (separate files). Not required.-k,--key: Shodan API key. Only required w/ -s (--shodan).-f,--fierce: Executes fierce DNS bruteforcer against all previously identified base domains. This can take a while. Results can be worth it though. Not required.-t,--timeout: Change default socket timeout. Defaults to 10. Not sure this is working right. Not required.-o,--outdir: Output directory to create. Default./scoper/. Not required.-a,--execall: Executes all tests. Same as -n -m -b -c -f. Not required.-q,--quick: Executes most tests. Same as -n -m -b -c. Basicaly -a without fierce or shodan. Not required.-N,--noscope: Ignore "scope" requirements. Do not compare to provide IPs and output all discovered records. Not required.-S,--synack: Take the terrible c/p from Synack and parse into something useable first. Not required.
scoper.py relies on two external tools, masscan and fierce. These can be installed with apt-get:
apt-get update && apt-get -y install fierce masscan python-libnmap python-m2crypto
All scripts use Python 2.7. Python requirements can be installed with:
pip install -r requirements.txt
One of the requirements installed with the above command is python-masscan. python-masscan, but default, prints a debug message for each time a scan is initated. It's very annoying. I've included a patch to disable the debug messages and keep output clean. Additionally, an older version is used because the latest version (at the time of testing) wasn't building.
patch -b /usr/local/lib/python2.7/dist-packages/masscan/masscan.py ./files/masscan.diff