OneForAll

OneForAll is a powerful subdomain collection tool

The importance of information collection in penetration testing is self-evident. Subdomain collection is an essential and very important part of information collection. At present, there are many open-source tools for subdomain collection on the Internet, but there are always some of the following problems:

• Not powerful enough，there are not enough interfaces to collect subdomains automatically, and there are no functions such as automatic subdomain resolve, verification, FUZZ, and information expansion.
• Not friendly enough，although the command line module is more convenient, but when there are a lot of optional parameters and the operation to be implemented is complex, using command line mode is a bit unfriendly. If there is a good interaction, With a highly operable front end, the experience will be much better.
• Lack of maintenance，Many tools have not been updated once in years, what issues and PR are, do not exist.
• Efficiency issues，do not take advantage of multi-process, multi-threading and asynchronous cooperation technology, the speed is slow.

👍Features

• Powerful collection capability，For more information, please see collection module description.
  1. Collect subdomains using certificate transparency (there are currently 6 modules: censys_api，certspotter，crtsh，entrust，google，spyse_api）
  2. General check collection subdomains (there are currently 4 modules: domain transfer vulnerability exploitationaxfr, cross-domain policy file cdx, HTTPS certificate cert, content security policy csp, robots file robots, and sitemap file sitemap. Check NSEC record, NSEC3 record and other modules will be added later).
  3. Collect subdomains using web crawler files (there are currently 2 modules: archirawl, commoncrawl, which is still being debugged and needs to be added and improved).
  4. Collect subdomains using DNS datasets (there are currently 23 modules: binaryedge_api, bufferover, cebaidu, chinaz, chinaz_api, circl_api, dnsdb_api, dnsdumpster, hackertarget, ip138, ipv4info_api, netcraft, passivedns_api, ptrarchive, qianxun, rapiddns, riddler, robtex, securitytrails_api, sitedossier, threatcrowd, wzpc, ximcx）
  5. Collect subdomains using DNS queries (There are currently 5 modules: collecting subdomains srv by enumerating common SRV records and making queries, and collecting subdomains by querying MX,NS,SOA,TXT records in DNS records of domain names).
  6. Collect subdomains using threat intelligence platform data (there are currently 6 modules: alienvault, riskiq_ api, threatbook_ api, threatkeeper , virustotal, virustotal_ api, which need to be added and improved).
  7. Use search engines to discover subdomains (there are currently 18 modules: ask, baidu, bing, bing_api, duckduckgo, exalead, fofa_api, gitee, github, github_api, google, google_api, shodan_api, so, sogou, yahoo, yandex, zoomeye_api), except for special search engines in the search module. General search engines support automatic exclusion of search, full search, recursive search.
• Support subdomain blasting，This module has both conventional dictionary blasting and custom fuzz mode. It supports batch blasting and recursive blasting, and automatically judges pan-parsing and processing.
• Support subdmain verification，default to enable subdomain verification, automatically resolve subdomain DNS, automatically request subdomain to obtain title and banner, and comprehensively determine subdomain survival.
• Support subdomain takeover，By default, subdomain takeover risk checking is enabled. Automatic subdomain takeover is supported (only Github, remains to be improved at present), and batch inspection is supported.
• Powerful processing feature，The found subdomain results support automatic removal, automatic DNS parsing, HTTP request detection, automatic filtering of valid subdomains, and expansion of Banner information for subdomains. The final supported export formats are rst, csv, tsv, json, yaml, html, xls, xlsx, dbf, latex, ods.
• Very fast，collection module uses multithreaded calls, blasting module uses massdns, the speed can at least reach 10000pps under the default configuration, and DNS parsing and HTTP requests use asynchronous multiprogramming in subdomain verification. Multithreaded check subdomain takeover risk.
• Good experience，Each module has a progress bar, and the results of each module are saved asynchronously.

Install && Use

Copyright (C) 2019 shmilylty