#!/usr/bin/env python3 """ OSINT Subdomain Hunter - Uses multiple free APIs Usage: python subdomain_hunter.py """ import requests import json import sys from urllib.parse import quote def hackertarget_subdomains(domain): """Query HackerTarget API for subdomains""" print(f"\n[*] HackerTarget API...") url = f"https://api.hackertarget.com/hostsearch/?q={domain}" try: r = requests.get(url, timeout=30) if "API count exceeded" in r.text: print(" [-] Rate limited") return [] results = [] for line in r.text.strip().split('\n'): if ',' in line: subdomain, ip = line.split(',', 1) results.append({'subdomain': subdomain, 'ip': ip}) print(f" [+] {subdomain} -> {ip}") return results except Exception as e: print(f" [!] Error: {e}") return [] def crtsh_subdomains(domain): """Query crt.sh Certificate Transparency logs""" print(f"\n[*] crt.sh (Certificate Transparency)...") url = f"https://crt.sh/?q=%.{domain}&output=json" try: r = requests.get(url, timeout=60) data = r.json() subdomains = set() for entry in data: name = entry.get('name_value', '') for sub in name.split('\n'): sub = sub.strip().lower() if sub and '*' not in sub: subdomains.add(sub) for sub in sorted(subdomains): print(f" [+] {sub}") return list(subdomains) except Exception as e: print(f" [!] Error: {e}") return [] def urlscan_search(domain): """Query urlscan.io for scan data""" print(f"\n[*] URLScan.io...") url = f"https://urlscan.io/api/v1/search/?q=domain:{domain}" try: r = requests.get(url, timeout=30) data = r.json() results = [] for result in data.get('results', []): page = result.get('page', {}) task = result.get('task', {}) info = { 'url': page.get('url'), 'ip': page.get('ip'), 'asn': page.get('asn'), 'server': page.get('server'), } results.append(info) print(f" [+] {info['url']} -> {info['ip']} ({info['asn']})") return results except Exception as e: print(f" [!] Error: {e}") return [] def dns_lookup(domain): """Get DNS records via HackerTarget""" print(f"\n[*] DNS Records...") url = f"https://api.hackertarget.com/dnslookup/?q={domain}" try: r = requests.get(url, timeout=30) if "API count exceeded" not in r.text: print(r.text) return r.text except Exception as e: print(f" [!] Error: {e}") return None def full_recon(domain): """Run full reconnaissance on domain""" print("="*70) print(f" SUBDOMAIN & INFRASTRUCTURE RECON: {domain}") print("="*70) all_subdomains = set() # HackerTarget ht_results = hackertarget_subdomains(domain) for r in ht_results: all_subdomains.add(r['subdomain']) # crt.sh crt_results = crtsh_subdomains(domain) all_subdomains.update(crt_results) # URLScan urlscan_search(domain) # DNS dns_lookup(domain) # Summary print("\n" + "="*70) print(f" SUMMARY: {len(all_subdomains)} unique subdomains found") print("="*70) for sub in sorted(all_subdomains): print(f" {sub}") return list(all_subdomains) # Target domains TARGETS = [ "khamenei.ir", "moqawama.org.lb", "almanar.com.lb", "alahednews.com.lb", ] if __name__ == "__main__": if len(sys.argv) > 1: full_recon(sys.argv[1]) else: print("\n[*] Running recon on all targets...\n") for target in TARGETS: full_recon(target) print("\n")