OneForAll

Image

Introduction      

OneForAll is a powerful chinese subdomain and dns enumeration tool.When considering about subdomain enumeration, amass might be your first and preferable subdomain emumeration tool in your recon arsenal. You might be wondering what makes OneForAll more soundful comparatively to the tools like amass, OneForAll is a practical supplement to provide an extra edge due to its Chinese context. OneForAll pulls from a multitude of exotic Chinese data sources that other tools typically do not query — FOFA, Baidu Cloud Observation, Gitee, and ChinaZ Alexa, to name a few in it’s collection. This improves your chances of finding unique, previously undiscovered entry points during your recon activities.

Here’s a short list of all the different data points OneForAll pulls for your target:

  • General checks: Basic enumeration of DNS records, zone transfers, cross-domain policy, HTTPS certificate, content security policy, robots.txt, sitemap xml
  • Bruteforce: “Subdomain blasting” via dictionary file and custom fuzzing, with support for batching and recursion
  • DNS: BinaryEdge, BufferOver, CEBaidu, Chinaz, Circl, DNSDB, DNSDumpster, HackerTarget, IP138, IPv4Info, Netcraft, PassiveDNS, PTRarchive, Qianxun, RapidDNS, Riddler, Robtex, SecurityTrails, SiteDossier, Threatcrowd, WzPC, XimCX
  • Certificate transparency: Censys, Certspotter, crt.sh, Entrust, Google, Spyse
  • Web archives: Wayback Machine & Common Crawl
  • Threat intelligence: Alienvault, RiskIQ, ThreatBook, ThreatKeeper, VirusTotal
  • Search engines: Ask, Baidu, Bing, DuckDuckGo, Exalead, FOFA, Gitee, GitHub, Google, Shodan, So.com, Sogou, Yahoo, Yandex, Zoomeye

OneForAll’s documentation and source code comments are unfortunately in Chinese. Not English README is available for this tool.

Demo

Lock image

Installation

Check that your Python 3 environment meets the minimum versions required:

python3 -V

pip3 -V

python3 should be at least version 3.8.0 and pip3 at least version 19.2.2.

Clone the OneForAll project repository:

git clone https://github.com/shmilylty/OneForAll.git

Install the required dependencies:

cd OneForAll

python3 -m pip install -U pip setuptools wheel

pip3 install -r requirements.txt

cd oneforall

python3 oneforall.py --help

Usecases

Make sure you are in the directory of OneForAll and provide the run argument at the end of command for execution.

python3 oneforall.py --target run

The command line flags are verbose and redundant at times, such as having to specify run each time. Here are the optional flags for advanced usage:

--valid None

--brute True

--port

--format

--dns False

--req False

--takeover True

--show True

--path

Subdomain bruteforcing:

A key feature of OneForAll is its module for brute force subdomain enumeration, enabled by the --brute True flag. This module has both conventional dictionary blasting and custom fuzz mode. It supports batch bruteforce and recursive bruteforce, and automatically judges pan-parsing and processing.

The --word True flag enables brute force. Here are examples to configure the blast radius.

--word True --process 1

--word True --wordlist subnames.txt

--word True --recursive True --depth 2

--fuzz True --place m.*.d.com --rule '[a-z]'

You can also use the regex-like patterns while perform the fuzzing with the –fuzz flag.

Checking for Subdomain Takeovers

Also nice is the built-in check for subdomain takeovers, which checks for a number of services including Heroku, Shopify, BitBucket, Azure, and more. Enable the check with the --takeover True flag.

Input Your API Keys

For the most comprehensive results, edit oneforall/api.py to add your API keys for the services below.

  • Censys
  • BinaryEdge
  • Chinaz
  • Bing
  • SecurityTrails
  • FOFA
  • Google
  • RiskIQ
  • Shodan
  • ThreatBook
  • VirusTotal
  • Zoomeye
  • Spyse
  • Circl
  • DNSDB
  • IPv4info
  • Github
  • PassiveDNS

Export to Variety of Formats

OneForAll outputs to Excel format by default. Also supported are rst, csv, tsv, json, yaml, html, dbf, latex, and ods.