Security Essentials

OneForAll

November 27, 2020

Introduction

OneForAll is a powerful chinese subdomain and dns enumeration tool.When considering about subdomain enumeration, amass might be your first and preferable subdomain emumeration tool in your recon arsenal. You might be wondering what makes OneForAll more soundful comparatively to the tools like amass, OneForAll is a practical supplement to provide an extra edge due to its Chinese context. OneForAll pulls from a multitude of exotic Chinese data sources that other tools typically do not query — FOFA, Baidu Cloud Observation, Gitee, and ChinaZ Alexa, to name a few in it’s collection. This improves your chances of finding unique, previously undiscovered entry points during your recon activities.

Here’s a short list of all the different data points OneForAll pulls for your target:

General checks: Basic enumeration of DNS records, zone transfers, cross-domain policy, HTTPS certificate, content security policy, robots.txt, sitemap xml
Bruteforce: “Subdomain blasting” via dictionary file and custom fuzzing, with support for batching and recursion
DNS: BinaryEdge, BufferOver, CEBaidu, Chinaz, Circl, DNSDB, DNSDumpster, HackerTarget, IP138, IPv4Info, Netcraft, PassiveDNS, PTRarchive, Qianxun, RapidDNS, Riddler, Robtex, SecurityTrails, SiteDossier, Threatcrowd, WzPC, XimCX
Certificate transparency: Censys, Certspotter, crt.sh, Entrust, Google, Spyse
Web archives: Wayback Machine & Common Crawl
Threat intelligence: Alienvault, RiskIQ, ThreatBook, ThreatKeeper, VirusTotal
Search engines: Ask, Baidu, Bing, DuckDuckGo, Exalead, FOFA, Gitee, GitHub, Google, Shodan, So.com, Sogou, Yahoo, Yandex, Zoomeye

OneForAll’s documentation and source code comments are unfortunately in Chinese. Not English README is available for this tool.

Demo

Installation

Check that your Python 3 environment meets the minimum versions required:

python3 -V

pip3 -V

python3 should be at least version 3.8.0 and pip3 at least version 19.2.2.

Clone the OneForAll project repository:

git clone https://github.com/shmilylty/OneForAll.git

Install the required dependencies:

cd OneForAll

python3 -m pip install -U pip setuptools wheel

pip3 install -r requirements.txt

cd oneforall

python3 oneforall.py --help

Usecases

Make sure you are in the directory of OneForAll and provide the run argument at the end of command for execution.

python3 oneforall.py --target run

The command line flags are verbose and redundant at times, such as having to specify run each time. Here are the optional flags for advanced usage:

--valid None

--brute True

--port

--format

--dns False

--req False

--takeover True

--show True

--path

Subdomain bruteforcing:

A key feature of OneForAll is its module for brute force subdomain enumeration, enabled by the --brute True flag. This module has both conventional dictionary blasting and custom fuzz mode. It supports batch bruteforce and recursive bruteforce, and automatically judges pan-parsing and processing.

The --word True flag enables brute force. Here are examples to configure the blast radius.

--word True --process 1

--word True --wordlist subnames.txt

--word True --recursive True --depth 2

--fuzz True --place m.*.d.com --rule '[a-z]'

You can also use the regex-like patterns while perform the fuzzing with the –fuzz flag.

Checking for Subdomain Takeovers

Also nice is the built-in check for subdomain takeovers, which checks for a number of services including Heroku, Shopify, BitBucket, Azure, and more. Enable the check with the --takeover True flag.