OneForAll is a powerful Chinese subdomain and DNS enumeration tool. When it comes to subdomain enumeration, amass might be the first tool you reach for in your recon arsenal. You might be wondering what OneForAll offers compared with tools like amass: it is a practical supplement that provides an extra edge due to its Chinese context. OneForAll pulls from a multitude of exotic Chinese data sources that other tools typically do not query, such as FOFA, Baidu Cloud Observation, Gitee, and ChinaZ Alexa, to name a few in its collection. This improves your chances of finding unique, previously undiscovered entry points during your recon activities.
Here’s a short list of all the different data points OneForAll pulls for your target:
- General checks: Basic enumeration of DNS records, zone transfers, cross-domain policy, HTTPS certificate, content security policy, robots.txt, sitemap xml
- Bruteforce: “Subdomain blasting” via dictionary file and custom fuzzing, with support for batching and recursion
- DNS: BinaryEdge, BufferOver, CEBaidu, Chinaz, Circl, DNSDB, DNSDumpster, HackerTarget, IP138, IPv4Info, Netcraft, PassiveDNS, PTRarchive, Qianxun, RapidDNS, Riddler, Robtex, SecurityTrails, SiteDossier, Threatcrowd, WzPC, XimCX
- Certificate transparency: Censys, Certspotter, crt.sh, Entrust, Google, Spyse
- Web archives: Wayback Machine & Common Crawl
- Threat intelligence: Alienvault, RiskIQ, ThreatBook, ThreatKeeper, VirusTotal
- Search engines: Ask, Baidu, Bing, DuckDuckGo, Exalead, FOFA, Gitee, GitHub, Google, Shodan, So.com, Sogou, Yahoo, Yandex, Zoomeye
OneForAll’s documentation and source code comments are unfortunately in Chinese. No English README is available for this tool.
Check that your Python 3 environment meets the minimum versions required:
python3 should be at least version 3.8.0 and pip3 at least version 19.2.2.
Clone the OneForAll project repository:
Install the required dependencies:
python3 -m pip install -U pip setuptools wheel
pip3 install -r requirements.txt
python3 oneforall.py --help
Make sure you are in the OneForAll directory, and put the run argument at the end of the command to execute it. Here example.com is a placeholder for your target domain:
python3 oneforall.py --target example.com run
The command line flags are verbose and redundant at times, such as having to specify run each time. Here are the optional flags for advanced usage:
A key feature of OneForAll is its module for brute force subdomain enumeration, enabled by the --brute True flag. This module has both conventional dictionary blasting and a custom fuzz mode. It supports batch and recursive brute forcing, and automatically detects and handles wildcard DNS resolution (rendered as "pan-parsing" in translations of the Chinese documentation).
The --word True flag enables brute force. Here are examples to configure the blast radius.
--word True --process 1
--word True --wordlist subnames.txt
--word True --recursive True --depth 2
--fuzz True --place m.*.d.com --rule '[a-z]'
You can also use regex-like patterns when fuzzing with the --fuzz flag.
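Why wildcard handling matters for brute force results, shown as an added example (not OneForAll's own code): on a zone with a wildcard record every guessed name resolves, so hits have to be compared against the answers returned for random labels. The function names, the injected resolve callback and the zone data are assumptions constructed for illustration.

```python
import secrets

def wildcard_ips(parent, resolve, probes=3):
    """Resolve random labels that should not exist; any answer comes from a wildcard record."""
    ips = set()
    for _ in range(probes):
        label = secrets.token_hex(8)  # 16 hex chars, very unlikely to be a real host
        ips |= set(resolve(f"{label}.{parent}"))
    return ips

def filter_wildcard_hits(parent, candidates, resolve):
    """Split resolving names into (real, suspect).

    real:    at least one address lies outside the wildcard answer set
    suspect: every address matches the wildcard answers, so the name may not exist
    """
    wild = wildcard_ips(parent, resolve)
    real, suspect = {}, {}
    for label in candidates:
        name = f"{label}.{parent}"
        answers = set(resolve(name))
        if not answers:
            continue  # no A record at all
        if wild and answers <= wild:
            suspect[name] = answers
        else:
            real[name] = answers
    return real, suspect

# Constructed zone: three explicit records plus a wildcard (*.example.com).
ZONE = {
    "www.example.com": ["203.0.113.10"],
    "mail.example.com": ["203.0.113.25"],
    "shop.example.com": ["198.51.100.7"],  # explicit record on the wildcard's IP
}
WILDCARD = ["198.51.100.7"]

def fake_resolve(name):
    """Offline stand-in for a DNS A lookup against the constructed zone."""
    if name in ZONE:
        return ZONE[name]
    return WILDCARD if name.endswith(".example.com") else []

def demo():
    return filter_wildcard_hits("example.com", ["www", "mail", "shop", "dev", "vpn"], fake_resolve)

if __name__ == "__main__":
    real, suspect = demo()
    print("real:", sorted(real))
    print("suspect:", sorted(suspect))
```

shop.example.com lands in the suspect set even though it has an explicit record, because its address is indistinguishable from the wildcard answer; that is why suspects are returned for review instead of being discarded.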
Checking for Subdomain Takeovers
Also nice is the built-in check for subdomain takeovers, which checks for a number of services including Heroku, Shopify, BitBucket, Azure, and more. Enable the check with the --takeover True flag.
Input Your API Keys
For the most comprehensive results, edit oneforall/api.py to add your API keys for the services below.
Export to Variety of Formats
OneForAll outputs to Excel format by default. Also supported are rst, csv, tsv, json, yaml, html, dbf, latex, and ods.