0x00 About teemo
Domain name collection and enumeration tool
Teemo is a scout. Collecting domain names is the reconnaissance stage of penetration testing and vulnerability research, hence the name Teemo.
The tool has three main modules:
Using search engines:
- http://www.ask.com/ (no request limit, proxy required)
- https://www.baidu.com/ (no request limit, no proxy required)
- http://cn.bing.com/
- https://api.coherent.microsoft.com (Bing API, not yet completed)
- http://www.dogfile.com/ (no proxy required)
- https://duckduckgo.com (not completed, page control)
- http://www.exalead.com/search/web/
- http://www.fofa.so/ (purchase required)
- https://www.so.com/
- https://www.google.com (may be blocked; a proxy may be needed)
- https://search.yahoo.com/
- https://yandex.com/ (may be blocked)
- http://www.exalad.com/ (may be blocked)
- http://www.googleapis.com/ (API key required, Google CSE required)
- https://www.zoomeye.org/
- https://shodan.io/
Using third party sites:
- Alexa
- Chaxunla
- CrtSearch
- DNSdumpster
- Googlect
- Ilink
- Netcraft
- PassiveDNS
- Pgpsearch
- Sitedossier
- ThreatCrowd
- Threatminer
- Virustotal
Using enumeration:
- subDomainsBrute https://github.com/lijiejie/subDomainsBrute
API application guidelines (optional)
Some of the interfaces need an API key. If you have a corresponding account, you can configure it in config.py; the program still works without one.
Google CSE (custom search engine):
- Create a custom search engine (CSE): https://cse.google.com/cse/all
- Apply for an API key: https://developers.google.com/custom-search/json-api/v1/overview
Bing API:
- https://azure.microsoft.com/zh-cn/try/cognitive-services/my-apis/
- https://api.cognitive.microsoft.com/bing/v5.0/search
- https://docs.microsoft.com/en-us/azure/cognitive-services/bing-web-search/quick-start
Fofa:
- Paid membership required
Shodan:
- "Show API key" in the upper right corner of the login page
Basic use
Running environment: Python 2.7*
- To view help:
    python teemo.py -h
- Enumerate the specified domain name (the search engine and third-party site modules will be used):
    python teemo.py -d example.com
- Use a proxy address (the setting in config.py is used by default):
    python teemo.py -d example.com -x "http://127.0.0.1:9999"
- Enable enumeration mode:
    python teemo.py -b -d example.com
- Save the results to the specified file (by default, they are saved to a file named after the domain name, according to the settings in config.py):
    python teemo.py -d example.com -o result.txt
References
Teemo was adapted from the following excellent tools:
- https://github.com/ring04h/wydomain
- https://github.com/aboul3la/Sublist3r
- https://github.com/laramies/theHarvester
Thanks to their authors for sharing.
Change Log
- 2017-08-17: Update the "domainsite" part, use logging for output; fix some bugs.
- 2017-09-08: Remove the port scan function (leave it to nmap); add IP and network analysis.
To Do
- Optimize the DNS query part and abstract it into a function
- Fuzzy matching, i.e. all domain names containing a keyword such as "QQ", for example qqimg.com
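The three modules above return overlapping and differently formatted names, and the fuzzy-matching item is not implemented yet. The following is an added example (not teemo's code) of how collected results can be merged into an inventory: it normalizes each entry, keeps only names that really sit under the target domain, and lists keyword-only matches separately. The source names and sample entries are constructed, and the code assumes each source yields one entry per string.

```python
import re

# Hostname syntax: dot-separated labels of letters, digits and hyphens.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_HOSTNAME = re.compile(r"^(?:%s\.)+%s$" % (_LABEL, _LABEL))


def normalize(raw):
    """Reduce a scraped entry to a bare lowercase hostname, or None."""
    host = raw.strip().lower()
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)  # drop scheme
    host = host.split("/", 1)[0].split(":", 1)[0]       # drop path and port
    if host.startswith("*."):                           # certificate wildcard
        host = host[2:]
    host = host.rstrip(".")                             # drop root dot
    return host if _HOSTNAME.match(host) else None


def in_scope(host, domain):
    """True only for the domain itself or a name under it (label boundary)."""
    return host == domain or host.endswith("." + domain)


def merge_results(sources, domain, keyword=None):
    """Merge per-source lists into (in-scope names, keyword-only names)."""
    scoped, related = set(), set()
    for lines in sources.values():
        for raw in lines:
            host = normalize(raw)
            if host is None:
                continue
            if in_scope(host, domain):
                scoped.add(host)
            elif keyword and keyword.lower() in host:
                related.add(host)  # fuzzy match: needs manual ownership review
    return sorted(scoped), sorted(related)


# Constructed sample data, keyed by hypothetical source names.
SAMPLE = {
    "search": ["http://www.example.com/login", "WWW.Example.com", "mail.example.com:8443"],
    "third_party": ["*.dev.example.com", "notexample.com", "example.com.", "exampleimg.com"],
    "enumeration": ["vpn.example.com", "bad_host!", ""],
}

if __name__ == "__main__":
    print(merge_results(SAMPLE, "example.com", keyword="example"))
```

A plain suffix check would put notexample.com in scope; matching on the label boundary keeps it out, and keyword-only matches stay in a separate list because sharing a substring does not establish ownership.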
Disclaimer
The author publishes the tool's code for the purpose of technology sharing; please do not use it for illegal purposes. Any problem caused by use of the tool and code, or of a modified tool and code, has nothing to do with the author.