hostess.py is a script that will automate the subdomain discovery for a semi-blind external assessment. Then, it will take what it discovers and check to see if the discovered subdomains are within the client-provided scope. Great! Start hacking, as the results are clearly laid out for you.
If the subdomains are not located in the client-defined scope, the entries will be placed in a CSV file that you can forward to your client. Ask them for approval to include entries from additional-subdomains.csv to the assessment scope.
Ensure that you have a fullscope.txt and domains.txt file present in the same directory:
- fullscope.txt: the full list of IP addresses, CIDR ranges, and hostnames provided by the client.
- domains.txt: all of the relevant client-controlled domain names you would like to enumerate.
hostess ❯ cat domains.txt
nathanburchfield.com
burm.at
burmat.co
hostess ❯ cat fullscope.txt
www.burm.at
burmat.local
www.burmat.co
8.8.8.8
nathanburchfield.com
1.1.1.2-16
Execute the script:
hostess ❯ python3 hostess.py
[>] Welcome to v1.0 of Hostess Pie. This is subdomain enumeration tool named after the portable and superior type of pies.
[>] Executing amass..
[>] Executing assetfinder...
[>] Executing getallurls...
[>] The 'subdomains.txt' file has been compiled
[>] Resolving the discovered results within 'subdomains.txt'...
[>] IP address resolution completed
[>] Generating inscope- or additional-subdomains.csv..
[>] The inscope- and additional-subdomains CSV files have been created!
- inscope-subdomains.csv: hosts ready to be hacked.
- additional-subdomains.csv: other discovered assets you should send to your client for review/approval to add as in-scope for hacking.
- The script will "clean" the fullscope.txt file and create a new list named hostess-scope.txt for use by the script by:
  - Converting CIDR and IP address ranges to individual IP addresses;
  - Converting provided hostnames (contained within fullscope.txt) to IP addresses to add to the new list; and
  - Appending the in-scope domains/subdomains from fullscope.txt to the new list.
- Execute amass, getallurls, assetfinder, and others. Parse the results. Append the results to subdomains.txt.
- Resolve the IP addresses for all entries discovered in subdomains.txt to generate subdomains.csv.
- Compare all entries of subdomains.csv to the scope provided by the client:
  - Determine if the resolved IP address within subdomains.csv exists in hostess-scope.txt.
  - Determine if the resolved hostname exists in hostess-scope.txt.
- Split these results into two different files: inscope-subdomains.csv and additional-subdomains.csv.
  - 'inscope-subdomains.csv' includes all IP addresses and subdomains that are considered in scope, based on the fullscope.txt file.
  - 'additional-subdomains.csv' should be sent to your client for review/approval to add as in-scope for hacking.
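The scope-cleaning and comparison steps above, written out as a runnable Python sketch. This is an added example, not code from hostess.py: DNS is replaced by a constructed lookup table (FAKE_DNS) so it runs offline, the function names (expand_scope_entry, build_scope, classify, to_csv) are my own, and the hostnames and RFC 5737 documentation addresses in FULLSCOPE and DISCOVERED are sample data. It handles the same input forms as fullscope.txt (single IPs, CIDRs, the "1.1.1.2-16" range shorthand, hostnames) and keeps a row for subdomains that do not resolve, so they cannot silently drop out of the client report.

```python
import csv
import io
import ipaddress
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Constructed stand-in for DNS so the example runs offline. The real tool
# would resolve with socket.gethostbyname_ex() or a DNS library instead.
# All addresses are RFC 5737 documentation ranges; the names are sample data.
FAKE_DNS: Dict[str, List[str]] = {
    "www.burm.at": ["203.0.113.10"],
    "dev.burm.at": ["203.0.113.11"],        # covered by the 203.0.113.0/28 scope entry
    "nathanburchfield.com": ["203.0.113.20"],
    "www.burmat.co": ["198.51.100.5"],      # in scope by hostname, not by IP
    "old.burmat.co": ["192.0.2.99"],        # resolves outside the client scope
    "burmat.local": [],                     # listed in scope but does not resolve
}

Resolver = Callable[[str], List[str]]


def resolve(hostname: str) -> List[str]:
    """Offline resolver: returns the IPv4 addresses for a hostname, or []."""
    return FAKE_DNS.get(hostname.lower(), [])


def expand_scope_entry(entry: str, resolver: Resolver = resolve) -> Tuple[Set[str], Set[str]]:
    """Turn one fullscope.txt line into (individual IPs, hostnames).

    Accepts a single IP, a CIDR, a range ("1.1.1.2-1.1.1.16" or the IPv4
    shorthand "1.1.1.2-16"), or a hostname, which is kept *and* resolved.
    """
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return set(), set()
    if "-" in entry:
        start, end = entry.split("-", 1)
        try:
            first = ipaddress.ip_address(start)
        except ValueError:
            first = None  # e.g. "my-host.example.com" is a hostname, not a range
        if first is not None:
            if "." not in end:  # shorthand: "1.1.1.2-16" means 1.1.1.2 through 1.1.1.16
                end = ".".join(start.split(".")[:3] + [end])
            last = ipaddress.ip_address(end)
            nets = ipaddress.summarize_address_range(first, last)
            return {str(ip) for net in nets for ip in net}, set()
    try:
        net = ipaddress.ip_network(entry, strict=False)
        return {str(ip) for ip in net}, set()
    except ValueError:
        host = entry.lower()  # a hostname: keep the name and whatever it resolves to
        return set(resolver(host)), {host}


def build_scope(fullscope_lines: Iterable[str], resolver: Resolver = resolve) -> Tuple[Set[str], Set[str]]:
    """Equivalent of hostess-scope.txt: all in-scope IPs and all in-scope hostnames."""
    scope_ips: Set[str] = set()
    scope_hosts: Set[str] = set()
    for line in fullscope_lines:
        ips, hosts = expand_scope_entry(line, resolver)
        scope_ips |= ips
        scope_hosts |= hosts
    return scope_ips, scope_hosts


def classify(discovered, scope_ips, scope_hosts, resolver: Resolver = resolve):
    """Split discovered subdomains into in-scope and additional rows of
    (hostname, ip, reason). A host with no DNS answer still gets one row."""
    inscope, additional = [], []
    for host in sorted({h.strip().lower() for h in discovered if h.strip()}):
        for ip in resolver(host) or [""]:
            if host in scope_hosts:
                inscope.append((host, ip, "hostname listed in client scope"))
            elif ip and ip in scope_ips:
                inscope.append((host, ip, "resolved IP listed in client scope"))
            else:
                additional.append((host, ip, "not in client scope; needs client approval"))
    return inscope, additional


def to_csv(rows) -> str:
    """Render rows the way inscope-/additional-subdomains.csv would be written."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["hostname", "ip", "reason"])
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample inputs standing in for fullscope.txt and subdomains.txt.
FULLSCOPE = """www.burm.at
burmat.local
www.burmat.co
203.0.113.0/28
nathanburchfield.com
203.0.113.20-25
"""
DISCOVERED = ["www.burm.at", "dev.burm.at", "old.burmat.co", "www.burmat.co", "api.burmat.co"]

if __name__ == "__main__":
    ips, hosts = build_scope(FULLSCOPE.splitlines())
    inscope, additional = classify(DISCOVERED, ips, hosts)
    print("--- inscope-subdomains.csv ---\n" + to_csv(inscope))
    print("--- additional-subdomains.csv ---\n" + to_csv(additional))
```

Two design points worth noting. First, a subdomain of an in-scope domain that resolves to an address outside the client's ranges (old.burmat.co above, or a name fronted by a third-party CDN) lands in the additional file rather than the in-scope one; that is the intended behaviour, since only the client can confirm they own that infrastructure. Second, expanding every CIDR into individual addresses mirrors the hostess-scope.txt approach, but it does not scale to large ranges; keeping ipaddress.ip_network objects and testing membership with `ip in net` gives the same answer without the memory cost.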
