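#!/bin/bash
# Author: Alasdair Keyes - https://akeyes.co.uk
# Released under GPL v3
#
# find_subdomain.sh - brute-force a fixed list of common subdomain labels
# against DNS with dig(1) and print whatever A/AAAA answers come back.
#
# For help on usage run..
#   find_subdomain.sh -h
#
# Exit status: 0 after a scan or --help, 1 when dig is missing, when no
# domain is given, or when the domain is not a plausible DNS name.

## Fail on any unset variable; every flag below is initialised first so
## this only catches genuine typos.
set -u

## Define the subdomains we want to search for - Add new ones to the end
## of this array.  Keep the entries unique: each one costs one query per
## record type (the original list carried "secure" twice, which produced
## a duplicate lookup and duplicate output).
KNOWN_SUBDOMAINS=( admin api apps blog cdn dev docs example feeds files
  forum forums ftp ftps groups go images img imap kb lists live m mail
  mail1 mail2 mail3 media mobile news pic pics pop resources search
  secure sftp smtp ssl static status support test videos vpn webmail
  wiki www www1 www2 www3 )

## Standard help output.  Written to stdout on purpose so `-h | less`
## keeps working; error paths redirect it to stderr themselves.
function helpme {
  echo "USAGE $0: domain.com [OPTIONS]"
  echo
  echo "Searches for IP addresses of subdomains of a specified domain"
  echo "If AXFR transfers are enabled, use those instead"
  echo
  echo "Options"
  echo "--help, -h            Show this help text"
  echo "--a-records-only, -a  Only show dig output that has A or AAAA records, this stops CNAMEs appearing"
  echo "--ip-only, -i         Output just the IP when found, default is the standard DNS information"
  echo "-6                    Only show IPv6 results (default is both IPv4 and IPv6)"
  echo "-4                    Only show IPv4 results (default is both IPv4 and IPv6)"
  echo "--stealth, -s         Sleep for a second between DNS calls"
  echo
}

## Check dig is installed.  Use command -v instead of running a bare
## `dig`: with no arguments dig sends a live query for the root NS set,
## so the old check was a network probe that also failed when offline.
if ! command -v dig >/dev/null 2>&1; then
  echo "This uses dig, which doesn't seem to be installed" >&2
  echo "" >&2
  helpme >&2
  exit 1
fi

## The first argument is the domain.  All arguments, the domain included,
## are then scanned for options; a domain never matches an option name
## because it is validated against a DNS-character set below.
DOMAIN=${1-}
A_RECORDS_ONLY=""
IP_ONLY=""
SHOW_SIX=""
SHOW_FOUR=""
STEALTH=""

## Parse CLI arguments.  --help is honoured before the domain is
## validated so `find_subdomain.sh -h` still works.
for ARG in "$@"; do
  case "$ARG" in
    -a|--a-records-only) A_RECORDS_ONLY=1 ;;
    -h|--help)           helpme; exit 0 ;;
    -i|--ip-only)        IP_ONLY=1 ;;
    -6)                  SHOW_SIX=1 ;;
    -4)                  SHOW_FOUR=1 ;;
    -s|--stealth)        STEALTH=1 ;;
  esac
done

## Check we have a domain at all.
if [ -z "$DOMAIN" ]; then
  echo "No Domain passed" >&2
  echo "" >&2
  helpme >&2
  exit 1
fi

## Validate the domain before it reaches dig's command line.  dig
## interprets leading '-', '+' and '@' positionally, so a value such as
## "-f /some/file", "+trace" or "@resolver" would be treated as an
## option, batch file or server instead of a name.  Restrict the value to
## DNS label characters (letters, digits, '-', '_' and '.'); anything
## else is rejected rather than quoted around.
if ! [[ "$DOMAIN" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]*$ ]]; then
  printf 'Invalid domain: %s\n' "$DOMAIN" >&2
  echo "" >&2
  helpme >&2
  exit 1
fi

## Compile the record types to query.  Computed once, not per subdomain;
## passing both -4 and -6 (or neither) means both address families.
if [ -n "$SHOW_SIX" ] && [ -z "$SHOW_FOUR" ]; then
  TYPES=( AAAA )
elif [ -n "$SHOW_FOUR" ] && [ -z "$SHOW_SIX" ]; then
  TYPES=( A )
else
  TYPES=( A AAAA )
fi

for SUBDOMAIN in "${KNOWN_SUBDOMAINS[@]}"; do
  # Sleep if in stealth.  One pause per name, as before: the per-type
  # queries for a single name are still sent back to back.
  if [ -n "$STEALTH" ]; then
    sleep 1
  fi

  # Run the checks
  for TYPE in "${TYPES[@]}"; do
    # Make DNS call.  +noall +answer leaves only the answer section, so a
    # name that does not exist (or a resolver that times out) yields an
    # empty string, which is treated as "not found" and not reported.
    R=$(dig -t "$TYPE" +nocmd +noall +answer "$SUBDOMAIN.$DOMAIN")
    [ -n "$R" ] || continue

    ## Filter out CNAME responses (drops any answer line mentioning
    ## CNAME; the A/AAAA line for the CNAME target is kept)
    if [ -n "$A_RECORDS_ONLY" ]; then
      R=$(grep -v CNAME <<<"$R")
    fi

    ## Filter just the IPs if specified.  Field 5 of a dig answer line is
    ## the RDATA, i.e. the address for A/AAAA.  Without -a a CNAME line
    ## contributes its target name here, the same as the original did.
    if [ -n "$IP_ONLY" ]; then
      R=$(awk '{ print $5 }' <<<"$R")
    fi

    # Hit them with it (printf rather than echo so an answer beginning
    # with '-' is never taken as an echo option)
    if [ -n "$R" ]; then
      printf '%s\n' "$R"
    fi
  done
done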