信息收集之子域名挖掘

域名可以分为顶级域名、一级域名、二级域名等。子域名（subdomain）是顶级域名（一级域名或父域名）的下一级。例如，mail.example.com和calendar.example.com是example.com的两个子域，而example.com则是顶级域.com的子域。在测试过程中，测试目标主站时如果未发现任何相关漏洞，此时通常会考虑挖掘目标系统的子域名。

import requests
from bs4 import BeautifulSoup
from urllib.parse import urlparse


def bing_search(site, pages):
    Subdomain = []
    headers = {'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0',
               'Accept': '*/*',
               'Accept-Language': 'en-US,en;q=0.5',
               'Accept-Encoding': 'gzip,deflate',
               'referer': "http://cn.bing.com/search?q=email+site%3abaidu.com&qs=n&sp=-1&pq=emailsite%3abaidu.com&first=2&FORM=PERE1"
               }
    for i in range(1,int(pages)+1):
        url = "https://cn.bing.com/search?q=site%3a"+site+"&go=Search&qs=ds&first="+ str((int(i)-1)*10) +"&FORM=PERE"
        conn = requests.session()
        conn.get('http://cn.bing.com', headers=headers)
        html = conn.get(url, stream=True, headers=headers, timeout=8)
        soup = BeautifulSoup(html.content, 'html.parser')
        job_bt = soup.findAll('h2')
        for i in job_bt:
            link = i.a.get('href')
            domain = str(urlparse(link).scheme + "://" + urlparse(link).netloc)
            if domain in Subdomain:
                pass
            else:
                Subdomain.append(domain)
                print(domain)
if __name__ == '__main__':
    site='baidu.com' 
    page = 15
    # if len(sys.argv) == 3:
    #     site = sys.argv[1]
    #     page = sys.argv[2]
    # else:
    #     print ("usage: %s baidu.com 10" % sys.argv[0])
    #     sys.exit(-1)
    Subdomain = bing_search(site, page)