:・゚✧:・゚✧:☆*:✧:・゚✧::☆*:・゚✧::☆*::・゚:☆*:゚✧:・゚:☆*::・゚:☆*::・゚✧
(ノ◕ヮ◕)ノ*:・゚✧:::::𝓛𝓸𝓼𝓽 & 𝓕𝓸𝓾𝓷𝓭:::::。.:☆*:・'(*⌒―⌒*)))
:・゚✧:・゚✧:☆*:✧:・゚✧::☆*:・゚✧::☆*::・゚:☆*:゚✧:・゚:☆*::・゚:☆*::・゚✧
The tool helps you find broken, wrong and expired assets on any application.
usage: LostAndFound.py [-h] [-u URL | -a APK | -d DIR | -i IPA | -b BIN | -t TXT | -p PROXY]
options:
  -h, --help            show this help message and exit
  -u URL, --url URL     URL to check
  -a APK, --apk APK     APK to check
  -d DIR, --dir DIR     Directory of Source Code to check
  -i IPA, --ipa IPA     IPA to check
  -b BIN, --bin BIN     Binary to check
  -t TXT, --txt TXT     Text file to check
  -p PROXY, --proxy PROXY
                        DNS Proxy with format: [upstream_dns],[port],[duration_seconds]
First, pass in the application you want to check. The tool then extracts every URL it finds and passes each one to the respective checker, which looks for a broken asset, an expired domain, etc.
$ python3 LostAndFound.py -u http://aratu.boitatech.com.br/
:・゚✧:・゚✧:☆*:✧:・゚✧::☆*:・゚✧::☆*::・゚:☆*:゚✧:・゚:☆*::・゚:☆*::・゚✧
(ノ◕ヮ◕)ノ*:・゚✧ 𝓛𝓸𝓼𝓽 & 𝓕𝓸𝓾𝓷𝓭 。.:☆*:・'(*⌒―⌒*)))
:・゚✧:・゚✧:☆*:✧:・゚✧::☆*:・゚✧::☆*::・゚:☆*:゚✧:・゚:☆*::・゚:☆*::・゚✧
URL: http://aratu.boitatech.com.br/
- ['https://aratu.boitatech.com.br', 'https://aratu.boitatech.com.br/images-event/meta-image.png', 'https://aratu.boitatech.com.br', 'https://aratu.boitatech.com.br/images-event/meta-image.png', 'https://platform-api.sharethis.com/js/sharethis.js#property=6254e99180366d0019fc1adf&product=sticky-share-buttons', 'https://forms.gle/oLHmm4V6HzZxr2Pr6', 'https://discord.gg/7xrXqR8x5T', 'https://ctf-api.boitatech.com.br/login', 'https://www.hakaioffensivesecurity.com/', 'https://crowsec.com.br/', 'https://hackingclub.com/', 'https://www.bughunt.com.br/', 'https://www.convisoappsec.com/', 'https://idwall.co/', 'https://www.faculdadevincit.edu.br/cursos', 'https://discord.gg/7xrXqR8x5T', 'https://twitter.com/boitatech', 'https://instagram.com/boitatech', 'https://github.com/boitatech', 'https://www.googletagmanager.com/gtag/js?id=G-SJF22ZP7FR']
100%|█████████████████████████████████████████████████████████████████████████████████| 14/14 [00:01<00:00, 13.61it/s]
The checkers check (duh) whether an asset is broken:
- npm
- github
- TikTok
- Youtube
- domain
- bitbucket
- gitlab
- rubygems
- pypi
- packagist/composer
- S3
- buckets
Given an input, the extractors extract (duh again) all the URLs they find and pass them to the respective checkers:
- apk
- ipa
- website
- binary
- Burp Plugin
- source code
The tool can also be used inside Burp Suite: load burp_plugin/LostAndFound_burp_plugin.py using Jython. The plugin is fully passive and only checks requests as they pass through.
The DNS proxy feature allows you to monitor DNS requests made by an application or system to detect requests to unregistered domains. This can help identify potential security issues like domain takeover opportunities or misconfigured applications.
python3 LostAndFound.py -p 8.8.8.8,5353,3600
This command starts a DNS proxy server that:
- Uses 8.8.8.8 as the upstream DNS server
- Listens on port 5353
- Runs for 3600 seconds (1 hour)
How it works:
- The DNS proxy intercepts all DNS queries directed to it
- For each query, it checks if the domain is registered
- It forwards all queries to the upstream DNS server and returns responses
- At the end of the run, it generates a report of all unregistered domains encountered
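The reporting step described above, as an added example (not the project's dns_proxy.py code): it parses upstream DNS responses and tallies the names that came back NXDOMAIN. Using NXDOMAIN as the "possibly unregistered" signal is an assumption, since the page does not say how the tool decides; the function names and sample packets are constructed for illustration.

```python
import struct

NXDOMAIN = 3  # RCODE 3, "Name Error" (RFC 1035)

def build_response(qname, rcode, txid=0x1234):
    """Build a minimal DNS response (header + one question) as constructed sample data."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1; RCODE is the low 4 bits
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_response(packet):
    """Return (qname, rcode) from the header and first question of a DNS response."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if not flags & 0x8000 or qdcount < 1:
        raise ValueError("not a response carrying a question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        if length == 0:
            break
        if length > 63:  # pointer/reserved label types do not belong in the first question
            raise ValueError("unexpected label type")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    return ".".join(labels), flags & 0x000F

def nxdomain_report(packets):
    """Count NXDOMAIN answers per queried name; malformed packets are skipped."""
    counts = {}
    for packet in packets:
        try:
            name, rcode = parse_response(packet)
        except ValueError:  # also covers UnicodeDecodeError
            continue
        if rcode == NXDOMAIN:
            counts[name] = counts.get(name, 0) + 1
    return counts

# Constructed sample traffic (reserved example names, not real observations).
SAMPLE = [
    build_response("cdn.example.com", 0),
    build_response("assets.old-vendor.example", NXDOMAIN),
    build_response("Assets.Old-Vendor.example", NXDOMAIN),
    build_response("api.example.org", NXDOMAIN)[:20],  # truncated packet, skipped
]
```

NXDOMAIN marks a name as a candidate only; confirm the registration status of its parent domain (for example with WHOIS or RDAP) before treating it as unregistered.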
To send your system's DNS queries to the proxy, set your DNS server to 127.0.0.1.
On Linux/macOS:
sudo networksetup -setdnsservers Wi-Fi 127.0.0.1
On Windows:
netsh interface ip set dns "Wi-Fi" static 127.0.0.1
Remember to change your DNS settings back after testing.
You can also run the DNS proxy directly:
python3 dns_proxy.py --dns 8.8.8.8 --port 5353 --time 3600