vpn-tools/subscan.sh

#!/bin/bash

RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
CYAN='\033[0;36m'
MAGENTA='\033[0;35m'
NC='\033[0m'

SUBNET="$1"

if [ -z "$SUBNET" ]; then
    echo -e "${RED}Usage: $0 <subnet>    (example: 82.22.146.0/24)${NC}"
    exit 1
fi

echo -e "${GREEN}[+] Starting scan on subnet: ${CYAN}$SUBNET${NC}"
echo

check_dependencies() {
    local missing=()
    command -v nmap >/dev/null 2>&1 || missing+=("nmap")
    command -v dig >/dev/null 2>&1 || missing+=("dig")
    command -v openssl >/dev/null 2>&1 || missing+=("openssl")

    if [ ${#missing[@]} -ne 0 ]; then
        echo -e "${RED}[-] Missing tools: ${missing[*]}${NC}"
        read -p "Install them automatically? (y/N): " -n 1 -r
        echo
        if [[ $REPLY =~ ^[Yy]$ ]]; then
            sudo apt-get update
            sudo apt-get install -y nmap dnsutils openssl
        else
            echo -e "${RED}Please install missing tools and try again.${NC}"
            exit 1
        fi
    fi
}

check_dependencies

SAFE_SUBNET=$(echo "$SUBNET" | tr '/' '-')
OUTPUT_FILE="subscan_${SAFE_SUBNET}_$(date +%Y%m%d_%H%M%S).md"

echo -e "${GREEN}[+] Scanning for open port 443...${NC}"

nmap -Pn -p443 --open -T4 --min-rate=1000 -oG - "$SUBNET" 2>/dev/null | \
grep "443/open" | awk '{print $2}' > /tmp/open_443.txt

mapfile -t IPS < /tmp/open_443.txt
TOTAL=${#IPS[@]}

if [ "$TOTAL" -eq 0 ]; then
    echo -e "${RED}[-] No hosts with port 443 open found.${NC}"
    rm -f /tmp/open_443.txt
    exit 1
fi

echo -e "${GREEN}[+] Found ${CYAN}$TOTAL${GREEN} hosts with port 443 open.${NC}"
echo -e "${GREEN}[+] Extracting TLS domains + validating with forward DNS...${NC}"

VALID=()
INVALID=()

CURRENT=0

for ip in "${IPS[@]}"; do
    CURRENT=$((CURRENT + 1))
    printf "\r${GREEN}[+] Progress: ${CYAN}%d/%d${NC}" "$CURRENT" "$TOTAL"

    tls_domains=$(echo | timeout 4 openssl s_client -connect "$ip":443 -servername dummy 2>/dev/null | \
                  openssl x509 -noout -subject -ext subjectAltName 2>/dev/null | \
                  grep -oE 'DNS:[^, ]+' | sed 's/DNS://' | tr '\n' ' ' | sed 's/ $//')

    if [ -z "$tls_domains" ]; then
        INVALID+=("$ip → No TLS domains found")
        continue
    fi

    is_valid=0
    matched_domain=""

    for domain in $tls_domains; do
        forward_ips=$(dig "$domain" +short +timeout=3 +tries=2 2>/dev/null | \
                      grep -E '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$')

        if echo "$forward_ips" | grep -q "^${ip}$"; then
            is_valid=1
            matched_domain="$domain"
            break
        fi
    done

    if [ $is_valid -eq 1 ]; then
        VALID+=("$ip → $matched_domain")
    else
        INVALID+=("$ip → $tls_domains")
    fi
done

printf "\r${GREEN}[+] Progress: ${CYAN}%d/%d${GREEN} - Done!${NC}%*s\n" "$TOTAL" "$TOTAL" 20 ""

{
    echo "---"
    echo "TLS + DNS Validation Report"
    echo "Subnet     : $SUBNET"
    echo "Total Hosts: $TOTAL"
    echo "Valid      : ${#VALID[@]}"
    echo "Invalid    : ${#INVALID[@]}"
    echo "Date       : $(date)"
    echo "---"
    echo ""
    echo "## Valid (TLS domain resolves back to IP)"
    for line in "${VALID[@]}"; do
        echo "- $line"
    done
    echo ""
    echo "## Invalid (No match or no TLS domains)"
    for line in "${INVALID[@]}"; do
        echo "- $line"
    done
} > "$OUTPUT_FILE"

echo
echo -e "${GREEN}[+] Scan completed!${NC}"
echo -e "${GREEN}[+] Results saved to: ${CYAN}$OUTPUT_FILE${NC}"
echo
echo -e "${YELLOW}Tip: Valid entries are best for SNI imitation.${NC}"

rm -f /tmp/open_443.txt