added dnsdigger, dnswalk and some scripts

Peter Baumann 2013-06-04 15:02:45 +02:00
parent 3448a3ef60
commit 3b2769a3c9
19 changed files with 3095 additions and 0 deletions


@ -0,0 +1 @@
217.5.115.7

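--- /dev/null
+++ b/dns/dnsdigger/dnsdigger.pl
@@ -0,0 +1,325 @@
+#!/usr/local/bin/perl
+# (c) 2003 Michael Thumann
+# Distribute freely
+# DNS Module from Michael Fuhr, Thankx Michael ;-).
+use Net::DNS;
+sub get_axfr{
+print "\nInitiating Zone Transfer ...\n";
+$res->usevc(1);
+@zone = $res->axfr($domain);
+if (@zone) {
+foreach $rr (@zone) {
+$rr->print;
+}
+print "\n----------------------------------------------------------------------\n\n";
+return 1;
+}
+else {
+print ';;Zone transfer failed: ', $res->errorstring, "\n";
+print "\n----------------------------------------------------------------------\n\n";
+return 0;
+}
+}
+sub find_rootserver{
+$res->usevc(0);
+if (open(ROOT,"root-servers.dat")){
+while (<ROOT>){
+chomp($_);
+$res->nameservers($_);
+print "Asking Root Server $_\n";
+$packet=$res->send($domain, 'NS');
+if ($packet){
+@additional_tld = $packet->additional;
+if (@additional_tld) {
+foreach $rr (@additional_tld) {
+$tld=$rr->rdatastr;
+if (find_ns()){close(ROOT); return 1;}
+else {print "No Records found!\n";}
+}
+}
+}
+}
+close(ROOT);
+return 0;
+die "Can't connect to the Root-Servers! \n";
+}
+else {die "Can't open root-servers.dat!\n";}
+close(ROOT);
+}
+sub resolve_name{
+# Enter the IP of your favorite DNS Server in the next line
+#$res->nameservers('217.5.115.7');
+if (open(DNS,"dns-server.dat")){
+while (<DNS>){
+chomp($_);
+$res->nameservers($_);
+}
+}
+close(DNS);
+print "Resolving $name\n";
+$packet_resolve=$res->send($name,'ANY');
+if ($packet_resolve){
+@nameserv = $packet_resolve->answer;
+if (@nameserv) {
+foreach $rr (@nameserv) {
+$ns=$rr->rdatastr;}
+}
+}
+}
+sub find_ns{
+$ok=0;
+$res->usevc(0);
+$res->recurse(1);
+$res->nameservers($tld);
+print "Asking TLD Server $tld\n";
+$packet=$res->send($domain, 'NS');
+if ($packet){
+@additional_ns = $packet->additional;
+@answer_ns = $packet->answer;
+if (@additional_ns) {
+foreach $rr (@additional_ns) {
+$ns=$rr->rdatastr;
+if (get_dns()){$ok= 1;}
+}
+if ($ok){return 1;}
+}
+else {
+if (@answer_ns) {
+foreach $rr (@answer_ns) {
+$name=$rr->rdatastr;
+resolve_name();
+if (get_dns()){$ok= 1;}
+}
+if ($ok){return 1;}
+}
+else {return 0;}
+}
+}
+return 0;
+}
+sub get_dns(){
+$res->nameservers($ns);
+$res->usevc(0);
+print "Asking Name Server $ns\n";
+if ($version){get_ver();}
+$packet=$res->send($domain, 'NS');
+if ($packet){
+if ( get_axfr()){
+print " Zone Transfer succesful!\n";
+}
+else {
+get_any();
+get_activedir();
+if ($dig){dig_dns();}
+print "All possible information for $domain gathered!\n";
+}
+return 1;
+}
+else {return 0;}
+}
+sub get_ver{
+$res->usevc(0);
+print "\nChecking for DNS Server Version ...\n";
+$packet=$res->query('version.bind', 'TXT','CH');
+if ($res->errorstring eq "NOTIMP"){print "Microsoft DNS Server detected!\n";}
+if ($res->errorstring eq "FORMERR"){print "TinyDNS Server detected!\n";}
+if ($res->errorstring eq "NOERROR")
+{
+print "BIND DNS Server detected!\n";
+if ($packet) {
+@dnsversion = $packet->answer;
+if (@dnsversion) {
+foreach $rr (@dnsversion) {
+$ver=$rr->rdatastr;
+print "BIND Version: $ver \n";}
+}
+}
+}
+}
+sub get_any{
+print "\nGetting ANY DNS Record ...\n";
+$res->usevc(0);
+$packet=$res->query($domain, 'ANY');
+if ($packet) {
+$packet->print;
+print "\n----------------------------------------------------------------------\n\n";
+}
+@dnstypes=(
+"A",
+"AAAA",
+"AFSDB",
+"CERT",
+"CNAME",
+"DNAME",
+"EID",
+"HINFO",
+"ISDN",
+"LOC",
+"MB",
+"MG",
+"MINFO",
+"MR",
+"MX",
+"NAPTR",
+"NIMLOC",
+"NS",
+"NSAP",
+"NULL",
+"OPT",
+"PTR",
+"PX",
+"RP",
+"RT",
+"SOA",
+"TKEY",
+"TSIG",
+"TXT",
+"WKS",
+"X25"
+);
+foreach $i (@dnstypes) {
+print "\nTrying $i Record Type ...\n";
+$packet=$res->query($domain, $i);
+if ($packet) {
+$packet->print;
+print "\n----------------------------------------------------------------------\n\n";
+}
+}
+}
+sub get_activedir{
+print "\nLooking for Active Directory SRV Records ...\n";
+$res->usevc(0);
+@srvtype=(
+"_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.",
+"_kerberos._tcp.Default-First-Site-Name._sites.",
+"_kerberos._tcp.dc._msdcs.",
+"_kerberos._tcp.",
+"_kerberos._udp.",
+"_kpasswd._tcp.",
+"_kpasswd._udp.",
+"_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.",
+"_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.",
+"_ldap._tcp.Default-First-Site-Name._sites.",
+"_ldap._tcp.dc._msdcs.",
+"_ldap._tcp.gc._msdcs.",
+"_ldap._tcp.pdc._msdcs.",
+"_ldap._tcp.",
+"_gc._tcp.Default-First-Site-Name._sites.",
+"_gc._tcp."
+);
+foreach $i (@srvtype) {
+$service = $i.$domain;
+print "\nTrying $service ...\n";
+$packet=$res->query($service, 'SRV');
+if ($packet) {
+$packet->print;
+print "\n----------------------------------------------------------------------\n\n";
+}
+}
+}
+sub dig_dns{
+print "\nStarting the DNS Digger ...\n";
+@hybridlst1=("0","1","2","3","4","5","6","7","8","9");
+@hybridlst2=("0","1","2","3","4","5","6","7","8","9");
+$res->usevc(0);
+if (open(NAMES,"names.txt")){
+while (<NAMES>){
+chomp($_);
+$host = $_.".".$domain;
+$packet=$res->query($host, 'ANY');
+if ($packet){
+$packet->print;
+print "\n----------------------------------------------------------------------\n\n";
+}
+if ($hybrid){
+foreach $h1 (@hybridlst1) {
+foreach $h2 (@hybridlst2) {
+$hybrid_host=$_.$h1.$h2.".".$domain;
+$packet=$res->query($hybrid_host, 'ANY');
+if ($packet){
+$packet->print;
+print "\n----------------------------------------------------------------------\n\n";
+}
+}
+}
+}
+if ($silent){sleep 1};
+}
+}
+else {print "Can't open names.txt!\n";}
+close(NAMES);
+}
+sub usage(){
+print "\nUsage: perl dnsdigger.pl <domain name> [OPTIONS]\n";
+print "-----------------------------------------------------------\n";
+print "OPTIONS:\n";
+print "silent : Activates a time loop of 1 second in the DNS Digger function\n";
+print "debug : Starts a debug output\n";
+print "nodig : Disable the Digger\n";
+print "port53 : Use Port 53 as Source Port\n";
+print "host : Use a specific DNS Server and must be followed by the IP Address\n";
+print "hybrid : Appends 01 to 99 to the names while digging\n";
+print "version: Try to get the DNS Server Version\n";
+print "\nEXAMPLES:\n";
+print "perl dnsdigger.pl example.com\n";
+print "perl dnsdigger.pl example.com silent\n";
+print "perl dnsdigger.pl example.com debug\n";
+print "perl dnsdigger.pl example.com host 10.1.1.1\n";
+exit;
+}
+# Main Programm
+if (@ARGV==0){usage();}
+$dig=1;
+$root=1;
+$version=0;
+print "\n";
+print "DNSDigger 0.3beta (c) 2003 by Michael Thumann (mthumann\@ernw.de)\n";
+print "----------------------------------------------------------------------\n\n";
+$res = Net::DNS::Resolver->new;
+$res->tcp_timeout(5);
+$res->udp_timeout(5);
+$res->retry(2);
+$res->retrans(3);
+if (@ARGV==1){
+$domain=$ARGV[0];
+if (find_rootserver()){print "Done.\n";}
+else{print "Error: Can't connect to the DNS Server!\n";}
+}
+if (@ARGV>=2){
+$domain=$ARGV[0];
+for ($o=1;$o<=@ARGV;$o++){
+$option=$ARGV[$o];
+if ($option eq "silent") {$silent=1;print "Time Loop enabled!\n"}
+if ($option eq "debug") {$res->debug(1);print "Debug enabled!\n";}
+if ($option eq "port53") {$res->srcport(53);print "Switching to Source Port 53!\n";}
+if ($option eq "nodig") {$dig=0;print "Digger disabled!\n";}
+if ($option eq "version") {$version=1;print "Query DNS Server Version enabled!\n";}
+if ($option eq "hybrid") {$hybrid=1;print "Hybrid Mode for Digger enabled!\n";}
+if ($option eq "host") {
+$root=0;
+print "Use specific DNS Server!\n";
+$ns=$ARGV[$o+1];
+}
+}
+if ($root){
+if (find_rootserver()){print "Done.\n";}
+else{print "Error: Can't connect to the DNS Server!\n";}
+}
+else{
+if (get_dns()){print "Done.\n";}
+else{print "Error: Can't connect to the DNS Server!\n";}
+}
+}
+# end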
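Review bot: The option loop `for ($o=1;$o<=@ARGV;$o++)` runs one index past the end of @ARGV, so its final iteration compares an undefined `$option`, and the `host` branch reads `$ARGV[$o+1]` without checking that a value follows, leaving `$ns` undefined when `host` is the last argument and handing an empty nameserver to `$res->nameservers($ns)` in get_dns. The bound should be `for ($o=1;$o<@ARGV;$o++){` and the host branch should refuse a missing value: `$ns=$ARGV[$o+1]; usage() unless defined $ns;`. The file has no `use strict; use warnings;`, so neither problem is reported at runtime; the same pragmas would also flag the bareword two-arg opens of root-servers.dat, dns-server.dat and names.txt, which should become three-arg opens on lexical handles, and the `die` after `return 0;` in find_rootserver is unreachable. In resolve_name, `$res->nameservers($_)` inside the while loop appears to replace the server list on each line, so only the last entry of dns-server.dat is ever queried, which does not match what the comment above it suggests.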

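--- /dev/null
+++ b/dns/dnsdigger/names.txt
@@ -0,0 +1,319 @@
+ILMI
+academico
+acceso
+access
+acid
+admin
+admins
+administracion
+administrador
+afiliados
+agenda
+agent
+aix
+alerts
+antivirus
+app
+apps
+appserver
+archie
+as400
+auto
+ayuda
+backup
+banking
+bbs
+bbdd
+bea
+beta
+bolsa
+buscador
+ca
+canal
+catalog
+certify
+cgi
+channel
+channels
+chat
+chats
+cisco
+clientes
+club
+cluster
+clusters
+code
+commerce
+community
+compaq
+compras
+consola
+console
+consumer
+contact
+contracts
+corporate
+correo
+correoweb
+cortafuegos
+cso
+data
+datos
+db
+db2
+default
+demo
+desarrollo
+descargas
+design
+dev
+develop
+developer
+device
+dial
+digital
+dilbert
+directory
+disc
+discovery
+disk
+disney
+dns
+dns1
+dns2
+dns3
+dns-2
+docs
+documentos
+documentacion
+domain
+domains
+dominio
+domino
+dominoweb
+download
+earth
+ecommerce
+e-commerce
+edi
+education
+ejemplo
+email
+empresa
+empresas
+enable
+engine
+engineer
+enterprise
+estadisticas
+events
+example
+exchange
+extern
+external
+extranet
+fax
+field
+firewall
+formacion
+foro
+foros
+forum
+forums
+foto
+fotos
+fsp
+ftp
+ftp2
+fw
+fw1
+fw-1
+galeria
+galerias
+galleries
+games
+gateway
+gopher
+guest
+gw
+hello
+help
+helpdesk
+helponline
+hp
+ibm
+ibmdb
+ids
+images
+imap
+imap4
+img
+info
+intern
+internal
+intranet
+invalid
+ipsec
+ipsec-gw
+irc
+ircserver
+jobs
+juegos
+ldap
+link
+linux
+lista
+lists
+listserver
+localhost
+log
+login
+lotus
+mail
+mailhost
+management
+manager
+map
+maps
+mapas
+marketing
+media
+members
+messenger
+mngt
+mobile
+monitor
+mrtg
+multimedia
+music
+names
+netdata
+netstats
+network
+news
+nms
+nntp
+nombres
+noticias
+ns
+ns1
+ns2
+ntp
+online
+openview
+outlook
+oracle
+page
+pages
+paginas
+partner
+partners
+pda
+personal
+ph
+pictures
+pix
+pop
+pop3
+portal
+postales
+prensa
+press
+private
+proxy
+prueba
+pruebas
+project
+projects
+public
+ra
+radio
+raptor
+ras
+read
+register
+registro
+remote
+reports
+resumenes
+root
+router
+rwhois
+sac
+schedules
+scotty
+search
+secret
+secure
+security
+seri
+serv
+serv2
+server
+service
+services
+servicio
+servidor
+shop
+shopping
+site
+sms
+smtp
+smtphost
+snmp
+snmpd
+snort
+solaris
+solutions
+soporte
+source
+sql
+ssl
+stats
+store
+streaming
+sun
+support
+switch
+sysback
+system
+tech
+terminal
+test
+tienda
+time
+tivoli
+transfers
+training
+uddi
+update
+video
+vpn
+wais
+wap
+web
+webdocs
+weblib
+weblogic
+webmail
+webserver
+webservices
+websphere
+whois
+wireless
+work
+world
+write
+w1
+w2
+w3
+ws
+ws1
+ws2
+ws3
+www
+www1
+www2
+www3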

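--- /dev/null
+++ b/dns/dnsdigger/readme.txt
@@ -0,0 +1,41 @@
+DNSDigger is a programm to gather as much as possible informations from DNS Servers. Two different methods are use:
+1. DNS Server Query
+Query every DNS Server that is responsible for the domain, primary and each secondary. Sometimes only one DNS Server is misconfigured, but that could be enough to get the whole zone file or a provider DNS is used. Some providers allow zone transfers from their DNS Servers.
+2. DNS Digging
+The idea is to use the same technique as with password attacks based on dictionaries to find hostnames hidden in the DNS zone.There's a names.txt which contains the dictionary. The option HYBRID will append the nummbers 01 to 99 to each entry in the names.txt to uncover additional hostnames.
+3. DNS Server Version
+DNSDigger uses a chaos class query to find out which DNS Server is running. Microsoft DNS Server and TinyDNS answer with a very special error message and BIND responds with it's version, if not configured to fake the information.
+4. Active Directory
+DNSdigger queries the common SRV records for windows 2000 domain controllers to identify them.
+The tools might be useful for all pen-testers that have to gather DNS informations during a pen-test.
+The program is in beta state, so there might be bugs. If you find some please report them to mthumann@ernw.de
+You need the NET::DNS Module from Michael Fuhr to run the program. You can download it from the original website
+http://www.net-dns.org
+or from activestate for ActivePerl
+http://ppm.activestate.com/PPMPackages/zips/6xx-builds-only/Net-DNS-0.34.zip
+For resolving dns names enter the ip address of your favorite dns server in the file dns-server.dat
+Known bugs:
+None so far ;-))
+License:
+Copyright (c) 2003 Michael Thumann.
+You can use and distribute the program for free as long as the code is not modified.
+Disclaimer:
+The program is provided "AS IS" without warranty
+of any kind. In no event shall the author be liable for any damages
+whatsoever including direct, indirect, incidental, consequential,
+loss of business profits or special damages due to the misuse of this
+program.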


@ -0,0 +1,13 @@
198.41.0.4
128.9.0.107
192.33.4.12
128.8.10.90
192.203.230.10
192.5.5.241
192.112.36.4
128.63.2.53
192.36.148.17
192.58.128.30
193.0.14.129
198.32.64.12
202.12.27.33