├── README.md
├── dnsrr.sh
├── images
│   ├── 1.png
│   ├── 2.png
│   └── readme.md
├── list.txt
├── wordlist.txt
└── xplain
    ├── cache_snooping.txt
    ├── forward_lookup_bruteforce.txt
    ├── reverse_lookup_bruteforce.txt
    ├── thanks.txt
    └── zone_transfer.txt

/README.md:
--------------------------------------------------------------------------------
# DNSrr
DNSrr is a tool written in bash, used to enumerate all the juicy stuff from DNS records. It uses different techniques, like
- DNS Forward Bruteforce
- DNS Reverse Bruteforce
- DNS Cache Snooping
- DNS Zone Transfer

to get you all the information that you can get from a DNS server.

## Installation
Install it using git
```bash
git clone https://github.com/A3h1nt/Dnsrr
```
Get Started
```bash
./dnsrr.sh --help
```
## Usage
```bash
------------------- USAGE ------------------
-z : Attempt Zone Transfer
    Syntax: ./dnsrr.sh -z [Nameserver] [Domain Name]
-fb : Forward Lookup Bruteforce
    Syntax: ./dnsrr.sh -fb [Domain Name]
    Syntax: ./dnsrr.sh -fb [Domain Name] [Wordlist]
-rb : Reverse Lookup Bruteforce
    Syntax: ./dnsrr.sh -rb [Domain Name]
-cs : Perform DNS Cache Snooping
    Syntax: ./dnsrr.sh -cs [Name Server] [Wordlist]
-x : Explain A Particular Option
    Syntax: ./dnsrr.sh -x [Option_Name]
------------------------------------------------
```
DNSrr supports five different options, including the one that explains the other four. So just in case you don't know what a particular option is doing, you can simply use the `-x` option to understand the technique behind it.

Example:
```bash
# To explain zone transfer
./dnsrr.sh -x z
```

## Sample Execution
### Zone Transfer
![execution](/images/1.png)

### Forward Lookup Bruteforce
![execution](/images/2.png)

## To Do
- Add new techniques that can be used to enumerate data from DNS.
- Report bugs.
- Add any new/missing feature.

## Contact Me
Ping me at [A3h1nt](https://twitter.com/A3h1nt).
--------------------------------------------------------------------------------
/dnsrr.sh:
--------------------------------------------------------------------------------
```bash
#!/bin/bash
# DNSrr: zone transfer, forward/reverse lookup brute force and cache snooping.
# list.txt and the xplain/ help texts are looked up relative to this script,
# so the script changes into its own directory before doing anything else.

scriptdir=$(dirname "$0")

function banner()
{
    echo "==========================================="
    echo -e "== \033[1;33mDNSrr\033[0m =================================="
    echo "==========================================="
    echo -e "== Twitter : \033[1;36m@A3h1nt\033[0m ======================"
    echo "==========================================="
    echo -e "== Attempting : \033[1;31m$1\033[0m "
    echo "==========================================="
    # Only the options that take a wordlist pass a second argument.
    if [ $# -eq 2 ]
    then
        echo -e "== Wordlist : \033[1;32m$2\033[0m "
        echo "==========================================="
    fi
}

# zone_transfer <nameserver> <domain>
function zone_transfer()
{
    # AXFR output repeats the SOA record at the start and end of the transfer;
    # sort -u drops exact duplicates without collapsing distinct records.
    dig axfr "@$1" "$2" | sort -u
}

# resolve_from_list <domain> <wordlist>
# Prepends every wordlist entry to the domain and prints "name : address" for
# the ones that resolve. Only "not found" lines are dropped, so a hostname
# that merely contains "not" (notification, notes, ...) is kept.
function resolve_from_list()
{
    while read -r name
    do
        [ -z "$name" ] && continue
        host "$name.$1"
    done < "$2" | grep -v 'not found' | awk '{print $1 " : " $NF}'
}

# forward_lookup_bruteforce <domain> [wordlist]
function forward_lookup_bruteforce()
{
    if [ $# -eq 1 ]
    then
        # Try to dump the whole zone with host -l first; fall back to the
        # bundled list.txt when the nameserver refuses the transfer.
        dump_host_list=$(host -l "$1" 2> /dev/null)
        if [[ $dump_host_list == *"failed"* ]] || [ -z "$dump_host_list" ]
        then
            echo "Attempting from list.txt"
            resolve_from_list "$1" list.txt
        else
            echo "$dump_host_list"
        fi
    else
        resolve_from_list "$1" "$2"
    fi
}

# reverse_lookup_bruteforce <domain>
# Resolves the domain, keeps the first three octets of its address and asks
# for the PTR record of every host in that /24.
function reverse_lookup_bruteforce()
{
    ip=$(host -t A "$1" | awk '/has address/ {print $NF; exit}' | cut -d '.' -f-3)
    if [ -z "$ip" ]
    then
        echo "Invalid Domain Name!!!"
        exit 1
    fi
    for i in $(seq 1 255)
    do
        host "$ip.$i"
    done | grep -v 'not found' | awk '{print $1 " : " $NF}' | sed 's/.in-addr.arpa/ /g'
}

# cache_snooping <nameserver> <wordlist>
# Sends a non-recursive query for every name in the wordlist. The resolver can
# only answer such a query from its cache, so ANSWER > 0 means the name was
# looked up recently by someone using that resolver. The count is read from
# dig's ";; flags:" line rather than grepping for a "0" anywhere in the output.
function cache_snooping()
{
    while read -r name
    do
        [ -z "$name" ] && continue
        answers=$(dig "@$1" "$name" +norecurse | awk -F '[:,]' '/^;; flags:/ {print $5 + 0}')
        if [ "${answers:-0}" -gt 0 ]
        then
            echo "$name : ANSWER: $answers"
        fi
    done < "$2"
}

function xplain()
{
    case $1 in
        z|-z)
            less xplain/zone_transfer.txt
            ;;
        fb|-fb)
            less xplain/forward_lookup_bruteforce.txt
            ;;
        rb|-rb)
            less xplain/reverse_lookup_bruteforce.txt
            ;;
        cs|-cs)
            less xplain/cache_snooping.txt
            ;;
        *)
            less xplain/thanks.txt
            ;;
    esac
}

cd "$scriptdir" || exit 1

if [ $# -lt 1 ]
then
    echo "Use --help to see options"
    exit 1
fi

if [ "$1" = "--help" ]
then
    echo "------------------- USAGE ------------------"
    echo "-z : Attempt Zone Transfer"
    echo "    Syntax: ./dnsrr.sh -z [Nameserver] [Domain Name]"
    echo "-fb : Forward Lookup Bruteforce"
    echo "    Syntax: ./dnsrr.sh -fb [Domain Name]"
    echo "    Syntax: ./dnsrr.sh -fb [Domain Name] [Wordlist]"
    echo "-rb : Reverse Lookup Bruteforce"
    echo "    Syntax: ./dnsrr.sh -rb [Domain Name]"
    echo "-cs : Perform DNS Cache Snooping"
    echo "    Syntax: ./dnsrr.sh -cs [Name Server] [Wordlist]"
    echo "-x : Explain A Particular Option"
    echo "    Syntax: ./dnsrr.sh -x [Option_Flag]"
    echo "------------------------------------------------"
    exit 0
fi

case $1 in

    # Zone Transfer
    -z)
        if [ $# -ne 3 ]
        then
            echo "Syntax Error !"
            exit 1
        fi
        banner "Zone Transfer"
        zone_transfer "$2" "$3"
        ;;

    # Forward Lookup Bruteforce
    -fb)
        if [ $# -lt 2 ]
        then
            echo "Syntax Error !"
        elif [ $# -eq 2 ]
        then
            banner "Forward Lookup Bruteforce" "list.txt"
            forward_lookup_bruteforce "$2"
        elif [ $# -eq 3 ]
        then
            banner "Forward Lookup Bruteforce" "$3"
            forward_lookup_bruteforce "$2" "$3"
        else
            echo "Use f***1g --help"
        fi
        ;;

    # Reverse Lookup Bruteforce
    -rb)
        if [ $# -ne 2 ]
        then
            echo "Syntax Error !"
            exit 1
        fi
        banner "Reverse Lookup Bruteforce"
        reverse_lookup_bruteforce "$2"
        ;;

    # DNS Cache Snooping
    -cs)
        if [ $# -ne 3 ]
        then
            echo "Syntax Error !"
            exit 1
        fi
        banner "DNS Cache Snooping" "$3"
        cache_snooping "$2" "$3"
        ;;

    # Explain Options
    -x)
        if [ $# -ne 2 ]
        then
            echo "What to explain !!!"
            exit 1
        fi
        xplain "$2"
        ;;

    # Anything else
    *)
        echo "Invalid option or argument !!"
        ;;
esac
```
--------------------------------------------------------------------------------
/images/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/A3h1nt/Dnsrr/7ec05bd3ed393a8d490b91b6e52134f2e4ccdd62/images/1.png
--------------------------------------------------------------------------------
/images/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/A3h1nt/Dnsrr/7ec05bd3ed393a8d490b91b6e52134f2e4ccdd62/images/2.png
--------------------------------------------------------------------------------
/images/readme.md:
--------------------------------------------------------------------------------
Images for readme.md
--------------------------------------------------------------------------------
/list.txt:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/xplain/cache_snooping.txt:
--------------------------------------------------------------------------------
# DNS Cache Snooping

Before we understand what DNS cache snooping is, we need to understand these two types of DNS queries.

## Recursive
If the DNS server doesn't have a record for a particular domain, it queries the other DNS servers in the hierarchy and returns the record.

```
v1g1lant3@backbox:~$ dig @8.8.8.8 apple.com +norecurse

; <<>> DiG 9.16.1-Ubuntu <<>> @8.8.8.8 apple.com +norecurse
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22106
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;apple.com.            IN    A

;; ANSWER SECTION:
apple.com.      299    IN    A    17.253.144.10

;; Query time: 28 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Apr 07 09:51:46 IST 2021
;; MSG SIZE  rcvd: 54
```

## Non-Recursive
If the DNS server doesn't have a record for a particular domain, it doesn't make any query to other DNS servers.

```
v1g1lant3@backbox:~$ dig @8.8.8.8 a3h1nt.wordpress.com +norecurse

; <<>> DiG 9.16.1-Ubuntu <<>> @8.8.8.8 a3h1nt.wordpress.com +norecurse
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57789
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;a3h1nt.wordpress.com.            IN    A

;; Query time: 44 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Apr 07 09:52:00 IST 2021
;; MSG SIZE  rcvd: 49
```

In the first example the ANSWER count is 1, which means the domain name is cached; in the second one it is 0, which means it is not cached. Both queries were sent with +norecurse, so the resolver could only answer from what it already had in its cache.

Because of these two types of queries an attack vector arises, called DNS Cache Snooping, with which an attacker can find out which domains have been visited by the hosts using that particular DNS server. Another way to identify whether a domain name was cached is to analyze the TTL: a resolver counts a cached record's TTL down from the value it received, so the TTL of a cached record will be relatively low compared to that of a non-cached one.
--------------------------------------------------------------------------------
/xplain/forward_lookup_bruteforce.txt:
--------------------------------------------------------------------------------
## Forward Lookup Bruteforce | DNS Host Bruteforce
DNS host bruteforce is a technique that brute-forces common names of hosts via DNS queries and, based upon the response, tells whether the host exists or not.

## Working [ Target : microsoft.com ]
1. The program opens a wordlist of common hostnames.
2. Each hostname entry in the file is concatenated with the domain, for example auth.microsoft.com, database.microsoft.com, ftp.microsoft.com, etc.
3. Each of these generated domain names is requested from the DNS server.
4. If the DNS server responds to the client saying "auth at microsoft.com is a non-existent host", the host doesn't exist. If the DNS server responds saying "ftp at microsoft.com points to IP address A.B.C.D", the host exists. Based upon these responses we can enumerate other subdomains/hosts.

--------------------------------------------------------------------------------
/xplain/reverse_lookup_bruteforce.txt:
--------------------------------------------------------------------------------
## What are PTR records ?
PTR records are the type of DNS record that resolves an IP address to its corresponding hostname.

## Reverse DNS Lookup Bruteforce
Reverse DNS lookup bruteforce is only possible if the DNS server has PTR records. Here the attacker brute-forces the IP addresses of a range to enumerate hostnames that might not show up in a forward lookup bruteforce.
--------------------------------------------------------------------------------
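As an added defender-side example that is not part of the DNSrr project, the function below looks for the footprint that both the forward brute force and the reverse (PTR) brute force described above leave in resolver logs: one client collecting many NXDOMAIN answers for distinct names under the same parent zone, or under the same in-addr.arpa /24. The log layout, the sample traffic, the threshold and the function name `nxdomain_bursts` are all assumptions made for this example.

```shell
#!/bin/bash
# Flag clients that pile up NXDOMAIN answers under one zone: the footprint
# of forward (name.domain) and reverse (n.in-addr.arpa) lookup brute force.
# Log format is a constructed, simplified one:
#   <time> <client-ip> <qtype> <qname> <rcode>

# Constructed sample log (not real traffic): 10.0.0.5 sweeps example.com
# and the 192.0.2.0/24 PTR space, 10.0.0.9 is an ordinary client.
SAMPLE_LOG='12:00:01 10.0.0.5 A auth.example.com NXDOMAIN
12:00:01 10.0.0.5 A ftp.example.com NOERROR
12:00:02 10.0.0.5 A db1.example.com NXDOMAIN
12:00:02 10.0.0.5 A vpn.example.com NXDOMAIN
12:00:03 10.0.0.5 A git.example.com NXDOMAIN
12:00:03 10.0.0.5 A jira.example.com NXDOMAIN
12:00:04 10.0.0.5 A jira.example.com NXDOMAIN
12:00:05 10.0.0.9 A www.example.com NOERROR
12:00:05 10.0.0.9 A typo.example.com NXDOMAIN
12:00:06 10.0.0.5 PTR 1.2.0.192.in-addr.arpa NXDOMAIN
12:00:06 10.0.0.5 PTR 2.2.0.192.in-addr.arpa NXDOMAIN
12:00:07 10.0.0.5 PTR 3.2.0.192.in-addr.arpa NXDOMAIN
12:00:07 10.0.0.5 PTR 4.2.0.192.in-addr.arpa NOERROR
12:00:08 10.0.0.5 PTR 5.2.0.192.in-addr.arpa NXDOMAIN
12:00:08 10.0.0.5 PTR 6.2.0.192.in-addr.arpa NXDOMAIN'

# nxdomain_bursts [threshold]
# Reads log lines on stdin and prints "client zone count" for every
# (client, zone) pair with at least <threshold> distinct NXDOMAIN names
# (default 5). The zone is the query name minus its first label, so
# foo.example.com counts towards example.com and 1.2.0.192.in-addr.arpa
# towards 2.0.192.in-addr.arpa, i.e. the /24 being swept. Repeats of the
# same name are counted once so retries do not inflate the score.
nxdomain_bursts() {
    awk -v threshold="${1:-5}" '
        $5 == "NXDOMAIN" {
            zone = $4
            sub(/^[^.]+\./, "", zone)
            key = $2 " " zone
            if (!seen[key, $4]++) count[key]++
        }
        END {
            for (k in count)
                if (count[k] >= threshold) print k, count[k]
        }' | LC_ALL=C sort
}

printf '%s\n' "$SAMPLE_LOG" | nxdomain_bursts 5
# 10.0.0.5 2.0.192.in-addr.arpa 5
# 10.0.0.5 example.com 5
```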
/xplain/thanks.txt:
--------------------------------------------------------------------------------
Thanks for using this tool :)
--------------------------------------------------------------------------------
/xplain/zone_transfer.txt:
--------------------------------------------------------------------------------
## What is DNS Zone Transfer ?
DNS Zone Transfer is the process of a DNS server sharing its zone file with another DNS server. ( Also known as the DNS query AXFR )

*DNS ZONE TRANSFER USES TCP TO TRANSFER THE ZONE FILE*

This works as a client-server mechanism: the secondary server ( the server that wants the records ) sends a request to the primary DNS server, and the primary responds with the DNS zone file.

The zone transfer usually happens when you add a new server as a secondary DNS server; the new server needs the zone files to function properly, and the primary DNS server provides them through a zone transfer.

## Where does the vulnerability arise ?
The DNS zone transfer itself does not provide any authentication mechanism as to who can request the zone file. So literally anyone can ask the server for the zone file, which contains all the hosts for that particular domain and other information.

--------------------------------------------------------------------------------
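As an added example, not code from the DNSrr project, the two shell functions below parse dig's output for the checks described in cache_snooping.txt and zone_transfer.txt: `cache_status` reads the ANSWER count and the TTL from a +norecurse reply, and `axfr_status` reports whether a nameserver refused an AXFR or handed out the zone, which is what an administrator wants to see when auditing their own nameservers' transfer restrictions (BIND's allow-transfer, for instance). The function names and the dig replies are constructed for this example; the cache replies are modelled on the two outputs shown in cache_snooping.txt.

```shell
#!/bin/bash
# Classify dig output for the two checks instead of grepping for loose
# strings. Both functions read dig's text output on stdin.

# Number after "ANSWER:" in the ";; flags:" line, or 0 if no reply came.
dig_answer_count() {
    awk -F '[:,]' '/^;; flags:/ { print $5 + 0; found = 1 }
                   END { if (!found) print 0 }'
}

# Cache snooping: with +norecurse a cached name comes back with ANSWER >= 1
# and a TTL that is already counting down; an uncached one has ANSWER: 0.
# Prints "cached ttl=<ttl>" or "not-cached".
cache_status() {
    local out answers ttl
    out=$(cat)
    answers=$(printf '%s\n' "$out" | dig_answer_count)
    if [ "$answers" -gt 0 ]; then
        # First record below "ANSWER SECTION": name ttl class type data.
        ttl=$(printf '%s\n' "$out" | awk '/^;; ANSWER SECTION:/ { getline; print $2 }')
        echo "cached ttl=$ttl"
    else
        echo "not-cached"
    fi
}

# Zone transfer: "; Transfer failed." means the server refused the AXFR
# (its transfer restriction is doing its job); otherwise count the
# distinct resource records that were handed out.
axfr_status() {
    awk '/^; Transfer failed/ { failed = 1 }
         /^;/ || NF == 0 { next }
         $3 == "IN" && !seen[$0]++ { records++ }
         END { if (failed) print "refused"; else print "open " (records + 0) " records" }'
}

# Constructed samples (not captured from a live server); the cache replies
# mirror the two dig outputs shown in cache_snooping.txt.
CACHED_REPLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22106
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
apple.com.  299  IN  A  17.253.144.10'
UNCACHED_REPLY=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57789
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
OPEN_AXFR='example.com.      3600  IN  SOA  ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
example.com.      3600  IN  NS   ns1.example.com.
www.example.com.  300   IN  A    192.0.2.10
example.com.      3600  IN  SOA  ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600'
REFUSED_AXFR='; <<>> DiG 9.16.1 <<>> axfr @ns1.example.com example.com
; Transfer failed.'

printf '%s\n' "$CACHED_REPLY"   | cache_status   # cached ttl=299
printf '%s\n' "$UNCACHED_REPLY" | cache_status   # not-cached
printf '%s\n' "$OPEN_AXFR"      | axfr_status    # open 3 records
printf '%s\n' "$REFUSED_AXFR"   | axfr_status    # refused
```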