├── massns.sh
└── README.md

/massns.sh:
--------------------------------------------------------------------------------

```bash
#!/usr/bin/env bash
# massns.sh
# $1 - domain whose authoritative nameservers are to be found out
# $2 - target domain list: subdomains of the target, one per line

# All working files live under ~/massNS/<domain>/. The original created the
# directory under /root but wrote everywhere else to ~; one path (and -p) keeps
# the script working for non-root users and on repeated runs.
mkdir -p ~/massNS/"$1"/
touch ~/massNS/"$1"/"$1"_ns_ip.txt
touch ~/massNS/"$1"/"$1"_ns.txt
touch ~/massNS/"$1"/"$1"_op.txt
touch ~/massNS/"$1"/"$1"_op_cname.txt
touch ~/massNS/"$1"/"$1"_ns_cidr.txt

# Authoritative nameserver hostnames of $1 (trailing dot stripped), then their IPs
getNS () {
    host -t ns "$1" | awk '{ print $(NF) }' | sed 's/\.$//' > ~/massNS/"$1"/"$1"_ns.txt
    toIP "$1"
}

# Resolve each nameserver hostname to its A record
toIP () {
    while IFS= read -r line
    do
        host -t A "$line" | awk '{print $(NF)}' >> ~/massNS/"$1"/"$1"_ns_ip.txt
    done < ~/massNS/"$1"/"$1"_ns.txt
}

# Derive a network range for each nameserver IP. ipcalc is called without a
# mask, so it falls back to the classful default; that is what turns a single
# nameserver address into a provider-sized range.
toCIDR () {
    while IFS= read -r line
    do
        ipcalc "$line" | awk '{print $2}' | grep / >> ~/massNS/"$1"/"$1"_ns_cidr.txt
    done < ~/massNS/"$1"/"$1"_ns_ip.txt

    # filter awsdns ip ranges (awsdns refuses these queries, see README "Exceptions")
    sed -i '/^205/d' ~/massNS/"$1"/"$1"_ns_cidr.txt
}

# Probe the collected ranges for hosts answering on port 53
getActive () {
    #run masscan
    masscan -iL ~/massNS/"$1"/"$1"_ns_cidr.txt -p 53 --rate=1000 | awk '{print $(NF)}' > ~/massNS/"$1"/"$1"_resolvers.txt
}

# Resolve the target list through the discovered servers with massdns (JSON output)
resolve () {
    #interlace -pL ~/massNS/$1/$1_resolvers_used.txt -tL $2 -o ~/massNS/$1/$1_op.txt -threads 5 -c "nslookup _target_ _proxy_ >> _output_" -v
    massdns -r ~/massNS/"$1"/"$1"_resolvers.txt -o J -t A -q --flush "$2" | jq -r '.' > ~/massNS/"$1"/"$1"_op.txt
}

echo "Starting..."
echo "----------------------------"
echo "Fetching the authoritative nameservers of $1"
echo "---"
getNS "$1"
echo "The authoritative nameservers of $1 are :"
cat ~/massNS/"$1"/"$1"_ns_ip.txt
echo "----------------------------"
echo "Fetching CIDR of the different nameserver providers involved"
echo "----------------------------"
toCIDR "$1"
echo "The CIDRs involved are :"
cat ~/massNS/"$1"/"$1"_ns_cidr.txt
echo "----------------------------"
echo "Probing for active DNS servers in the listed CIDR / IP range"
getActive "$1"
echo "----"
echo "Active resolvers are :"
echo "----------------------------"
cat ~/massNS/"$1"/"$1"_resolvers.txt
echo "-----------------------------"
#echo "Total Number of Resolvers : $(wc -l < ~/massNS/$1/$1_resolvers.txt)"
#echo "Randomly Picking resolvers to be used with the target list at $2"
#resolvers $1 $2
echo "----"
echo "Resolving target list using massdns"
echo "------------------------------"
resolve "$1" "$2"
echo "All done!"
echo "------------------------------"
echo "Results : "
echo "-------------------------------------"
# Earlier nslookup-based post-processing, kept for reference:
#cat ~/massNS/$1/$1_op.txt | grep -E "^(Name|Address)" > ~/massNS/$1/$1_tmp.txt
#grep -v -f ~/massNS/$1/$1_resolvers_used.txt ~/massNS/$1/$1_tmp.txt > ~/massNS/$1/$1_op_success.txt
#column -x ~/massNS/$1/$1_op_success.txt
#make a file for canonical name entries
#cat ~/massNS/$1/$1_op.txt | grep canonical > ~/massNS/$1/$1_op_cname.txt
#dig could also be used only for ips

# full JSON output
jq . ~/massNS/"$1"/"$1"_op.txt
echo "---------------------------------"

# only A records / only CNAME records (one line per record)
jq -r 'if .resp_type == "A" then .data else empty end' ~/massNS/"$1"/"$1"_op.txt > ~/massNS/"$1"/"$1"_op_ip.txt
jq -r 'if .resp_type == "CNAME" then .data else empty end' ~/massNS/"$1"/"$1"_op.txt > ~/massNS/"$1"/"$1"_op_cname.txt
echo "The resolved IP addresses are : "
echo "-----------------------------------"
#cat ~/massNS/$1/$1_op_success.txt | grep -E "Address" | awk '{print $2}' > ~/massNS/$1/$1_op_success_ip.txt
cat ~/massNS/"$1"/"$1"_op_ip.txt
echo "-------------------------------"
echo "Stats"
echo "-------------------------------"
echo "[*] Resolvers obtained and used : $(wc -l < ~/massNS/"$1"/"$1"_resolvers.txt)"
echo "[*] Target list had $(wc -l < "$2") domains"
echo "[*] A records obtained : $(wc -l < ~/massNS/"$1"/"$1"_op_ip.txt)"
echo "[*] CNAME records obtained : $(wc -l < ~/massNS/"$1"/"$1"_op_cname.txt)"
echo "--------------------------------"
echo "Output Files :"
echo "--------------------------------"
echo "[*] Resolved IP addresses : ~/massNS/$1/$1_op_ip.txt"
echo "[*] Generic JSON format output : ~/massNS/$1/$1_op.txt"
echo "[*] DNS provider CIDR ranges that were probed : ~/massNS/$1/$1_ns_cidr.txt"
echo "---------------------------------"
```
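The tail of the script splits the massdns JSON into A and CNAME files with jq and then counts lines, which counts records rather than domains (a name with two A records is counted twice, and the A record that follows a CNAME is credited to nobody in particular). The following is an added Python example, not code from the massNS repository (which is shell plus jq): it parses the same `-o J` output, accepting both the flat `resp_type`/`data` layout the script's jq filters assume and the nested `data.answers[]` layout that later massdns releases emit, tolerates the pretty-printed form the script writes via `jq -r '.'`, skips non-JSON lines instead of aborting, attributes every answer to the queried name, and counts records and distinct domains separately. The sample output embedded below is constructed, not captured from a real run.

```python
import json
from collections import defaultdict

# Constructed sample of massdns "-o J" output: flat per-record objects (the layout
# massns.sh's jq filters expect), one garbage line, and one pretty-printed object in
# the nested layout of later massdns releases. Names and addresses are documentation
# values, not real hosts.
SAMPLE_TEXT = """\
{"query_name":"www.target.example.","query_type":"A","resp_name":"www.target.example.","resp_type":"CNAME","data":"edge.cdn.example."}
{"query_name":"www.target.example.","query_type":"A","resp_name":"edge.cdn.example.","resp_type":"A","data":"203.0.113.10"}
{"query_name":"api.target.example.","query_type":"A","resp_name":"api.target.example.","resp_type":"A","data":"203.0.113.20"}
{"query_name":"api.target.example.","query_type":"A","resp_name":"api.target.example.","resp_type":"A","data":"203.0.113.21"}
{"query_name":"api.target.example.","query_type":"A","resp_name":"api.target.example.","resp_type":"A","data":"203.0.113.20"}
a line of garbage that is not JSON
{
  "name": "mail.target.example.",
  "type": "A",
  "class": "IN",
  "status": "NOERROR",
  "data": {
    "answers": [
      {"ttl": 300, "type": "A", "class": "IN", "name": "mail.target.example.", "data": "203.0.113.30"},
      {"ttl": 300, "type": "AAAA", "class": "IN", "name": "mail.target.example.", "data": "2001:db8::30"}
    ]
  },
  "resolver": "203.0.113.53:53"
}
"""


def iter_json_objects(text):
    """Yield successive JSON values from a stream, compact or pretty-printed.

    raw_decode parses one value starting at `pos`; on a decode error the rest of
    that line is skipped so one corrupt line does not discard the whole file.
    """
    dec = json.JSONDecoder()
    pos, n = 0, len(text)
    while pos < n:
        while pos < n and text[pos].isspace():
            pos += 1
        if pos >= n:
            break
        try:
            obj, end = dec.raw_decode(text, pos)
        except ValueError:
            nl = text.find("\n", pos)
            pos = n if nl == -1 else nl + 1
            continue
        pos = end
        yield obj


def _strip_dot(name):
    return name.rstrip(".")


def iter_records(text):
    """Yield (queried_domain, record_type, rdata) for both massdns JSON layouts."""
    for obj in iter_json_objects(text):
        if not isinstance(obj, dict):
            continue
        if "resp_type" in obj:  # flat layout: one object per answer record
            yield _strip_dot(obj.get("query_name", "")), obj["resp_type"], _strip_dot(str(obj.get("data", "")))
        elif isinstance(obj.get("data"), dict):  # nested layout: one object per query
            qname = _strip_dot(obj.get("name", ""))
            for ans in obj["data"].get("answers", []):
                yield qname, ans.get("type", ""), _strip_dot(str(ans.get("data", "")))


def split_records(text):
    """Return {record_type: {queried_domain: [rdata, ...]}} with duplicates removed."""
    by_type = defaultdict(lambda: defaultdict(list))
    for domain, rtype, rdata in iter_records(text):
        if rdata not in by_type[rtype][domain]:
            by_type[rtype][domain].append(rdata)
    return {rtype: dict(per_domain) for rtype, per_domain in by_type.items()}


def stats(text):
    """Per record type: how many records, and how many distinct domains they cover."""
    return {
        rtype: {"records": sum(len(v) for v in per_domain.values()), "domains": len(per_domain)}
        for rtype, per_domain in split_records(text).items()
    }


if __name__ == "__main__":
    # Against the constructed sample: 4 A records over 3 domains, 1 CNAME, 1 AAAA.
    print(json.dumps(stats(SAMPLE_TEXT), indent=2))
```

To use it on a real run, read `~/massNS/<domain>/<domain>_op.txt` into a string and pass it to `stats` or `split_records`; because the parser consumes a JSON stream rather than lines, it works whether or not the output has been through `jq -r '.'`.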
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------

# This repo is more of me sharing an idea with everyone. Head over to [bass](https://github.com/Abss0x7tbh/bass) for the finished tool :)

# massNS

A tool that turns the authoritative nameservers of DNS providers into resolvers and resolves the target domain list. As of now the tool only resolves the A record for the list of domains.

# Why Authoritative Nameservers?

- They are always reliable and always up!
- Sometimes the public DNS resolvers would sprout up junk records. Authoritative nameservers would never do that.
- Every DNS server is rate-limited. They have to be. Hence we need numbers on our side. This tool tries to do just that by poking at the DNS provider's infrastructure and asking a whole lot of active authoritative DNS servers to resolve one of their clients (our target).

**This is more of a Proof Of Concept turned into a tool.**

Let me know what your tests show and what issues you run into. Is this a viable approach? Can something more be done?

# Basic Idea

The idea behind this tool is a product of observing how an authoritative nameserver of `TARGET1` would also resolve `TARGET2`, provided both belonged to the same DNS provider. So for a `TARGET` we could collect a large set of authoritative nameservers and use them as resolvers instead of the public DNS resolvers.

**Proof**

1. Fetch `bugcrowd.com` nameservers

```
$ host -t ns bugcrowd.com
bugcrowd.com name server edna.ns.cloudflare.com.
bugcrowd.com name server lee.ns.cloudflare.com.
```

2. Fetch `upserve.com` nameservers

```
$ host -t ns upserve.com
upserve.com name server ulla.ns.cloudflare.com.
upserve.com name server jay.ns.cloudflare.com.
```

3. Resolve `bugcrowd.com` using upserve's nameserver `jay.ns.cloudflare.com`

```
$ nslookup bugcrowd.com jay.ns.cloudflare.com
Server:         jay.ns.cloudflare.com
Address:        173.245.59.123#53

Name:   bugcrowd.com
Address: 104.20.5.239
Name:   bugcrowd.com
Address: 104.20.4.239
Name:   bugcrowd.com
Address: 2606:4700:10::6814:5ef
Name:   bugcrowd.com
Address: 2606:4700:10::6814:4ef
```

4. Resolve `docs.bugcrowd.com` using upserve's nameserver `jay.ns.cloudflare.com`

```
$ nslookup docs.bugcrowd.com jay.ns.cloudflare.com
Server:         jay.ns.cloudflare.com
Address:        173.245.59.123#53

Name:   docs.bugcrowd.com
Address: 104.20.5.239
Name:   docs.bugcrowd.com
Address: 104.20.4.239
Name:   docs.bugcrowd.com
Address: 2606:4700:10::6814:5ef
Name:   docs.bugcrowd.com
Address: 2606:4700:10::6814:4ef
```

5. Repeating the same for `upserve.com`: resolving `upserve.com` using bugcrowd's nameserver `edna.ns.cloudflare.com`

```
$ nslookup upserve.com edna.ns.cloudflare.com
Server:         edna.ns.cloudflare.com
Address:        173.245.58.109#53

Name:   upserve.com
Address: 35.221.46.9
```

# Observation

As seen above, *authoritative nameservers aren't tied down to their specific domain names*, so we could leverage the way these DNS providers are configured: probe the IP range of the respective DNS provider, grab all the active DNS servers in that range, and use them as resolvers against our target list. All these servers would answer authoritatively due to their configuration, as observed.
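The Observation rests on two bits in the DNS message header: an authoritative nameserver sets the AA flag in its answer, while a server that will not serve a zone it does not host replies with RCODE REFUSED (the case the Exceptions section below describes), and a public recursive resolver sets RA instead of AA. The following is an added Python example, not part of the massNS repository (whose own checks use `host` and `nslookup`): it decodes the 12-byte DNS header (RFC 1035 section 4.1.1), classifies a response as authoritative, refused or recursive, and can build the matching query packet. The four sample responses are constructed in-line, so the block runs offline.

```python
import struct

# Header layout (RFC 1035 s4.1.1): ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT, all 16-bit.
# FLAGS: QR(1) OPCODE(4) AA(1) TC(1) RD(1) RA(1) Z(3) RCODE(4), most significant bit first.
_QR, _AA, _TC, _RD, _RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def parse_header(msg: bytes) -> dict:
    """Decode the fixed DNS header of a query or response into named fields."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header: %d bytes" % len(msg))
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & _QR),
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & _AA),
        "tc": bool(flags & _TC),
        "rd": bool(flags & _RD),
        "ra": bool(flags & _RA),
        "rcode": RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(msg: bytes) -> str:
    """Label a response the way the README's nslookup checks read it."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] == "REFUSED":          # server will not answer for this zone (Exceptions)
        return "refused"
    if h["aa"]:                          # server is authoritative for the name (Observation)
        return "authoritative" if h["rcode"] == "NOERROR" else "authoritative-" + h["rcode"].lower()
    if h["ra"]:                          # a recursive resolver answered, not an authority
        return "recursive"
    return "other-" + h["rcode"].lower()


def build_query(name: str, qtype: int = 1, ident: int = 0x1234) -> bytes:
    """Encode a single-question DNS query (qtype 1 = A) with RD set, as nslookup does."""
    header = struct.pack("!HHHHHH", ident, _RD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def build_response(ident: int, *, aa=False, rd=False, ra=False, rcode=0, ancount=0) -> bytes:
    """Constructed response header only (no question or answer sections), for the samples."""
    flags = _QR | (_AA if aa else 0) | (_RD if rd else 0) | (_RA if ra else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", ident, flags, 1, ancount, 0, 0)


# Constructed sample responses covering the cases the README describes.
SAMPLES = {
    "authoritative answer": build_response(0x1234, aa=True, rd=True, ancount=2),
    "refused": build_response(0x1234, rd=True, rcode=5),
    "public resolver": build_response(0x1234, rd=True, ra=True, ancount=1),
    "authoritative nxdomain": build_response(0x1234, aa=True, rd=True, rcode=3),
}


def classify_samples() -> dict:
    return {label: classify(msg) for label, msg in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in classify_samples().items():
        print("%-24s -> %s" % (label, verdict))
```

Sending `build_query("bugcrowd.com")` over UDP to port 53 of a nameserver you are entitled to test and passing the reply to `classify` reproduces the Proof section's nslookup checks without parsing human-readable output; the same header decode is what a monitoring check would use to confirm that your own authoritative servers still answer with AA for the zones they host.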

# Requirements

- ipcalc

```
$ sudo apt-get install ipcalc
```

- [massdns](https://github.com/blechschmidt/massdns)
- [jq](https://stedolan.github.io/jq/download/)
- masscan

# Tool Usage

```
$ cd massNS
$ chmod +x massns.sh
$ ./massns.sh target.com /path/to/target/domains
```

# Output

- Generic output

![domains & IPs](https://user-images.githubusercontent.com/32202226/65171312-78268d80-da42-11e9-818c-96e1d96a749a.png)

- Only IP addresses

![only IPs](https://user-images.githubusercontent.com/32202226/65171313-78268d80-da42-11e9-8059-2bc3367ddd6b.png)

- Stats at the end!

![stats](https://user-images.githubusercontent.com/32202226/65171311-778df700-da42-11e9-9310-7f323a66a311.png)

# Exceptions

- `awsdns` seems to not allow this.
- Custom nameservers like the ones employed by Twitter (twtrdns.net), Facebook etc. They might be hosted on services like Amazon, which would straight up `REFUSE`.

# DNS Providers

DNS providers that allow this are:

- `*.ns.cloudflare.com`
- `*.*.dynect.com/net`
- `*.ultradns.net/org/biz/com`
- `dnsimple`

and a lot more to be found.

As of now the above DNS providers are found to be allowing this. Make sure your target employs at least one of these. To find that out:

```
host -t ns target.com | grep 'ns\.cloudflare\|dynect\|dnsimple\|ultradns'
```

# Test Case

Against PayPal the tool could gather `698` authoritative nameservers turned resolvers, a combination of DNS servers from both `dynect` & `ultradns`, as PayPal employs them.

# Thanks

Kudos to [Patrik Hudak](https://twitter.com/0xpatrik) for some good suggestions and help.

**P.S.**: This is purely experimental. Please do share what you think of this approach. Thanks!

--------------------------------------------------------------------------------