Tools - DNSRecon
Alasta 27 Mars 2016 tools bash tools Linux Open Source Security shell dns collecte kali
Description : Nous allons utiliser DNSRecon pour de la collecte d'informations DNS.
Rappel :
Attention dans cet article l’outils est utilisé pour la recherche et l’apprentissage. Ce type d’outils ne doit pas être utilisé vers un serveur qui ne vous appartient pas, ceci peut être puni par la loi (voir les articles 323-XX).
Environnement de test :
Pour cela nous allons utiliser une VM tournant sur la distribution Kali. DNSRecon est installé de base sur Kali.
Utilisation :
La commande et ses options
root@kali:~# dnsrecon
Version: 0.8.8
Usage: dnsrecon.py <options>
Options:
-h, --help Show this help message and exit
-d, --domain <domain> Domain to Target for enumeration.
-r, --range <range> IP Range for reverse look-up brute force in formats (first-last)
or in (range/bitmask).
-n, --name_server <name> Domain server to use, if none is given the SOA of the
target will be used
-D, --dictionary <file> Dictionary file of sub-domain and hostnames to use for
brute force.
-f Filter out of Brute Force Domain lookup records that resolve to
the wildcard defined IP Address when saving records.
-t, --type <types> Specify the type of enumeration to perform:
std To Enumerate general record types, enumerates.
SOA, NS, A, AAAA, MX and SRV if AXRF on the
NS Servers fail.
rvl To Reverse Look Up a given CIDR IP range.
brt To Brute force Domains and Hosts using a given
dictionary.
srv To Enumerate common SRV Records for a given
domain.
axfr Test all NS Servers in a domain for misconfigured
zone transfers.
goo Perform Google search for sub-domains and hosts.
snoop To Perform a Cache Snooping against all NS
servers for a given domain, testing all with
file containing the domains, file given with -D
option.
tld Will remove the TLD of given domain and test against
all TLD's registered in IANA
zonewalk Will perform a DNSSEC Zone Walk using NSEC Records.
-a Perform AXFR with the standard enumeration.
-s Perform Reverse Look-up of ipv4 ranges in the SPF Record of the
targeted domain with the standard enumeration.
-g Perform Google enumeration with the standard enumeration.
-w Do deep whois record analysis and reverse look-up of IP
ranges found thru whois when doing standard query.
-z Performs a DNSSEC Zone Walk with the standard enumeration.
--threads <number> Number of threads to use in Range Reverse Look-up, Forward
Look-up Brute force and SRV Record Enumeration
--lifetime <number> Time to wait for a server to response to a query.
--db <file> SQLite 3 file to save found records.
--xml <file> XML File to save found records.
--iw Continua bruteforcing a domain even if a wildcard record resolution is
discovered.
-c, --csv <file> Comma separated value file.
-j, --json <file> JSON file.
-v Show attempts in the bruteforce modes.La commande par l’exemple
root@kali:~# dnsrecon -t std -d example.com
[*] Performing General Enumeration of Domain:
[*] DNSSEC is configured for example.com
[*] DNSKEYs:
[*] NSEC ZSK RSASHA256 03010001963ba957655b761dac86aebe ee9bc4f388a7a6bbbfcaaebc103083aa f345ab8585031b5f2a32c8551267b95a 7d459751c6683d972979f67a718d7fa1
[*] NSEC KSk RSASHA256 03010001b38503197e2e4b7450c82566 2cca102d40c54bbcce58fae4a61ab51e 7005632b875f136332bf8a0e98d6de58 4d608eebc6f29e8ae9
[*] SOA sns.dns.icann.org 199.4.28.26
[*] NS b.iana-servers.net 199.43.133.53
[*] Bind Version for 199.43.133.53 9.9.7-P2
[*] NS b.iana-servers.net 2001:500:8d::53
[*] Bind Version for 2001:500:8d::53 9.9.7-P2
[*] NS a.iana-servers.net 199.43.132.53
[*] Bind Version for 199.43.132.53 host
[*] NS a.iana-servers.net 2001:500:8c::53
[*] Bind Version for 2001:500:8c::53 host
[-] Could not Resolve MX Records for example.com
[*] A example.com 93.184.216.34
[*] AAAA example.com 2606:2800:220:1:248:1893:25c8:1946
[*] TXT example.com $Id: example.com 4415 2015-08-24 20:12:23Z davids $
[*] TXT example.com v=spf1 -all
[*] Enumerating SRV Records
[-] No SRV Records Found for example.com
[*] 0 Records FoundOn demande à DNSRecon de rechercher les enregistrements de type standard (SOA, A, NS, AAA, MX, SRV) pour le domaine example.com.
Par brute force
Le brute force fonctionne avec un fichier contenant les hostnames.
root@kali:~# echo "www" > enreg.txt
root@kali:~# dnsrecon -d example.com -t brt -D enreg.txt
[*] Performing host and subdomain brute force against example.com
[*] A www.example.com 93.184.216.34
[*] AAAA www.example.com 2606:2800:220:1:248:1893:25c8:1946
[*] 2 Records FoundSortie de commande dans une base SQL3
root@kali:~# dnsrecon -d example.com -t brt -D enreg.txt --db sql3
[*] Performing host and subdomain brute force against example.com
[*] A www.example.com 93.184.216.34
[*] AAAA www.example.com 2606:2800:220:1:248:1893:25c8:1946
[*] 2 Records Found
[*] Saving records to SQLite3 file: sql3
root@kali:~# sqlite3 sql3
SQLite version 3.7.16.2 2013-04-12 11:52:43
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .tables
data
sqlite> SELECT * FROM data;
1|A|www.example.com|93.184.216.34||||
2|AAAA|www.example.com|2606:2800:220:1:248:1893:25c8:1946||||
sqlite>Test les transferts de zone
root@kali:~# dnsrecon -d example.com -a
[*] Performing General Enumeration of Domain: example.com
[*] Checking for Zone Transfer for example.com name servers
[*] Resolving SOA Record
[*] SOA sns.dns.icann.org 199.4.28.26
[*] Resolving NS Records
[*] NS Servers found:
[*] NS a.iana-servers.net 199.43.132.53
[*] NS a.iana-servers.net 2001:500:8c::53
[*] NS b.iana-servers.net 199.43.133.53
[*] NS b.iana-servers.net 2001:500:8d::53
[*] Removing any duplicate NS server IP Addresses...
[*]
[*] Trying NS server 199.4.28.26
[*] 199.4.28.26 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-]
[*]
[*] Trying NS server 199.43.133.53
[*] 199.43.133.53 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-]
[*]
[*] Trying NS server 199.43.132.53
[*] 199.43.132.53 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-]
[*]
[*] Trying NS server 2001:500:8d::53
[-] Zone Transfer Failed for 2001:500:8d::53!
[-] Port 53 TCP is being filtered
[*]
[*] Trying NS server 2001:500:8c::53
[-] Zone Transfer Failed for 2001:500:8c::53!
[-] Port 53 TCP is being filtered
[*] Checking for Zone Transfer for example.com name servers
[*] Resolving SOA Record
[*] SOA sns.dns.icann.org 199.4.28.26
[*] Resolving NS Records
[*] NS Servers found:
[*] NS a.iana-servers.net 199.43.132.53
[*] NS a.iana-servers.net 2001:500:8c::53
[*] NS b.iana-servers.net 199.43.133.53
[*] NS b.iana-servers.net 2001:500:8d::53
[*] Removing any duplicate NS server IP Addresses...
[*]
[*] Trying NS server 199.4.28.26
[*] 199.4.28.26 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-]
[*]
[*] Trying NS server 199.43.133.53
[*] 199.43.133.53 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-]
[*]
[*] Trying NS server 199.43.132.53
[*] 199.43.132.53 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-]
[*]
[*] Trying NS server 2001:500:8d::53
[-] Zone Transfer Failed for 2001:500:8d::53!
[-] Port 53 TCP is being filtered
[*]
[*] Trying NS server 2001:500:8c::53
[-] Zone Transfer Failed for 2001:500:8c::53!
[-] Port 53 TCP is being filtered
[*] DNSSEC is configured for example.com
[*] DNSKEYs:
[*] NSEC KSk RSASHA256 03010001b38503197e2e4b7450c82566 2cca102d40c54bbcce58fae4a61ab51e 7005632b875f136332bf8a0e98d6de58 4d608eebc6f29e8ae936ef5fa8d1402d 7edb565f7f8326c0d2fd04845f9d8179 a851f457ee4b0c1a006fb5f6b6fd8f5a de495734baa44eccc84383c43150a3b6 bca5d7d05ef7f3e415e0bd2138e03114 2c421981dfd7b23189da97e7f76d4c4a 9387eaedcb8453475b469b9ee07fcdea 33ee71758ec22300913261821aa0cbea 3d15f229fad47f7a629aa3de3fc29557 0dc3dfe41d7c8fbc73d92bd34f18aea8 2cc232db319e29191dca21d63e20f98d 41f3320c22fac433ea591a187f62e7f8 47008181a6028bd86988c595bd2e1607 3c74fe55
[*] NSEC ZSK RSASHA256 03010001963ba957655b761dac86aebe ee9bc4f388a7a6bbbfcaaebc103083aa f345ab8585031b5f2a32c8551267b95a 7d459751c6683d972979f67a718d7fa1 c76fbf349cae43d265c9558dd5792c3c 0fbd213af4b99fb7face8491e2e80f06 2b374506aba404fb2be5c01d2a5518b1 0a615f734b363b3128263d01919e20fc fdc9cf7f1badd7
[*] SOA sns.dns.icann.org 199.4.28.26
[*] NS b.iana-servers.net 199.43.133.53
[*] Bind Version for 199.43.133.53 9.9.7-P2
[*] NS b.iana-servers.net 2001:500:8d::53
[*] Bind Version for 2001:500:8d::53 9.9.7-P2
[*] NS a.iana-servers.net 199.43.132.53
[*] Bind Version for 199.43.132.53 host
[*] NS a.iana-servers.net 2001:500:8c::53
[*] Bind Version for 2001:500:8c::53 host
[-] Could not Resolve MX Records for example.com
[*] A example.com 93.184.216.34
[*] AAAA example.com 2606:2800:220:1:248:1893:25c8:1946
[*] TXT example.com v=spf1 -all
[*] TXT example.com $Id: example.com 4415 2015-08-24 20:12:23Z davids $
[*] Enumerating SRV Records
[-] No SRV Records Found for example.com
[*] 0 Records FoundNote:
Cela ne ressort pas dans mes sorties d’écran, mais les débuts de lignes entre crochets ont un code couleurs :
: c’est un texte standard de l’outils.
[\*]: Check OK.
[-]: Check KO.
Reverse lookup
Fait des requêtes de type PTR sur un range d’adresses IP.
root@kali:~# dnsrecon -r 212.27.32.5-212.27.32.10
[*] Reverse Look-up of a Range
[*] Performing Reverse Lookup from 212.27.32.5 to 212.27.32.10
[*] PTR pchd1-g14.proxad.net 212.27.32.7
[*] PTR dnscache-1.proxad.net 212.27.32.5
[*] PTR cdr7-g15.proxad.net 212.27.32.8
[*] PTR dnscache-1.proxad.net 212.27.32.6
[*] 4 Records FoundZonewalk
Essaie de faire une énumération des enregistrements du domaine si celui-ci est mal configuré.
root@kali:~# dnsrecon -d example.com -t zonewalk
[*] Performing NSEC Zone Walk for example.com
[*] Getting SOA record for example.com
[*] Name Server 199.4.28.26 will be used
[*] A example.com 93.184.216.34
[*] AAAA example.com 2606:2800:220:1:248:1893:25c8:1946
[*] 2 records foundCheck les TLD
root@kali:~# dnsrecon -d example.com -t tld
[*] Performing TLD Brute force Enumeration against example.com
[*] The operation could take up to: 00:01:06
[*] A example.biz.af 103.56.100.33
[*] A example.am 50.87.153.245
[*] A example.com.ar 200.58.122.126
[*] A example.as 199.73.55.35
[*] A example.co.at 78.142.141.40
[*] A example.biz.at 78.46.90.98
[*] A example.com.au 98.124.245.24
[*] A example.net.au 192.185.159.145
[*] A example.co.ba 176.9.45.78
--SNiP--C’est ni plus ni moins qu’une recherche de disponibilité de domaine.