##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
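class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::DNS::Enumeration

  # Registers module metadata and the options that choose which DNS
  # enumeration techniques run. The DNS client's own timing/transport
  # options are deregistered and re-exposed as the advanced options
  # TIMEOUT, RETRY, RETRY_INTERVAL and TCP_DNS; #run copies them back
  # onto the client's datastore keys.
  #
  # @param info [Hash] module metadata merged into the defaults below
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'DNS Record Scanner and Enumerator',
        'Description' => %q{
          This module can be used to gather information about a domain from a
          given DNS server by performing various DNS queries such as zone
          transfers, reverse lookups, SRV record brute forcing, and other techniques.
        },
        'Author' => [
          'Carlos Perez <carlos_perez[at]darkoperator.com>',
          'Nixawk'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '1999-0532'],
          ['OSVDB', '492']
        ],
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('DOMAIN', [true, 'The target domain']),
        OptBool.new('ENUM_AXFR', [true, 'Initiate a zone transfer against each NS record', true]),
        OptBool.new('ENUM_BRT', [true, 'Brute force subdomains and hostnames via the supplied wordlist', false]),
        OptBool.new('ENUM_A', [true, 'Enumerate DNS A record', true]),
        OptBool.new('ENUM_CNAME', [true, 'Enumerate DNS CNAME record', true]),
        OptBool.new('ENUM_MX', [true, 'Enumerate DNS MX record', true]),
        OptBool.new('ENUM_NS', [true, 'Enumerate DNS NS record', true]),
        OptBool.new('ENUM_SOA', [true, 'Enumerate DNS SOA record', true]),
        OptBool.new('ENUM_TXT', [true, 'Enumerate DNS TXT record', true]),
        OptBool.new('ENUM_RVL', [true, 'Reverse lookup a range of IP addresses', false]),
        OptBool.new('ENUM_TLD', [true, 'Perform a TLD expansion by replacing the TLD with the IANA TLD list', false]),
        OptBool.new('ENUM_SRV', [true, 'Enumerate the most common SRV records', true]),
        OptBool.new('STOP_WLDCRD', [true, 'Stops bruteforce enumeration if wildcard resolution is detected', false]),
        # Optional here because it is only needed when ENUM_RVL is set;
        # #run checks the pair together.
        OptAddressRange.new('IPRANGE', [false, 'The target address range or CIDR identifier']),
        OptInt.new('THREADS', [false, 'Threads for ENUM_BRT', 1]),
        OptPath.new('WORDLIST', [false, 'Wordlist of subdomains', ::File.join(Msf::Config.data_directory, 'wordlists', 'namelist.txt')])
      ]
    )

    register_advanced_options(
      [
        OptInt.new('TIMEOUT', [false, 'DNS TIMEOUT', 8]),
        OptInt.new('RETRY', [false, 'Number of times to try to resolve a record if no response is received', 2]),
        OptInt.new('RETRY_INTERVAL', [false, 'Number of seconds to wait before doing a retry', 2]),
        OptBool.new('TCP_DNS', [false, 'Run queries over TCP', false])
      ]
    )
    # These are the DNS client's own option names; they are replaced by
    # the advanced options registered just above.
    deregister_options('DnsClientUdpTimeout', 'DnsClientRetry', 'DnsClientRetryInterval', 'DnsClientTcpDns')
  end

  # Runs every enumeration technique selected in the datastore against
  # DOMAIN, in this order: zone transfer (failures are printed, not
  # fatal), the individual record types, TLD expansion, SRV records,
  # reverse lookup of IPRANGE, then the wordlist brute force. The brute
  # force is skipped when a wildcard record is detected and STOP_WLDCRD
  # is set. The dns_* helpers are not defined in this file and are
  # presumably provided by the Enumeration mixin.
  #
  # Aborts via fail_with(Failure::BadConfig) when ENUM_RVL is set
  # without an IPRANGE, or when the resolver cannot be set up.
  def run
    # The advanced options stand in for the DNS client's deregistered
    # keys, so copy them across before the resolver reads them.
    datastore['DnsClientUdpTimeout'] = datastore['TIMEOUT']
    datastore['DnsClientRetry'] = datastore['RETRY']
    datastore['DnsClientRetryInterval'] = datastore['RETRY_INTERVAL']
    datastore['DnsClientTcpDns'] = datastore['TCP_DNS']

    # IPRANGE is optional at registration time; what dns_reverse does
    # with a nil range is not visible here, so reject the combination
    # before any network activity starts.
    iprange = datastore['IPRANGE']
    if datastore['ENUM_RVL'] && (iprange.nil? || iprange.to_s.strip.empty?)
      fail_with(Failure::BadConfig, 'ENUM_RVL is set but IPRANGE is empty')
    end

    begin
      setup_resolver
    rescue RuntimeError => e
      fail_with(Failure::BadConfig, "Resolver setup failed - exception: #{e}")
    end

    domain = datastore['DOMAIN']
    # Probed up front (before the ENUM_BRT check) so the result is
    # available for the brute-force decision at the end.
    is_wildcard = dns_wildcard_enabled?(domain)

    # All exceptions should be being handled by the library
    # but catching here as well, just in case.
    begin
      dns_axfr(domain) if datastore['ENUM_AXFR']
    rescue => e
      print_error("AXFR failed: #{e}")
    end

    dns_get_a(domain) if datastore['ENUM_A']
    dns_get_cname(domain) if datastore['ENUM_CNAME']
    dns_get_ns(domain) if datastore['ENUM_NS']
    dns_get_mx(domain) if datastore['ENUM_MX']
    dns_get_soa(domain) if datastore['ENUM_SOA']
    dns_get_txt(domain) if datastore['ENUM_TXT']
    dns_get_tld(domain) if datastore['ENUM_TLD']
    dns_get_srv(domain) if datastore['ENUM_SRV']

    threads = datastore['THREADS']
    dns_reverse(iprange, threads) if datastore['ENUM_RVL']

    return unless datastore['ENUM_BRT']

    # With a wildcard record every brute-forced name resolves, so the
    # results are noise unless the operator chose to continue anyway.
    return if is_wildcard && datastore['STOP_WLDCRD']

    dns_bruteforce(domain, datastore['WORDLIST'], threads)
  end

  # Stores the records gathered for a target as a note on the 'dns'
  # service; `update: :unique_data` is forwarded to report_note as-is.
  #
  # @param target [String] host the records were gathered for
  # @param type [String, Symbol] note type, passed straight to report_note
  # @param records [Array] records to store alongside the target
  # @return the value returned by report_note
  def save_note(target, type, records)
    data = { 'target' => target, 'records' => records }
    report_note(host: target, sname: 'dns', type: type, data: data, update: :unique_data)
  end
end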