def start(self, domain, domain_type, level): super(dnszonetransfer, self).start(domain, domain_type, level) try: resolver = DnsHelper(domain) mx_list = resolver.get_mx() soa_list = resolver.get_soa() # issue#28: 放弃dns插件中txt记录的数据,这部分数据不能保证一定是关联IP # txt_list = resolver.get_txt() # spf_list = resolver.get_spf() transfer_list = resolver.zone_transfer() except: pass else: record_lists = [mx_list, soa_list, txt_list] domains = [] ips = [] for record_list in record_lists: if record_list: for record in record_list: domains.append(record[1]) if len(record) >= 3: ips.append(record[2]) if transfer_list: for record in transfer_list: if 'zone_server' in record: ips.append(record['zone_server']) if 'name' in record: dns_domain = record['name'] elif 'mname' in record: dns_domain = record['mname'] elif 'target' in record: dns_domain = record['target'] else: dns_domain = '' if dns_domain: domains.append(dns_domain) if 'adderss' in record: ips.append(record['address']) else: ips.append(record['ns_server']) ips = list(set(ips)) domains = list(set(domains)) if domains or ips: self.result = { 'root_domain': [], 'ip': ips, 'domain': domains, } super(dnszonetransfer, self).end() return self.result
def main(): # # Option Variables # returned_records = [] domain = None ns_server = None output_file = None dict = None type = None xfr = None goo = None spf_enum = None do_whois = None thread_num = 10 request_timeout = 3.0 ip_list = [] ip_range = None ip_range_pattern ='([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})-([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' results_db = None from_zt = None # # Global Vars # global pool # # Define options # try: options, remainder = getopt.getopt(sys.argv[1:], 'hd:c:n:x:D:t:xq:gwr:s', ['help', 'domain=', 'cidr=', 'name_server=', 'xml=', 'dictionary=', 'type=', 'axfr', 'google', 'do_whois', 'range=', 'do_spf', 'lifetime=', 'threads=', 'db=']) except getopt.GetoptError: print "[-] Wrong Option Provided!" usage() # # Parse options # for opt, arg in options: if opt in ('-t','--type'): type = arg elif opt in ('-d','--domain'): domain = arg elif opt in ('-c','--cidr'): ip_list.extend(expand_cidr(arg)) elif opt in ('-n','--name_server'): ns_server = arg elif opt in ('-x','--xml'): output_file = arg elif opt in ('-D','--dictionary'): #Check if the dictionary file exists if os.path.isfile(arg): dict = arg else: print "[-] File",arg,"does not exist!" exit(1) elif opt in ('-x','--axfr'): xfr = True elif opt in ('-g','--google'): goo = True elif opt in ('-w','--do_whois'): do_whois = True elif opt in ('-s','--do_spf'): spf_enum = True elif opt in ('-r','--range'): ip_range = re.findall(ip_range_pattern,arg) try: ip_list.extend(expand_range(ip_range[0][0],ip_range[0][1])) except: print "[-] Make sure that you specified <start IP>-<end IP> with no spaces." sys.exit(1) elif opt in ('--theads'): thread_num = int(arg) elif opt in ('--lifetime'): request_timeout = float(arg) elif opt in ('--db'): results_db = arg elif opt in ('-h'): usage() # Setting the number of threads to 10 pool = ThreadPool(thread_num) # Set the resolver res = DnsHelper(domain, ns_server, request_timeout) if type is not None: for r in type.split(','): try: if r == 'axfr': if domain is not None: print '[*] Testing NS Servers for Zone Transfer' returned_records.extend(res.zone_transfer()) from_zt = True else: print '[-] No Domain to target specified!' sys.exit(1) elif r == 'std': if domain is not None: print "[*] Performing General Enumeration of Domain:",domain std_enum_records = general_enum(res, domain, xfr, goo,\ spf_enum, do_whois, output_file, results_db) if (output_file is not None) or (results_db is not None): returned_records.extend(std_enum_records) else: print '[-] No Domain to target specified!' sys.exit(1) elif r == 'rvl': if len(ip_list) > 0: print '[*] Reverse Look-up of a Range' rvl_enum_records = brute_reverse(res, ip_list) if (output_file is not None) or (results_db is not None): returned_records.extend(rvl_enum_records) else: print '[-] Failed CIDR or Range is Required for type rvl' elif r == 'brt': if (dict is not None) and (domain is not None): print '[*] Performing host and subdomain brute force against', \ domain brt_enum_records = brute_domain(res, dict, domain) if (output_file is not None) or (results_db is not None): returned_records.extend(brt_enum_records) else: print '[-] No Dictionary file specified!' sys.exit(1) elif r == 'srv': if domain is not None: print '[*] Enumerating Common SRV Records against', \ domain srv_enum_records = brute_srv(res, domain) if (output_file is not None) or (results_db is not None): returned_records.extend(srv_enum_records) else: print '[-] No Domain to target specified!' sys.exit(1) elif r == 'mdns': print '[*] Enumerating most common mDNS Records on Subnet' mdns_enum_records = mdns_enum() if (output_file is not None) or (results_db is not None): returned_records.extend(mdns_enum_records) elif r == 'tld': if domain is not None: print "[*] Performing TLD Brute force Enumeration against", domain tld_enum_records = brute_tlds(res, domain) if (output_file is not None) or (results_db is not None): returned_records.extend(tld_enum_records) else: print '[-] No Domain to target specified!' sys.exit(1) elif r == 'goo': if domain is not None: print "[*] Performing Google Search Enumeration against", domain goo_enum_records = goo_result_process(res, scrape_google(domain)) if (output_file is not None) or (results_db is not None): returned_records.extend(goo_enum_records) else: print '[-] No Domain to target specified!' sys.exit(1) elif r == "snoop": if (dict is not None) and (ns_server is not None): print "[*] Performing Cache Snooping against NS Server:", ns_server cache_enum_records = in_cache(dict,ns_server) if (output_file is not None) or (results_db is not None): returned_records.extend(cache_enum_records) else: print '[-] No Domain or Name Server to target specified!' sys.exit(1) else: print "[-] This type of scan is not in the list", r usage() except dns.resolver.NXDOMAIN: print "[-] Could not resolve domain:",domain sys.exit(1) except dns.exception.Timeout: print "[-] A timeout error occurred please make sure you can reach the target DNS Servers" print "[-] directly and requests are not being filtered. Increase the timeout from 1.0 second" print "[-] to a higher number with --lifetime <time> option." sys.exit(1) # if an output xml file is specified it will write returned results. if (output_file is not None): xml_enum_doc = dns_record_from_dict(returned_records) write_to_file(xml_enum_doc,output_file) # if an output db file is specified it will write returned results. if (results_db is not None): create_db(results_db) write_db(results_db,returned_records) sys.exit(0) elif domain is not None: try: print "[*] Performing General Enumeration of Domain:",domain std_enum_records = general_enum(res, domain, xfr, goo,\ spf_enum, do_whois, output_file, results_db) if (output_file is not None): returned_records.extend(std_enum_records) # if an output xml file is specified it will write returned results. if (output_file is not None): xml_enum_doc = dns_record_from_dict(returned_records) write_to_file(xml_enum_doc,output_file) # if an output db file is specified it will write returned results. if (results_db is not None): create_db(results_db) write_db(results_db,returned_records) sys.exit(0) except dns.resolver.NXDOMAIN: print "[-] Could not resolve domain:",domain sys.exit(1) except dns.exception.Timeout: print "[-] A timeout error occurred please make sure you can reach the target DNS Servers" print "[-] directly and requests are not being filtered. Increase the timeout from 1.0 second" print "[-] to a higher number with --lifetime <time> option." sys.exit(1) else: usage()