q2h1cg / dnsbrute Goto Github PK

View Code? Open in Web Editor NEW

411.0 13.0 104.0 4.27 MB

a fast domain brute tool

Home Page: http://sh3ll.me/archives/201704041222.txt

Go 100.00%

pentest dns domain brute

dnsbrute's People

Contributors

Stargazers

Watchers

Forkers

marryfaye av1080p ssdtfarm h1d3r my3157 songofhack g4tg007 ricterz zminjiao matiasinsaurralde blueroutecn xieqiwen1993 aroundight ivmachiavelli louielchen robot-jinxu maybemyself webvul chencool cybort pekita1 vf3ng zebork grt1st joinsec r3p3r subzeroking dogfood1 5up3rc pharazone attacker34 mgcfish thingtono menzow raul1718 ykankaya slowmistio phpplay rchicoli losiry h3ll0w0lrd loveh4ck jerusalemsbell em7pycc amua fire1906 1m15m3 snrtherock cvfdej dean2021 hellogoodbill-co zedundun x0james galaxylove anguikang agoodfriend changesi furyyueyi haibara3839 imulmul interesting-go qing-q lin962648 landaboot makefunny 5l1v3r1 laashub-soa secfb blackstarkk cybernewbies zjg1949 omiter fhgzs mxm-subdomain silence566 findcool 0x0000141 yuxiaoer123 qw3rtydotme hama1986 cnaei mettaqjh conorxx1 talking-tomz djsousuo b1lack phuong39 fedsec ajunlonglive beike2020

dnsbrute's Issues

权威 DNS 相关问题

枚举 shifen.com 时注意到一个问题：

➜  ~ dig ns shifen.com 

; <<>> DiG 9.10.3-P4-Ubuntu <<>> ns shifen.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64331
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;shifen.com.			IN	NS

;; ANSWER SECTION:
shifen.com.		86400	IN	NS	ns3.baidu.com.
shifen.com.		86400	IN	NS	ns2.baidu.com.
shifen.com.		86400	IN	NS	ns4.baidu.com.
shifen.com.		86400	IN	NS	ns1.baidu.com.

;; Query time: 39 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun Apr 23 04:41:34 CST 2017
;; MSG SIZE  rcvd: 117

➜  ~ dig @ns1.baidu.com xi.n.shifen.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @ns1.baidu.com xi.n.shifen.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39548
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;xi.n.shifen.com.		IN	A

;; AUTHORITY SECTION:
n.shifen.com.		86400	IN	NS	ns3.n.shifen.com.
n.shifen.com.		86400	IN	NS	ns4.n.shifen.com.
n.shifen.com.		86400	IN	NS	ns5.n.shifen.com.
n.shifen.com.		86400	IN	NS	ns2.n.shifen.com.
n.shifen.com.		86400	IN	NS	ns1.n.shifen.com.

;; ADDITIONAL SECTION:
ns1.n.shifen.com.	600	IN	A	61.135.165.226
ns2.n.shifen.com.	600	IN	A	180.149.133.243
ns3.n.shifen.com.	1200	IN	A	61.135.162.218
ns4.n.shifen.com.	1200	IN	A	115.239.210.178
ns5.n.shifen.com.	1200	IN	A	119.75.222.14

;; Query time: 15 msec
;; SERVER: 202.108.22.220#53(202.108.22.220)
;; WHEN: Sun Apr 23 04:41:42 CST 2017
;; MSG SIZE  rcvd: 214

可以看到虽然 ns1.baidu.com 是 shifen.com 的权威 DNS，但其并不是 n.shifen.com 的权威 DNS。
而因为程序是通过权威 DNS 来进行查询的（枚举前获取根域名的权威 DNS），但权威 DNS 并不会递归查询，这导致在 ns1.baidu.com 上查询 xi.n.shifen.com 结果为空：

➜  ~ dig @ns1.baidu.com xi.n.shifen.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @ns1.baidu.com xi.n.shifen.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1341
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;xi.n.shifen.com.		IN	A

;; AUTHORITY SECTION:
n.shifen.com.		86400	IN	NS	ns1.n.shifen.com.
n.shifen.com.		86400	IN	NS	ns4.n.shifen.com.
n.shifen.com.		86400	IN	NS	ns5.n.shifen.com.
n.shifen.com.		86400	IN	NS	ns2.n.shifen.com.
n.shifen.com.		86400	IN	NS	ns3.n.shifen.com.

;; ADDITIONAL SECTION:
ns1.n.shifen.com.	600	IN	A	61.135.165.226
ns2.n.shifen.com.	600	IN	A	180.149.133.243
ns3.n.shifen.com.	1200	IN	A	61.135.162.218
ns4.n.shifen.com.	1200	IN	A	115.239.210.178
ns5.n.shifen.com.	1200	IN	A	119.75.222.14

;; Query time: 5 msec
;; SERVER: 202.108.22.220#53(202.108.22.220)
;; WHEN: Sun Apr 23 04:49:16 CST 2017
;; MSG SIZE  rcvd: 214

这个问题最好的解决办法是自己去实现递归查询的过程，但这将严重拖慢整体速度（成倍增长）且工作量略大（可能需要调整程序架构），拖慢整体速度这个点我是接受不了的。

考虑到引入权威 DNS 的原因是为了获取 DNS 记录真正的 TTL，用于泛解析域名黑名单指纹，而实际中真实存在的 DNS 记录指向泛解析记录的情况很少（此种情况采取判断 TTL）。所以最后还是考虑采用折中的解决办法：舍弃权威 DNS，恢复原始的公共 DNS 的方式。

[REQUEST] Allow more than 1 dns resolver

I love the speed of this tool but I seem to get suprisingly inaccurate results. Could this be caused by rate limiting of the used resolver?

For subbrute (https://github.com/TheRook/subbrute) I use a list of DNS resolvers which works great. Would such a solution also be possible in dnsbrute?
Not familiar enough in go to implement this myself sadly..

The name dnsbrute doesn't describe the tool functionality, what is it suppose to do?

The name dnsbrute doesn't describe the tool functionality, what is it suppose to do?
DNS brute force attack?

为什么每次我执行都只能得到一个结果

建议试试sdo.com

在没有NO NS Record情况下终止。

例如 xxxx.com 的ns记录为空时，则直接退出程序。这种情况太常见了，推荐在这时添加几大主dns服务器。
即修改pandns.go中

func SetAuthoritativeDNSServers() error {
if analyzeAuthoritativeDNSServersLimit == 0 {
authoritativeDNSServers = append(authoritativeDNSServers, "8.8.8.8:53")
authoritativeDNSServers = append(authoritativeDNSServers, "119.29.29.29:53")
authoritativeDNSServers = append(authoritativeDNSServers, "223.5.5.5:53")
authoritativeDNSServers = append(authoritativeDNSServers, "223.6.6.6:53")
authoritativeDNSServers = append(authoritativeDNSServers, "114.114.114.114:53")
fmt.Sprintf("%s: NO NS Record", rootDomain)
return nil
}
.
.
.

再优化的话就是对有ns的服务器和常用ns服务器进行延迟检测，选择最优的ns服务器进行爆破

        outchan:= make(chan string, 100)
	go mixInAPIDict(*domain, *dict, outchan)

	dns.Configure(*domain, *server, *rate, *retry)

	// 输入
	go func() {
		for sub := range outchan {
			dns.Queries <- sub
		}
	}()

其实我学go才一个月。。