q2h1cg / dnsbrute
a fast domain brute tool
Home Page: http://sh3ll.me/archives/201704041222.txt
While enumerating shifen.com I noticed a problem:
➜ ~ dig ns shifen.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> ns shifen.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64331
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;shifen.com. IN NS
;; ANSWER SECTION:
shifen.com. 86400 IN NS ns3.baidu.com.
shifen.com. 86400 IN NS ns2.baidu.com.
shifen.com. 86400 IN NS ns4.baidu.com.
shifen.com. 86400 IN NS ns1.baidu.com.
;; Query time: 39 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun Apr 23 04:41:34 CST 2017
;; MSG SIZE rcvd: 117
➜ ~ dig @ns1.baidu.com xi.n.shifen.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @ns1.baidu.com xi.n.shifen.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39548
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 6
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;xi.n.shifen.com. IN A
;; AUTHORITY SECTION:
n.shifen.com. 86400 IN NS ns3.n.shifen.com.
n.shifen.com. 86400 IN NS ns4.n.shifen.com.
n.shifen.com. 86400 IN NS ns5.n.shifen.com.
n.shifen.com. 86400 IN NS ns2.n.shifen.com.
n.shifen.com. 86400 IN NS ns1.n.shifen.com.
;; ADDITIONAL SECTION:
ns1.n.shifen.com. 600 IN A 61.135.165.226
ns2.n.shifen.com. 600 IN A 180.149.133.243
ns3.n.shifen.com. 1200 IN A 61.135.162.218
ns4.n.shifen.com. 1200 IN A 115.239.210.178
ns5.n.shifen.com. 1200 IN A 119.75.222.14
;; Query time: 15 msec
;; SERVER: 202.108.22.220#53(202.108.22.220)
;; WHEN: Sun Apr 23 04:41:42 CST 2017
;; MSG SIZE rcvd: 214
As you can see, although ns1.baidu.com is the authoritative DNS for shifen.com, it is not the authoritative DNS for n.shifen.com.
Because the program queries through the authoritative DNS (it fetches the root domain's authoritative servers before enumerating), and an authoritative server does not perform recursive queries, querying xi.n.shifen.com on ns1.baidu.com returns an empty result:
➜ ~ dig @ns1.baidu.com xi.n.shifen.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @ns1.baidu.com xi.n.shifen.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1341
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 6
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;xi.n.shifen.com. IN A
;; AUTHORITY SECTION:
n.shifen.com. 86400 IN NS ns1.n.shifen.com.
n.shifen.com. 86400 IN NS ns4.n.shifen.com.
n.shifen.com. 86400 IN NS ns5.n.shifen.com.
n.shifen.com. 86400 IN NS ns2.n.shifen.com.
n.shifen.com. 86400 IN NS ns3.n.shifen.com.
;; ADDITIONAL SECTION:
ns1.n.shifen.com. 600 IN A 61.135.165.226
ns2.n.shifen.com. 600 IN A 180.149.133.243
ns3.n.shifen.com. 1200 IN A 61.135.162.218
ns4.n.shifen.com. 1200 IN A 115.239.210.178
ns5.n.shifen.com. 1200 IN A 119.75.222.14
;; Query time: 5 msec
;; SERVER: 202.108.22.220#53(202.108.22.220)
;; WHEN: Sun Apr 23 04:49:16 CST 2017
;; MSG SIZE rcvd: 214
The best solution to this problem would be to implement the recursive resolution process myself, but that would seriously slow down the overall speed (multiplying it) and the workload would be fairly large (the program architecture might need adjusting); the slowdown is something I cannot accept.
Considering that the reason for introducing authoritative DNS was to obtain the real TTL of DNS records, used for the wildcard-resolution blacklist fingerprint, and that in practice it is rare for a genuinely existing DNS record to point at a wildcard record (in that case the TTL is used to decide), the final decision is a compromise: abandon authoritative DNS and restore the original approach of using public DNS.
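The referral behaviour shown in the dig output above, as an added example that is not part of dnsbrute: a non-recursive authoritative server answers a name in a delegated subzone with ANSWER: 0 and the subzone's NS records in AUTHORITY (plus glue in ADDITIONAL), and a resolver must follow that referral itself. The input is a constructed sample modelled on the page's dig output; the function names are my own.

```python
import re

# Constructed sample modelled on the dig output above: ns1.baidu.com refers xi.n.shifen.com to the n.shifen.com servers.
SAMPLE_REFERRAL = """\
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 6
;; QUESTION SECTION:
;xi.n.shifen.com. IN A
;; AUTHORITY SECTION:
n.shifen.com. 86400 IN NS ns3.n.shifen.com.
n.shifen.com. 86400 IN NS ns1.n.shifen.com.
;; ADDITIONAL SECTION:
ns1.n.shifen.com. 600 IN A 61.135.165.226
ns3.n.shifen.com. 1200 IN A 61.135.162.218
"""

SECTION = re.compile(r"^;; (\w+) SECTION:")
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")

def parse_sections(text):
    """Map each dig section name to its (owner, ttl, type, rdata) records."""
    sections, current = {}, None
    for line in text.splitlines():
        head = SECTION.match(line)
        if head:
            current = head.group(1)
            continue
        rr = RR.match(line)
        if rr and current:  # question lines start with ';' and carry no TTL, so they never match
            owner, ttl, rtype, rdata = rr.groups()
            sections.setdefault(current, []).append((owner.lower(), int(ttl), rtype, rdata.lower()))
    return sections

def next_servers(text, qname):
    """Return (delegated_zone, {ns_name: glue_ip_or_None}) when the reply is a referral
    for qname, else None. A recursive resolver would re-send the query to one of these."""
    sections = parse_sections(text)
    if sections.get("ANSWER"):
        return None  # the server answered directly: nothing to follow
    qname = qname.lower().rstrip(".") + "."
    delegations = [(owner, rdata) for owner, _, rtype, rdata
                   in sections.get("AUTHORITY", [])
                   if rtype == "NS" and (qname == owner or qname.endswith("." + owner))]
    if not delegations:
        return None
    zone = delegations[0][0]
    servers = {ns: None for _, ns in delegations}
    for owner, _, rtype, rdata in sections.get("ADDITIONAL", []):
        if rtype == "A" and owner in servers:
            servers[owner] = rdata  # glue: reach the NS without another lookup
    return zone, servers
```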
I love the speed of this tool but I seem to get surprisingly inaccurate results. Could this be caused by rate limiting of the used resolver?
For subbrute (https://github.com/TheRook/subbrute) I use a list of DNS resolvers which works great. Would such a solution also be possible in dnsbrute?
Not familiar enough with Go to implement this myself sadly..
The name dnsbrute doesn't describe the tool functionality, what is it supposed to do?
DNS brute force attack?
For example, when the NS record of xxxx.com is empty, the program simply exits. This case is far too common; I recommend adding a few major public DNS servers in that situation.
That is, modify pandns.go as follows:
func SetAuthoritativeDNSServers() error {
	if analyzeAuthoritativeDNSServersLimit == 0 {
		// No NS record for the root domain: fall back to public resolvers instead of exiting.
		authoritativeDNSServers = append(authoritativeDNSServers,
			"8.8.8.8:53",
			"119.29.29.29:53",
			"223.5.5.5:53",
			"223.6.6.6:53",
			"114.114.114.114:53",
		)
		fmt.Printf("%s: NO NS Record\n", rootDomain)
		return nil
	}
	...
A further optimization would be to run latency checks against both the servers from the NS records and the commonly used DNS servers, and pick the best one for brute forcing.
After building main.go, I run ./main; it fails and prints 'dns: failed to unpack truncated message'. How do I solve it?
First, I have to admire the author. This tool is really awesome..
I think that would work.
outchan := make(chan string, 100)
go mixInAPIDict(*domain, *dict, outchan)
dns.Configure(*domain, *server, *rate, *retry)
// input: feed each candidate subdomain into the query channel
go func() {
	for sub := range outchan {
		dns.Queries <- sub
	}
}()
Actually I have only been learning Go for a month..
If results for the domain are found on hackertarget but the subsequent brute force yields nothing, the hackertarget results apparently are not saved to the Excel file.
Why does closing the client after the brute force finishes hang forever? I have run into this many times and could not figure it out even after debugging.
I suggest removing the retry limit, or setting it to 100.
Given the accuracy problem, 3 retries is completely insufficient under high concurrency; raising it to 10 is barely enough. But since the query overhead is small, would it be better to adjust it so that, where possible, a result is always obtained?
➜ dnsbrute git:(master) dnsbrute
zsh: command not found: dnsbrute
please ls -l dnsbrute
cat dnsbrute