GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/gather/enum_dns.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
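class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::DNS::Enumeration

  # Registers the module metadata and its basic/advanced options.
  #
  # The four DnsClient* options are deregistered at the end because this
  # module exposes the same settings under its own names (TIMEOUT, RETRY,
  # RETRY_INTERVAL, TCP_DNS) and copies the values across in #run.
  #
  # @param info [Hash] module metadata merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'DNS Record Scanner and Enumerator',
      'Description' => %q(
        This module can be used to gather information about a domain from a
        given DNS server by performing various DNS queries such as zone
        transfers, reverse lookups, SRV record brute forcing, and other techniques.
      ),
      'Author' => [
        'Carlos Perez <carlos_perez[at]darkoperator.com>',
        'Nixawk'
      ],
      'License' => MSF_LICENSE,
      'References' => [
        ['CVE', '1999-0532'],
        ['OSVDB', '492']
      ]))

    register_options(
      [
        OptString.new('DOMAIN', [true, 'The target domain']),
        OptBool.new('ENUM_AXFR', [true, 'Initiate a zone transfer against each NS record', true]),
        OptBool.new('ENUM_BRT', [true, 'Brute force subdomains and hostnames via the supplied wordlist', false]),
        OptBool.new('ENUM_A', [true, 'Enumerate DNS A record', true]),
        OptBool.new('ENUM_CNAME', [true, 'Enumerate DNS CNAME record', true]),
        OptBool.new('ENUM_MX', [true, 'Enumerate DNS MX record', true]),
        OptBool.new('ENUM_NS', [true, 'Enumerate DNS NS record', true]),
        OptBool.new('ENUM_SOA', [true, 'Enumerate DNS SOA record', true]),
        OptBool.new('ENUM_TXT', [true, 'Enumerate DNS TXT record', true]),
        OptBool.new('ENUM_RVL', [true, 'Reverse lookup a range of IP addresses', false]),
        OptBool.new('ENUM_TLD', [true, 'Perform a TLD expansion by replacing the TLD with the IANA TLD list', false]),
        OptBool.new('ENUM_SRV', [true, 'Enumerate the most common SRV records', true]),
        OptBool.new('STOP_WLDCRD', [true, 'Stops bruteforce enumeration if wildcard resolution is detected', false]),
        # Optional at registration time; #run enforces it when ENUM_RVL is on.
        OptAddressRange.new('IPRANGE', [false, "The target address range or CIDR identifier"]),
        OptInt.new('THREADS', [false, 'Threads for ENUM_BRT', 1]),
        OptPath.new('WORDLIST', [false, 'Wordlist of subdomains', ::File.join(Msf::Config.data_directory, 'wordlists', 'namelist.txt')])
      ])

    register_advanced_options(
      [
        OptInt.new('TIMEOUT', [false, 'DNS TIMEOUT', 8]),
        OptInt.new('RETRY', [false, 'Number of times to try to resolve a record if no response is received', 2]),
        OptInt.new('RETRY_INTERVAL', [false, 'Number of seconds to wait before doing a retry', 2]),
        OptBool.new('TCP_DNS', [false, 'Run queries over TCP', false])
      ])
    deregister_options('DnsClientUdpTimeout', 'DnsClientRetry', 'DnsClientRetryInterval', 'DnsClientTcpDns')
  end

  # Entry point. Maps the module's timeout/retry options onto the DNS client
  # settings, builds the resolver, then runs each enumeration technique whose
  # ENUM_* option is enabled.
  #
  # Before any query is sent, #validate_enum_options rejects a configuration
  # where ENUM_RVL is on without IPRANGE, or ENUM_BRT is on without WORDLIST.
  # Previously those values were handed to the helpers unchecked (IPRANGE is
  # registered as optional), so a blank value surfaced as an error inside the
  # helper rather than as a clear BadConfig failure.
  #
  # None of the dns_* helpers or setup_resolver are defined in this file;
  # they are expected to come from the included
  # Msf::Exploit::Remote::DNS::Enumeration mixin.
  def run
    datastore['DnsClientUdpTimeout'] = datastore['TIMEOUT']
    datastore['DnsClientRetry'] = datastore['RETRY']
    datastore['DnsClientRetryInterval'] = datastore['RETRY_INTERVAL']
    datastore['DnsClientTcpDns'] = datastore['TCP_DNS']

    validate_enum_options

    begin
      setup_resolver
    rescue RuntimeError => e
      fail_with(Failure::BadConfig, "Resolver setup failed - exception: #{e}")
    end

    domain = datastore['DOMAIN']
    is_wildcard = dns_wildcard_enabled?(domain)

    # All exceptions should be being handled by the library
    # but catching here as well, just in case.
    begin
      dns_axfr(domain) if datastore['ENUM_AXFR']
    rescue => e
      print_error("AXFR failed: #{e}")
    end

    dns_get_a(domain) if datastore['ENUM_A']
    dns_get_cname(domain) if datastore['ENUM_CNAME']
    dns_get_ns(domain) if datastore['ENUM_NS']
    dns_get_mx(domain) if datastore['ENUM_MX']
    dns_get_soa(domain) if datastore['ENUM_SOA']
    dns_get_txt(domain) if datastore['ENUM_TXT']
    dns_get_tld(domain) if datastore['ENUM_TLD']
    dns_get_srv(domain) if datastore['ENUM_SRV']

    threads = datastore['THREADS']
    dns_reverse(datastore['IPRANGE'], threads) if datastore['ENUM_RVL']

    return unless datastore['ENUM_BRT']

    # With wildcard resolution every brute-forced name resolves, so the
    # results carry no signal; STOP_WLDCRD lets the operator opt out of that
    # noise. Say so explicitly instead of silently returning.
    if is_wildcard && datastore['STOP_WLDCRD']
      print_status("Wildcard resolution detected for #{domain}, skipping brute force (STOP_WLDCRD is set)")
      return
    end

    dns_bruteforce(domain, datastore['WORDLIST'], threads)
  end

  # Stores a set of DNS records as a Metasploit note attached to +target+.
  #
  # Kept public: it is not called from this file, so it is presumably invoked
  # by the enumeration mixin's helpers.
  #
  # @param target [String] host (or domain) the records belong to
  # @param type [String] note type under the 'dns' service name
  # @param records [Object] the records to persist; stored under the 'records' key
  # @return [Object] whatever report_note returns
  def save_note(target, type, records)
    data = { 'target' => target, 'records' => records }
    report_note(host: target, sname: 'dns', type: type, data: data, update: :unique_data)
  end

  private

  # Fails fast with BadConfig when an enabled technique lacks the optional
  # input it depends on, rather than passing nil/"" to the enumeration helper.
  #
  # @raise via fail_with when ENUM_RVL is set without IPRANGE, or ENUM_BRT is
  #   set without WORDLIST
  def validate_enum_options
    if datastore['ENUM_RVL'] && datastore['IPRANGE'].to_s.empty?
      fail_with(Failure::BadConfig, 'ENUM_RVL is set but IPRANGE is empty')
    end

    return unless datastore['ENUM_BRT'] && datastore['WORDLIST'].to_s.empty?

    fail_with(Failure::BadConfig, 'ENUM_BRT is set but WORDLIST is empty')
  end
end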