GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/post/multi/gather/dns_reverse_lookup.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
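class MetasploitModule < Msf::Post

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Multi Gather DNS Reverse Lookup Scan',
        'Description' => %q{
          Performs DNS reverse lookup using the OS included DNS query command.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>'],
        'Platform' => %w[bsd linux osx solaris win],
        'SessionTypes' => [ 'meterpreter', 'shell' ]
      )
    )
    register_options(
      [
        OptAddressRange.new('RHOSTS', [true, 'IP Range to perform reverse lookup against.'])
      ]
    )
  end

  # Entry point for the `run` command: expands RHOSTS, then resolves each
  # address via the target's own DNS tool (through the session) and records
  # every PTR name found with report_host.
  def run
    iprange = datastore['RHOSTS']
    print_status("Performing DNS Reverse Lookup for IP range #{iprange}")

    # Expand the range up front; RangeWalker#next_ip returns nil once the
    # range is exhausted, which also covers an empty range.
    iplst = []
    ipadd = Rex::Socket::RangeWalker.new(iprange)
    while (ipa = ipadd.next_ip)
      iplst << ipa
    end

    cmd = lookup_command

    # Process the list in batches of up to max_threads. The whole batch is
    # spawned before any thread is joined, so the lookups in a batch really do
    # run concurrently; joining inside the spawn loop would serialise them.
    # No thread is spawned once the list runs dry.
    until iplst.empty?
      batch = []
      session.max_threads.times do
        ip_add = iplst.shift
        break if ip_add.nil?

        batch << framework.threads.spawn("Module(#{refname})", false, ip_add) do |ip|
          reverse_lookup(cmd, ip)
        end
      end
      batch.each(&:join)
    end
  end

  private

  # Path of the OS-supplied reverse-lookup tool for the session's platform.
  # Absolute paths are used on Unix-like hosts so the lookup does not depend
  # on the PATH of the compromised process.
  def lookup_command
    case session.platform
    when 'windows'
      'nslookup'
    when 'solaris'
      '/usr/sbin/host'
    else
      '/usr/bin/host'
    end
  end

  # Runs the lookup tool for a single address on the target and reports each
  # PTR name found. Prints a verbose note when no record could be parsed,
  # which also covers tool errors (timeouts, "not found") since those carry
  # no hostname.
  #
  # @param cmd [String] the lookup command from #lookup_command
  # @param ip_add [String] the address to resolve (produced by RangeWalker,
  #   so it is a plain IP literal, not user-controlled free text)
  def reverse_lookup(cmd, ip_add)
    output = cmd_exec(cmd, " #{ip_add}").to_s
    names = parse_ptr_names(output)
    if names.empty?
      vprint_status("#{ip_add} does not have a Reverse Lookup Record")
      return
    end

    names.each do |name|
      print_good "\t #{ip_add} is #{name}"
      # NOTE: the name is whatever the target's resolver answered with; it is
      # untrusted data and is stored as-is, never used to build a command.
      report_host({
        host: ip_add,
        name: name
      })
    end
  end

  # Extracts hostnames from the lookup tool's output.
  #
  # Windows nslookup prints "Name:    host.example" for each answer; host(1)
  # prints "... domain name pointer host.example." with a trailing dot that is
  # stripped. Every match is returned separately so several PTR records are
  # not concatenated into one string.
  #
  # @param output [String] raw stdout of the lookup command
  # @return [Array<String>] hostnames found, possibly empty
  def parse_ptr_names(output)
    if session.platform == 'windows'
      output.scan(/Name:\s*(\S+)/).flatten
    else
      output.scan(/domain name pointer (\S+)\./).flatten
    end
  end
end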