Security of Information, Threat Intelligence, Hacking, Offensive Security, Pentest, Open Source, Hackers Tools, Leaks, Pr1v8, Premium Courses Free, etc

  • Penetration Testing Distribution - BackBox

    BackBox is a penetration test and security assessment oriented Ubuntu-based Linux distribution providing a network and informatic systems analysis toolkit. It includes a complete set of tools required for ethical hacking and security testing...
  • Pentest Distro Linux - Weakerth4n

    Weakerth4n is a penetration testing distribution which is built from Debian Squeeze.For the desktop environment it uses Fluxbox...
  • The Amnesic Incognito Live System - Tails

    Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship...
  • Penetration Testing Distribution - BlackArch

    BlackArch is a penetration testing distribution based on Arch Linux that provides a large amount of cyber security tools. It is an open-source distro created specially for penetration testers and security researchers...
  • The Best Penetration Testing Distribution - Kali Linux

    Kali Linux is a Debian-based distribution for digital forensics and penetration testing, developed and maintained by Offensive Security. Mati Aharoni and Devon Kearns rewrote BackTrack...
  • Friendly OS designed for Pentesting - ParrotOS

    Parrot Security OS is a cloud friendly operating system designed for Pentesting, Computer Forensic, Reverse engineering, Hacking, Cloud pentesting...
Showing posts with label Dns Recon. Show all posts
Showing posts with label Dns Recon. Show all posts

Friday, August 26, 2016

A DNS meta-query spider that enumerates DNS records, and subdomains - SubBrute v2.0




SubBrute is a community driven project with the goal of creating the fastest, and most accurate subdomain enumeration tool. Some of the magic behind SubBrute is that it uses open resolvers as a kind of proxy to circumvent DNS rate-limiting ( https://www.us-cert.gov/ncas/alerts/TA13-088A ). This design also provides a layer of anonymity, as SubBrute does not send traffic directly to the target's name servers.

Whats new in v2.0?
A lot of exciting updates... except for the readme file, which still needs to be updated.

Whats new in v1.2.1?
The big news in this version is that SubBrute is now a recursive DNS-spider, and also a library, more on this later. SubBrute should be easy to use, so the interface should be intuitive (like nmap!), if you would like the interface to change, let us know. In this version we are opening up SubBrute's fast DNS resolution pipeline for any DNS record type. Additionally, SubBrute now has a feature to detect subdomains were their resolution is intentionally blocked, which sometimes happens when a subdomain is intended for for use on an internal network.
  • SubBrute is now a DNS spider that recursively crawls enumerated DNS records. This feature boosted *.google.com from 123 to 162 subdomains. (Always enabled)
  • --type enumerate an arbitrary record type (AAAA, CNAME, SOA, TXT, MX...)
  • -s can now read subdomains from result files.
  • New useage - The subdomains enumerated from previous scans can now be used as input to enumerate other DNS records. The following commands demonstrate this new functionality:
    ./subbrute.py google.com -o google.names
...162 subdomains found...

./subbrute.py -s google.names google.com --type TXT
google.com,"v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"
adwords.google.com,"v=spf1 redirect=google.com"
...

./subbrute.py -s google.names google.com --type CNAME
blog.google.com,www.blogger.com,blogger.l.google.com
groups.google.com,groups.l.google.com
...
  • SubBrute is now a subdomain enumeration library with a python interface: subbrute.run() Do you want to use SubBrute in your python projects? Consider the following:
    import subbrute

for d in subbrute.run("google.com"):
print d
Feedback welcome.

Whats new in v1.1?
This version merges pull requests from the community; changes from JordanMilne, KxCode and rc0r is in this release. In SubBrute 1.1 we fixed bugs, improved accuracy, and efficiency. As requested, this project is now GPLv3.
Accuracy and better wildcard detection:
  • A new filter that can pickup geolocation aware wildcards.
  • Filter misbehaving nameservers
Faster:
  • More than 2,000 high quality nameservers were added to resolvers.txt, these servers will resolve multiple queries in under 1 sec.
  • Nameservers are verified when they are needed. A seperate thread is responsible creating a feed of nameservers, and corresponding wildcard blacklist.
New output:
  • -a will list all addresses associated with a subdomain.
  • -v debug output, to help developers/hackers debug subbrute.
  • -o output results to file.

More Information
The 'names.txt' list was created using some creative Google hacks with additions from the community. SubBrute has a feature to build your own subdomain lists by matching sub-domains with regular expression and sorting by frequency of occurrence:
  • python subroute.py -f full.html > my_subs.txt
names.txt contains 31298 subdomains. subs_small.txt was stolen from fierce2 which contains 1896 subdomains. If you find more subdomains to add, open a bug report or pull request and I'll be happy to add them.
No install required for Windows, just cd into the 'windows' folder:
  • subbrute.exe google.com
Easy to install: You just need http://www.dnspython.org/ and python2.7 or python3. This tool should work under any operating system: bsd, osx, windows, linux...
(On a side note giving a makefile root always bothers me, it would be a great way to install a backdoor...)
Under Ubuntu/Debian all you need is:
  • sudo apt-get install python-dnspython
On other operating systems you may have to install dnspython manually:
http://www.dnspython.org/
Easy to use:
  • ./subbrute.py google.com
Tests multiple domains:
  • ./subbrute.py google.com gmail.com blogger.com
or a newline delimited list of domains:
  • ./subbrute.py -t list.txt
Also keep in mind that subdomains can have subdomains (example: _xmpp-server._tcp.gmail.com):
  • ./subbrute.py gmail.com > gmail.out
  • ./subbrute.py -t gmail.out
Cheers!


Share:

Tuesday, July 19, 2016

A DNS Reconnaissance Tool for Locating Non-Contiguous IP Space - Fierce



First, credit where credit is due, fierce was originally written by RSnake along with others at http://ha.ckers.org/ . This is simply a conversion to Python 3 to simplify and modernize the codebase.
The original description was very apt, so I'll include it here:
Fierce is a semi-lightweight scanner that helps locate non-contiguous IP space and hostnames against specified domains. It's really meant as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all of those require that you already know what IP space you are looking for. This does not perform exploitation and does not scan the whole internet indiscriminately. It is meant specifically to locate likely targets both inside and outside a corporate network. Because it uses DNS primarily you will often find mis-configured networks that leak internal address space. That's especially useful in targeted malware.

Installing
$ pip3 install fierce
$ fierce -h
OR
$ git clone https://github.com/mschwager/fierce.git
$ cd fierce
$ pip3 install -r requirements.txt
$ python3 fierce.py -h

Using
Let's start with something basic:
$ fierce --domain google.com --subdomains accounts admin ads
Traverse IPs near discovered domains to search for contiguous blocks with the --traverse flag:
$ fierce --domain facebook.com --subdomains admin --traverse 10
Limit nearby IP traversal to certain domains with the --search flag:
$ fierce --domain facebook.com --subdomains admin --search fb.com fb.net
Attempt an HTTP connection on domains discovered with the --connect flag:
$ fierce --domain stackoverflow.com --subdomains mail --connect
Exchange speed for breadth with the --wide flag, which looks for nearby domains on all IPs of the /24 of a discovered domain:
$ fierce --domain facebook.com --wide
Zone transfers are rare these days, but they give us the keys to the DNS castle. zonetransfer.me is a very useful service for testing for and learning about zone transfers:
$ fierce --domain zonetransfer.me
To save the results to a file for later use we can simply redirect output:
$ fierce --domain zonetransfer.me > output.txt
Internal networks will often have large blocks of contiguous IP space assigned. We can scan those as well:
$ fierce --dns-servers 10.0.0.1 --range 10.0.0.0/24
Check out --help for further information:
$ fierce --help


Share:
Copyright © Offensive Sec Blog | Powered by OffensiveSec
Design by OffSec | Theme by Nasa Records | Distributed By Pirate Edition