darkoperator / dnsrecon
License: GNU General Public License v2.0
DNS Enumeration Script
Line 782 of dnsrecon.py will process NSEC3 records, which results in a stacktrace as shown below:
Traceback (most recent call last):
File "dnsrecon.py", line 1666, in
main()
File "dnsrecon.py", line 1638, in main
write_db(results_db, returned_records)
File "dnsrecon.py", line 784, in write_db
'values( "%(type)s", "%(target)s", "%(address)s" )' % n
KeyError: 'target'
Suggestion for a fix (line 782):
elif re.match(r'NS$', n['type']):
The current head fails to run due to an inconsistent use of tabs and spaces within the brute_tlds function on line 306 in dnsrecon.py.
This can easily be fixed by opening the file in vim and running :retab. I suggest running CI tests in the future, it's free for open source projects and stops stuff from breaking so easily :)
There is currently no way to throttle the speed of queries generated by dnsrecon in cases where more stealth is preferred.
Good morning,
I think it would be useful to have a flag to specify the port of the dns server.
Thanks,
Alessio
I ran dnsrecon on evernote.com, but it resulted in finding 0 SRV documents. So I tried a reverse lookup. Then it gave 504 records, but none of those links are working.
What could be the possible reason for those links not working?
Please add a flag to exit the script if a wildcard is detected.
Currently, the program notifies the user and asks if they want to quit.
Hi.
Thanks for a great project. The Zone transfer (AXFR) doesn't seem to work on Version: 0.8.13.
Version 0.8.13
$ dnsrecon.py -a -d DOMAIN
Get the error:
[*] Resolving SOA Record
[-] Could not obtain the domains SOA Record.
Doing the same thing on the same domain with Version 0.8.11
$ dnsrecon.py -a -d DOMAIN
Version: 0.8.11
[*] Resolving SOA Record
[+] SOA ...
Best regards Ysagi
Came across a bug I thought I should report.
Version: 0.8.6
$ ./dnsrecon.py -d REDACTED -t std,rvl,brt,srv,axfr,goo,snoop,tld,zonewalk
[*] Performing General Enumeration of Domain:
[!] Wildcard resolution is enabled on this domain
[!] It is resolving to REDACTED
[!] All queries will resolve to this address!!
[-] DNSSEC is not configured for REDACTED
[-] Could not Resolve SOA Record for REDACTED
[-] Could not Resolve NS Records for REDACTED
[-] Could not Resolve MX Records for REDACTED
[*] A REDACTED REDACTED
[*] Enumerating SRV Records
[-] No SRV Records Found for REDACTED
[*] 0 Records Found
Traceback (most recent call last):
File "./dnsrecon.py", line 1611, in <module>
main()
File "./dnsrecon.py", line 1483, in main
if len(ip_list) > 0:
UnboundLocalError: local variable 'ip_list' referenced before assignment
The problem relates to the specific syntax of the DIG command that has to be used; standard commands or Windows nslookup will also fail.
Could you add the following check to your tool, please:
'dig axfr domain.com @ns1.domain.com'
Many thanks,
Alexander
From the command:
./dnsrecon.py -t std,brt,axfr -d xxx.com -D dns2.txt -c ~/clients/xxx_dns
[-]
[*] Saving records to CSV file: /home/robin/clients/xxx_dns
Traceback (most recent call last):
File "./dnsrecon.py", line 1630, in
main()
File "./dnsrecon.py", line 1587, in main
write_to_file(make_csv(returned_records), csv_file)
File "./dnsrecon.py", line 732, in make_csv
csv_data += n['type'] + "," + n['name'] + ",,,,'" + n['strings'] + "'\n"
KeyError: 'name'
With 7b7c7b3, dnsrecon does not produce complete JSON file output except:
[
{
"arguments": "dnsrecon/dnsrecon.py -r X.X.X.X/16 -t rvl --json output.json -n 8.8.8.8",
"date": "2015-02-26 15:07:32.811102",
"type": "ScanInfo"
}
]
Hi,
I'm trying to use this tool on my Arch OS.
I have this error:
Traceback (most recent call last):
File "./dnsrecon.py", line 1664, in <module>
main()
File "./dnsrecon.py", line 1622, in main
spf_enum, do_whois, zonewalk)
File "./dnsrecon.py", line 1067, in general_enum
goo_rcd = goo_result_process(res, scrape_google(domain))
File "./dnsrecon.py", line 531, in scrape_google
sock = urllib.urlopen(url)
AttributeError: module 'urllib' has no attribute 'urlopen'
What do I have to install?
Thanks
Hi,
I would like to update the package in Kali / Debian (https://bugs.kali.org/view.php?id=5365)
But you released a new version 0.8.2 a few days ago and the previous version was 0.8.14:
0.8.2 is lower than 0.8.14.
Could you release a new version higher than 0.8.14, for example 0.8.20?
Thanks!
We currently incorporate your tool into ArchAssault (https://archassault.org/) and we aim to have licenses associated with all our included packages.
Could you add a license to the repo and include it in the tagged release? It would be appreciated.
Hi,
I think it would be useful to have a flag that would run all the different 'types' of checks. Would save having to input them all.
Thanks,
Ryan
root@Hosting:~/src/dnsrecon# ./dnsrecon.py ya.ru
Traceback (most recent call last):
File "./dnsrecon.py", line 54, in <module>
import dns.message
ImportError: No module named dns.message
root@Hosting:~/src/dnsrecon# pip install --upgrade dns
Collecting dns
Could not find a version that satisfies the requirement dns (from versions: )
No matching distribution found for dns
root@Hosting:~/src/dnsrecon#
Hello. Do you have a finished image or icon for this program?
Hi,
Just been using dnsrecon and some of the domains are throwing this error!
Exception in thread Thread-4 (most likely raised during interpreter shutdown):
Traceback (most recent call last):
File "/usr/lib/python2.7/threading.py", line 808, in __bootstrap_inner
File "dnsrecon.py", line 102, in run
File "/usr/lib/python2.7/Queue.py", line 168, in get
File "/usr/lib/python2.7/threading.py", line 333, in wait
<type 'exceptions.TypeError'>: 'NoneType' object is not callable
Is there anything I can do to handle this?
Carl
The 0.8.12 version seems to have been released officially.
However, there is neither a tag nor an archive to download.
Please create it.
Traceback (most recent call last):
File "/usr/bin/dnsrecon", line 71, in
from lib.gooenum import *
ImportError: No module named gooenum
Writing TXT records to a sqlite database will cause the following failure:
Traceback (most recent call last):
File "dnsrecon.py", line 1666, in
main()
File "dnsrecon.py", line 1638, in main
write_db(results_db, returned_records)
File "dnsrecon.py", line 796, in write_db
'values( "%(type)s", "%(name)s" ,"%(strings)s" )' % n
KeyError: 'name'
The TXT record doesn't have a 'name' key; I'm not sure if that is correct.
A fix could be (line 795-796):
query = 'insert into data( type, text) ' + \
'values( "%(type)s", "%(strings)s" )' % n
I keep getting an error when I put in the following line, with a real domain, and for the life of me, can't figure out what is going wrong. It seems to output everything to the screen, but after the reverse lookup is done I get the error after. Any help would be greatly appreciated
dnsrecon.py -d -n 8.8.8.8 -t std -a -s -g -w --xml output.xml
Traceback (most recent call last):
File "dnsrecon.py", line 1627, in
main()
File "dnsrecon.py", line 1572, in main
xml_enum_doc = dns_record_from_dict(returned_records, scan_info, domain)
File "dnsrecon.py", line 660, in dns_record_from_dict
for k, v in r.items():
AttributeError: 'list' object has no attribute 'items'
Looks like I messed up zonetransfer.me trying to get DNSSEC working but in the process broke dnsrecon...
./dnsrecon.py -t zonewalk -d zonetransfer.me -n 81.4.108.41
[*] Performing NSEC Zone Walk for zonetransfer.me
[*] Getting SOA record for zonetransfer.me
Traceback (most recent call last):
File "./dnsrecon.py", line 1681, in <module>
main()
File "./dnsrecon.py", line 1595, in main
ds_zone_walk(res, domain)
File "./dnsrecon.py", line 1225, in ds_zone_walk
soa_rcd = res.get_soa()[0][2]
File "./recon/dnsrecon/lib/dnshelper.py", line 200, in get_soa
ipv4_answers = self._res.query(name, 'A')
File "/usr/lib/python2.7/dist-packages/dns/resolver.py", line 824, in query
raise NoNameservers
dns.resolver.NoNameservers
Hi,
For some domains an exception is raised when dnsrecon tries to get the SOA record:
[*] Performing General Enumeration of Domain: *******
[*] Checking for Zone Transfer for ******* name servers
[*] Resolving SOA Record
[-] Could not obtain the domains SOA Record.
[-] DNSSEC is not configured for *******
Traceback (most recent call last):
File "/opt/dnsrecon/dnsrecon.py", line 1707, in <module>
main()
File "/opt/dnsrecon/dnsrecon.py", line 1665, in main
std_enum_records = general_enum(res, domain, xfr, goo, bing, spf_enum, do_whois, do_crt, zonewalk)
File "/opt/dnsrecon/dnsrecon.py", line 951, in general_enum
found_soa_records = res.get_soa()
File "/opt/dnsrecon/lib/dnshelper.py", line 217, in get_soa
name = rdata[0].mname.to_text()
AttributeError: 'CNAME' object has no attribute 'mname'
After some investigation, it seems that rdata[0] is a dns.rdtypes.ANY.CNAME.CNAME type and doesn't have an mname attribute.
I added a simple workaround to resolve the problem:
--- a/lib/dnshelper.py
+++ b/lib/dnshelper.py
@@ -214,6 +214,8 @@ class DnsHelper:
answers = response.authority
for rdata in answers:
# A zone only has one SOA record so we select the first.
+ if not isinstance(rdata[0], dns.rdtypes.ANY.SOA.SOA):
+ return []
name = rdata[0].mname.to_text()
ipv4_answers = self._res.query(name, 'A', tcp=tcp)
for ardata in ipv4_answers:
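Review bot: the added "return []" sits inside "for rdata in answers:", so the first non-SOA entry ends the whole lookup even if a later entry in answers is the SOA; "continue" would skip only that entry. The check also names dns.rdtypes.ANY.SOA.SOA, and no import of that submodule is visible in this hunk, so lib/dnshelper.py should import it explicitly or the test could compare the record type instead.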
Can you confirm the validity of the solution?
$ dig AXFR blabla.fr @dns.blabla.fr | grep webuse
lamort.blabla.fr. 21600 IN CNAME webuser.blabla.fr.
webuser.blabla.fr. 21600 IN A 1.2.3.4
Doing the same operation with dnsrecon and JSON output:
[
{
"arguments": "dnsrecon/dnsrecon.py -t axfr -d blabla.fr -n dns.blabla.fr --json samples/dnsrecon-axfr-blabla.fr.json",
"date": "2015-03-03 11:52:43.031781",
"type": "ScanInfo"
},
...
{
"address": "1.2.3.4",
"name": "webuser.blabla.fr",
"type": "A",
"zone_server": "X.X.X.X"
},
...
{
"address": "1.2.3.4",
"name": "lamort.blabla.fr",
"target": "webuse",
"type": "CNAME",
"zone_server": "X.X.X.X"
},
...
]
'webuser' becomes 'webuse' with 'dnsrecon'.
Would like to see dnsrecon in pypi; it would make a lot of difference for using the tool / embedding it in other projects and so on.
My ideal scenario would be:
pip install dnsrecon
and have everything set up.
See:
https://packaging.python.org/tutorials/packaging-projects/
Most resolvers don't pass along IP address information, so you should be able to scale up brute force attacks by spreading queries across multiple resolvers.
You could include a list of popular servers by default (Verizon, Google, OpenDNS, etc). Public-DNS.tk maintains a list of open DNS resolvers that includes IP addresses and uptime statistics. You could download it on demand and filter them based on uptime, there are ~50K IP addresses with a 100% uptime rating. I would recommend you shuffle and throttle to 5 queries per second.
version: 0.8.11 (Python 2.7.14)
cmdline: dnsrecon -t std,srv,goo,zonewalk,brt -D /usr/share/dnsrecon/namelist.txt -g -z --threads 1 --lifetime 10 -d redacted.com > dnsrecon-redacted.com.txt
Traceback (most recent call last):
File "./dnsrecon.py", line 1670, in
main()
File "./dnsrecon.py", line 1507, in main
std_enum_records = general_enum(res, domain, xfr, goo, bing, spf_enum, do_whois, zonewalk)
File "./dnsrecon.py", line 1046, in general_enum
goo_rcd = goo_result_process(res, scrape_google(domain))
NameError: global name 'goo_result_process' is not defined
The following error message in ds_zone_walk indicates that a request to a server timed out and that the user can configure this time:
Lines 1303 to 1307 in 3984747
This value is actually not user configurable. It is hard set to 3 seconds when the res object is recreated.
Lines 1234 to 1238 in 3984747
This is a straightforward fix and I can PR it if you'd let me know your preference for handling it:
--lifetime
--lifetime-walk
You'll get this error if you are logged in under a user account without permission to write to the dictionary file. So if you are a regular user and use namelist.txt from a regular package installation, e.g. on Kali Linux
dnsrecon -d example.com -t brt -D /usr/share/dnsrecon/namelist.txt --iw -f > /tmp/dnsrecon1
you'll get a permission error because in the code the file is opened for read and write: f = open(dict, 'r+').
I'd love to be able to install dnsrecon via pypi instead of cloning the repo and installing dependencies manually.
The project would need a setup.py file, uploading to pypi is straight-forward.
Was wondering if you might want to use one of the subdomain lists I created from the Alexa Top 1 Million sites AXFR results - http://www.ethicalhack3r.co.uk/zone-transfers-on-the-alexa-top-1-million-part-2/
Was the mDNS support dropped? In previous descriptions of the tool, it was advertised it could enumerate mDNS records (e.g. https://tools.kali.org/information-gathering/dnsrecon)
The file lib/mdnsenum.py isn't loaded from anywhere.
Colleague got this doing a basic scan with output to CSV, didn't send me full command line. I ran similar scan with brute force and zone transfer and it worked OK. I think he re-ran the command without .csv on filename and it worked but this could have been coincidence or he could have changed something else.
Traceback (most recent call last):
File "./dnsrecon.py", line 1676, in <module>
main()
File "./dnsrecon.py", line 1653, in main
write_to_file(make_csv(returned_records), csv_file)
File "./dnsrecon.py", line 753, in make_csv
csv_data += n['type'] + "," + n['name'] + ",," + n['target'] + ",\n"
KeyError: 'target'
I hadn't used the tool before and was trying a few options. I incorrectly used an IP address with the domain flag option. It errored far into the code away from the input parsing, due to line 1415 of dnsrecon.py not validating the input format.
elif opt in ('-d', '--domain'):
domain = arg
I think it would be good to refactor this section to use argparse.
Hi,
Is it possible to pass a list of domain names to DNSRecon? I couldn't see anything in the docs regarding this.
Regards,
Carl
While writing PTR records to the sqlite database, the following failure will occur.
At line 776, variable 'n' is used to iterate through the array 'data'. In the following lines, 'n' is assumed to be of the type 'list'.
When using reverse lookups to resolve PTR records, this breaks as shown below:
File "dnsrecon.py", line 1666, in
main()
File "dnsrecon.py", line 1638, in main
write_db(results_db, returned_records)
File "dnsrecon.py", line 778, in write_db
if re.match(r'PTR|^[A]$|AAAA', n['type']):
TypeError: list indices must be integers, not str
This error occurs, because the PTR records aren't stored as separate items in the list 'data'. Instead all the PTR records together are an array (or a list by itself ... not sure... ).
I don't have a suggested fix, but it should be somewhere in the output of the reverse lookups.
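The three write_db failures reported on this page (NSEC3 records without a 'target' key, TXT records without a 'name' key, and PTR results arriving as a nested list) all come from formatting a record dict straight into an insert statement. The following is an added example, not dnsrecon's code: the table layout and the helpers flatten, to_row, write_records and demo are assumptions. It flattens nested result lists, stores NULL for keys a record lacks, and binds values as parameters so a TXT string containing a double quote cannot break the statement.

```python
import sqlite3

# Assumed table layout for this example (not dnsrecon's actual schema).
COLUMNS = ("type", "name", "address", "target", "port", "text")
# Record keys stored under a differently named column.
KEY_ALIASES = {"strings": "text"}

# Constructed sample: an A record, a TXT record with no 'name' key, an NSEC3
# record with no 'target' key, and PTR results delivered as a nested list.
SAMPLE_RECORDS = [
    {"type": "A", "name": "www.example.com", "address": "192.0.2.10"},
    {"type": "TXT", "strings": 'v=spf1 include:"mail" -all'},
    {"type": "NSEC3", "name": "example.com"},
    [
        {"type": "PTR", "name": "host1.example.com", "address": "192.0.2.20"},
        {"type": "PTR", "name": "host2.example.com", "address": "192.0.2.21"},
    ],
]


def flatten(records):
    """Yield every dict in a result list that may contain nested lists."""
    for item in records:
        if isinstance(item, dict):
            yield item
        elif isinstance(item, (list, tuple)):
            yield from flatten(item)
        # Anything else (for example a bare string) is not a record: skip it.


def to_row(record):
    """Map a record onto COLUMNS; keys the record lacks become NULL."""
    fields = {KEY_ALIASES.get(k, k): v for k, v in record.items()}
    return tuple(
        None if fields.get(col) is None else str(fields[col]) for col in COLUMNS
    )


def write_records(conn, records):
    """Insert all records with bound parameters; return the row count."""
    column_list = ", ".join(COLUMNS)  # built from constants, never record data
    marks = ", ".join("?" for _ in COLUMNS)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS data (%s)"
        % ", ".join(c + " TEXT" for c in COLUMNS)
    )
    rows = [to_row(r) for r in flatten(records) if r.get("type")]
    conn.executemany(
        "INSERT INTO data (%s) VALUES (%s)" % (column_list, marks), rows
    )
    conn.commit()
    return len(rows)


def demo():
    """Write SAMPLE_RECORDS to an in-memory database and read them back."""
    conn = sqlite3.connect(":memory:")
    count = write_records(conn, SAMPLE_RECORDS)
    stored = conn.execute("SELECT type, name, address, text FROM data").fetchall()
    conn.close()
    return count, stored


if __name__ == "__main__":
    print(demo())
```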
I just made a typo when entering the types
-t brt,axfr
but I'd also specified -c to save to file. The brute force ran but then nothing was saved as it tried to do the axft and failed. It should save at the end of each phase rather than at the end and it should also check the types before doing anything else to detect typos.
I just did a typo and did
-t std,axft
The standard scan ran then it gave this error:
[-] This type of scan is not in the list axft
It would be better if you checked all the types requested at the start and failed early.
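Both typo reports above, and the earlier report about an IP address passed to the domain flag, ask for input to be checked before any scan starts. One way to do that with argparse, as an added example that is not dnsrecon's code: the scan type names are taken from commands quoted on this page, while parse_scan_types, domain_name, build_parser, the program name and the default type are assumptions.

```python
import argparse
import ipaddress
import re

# Scan type names as they appear in the commands quoted on this page.
VALID_TYPES = ("std", "rvl", "brt", "srv", "axfr", "goo", "snoop", "tld", "zonewalk")
# One DNS label: 1-63 letters, digits, '-' or '_', not starting or ending with '-'.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9_-]{1,63}(?<!-)$")


def parse_scan_types(value):
    """argparse type callable: split on commas and reject unknown names."""
    requested = [t.strip().lower() for t in value.split(",") if t.strip()]
    if not requested:
        raise argparse.ArgumentTypeError("no scan type given")
    unknown = [t for t in requested if t not in VALID_TYPES]
    if unknown:
        raise argparse.ArgumentTypeError(
            "unknown scan type(s): %s; valid types: %s"
            % (", ".join(unknown), ", ".join(VALID_TYPES))
        )
    return requested


def domain_name(value):
    """argparse type callable: accept a host name, reject an IP address."""
    candidate = value.strip().rstrip(".")
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        pass  # not an IP address, continue with the name checks
    else:
        raise argparse.ArgumentTypeError(
            "%r is an IP address, -d expects a domain name" % value
        )
    labels = candidate.split(".")
    if len(candidate) > 253 or not all(LABEL_RE.match(label) for label in labels):
        raise argparse.ArgumentTypeError("%r is not a valid domain name" % value)
    return candidate.lower()


def build_parser():
    """Every argument is validated during parsing, before any scan runs."""
    parser = argparse.ArgumentParser(prog="dnsrecon-example")  # assumed name
    parser.add_argument("-d", "--domain", type=domain_name, required=True)
    # Defaulting to a standard scan is an assumption of this example.
    parser.add_argument("-t", "--type", dest="types",
                        type=parse_scan_types, default=["std"])
    parser.add_argument("-c", "--csv", dest="csv_file")
    return parser


if __name__ == "__main__":
    args = build_parser().parse_args()
    print(args.domain, args.types, args.csv_file)
```

With this in place, -t std,axft stops with exit status 2 and a message naming axft before the standard scan is started.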
In brute-force mode, found records are not written to the output file because brt_enum_records are not added to returned_records.
Issue: https://github.com/darkoperator/dnsrecon/blob/master/dnsrecon.py#L1535
Sample command:
python dnsrecon.py --domain <domain> --type brt --threads 1 --iw --json out.json
I attached a proposed patch:
dnsrecon.txt
GIT SHA:
c96739859cc25177df0a9a3a3b7bdcfe62d87394
On 3.4.5-pentoo (Gentoo with Pentoo overlay), using python 3.2, I'm getting the following error using current dnsrecon (0.8.0) from git.
Error:
Traceback (most recent call last):
File "dnsrecon.py", line 55, in
import dns.message
ImportError: No module named dns.message
Available Python interpreters:
[1] python2.7
[2] python3.2 *
dnsrecon does not throw errors with python 2.7.
I've tried the -f switch to filter out brute forced records that resolve to the wildcard IP address, but it doesn't seem to work for either saving as csv or xml.
I don't think the following code behaves as expected.
Lines 307 to 321 in d5636e7
I think that lines 313 to 316 should be indented (the value of t never changes) and perhaps have the order of cc and t in the string construction reversed. As it is, it will currently loop over domain name + country code + the last value in stld which is currently .travel.
Example output:
[*] Trying sammich.fr.travel
[*] Trying sammich.ga.travel
[*] Trying sammich.gb.travel
[*] Trying sammich.gd.travel
[*] Trying sammich.ge.travel
[*] Trying sammich.gf.travel
[*] Trying sammich.gg.travel
[*] Trying sammich.gh.travel
[*] Trying sammich.gi.travel
[*] Trying sammich.gl.travel
[*] Trying sammich.gm.travel
[*] Trying sammich.gn.travel
[*] Trying sammich.gp.travel
It will never loop over any other stld values due to the current indention.
I'd be happy to submit a PR if you wish. Just let me know the desired loop pattern.
Records are translated to key value pairs before passing them to the prettify function, when writing data to XML.
The prettify function tries to encode these pairs into unicode. This could fail if the string contains bytes > 128 dec.
The problem starts around line 657, but will only be noticed at around line 643 (ElementTree.tostring)
My lousy fix is the following, but I'm sure real programmers would come up with something more decent:
@@ -657,7 +657,14 @@ def dns_record_from_dict(record_dict_list, scan_info, domain):
if type(r) is not str:
try:
for k, v in r.items():
- elem.attrib[k] = v
+ try:
+ k = unicode(str(k))
+ v = unicode(str(v))
+ elem.attrib[k] = v
+ except:
+ print ("Could not convert key or value to unicode: '%s = %s'" % (repr(k), repr(v)))
+ print ("In element: %s" % repr(elem.attrib))
+ continue
xml_doc.append(elem)
except AttributeError:
continue
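Review bot: in the new inner try, unicode(str(v)) still decodes with the default ASCII codec, so a value containing bytes above 127 (the case this change is meant to handle) raises, is printed and is then dropped from the XML instead of being written. Decoding byte strings with an explicit encoding and an error handler, for example v.decode('utf-8', 'replace'), would keep the attribute, and the bare "except:" should be narrowed to UnicodeError so unrelated failures are not hidden.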
Hello @darkoperator! I hope you are doing well, sir.
It would be good if it were possible to have the shodan-python(1) integrated with an "online" or "offline" (such as passive or active validation).
Expanding the SPF and/or whois networks through Shodan's query "net:xyz.xyz.xyz.xyz/24(or whatever net it found)", looking for new names. Giving the option to validate if the name found still responds or not depending on what the user has set in the options.
Something like:
--shodan "api-key" or "file-with-api-key" --shodan-passive --shodan-active
I love this tool and have used it for so long, thank you for all your effort to maintain it. Cheers!
Hello!
I'm trying to check my own domain lineratedev.net and do not have any success:
./dnsrecon.py -d lineratedev.net
[*] Performing General Enumeration of Domain: lineratedev.net
[*] DNSSEC is configured for lineratedev.net
Traceback (most recent call last):
File "./dnsrecon.py", line 1682, in <module>
main()
File "./dnsrecon.py", line 1640, in main
spf_enum, do_whois, zonewalk)
File "./dnsrecon.py", line 957, in general_enum
dns_sec_check(domain, res)
File "./dnsrecon.py", line 862, in dns_sec_check
nsectype = get_nsec_type(domain, res)
File "./dnsrecon.py", line 847, in get_nsec_type
answer = get_a_answer(target, res._res.nameservers[0], res._res.timeout)
File "./dnsrecon.py", line 1204, in get_a_answer
answer = dns.query.udp(query, ns, timeout)
File "/usr/local/lib/python2.7/dist-packages/dns/query.py", line 254, in udp
one_rr_per_rrset=one_rr_per_rrset)
File "/usr/local/lib/python2.7/dist-packages/dns/message.py", line 808, in from_wire
reader.read()
File "/usr/local/lib/python2.7/dist-packages/dns/message.py", line 751, in read
raise TrailingJunk
dns.message.TrailingJunk: The DNS packet passed to from_wire() has extra junk at the end of it.
Do you have some ideas how I could resolve this issue?
Thank you!
Running with these parameters:
-t std,axfr,brt -D ~/dns2.txt -d abc.org.uk --csv abc-dns-enum.csv
I get as far as
[*] Expanding IP ranges found in DNS and TXT records for Reverse Look-up
and then it locks up. I've checked with tcpdump and no more traffic is sent out and I've left it for 5 minutes and nothing happened. It is a very small and basic domain, two TXT records, one pointing at outlook.com and one just text.
dnsrecon saves the results in a CSV file.
CSV Contents:
Type,Name,Address,Target,Port,String
A,www.example.com,123.123.123.23
A,ftp.example.com,123.123.123.21
A,app.example.com,123.123.123.20
"Address" columns are imported successfully, but "Name" columns are missing.
For example:
address mac name os_name os_flavor os_sp purpose info comments
123.123.123.20
123.123.123.21
123.123.123.23
When I provide the nameserver as a domain name rather than as an IP address, DnsHelper throws a fit. Here is an example stack trace with a few things redacted:
» python ./dnsrecon.py -d xxx.com -n yyy.zzz.xxx.com. -t std
[*] Performing General Enumeration of Domain:
Traceback (most recent call last):
File "./dnsrecon.py", line 1493, in
main()
File "./dnsrecon.py", line 1362, in main
spf_enum, do_whois, zonewalk)
File "./dnsrecon.py", line 845, in general_enum
dns_sec_check(domain,res)
File "./dnsrecon.py", line 787, in dns_sec_check
answer = res._res.query(domain, 'DNSKEY')
File "/Library/Python/2.7/site-packages/dns/resolver.py", line 785, in query
source_port=source_port)
File "/Library/Python/2.7/site-packages/dns/query.py", line 219, in udp
if _addresses_equal(af, from_address, destination) or
File "/Library/Python/2.7/site-packages/dns/query.py", line 150, in _addresses_equal
n2 = dns.inet.inet_pton(af, a2[0])
File "/Library/Python/2.7/site-packages/dns/inet.py", line 50, in inet_pton
return dns.ipv4.inet_aton(text)
File "/Library/Python/2.7/site-packages/dns/ipv4.py", line 43, in inet_aton
raise dns.exception.SyntaxError
dns.exception.SyntaxError
Hi,
Do you also have a version I could include in a project to use DNSRecon as a library/module? I would like to write a python script that uses DNSRecon but where I can add some additional info from Whois and Google.
Thanks!