*Original author: chora. This article is part of the FreeBuf original award program; reprinting without permission is prohibited.
Preface
In my view, information gathering is the most important phase of a penetration test, because it directly determines what the test can find. Today I want to share one small part of information gathering: subdomain brute-forcing.
Why subdomain brute-forcing matters
Subdomain brute-forcing can find domain names that cannot be discovered through public sources.
Some domain names resolve directly to intranet addresses, which helps extend the impact of certain vulnerabilities, such as SSRF.
Many small websites keep their admin back end under a directory of the main domain or under a third-level domain, while many large websites keep it under second-level, third-level and deeper domains, or even under directories of those domains.
How brute-forcing works
Brute-forcing is simply enumerating the A records of candidate domain names.
How to brute-force
First, resolve a random, non-existent domain name such as chorashishuaige.xx.com and record the IP address returned by wildcard resolution.
Then enumerate the A records of candidate names taken from a dictionary or from custom rules, and compare each answer with the A record of chorashishuaige.xx.com recorded at the start. Any name whose answer differs is an existing domain name, that is, a domain name in use.
How to defend
There is no real defence; you can only raise the cost of brute-forcing. Wildcard resolution combined with DNS round-robin can be used: resolving a random non-existent name such as chorashishuaige.xx.com returns one group of IPs, and resolving another non-existent name returns a different group.
This produces false positives in subdomain brute-forcing tools. Of course, a tool can resolve several random names, store all the returned IPs in a set, and then compare against it: if an enumerated name's A record is not in the set, it is an existing domain name, that is, a domain name in use.
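The baseline-and-compare logic just described, written out as an added example (it is not code from the original article or from the tool it presents). It uses a constructed stub resolver instead of real DNS so that it runs offline; the stub emulates a wildcard zone whose answers rotate through a pool of addresses, and every name, address and word list below is made up for the illustration.

```python
import itertools
import random
import string
from typing import Callable, Dict, List, Set

Resolver = Callable[[str], List[str]]


class StubResolver:
    """Constructed, offline stand-in for a DNS resolver (assumption: no real
    lookups). Explicitly defined names return their own A records; any other
    name under `zone` hits a wildcard that answers with two addresses taken
    from a rotating pool, emulating wildcard resolution plus round-robin;
    names outside the zone do not resolve at all (NXDOMAIN)."""

    def __init__(self, zone: str, records: Dict[str, List[str]], pool: List[str]):
        self.zone = zone
        self.records = records
        self._pool = itertools.cycle(pool)

    def __call__(self, name: str) -> List[str]:
        if name in self.records:
            return list(self.records[name])
        if name.endswith("." + self.zone):
            return [next(self._pool), next(self._pool)]
        return []


def random_label(rng: random.Random, length: int = 16) -> str:
    """A label long and random enough that it cannot be a real hostname."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(rng.choice(alphabet) for _ in range(length))


def wildcard_baseline(resolve: Resolver, zone: str, probes: int, seed: int = 0) -> Set[str]:
    """Resolve several random non-existent names and collect every address the
    wildcard returns. Repeating the probe is what handles round-robin: a
    single probe sees only part of the pool."""
    rng = random.Random(seed)
    seen: Set[str] = set()
    for _ in range(probes):
        seen.update(resolve(f"{random_label(rng)}.{zone}"))
    return seen


def brute_force(resolve: Resolver, zone: str, words: List[str], baseline: Set[str]) -> Dict[str, List[str]]:
    """Enumerate A records for each candidate and keep a name only if it
    answers with at least one address outside the wildcard baseline."""
    found: Dict[str, List[str]] = {}
    for word in words:
        name = f"{word}.{zone}"
        answer = resolve(name)
        if answer and not set(answer) <= baseline:
            found[name] = answer
    return found


# Constructed sample zone; all addresses come from the RFC 5737 documentation ranges.
ZONE = "example.com"
WILDCARD_POOL = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]
RECORDS = {
    "www.example.com": ["203.0.113.10"],
    "mail.example.com": ["203.0.113.20", "203.0.113.21"],
    # a real host that happens to share an address with the wildcard pool
    "legacy.example.com": ["192.0.2.2"],
}
WORDLIST = ["www", "mail", "admin", "dev", "legacy"]


def demo(probes: int) -> Dict[str, List[str]]:
    """Run the whole procedure against a fresh stub resolver."""
    resolve = StubResolver(ZONE, RECORDS, WILDCARD_POOL)
    baseline = wildcard_baseline(resolve, ZONE, probes=probes, seed=1)
    return brute_force(resolve, ZONE, WORDLIST, baseline)


if __name__ == "__main__":
    print("one probe  :", sorted(demo(probes=1)))  # admin.example.com slips through
    print("four probes:", sorted(demo(probes=4)))  # only www and mail remain
```

With a single probe the baseline holds only two of the four pool addresses, so admin.example.com is reported even though it is just the wildcard answering; four probes fill the set and the false positive disappears. The constructed legacy.example.com entry shows the limit of address comparison: a real host whose A record falls inside the wildcard pool is indistinguishable from the wildcard by this method, so it is dropped either way.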
Features
Some organisations like names of the form xxxxx.xx.com while others prefer xxx-o2o.xx.com. To brute-force more efficiently in such cases you can put {fuzzy} in place of the variable part, for example {fuzzy}xxx.xx.com or {fuzzy}-o2o.xx.com, so that only the designated position is enumerated.
For example, take the six-level domain name test.m.esf.db.house.xx.com. Without recursive traversal you would first brute-force xx.com, then house.xx.com, then db.house.xx.com, and so on down to test.m.esf.db.house.xx.com, starting each step by hand, which is far too slow. With recursive traversal you only enter xx.com and the tool descends automatically to the specified level, or until no further domain names are found.
A large number of DNS requests can congest the network, especially when a recursive brute-force is left running for several days, which may affect your colleagues' connectivity. In that case you can pause the run and continue the remaining brute-forcing later.
Usage
You can import your own dictionary for brute-forcing, or define your own rules.
The level option sets how many levels to traverse. For example, going from xx.com to test.m.esf.db.house.xx.com is five levels. Of course, nobody has to count them; that would be too tedious.
You can simply set the level count to something larger than five, such as 10: if no new domain names appear once the fifth level has been traversed, the tool stops automatically.
The dictionary (or rule) is used to brute-force the second-level domain; dictionary 2 (or rule 2) is used for the third level and below.
The start function uses the dictionary or rule to brute-force the second-level domain, then uses dictionary 2 or rule 2 to traverse downward until no new domain name is found or the specified level is reached.
The traverse function first imports or adds the domain names to traverse (names containing {fuzzy} are supported), then uses dictionary 2 or rule 2 to traverse downward until no new domain name is found or the specified level is reached.
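The {fuzzy} placeholder, the level option and the two workflows (start, traverse) described above, as an added example that is not the tool's own code. The wildcard-aware A-record check from the earlier section is abstracted into a `resolves(name)` predicate; here that predicate is a membership test on a constructed set of names, so the block runs offline. All names and word lists below are made up, and the numbering of levels (house.example.com is level 1) is an assumption chosen to match the five-level count in the text.

```python
from typing import Callable, Dict, List

FUZZY = "{fuzzy}"


def expand(pattern: str, words: List[str]) -> List[str]:
    """Substitute every {fuzzy} marker with each word. A pattern without the
    marker gets a new label prepended, which is the ordinary case of
    brute-forcing one level below an existing name."""
    if FUZZY not in pattern:
        pattern = f"{FUZZY}.{pattern}"
    return [pattern.replace(FUZZY, word) for word in words]


def traverse(resolves: Callable[[str], bool], starts: List[str], words2: List[str],
             max_levels: int, first_level: int = 1) -> Dict[int, List[str]]:
    """Level-by-level descent: every name confirmed at one level becomes a
    parent for the next, always using dictionary 2 (`words2`). The loop ends
    at `max_levels` or as soon as a level yields no new name, so an
    overestimated level count (10 for a 5-level tree) costs nothing extra."""
    found: Dict[int, List[str]] = {}
    parents = list(starts)
    for level in range(first_level, max_levels + 1):
        discovered: List[str] = []
        for parent in parents:
            for candidate in expand(parent, words2):
                if resolves(candidate) and candidate not in discovered:
                    discovered.append(candidate)
        if not discovered:
            break
        found[level] = discovered
        parents = discovered
    return found


def start(resolves: Callable[[str], bool], apex: str, words1: List[str],
          words2: List[str], max_levels: int) -> Dict[int, List[str]]:
    """The 'start' workflow: dictionary 1 for the second level, then
    dictionary 2 for everything below it."""
    level1 = [name for name in expand(apex, words1) if resolves(name)]
    if not level1:
        return {}
    found = {1: level1}
    found.update(traverse(resolves, level1, words2, max_levels, first_level=2))
    return found


# Constructed set of names that "exist"; in practice `resolves` would be the
# wildcard-aware A-record check rather than a set lookup.
KNOWN = {
    "house.example.com",
    "mail.example.com",
    "api-o2o.example.com",
    "db.house.example.com",
    "esf.db.house.example.com",
    "m.esf.db.house.example.com",
    "test.m.esf.db.house.example.com",
}
WORDS1 = ["www", "mail", "house", "api"]   # dictionary for the second level
WORDS2 = ["db", "esf", "m", "test", "www"]  # dictionary 2 for deeper levels


if __name__ == "__main__":
    for level, names in start(KNOWN.__contains__, "example.com", WORDS1, WORDS2, 10).items():
        print(level, names)
    # the traverse workflow with a {fuzzy} pattern at a designated position
    print(traverse(KNOWN.__contains__, ["{fuzzy}-o2o.example.com"], ["api", "shop"], 3))
```

Running start with a level limit of 10 still stops after level 5, because the sixth round produces nothing, which is the behaviour the text describes for an overestimated level count. The traverse call shows that a {fuzzy} pattern is only expanded at the marked position on its first level; the names it finds are then treated like any other parent for the levels below.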
The following shows the total number of Tencent domain names collected through three days of recursive brute-forcing combined with other information-gathering methods.
Download address
Tool download password: is5f
GitHub source download
Ms509 team blog