/// <summary> /// Devuelve todos los DNS que funcionen para un determinado dominio /// </summary> /// <param name="r"></param> /// <param name="domain"></param> /// <param name="NSServer"></param> /// <returns></returns> public static List <string> GetNSServer(Resolver r, string domain, string NSServer) { List <IPEndPoint> lastNSServers = new List <IPEndPoint>(r.DnsServers); try { r.DnsServer = NSServer; Response response = r.Query(domain, QType.NS); if (response.RecordsNS.Length > 0) { List <string> lst = new List <string>(); //No es autoritativa, volver a preguntar if (!response.header.AA) { if (response.RecordsNS.Length > 0) { foreach (RecordNS rNS in response.RecordsNS) { if (NSServer != rNS.NSDNAME) { foreach (string ns in GetNSServer(r, domain, rNS.NSDNAME)) { if (!lst.Contains(ns, StringComparer.OrdinalIgnoreCase)) { lst.Add(ns); } } } else { lst.Add(NSServer); } } } } else { foreach (RecordNS rNS in response.RecordsNS) { lst.Add(RemoveLastPoint(rNS.NSDNAME)); } } //Resuleve los dominios de los DNS List <string> ips = new List <string>(); foreach (string ns in lst) { foreach (IPAddress ip in DNSUtil.GetHostAddresses(ns)) { if (!ips.Contains(ip.ToString())) { if (TestDNS(ip.ToString())) { ips.Add(ip.ToString()); } } } } return(ips); } //Hay servidores autoritativos para esta petición else if (response.Authorities.Count > 0) { try { //Se devuelve el servidor DNS autoritativo if (((RR)response.Authorities[0]).RECORD is RecordSOA) { string dns = RemoveLastPoint(((RecordSOA)((RR)response.Authorities[0]).RECORD).MNAME); if (TestDNS(dns)) { List <string> lst = new List <string>(); lst.Add(dns); return(lst); } } if (((RR)response.Authorities[0]).RECORD is RecordNS) { string dns = RemoveLastPoint(((RecordNS)((RR)response.Authorities[0]).RECORD).NSDNAME); if (TestDNS(dns)) { List <string> lst = new List <string>(); lst.Add(dns); return(lst); } } } catch { } } } catch { } finally { r.DnsServers = lastNSServers.ToArray(); } return(new List <string>()); }
/// <summary> /// Search subdomains using wordlists /// </summary> private void SearchCommonNames() { var message = $"Searching subdomains of {strDomain} using common DNS names"; Program.LogThis(new Log(Log.ModuleType.DNSCommonNames, message, Log.LogType.debug)); Program.ChangeStatus(message); var names = new List <string>(); try { names.AddRange(File.ReadAllLines(CommonNamesFileName)); } catch { Program.LogThis(new Log(Log.ModuleType.DNSCommonNames, $"Error opening file: {CommonNamesFileName}", Log.LogType.error)); return; } List <string> nsServerList = new List <string>(); foreach (var item in Resolve.DnsServers) { nsServerList.AddRange(DNSUtil.GetNSServer(Resolve, strDomain, item.Address.ToString())); } foreach (var nsServer in nsServerList) { if (DNSUtil.IsDNSAnyCast(Resolve, nsServer, strDomain)) { Program.LogThis(new Log(Log.ModuleType.DNSCommonNames, $"DNS server is Anycast, not used: {nsServer}", Log.LogType.debug)); } else { var op = Partitioner.Create(names); var po = new ParallelOptions(); if (Program.cfgCurrent.ParallelDnsQueries != 0) { po.MaxDegreeOfParallelism = Program.cfgCurrent.ParallelDnsQueries; } try { Parallel.ForEach(op, po, delegate(string name) { CancelIfSkipRequested(); var subdomain = $"{name}.{strDomain}"; Program.LogThis(new Log(Log.ModuleType.DNSCommonNames, string.Format("[{0}] Trying resolve subdomain: {1} with NameServer {0}", nsServer, subdomain), Log.LogType.debug)); foreach (var ip in DNSUtil.GetHostAddresses(Resolve, subdomain, nsServer)) { Program.LogThis(new Log(Log.ModuleType.DNSCommonNames, $"[{nsServer}] Found subdomain {subdomain}", Log.LogType.medium)); CancelIfSkipRequested(); try { Program.data.AddResolution(subdomain, ip.ToString(), $"Common Names [{subdomain}]", MaxRecursion, Program.cfgCurrent, true); } catch (Exception) { } } }); } catch (AggregateException) { } catch (OperationCanceledException) { } if (!bSearchWithAllDNS) { break; } } } }
/// <summary> /// Search subdomains using wordlists /// </summary> private void SearchCommonNames() { string initialMessage = $"Searching subdomains of {strDomain} using common DNS names."; string progressMessageFormat = initialMessage + " ({0} of {1}) queries"; Program.LogThis(new Log(Log.ModuleType.DNSCommonNames, initialMessage, Log.LogType.debug)); Program.ChangeStatus(initialMessage); List <string> names = new List <string>(); try { names.AddRange(File.ReadAllLines(CommonNamesFileName)); } catch { Program.LogThis(new Log(Log.ModuleType.DNSCommonNames, $"Error opening file: {CommonNamesFileName}", Log.LogType.error)); return; } if (names.Count > 0) { List <string> nsServerList = new List <string>(); foreach (IPEndPoint item in Resolve.DnsServers) { nsServerList.AddRange(DNSUtil.GetNSServer(Resolve, strDomain, item.Address.ToString())); } int totalPossibilities = nsServerList.Count * names.Count; int queriedCount = 0; foreach (string nsServer in nsServerList) { if (DNSUtil.IsDNSAnyCast(Resolve, nsServer, strDomain)) { Program.LogThis(new Log(Log.ModuleType.DNSCommonNames, $"DNS server is Anycast, not used: {nsServer}", Log.LogType.debug)); } else { var op = Partitioner.Create(names); var po = new ParallelOptions(); if (Program.cfgCurrent.ParallelDnsQueries != 0) { po.MaxDegreeOfParallelism = Program.cfgCurrent.ParallelDnsQueries; } try { Parallel.ForEach(op, po, delegate(string name) { CancelIfSkipRequested(); var subdomain = $"{name}.{strDomain}"; Program.LogThis(new Log(Log.ModuleType.DNSCommonNames, string.Format("[{0}] Trying resolve subdomain: {1} with NameServer {0}", nsServer, subdomain), Log.LogType.debug)); foreach (var ip in DNSUtil.GetHostAddresses(Resolve, subdomain, nsServer)) { Program.LogThis(new Log(Log.ModuleType.DNSCommonNames, $"[{nsServer}] Found subdomain {subdomain}", Log.LogType.medium)); CancelIfSkipRequested(); try { Program.data.AddResolution(subdomain, ip.ToString(), $"Common Names [{subdomain}]", MaxRecursion, Program.cfgCurrent, true); } catch (Exception) { } } Interlocked.Increment(ref queriedCount); Invoke(new MethodInvoker(delegate { Program.FormMainInstance.toolStripProgressBarDownload.Value = queriedCount * 100 / totalPossibilities; Program.FormMainInstance.toolStripStatusLabelLeft.Text = String.Format(progressMessageFormat, queriedCount, totalPossibilities); Program.FormMainInstance.ReportProgress(queriedCount, totalPossibilities); })); }); } catch (AggregateException) { } catch (OperationCanceledException) { } if (!bSearchWithAllDNS) { break; } } } Invoke(new MethodInvoker(delegate { Program.FormMainInstance.toolStripProgressBarDownload.Value = 0; Program.FormMainInstance.toolStripStatusLabelLeft.Text = String.Empty; Program.FormMainInstance.ReportProgress(0, 0); })); Program.LogThis(new Log(Log.ModuleType.DNSCommonNames, $"DNS dictionary search finished with {queriedCount} queries!", Log.LogType.medium)); } else { Program.LogThis(new Log(Log.ModuleType.DNSCommonNames, "The domain names file is empty.", Log.LogType.error)); } }
/// <summary> /// Add domain if this not exist in the list. /// </summary> /// <param name="domain"></param> /// <param name="source"></param> /// <param name="maxRecursion"></param> /// <param name="cfgCurrent"></param> public void AddDomain(string domain, string source, int maxRecursion, Configuration cfgCurrent) { domain = domain.Trim(); if (domains.Items.Any(S => S.Domain.ToLower() == domain.ToLower())) { return; } var dItem = new DomainsItem(domain, source); domains.Items.Add(dItem); #if PLUGINS Thread tPluginOnDomain = new Thread(new ParameterizedThreadStart(Program.data.plugins.OnNewDomain)); tPluginOnDomain.IsBackground = true; object[] oDomain = new object[] { new object[] { domain } }; tPluginOnDomain.Start(oDomain); #endif var domainParts = domain.Split('.'); var currentdomain = domainParts[domainParts.Length - 1]; for (var i = 2; i < domainParts.Length; i++) { currentdomain = domainParts[domainParts.Length - i] + "." + currentdomain; AddDomain(currentdomain, string.Format("{0} > Inferred by {2} [{1}]", GetDomainSource(domain), currentdomain, domain), maxRecursion - 1, cfgCurrent); } if (maxRecursion <= 0) { OnChangeEvent(null); return; } //OnLog(null, new EventsThreads.ThreadStringEventArgs(string.Format("Resolving domain: {0}", domain))); var listIpsOfDomain = DNSUtil.GetHostAddresses(domain); if (listIpsOfDomain.Count == 0) { var computer = new ComputersItem(); computer.type = ComputersItem.Tipo.Server; computer.name = domain; computer.NotOS = true; computer.os = OperatingSystem.OS.Unknown; if (!computers.Items.Any(S => S.name == domain)) { computers.Items.Add(computer); } } foreach (var IP in listIpsOfDomain) { if (Program.data.IsMainDomainOrAlternative(domain)) { var limit = Program.data.GetLimitFromIp(IP.ToString()); if (limit == null) { Program.data.AddLimit(new Limits(IP.ToString())); } else { var lastOct = int.Parse(IP.ToString().Split(new char[] { '.' })[3]); if (lastOct < limit.Lower) { limit.Lower = lastOct; } else if (lastOct > limit.Higher) { limit.Higher = lastOct; } } } AddResolution(domain, IP.ToString(), string.Format("{0} > DNS resolution [{1}]", GetDomainSource(domain), IP.ToString()), maxRecursion - 1, Program.cfgCurrent, false); } // Fingerprinting HTTP if (cfgCurrent.PassiveFingerPrintingHttp && cfgCurrent.FingerPrintingAllHttp) { if (NewDomainByHTTPServer != null) { NewDomainByHTTPServer(dItem, null); } } else if ((cfgCurrent.PassiveFingerPrintingHttp) && (source.ToLower() == "documents search" || source.ToLower().Contains("websearch") || source.ToLower().Contains("bing ip search") || source.ToLower().Contains("technologyrecognition") || source.ToLower().Contains("fingerprinting") || source.ToLower().Contains("certificate fingerprinting"))) { if (NewDomainByHTTPServer != null) { NewDomainByHTTPServer(dItem, null); } } // Fingerprinting SMTP if (cfgCurrent.PasiveFingerPrintingSmtp && cfgCurrent.FingerPrintingAllSmtp) { if (NewDomainByMXServer != null) { NewDomainByMXServer(dItem, null); } } else if ((cfgCurrent.PasiveFingerPrintingSmtp) && (source.ToLower().Contains("mx server"))) { if (NewDomainByMXServer != null) { NewDomainByMXServer(dItem, null); } } // Fingerprinting FTP if (cfgCurrent.FingerPrintingAllFtp) { if (NewDomainByFTPServer != null) { NewDomainByFTPServer(dItem, null); } } OnChangeEvent(null); }
/// <summary> /// Devuelve todos los DNS que funcionen para un determinado dominio /// </summary> /// <param name="r"></param> /// <param name="domain"></param> /// <param name="NSServer"></param> /// <param name="previosNSrecords"></param> /// <returns></returns> public static ICollection <string> GetNSServer(Resolver r, string domain, string NSServer, ICollection <string> previosNSrecords = null) { try { Resolver currentResolver = r.Clone(); HashSet <string> ips = new HashSet <string>(StringComparer.OrdinalIgnoreCase); if (previosNSrecords == null) { previosNSrecords = new HashSet <string>(StringComparer.OrdinalIgnoreCase); } previosNSrecords.Add(NSServer); currentResolver.DnsServer = NSServer; Response response = currentResolver.Query(domain, QType.NS); if (response.RecordsNS.Length > 0) { HashSet <string> nameservers = new HashSet <string>(); //No es autoritativa, volver a preguntar if (!response.header.AA) { nameservers.UnionWith(response.RecordsNS.Where(p => !previosNSrecords.Contains(p.NSDNAME)).Select(p => p.NSDNAME)); foreach (string rNS in nameservers) { ips.UnionWith(GetNSServer(currentResolver, domain, rNS, previosNSrecords)); } } else { foreach (RecordNS rNS in response.RecordsNS) { nameservers.Add(RemoveLastPoint(rNS.NSDNAME)); } } //Resuelve los dominios de los DNS foreach (string ns in nameservers) { foreach (IPAddress ip in DNSUtil.GetHostAddresses(ns)) { if (!ips.Contains(ip.ToString())) { if (TestDNS(ip.ToString())) { ips.Add(ip.ToString()); } } } } return(ips); } //Hay servidores autoritativos para esta petición else if (response.Authorities.Count > 0) { try { //Se devuelve el servidor DNS autoritativo if (response.Authorities[0].RECORD is RecordSOA recordSOA) { string dns = RemoveLastPoint(recordSOA.MNAME); if (TestDNS(dns)) { return(new List <string>() { dns }); } } if (response.Authorities[0].RECORD is RecordNS recordNS) { string dns = RemoveLastPoint(recordNS.NSDNAME); if (TestDNS(dns)) { return(new List <string>() { dns }); } } } catch { } } } catch { } return(new List <string>()); }