[DNSRecon v0.8.6] DNS Enumeration Script

I have just updated DNSRecon to check whether it can pull the Bind Version by querying the TXT record version.bind, and it will now check whether the RA (Recursion Available) flag is set in responses from each of the NS servers it detects. If a server has recursion enabled it could be used for DDoS attacks and for performing Cache Snooping.
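As an added illustration of the two checks described above (this is not DNSRecon's own code, and it uses only the Python standard library), the block below builds the version.bind TXT query in the CHAOS class, parses the response, and reports the RA bit and any TXT strings returned. The function names and the constructed response are this example's own; `audit_nameserver` performs a live UDP query against a server you operate, while `demo` runs entirely offline on a constructed packet.

```python
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
FLAG_QR = 0x8000   # message is a response
FLAG_RD = 0x0100   # recursion desired (set by the querier)
FLAG_RA = 0x0080   # recursion available (set by the server)
QTYPE_TXT = 16
QCLASS_CH = 3      # version.bind is served in the CHAOS class


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, qclass, txid=0x1234):
    """One question with RD set, so a recursive server answers with RA."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def build_response(query, txt_strings, ra):
    """Constructed response for the offline demo: echoes the question and adds
    one TXT answer whose name is a compression pointer (0xC00C) to the question."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | (FLAG_RA if ra else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    rdata = b"".join(bytes([len(s)]) + s.encode("ascii") for s in txt_strings)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CH, 0, len(rdata)) + rdata
    return header + query[12:] + answer


def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:          # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(data):
    """Return the RA bit and the TXT strings found in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                     # skip the question entries
        _, offset = decode_name(data, offset)
        offset += 4
    txt = []
    for _ in range(an):
        _, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata, offset = data[offset:offset + rdlen], offset + rdlen
        if rtype == QTYPE_TXT:              # TXT rdata is a sequence of <len><chars>
            pos = 0
            while pos < len(rdata):
                slen = rdata[pos]
                txt.append(rdata[pos + 1:pos + 1 + slen].decode("ascii", "replace"))
                pos += 1 + slen
    return {"recursion_available": bool(flags & FLAG_RA), "version": txt}


def audit_nameserver(server, timeout=3.0):
    """Live check of a name server you operate (UDP/53); not used by the demo."""
    query = build_query("version.bind", QTYPE_TXT, QCLASS_CH)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data)


def demo():
    """Offline run on a constructed response from a server that discloses
    its version string and advertises recursion."""
    query = build_query("version.bind", QTYPE_TXT, QCLASS_CH)
    return parse_response(build_response(query, ["8.4.X"], ra=True))


if __name__ == "__main__":
    result = demo()
    print("Bind Version:", ", ".join(result["version"]) or "(not disclosed)")
    print("[-] Recursion enabled on NS Server" if result["recursion_available"]
          else "[*] Recursion not advertised")
```

The RA bit is the server's own advertisement that it will recurse; it is the same signal DNSRecon reports, and a server that sets it for arbitrary clients should have recursion turned off or restricted to its own networks, and the version string hidden, on authoritative name servers.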

Example of a run where it is able to pull the Bind Version:
infidel02:dnsrecon carlos$ ./dnsrecon.py -d zonetransfer.me -x zt.xml
[*] Performing General Enumeration of Domain: zonetransfer.me
[-] DNSSEC is not configured for zonetransfer.me
[*]SOA ns16.zoneedit.com
[*]NS ns12.zoneedit.com
[*]Bind Version for 8.4.X
[*]NS ns16.zoneedit.com
[*]Bind Version for 8.4.X
[*]MX ASPMX2.GOOGLEMAIL.COM 2607:f8b0:400c:c03::1a
[*]MX ASPMX3.GOOGLEMAIL.COM 2a00:1450:400c:c03::1b
[*]MX ASPMX4.GOOGLEMAIL.COM 2a00:1450:4013:c01::1b
[*]MX ASPMX5.GOOGLEMAIL.COM 2a00:1450:4001:c02::1a
[*]MX ASPMX.L.GOOGLE.COM 2607:f8b0:4002:c01::1a
[*]MX ALT1.ASPMX.L.GOOGLE.COM 2607:f8b0:400c:c01::1b
[*]MX ALT2.ASPMX.L.GOOGLE.COM 2a00:1450:400c:c03::1a
[*]A zonetransfer.me
[*]TXT zonetransfer.me Remember to call or email Pippa on +44 123 4567890 or [email protected] when making DNS changes
[*]TXT zonetransfer.me google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA
[*] Enumerating SRV Records
[*]SRV _sip._tcp.zonetransfer.me www.zonetransfer.me 5060 0
[*] 1 Records Found
[*] Saving records to XML file: zt.xml

The version and recursion information is also saved in the XML output, as you can see:

infidel02:dnsrecon carlos$ cat zt.xml

<?xml version="1.0" ?>
<records>
  <record address="" mname="ns16.zoneedit.com" type="SOA"/>
  <record Recursive="False" Version="8.4.X" address="" target="ns12.zoneedit.com" type="NS"/>
  <record Recursive="False" Version="8.4.X" address="" target="ns16.zoneedit.com" type="NS"/>
  <record address="" exchange="ASPMX2.GOOGLEMAIL.COM" type="MX"/>
  <record address="" exchange="ASPMX3.GOOGLEMAIL.COM" type="MX"/>
  <record address="" exchange="ASPMX4.GOOGLEMAIL.COM" type="MX"/>
  <record address="" exchange="ASPMX5.GOOGLEMAIL.COM" type="MX"/>
  <record address="" exchange="ASPMX.L.GOOGLE.COM" type="MX"/>
  <record address="" exchange="ALT1.ASPMX.L.GOOGLE.COM" type="MX"/>
  <record address="" exchange="ALT2.ASPMX.L.GOOGLE.COM" type="MX"/>
  <record address="2607:f8b0:400c:c03::1a" exchange="ASPMX2.GOOGLEMAIL.COM" type="MX"/>
  <record address="2a00:1450:400c:c03::1b" exchange="ASPMX3.GOOGLEMAIL.COM" type="MX"/>
  <record address="2a00:1450:4013:c01::1b" exchange="ASPMX4.GOOGLEMAIL.COM" type="MX"/>
  <record address="2a00:1450:4001:c02::1a" exchange="ASPMX5.GOOGLEMAIL.COM" type="MX"/>
  <record address="2607:f8b0:4002:c01::1a" exchange="ASPMX.L.GOOGLE.COM" type="MX"/>
  <record address="2607:f8b0:400c:c01::1b" exchange="ALT1.ASPMX.L.GOOGLE.COM" type="MX"/>
  <record address="2a00:1450:400c:c03::1a" exchange="ALT2.ASPMX.L.GOOGLE.COM" type="MX"/>
  <record address="" name="zonetransfer.me" type="A"/>
  <record name="zonetransfer.me" strings="Remember to call or email Pippa on +44 123 4567890 or [email protected] when making DNS changes" type="TXT"/>
  <record name="zonetransfer.me" strings="google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA" type="TXT"/>
  <record address="" name="_sip._tcp.zonetransfer.me" port="5060" target="www.zonetransfer.me" type="SRV"/>
  <scaninfo arguments="./dnsrecon.py -d zonetransfer.me -x zt.xml" time="2013-05-29 11:36:06.550073"/>
  <domain domain_name="zonetransfer.me"/>
</records>
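Since the `Recursive` and `Version` attributes land on the NS records in the XML, a short triage script can pull just those findings out of a report. The block below is an added example, not part of DNSRecon; `SAMPLE_XML` is a constructed subset of the report above with one NS record changed to `Recursive="True"` so both findings appear, and `ns_findings` is this example's own function.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of DNSRecon's -x output. It is a subset of the
# zt.xml report above, with ns16 flipped to Recursive="True" for the demo.
SAMPLE_XML = """<?xml version="1.0" ?>
<records>
  <record address="" mname="ns16.zoneedit.com" type="SOA"/>
  <record Recursive="False" Version="8.4.X" address="" target="ns12.zoneedit.com" type="NS"/>
  <record Recursive="True" Version="" address="" target="ns16.zoneedit.com" type="NS"/>
  <record address="" exchange="ASPMX.L.GOOGLE.COM" type="MX"/>
  <scaninfo arguments="./dnsrecon.py -d zonetransfer.me -x zt.xml" time="2013-05-29 11:36:06.550073"/>
  <domain domain_name="zonetransfer.me"/>
</records>
"""


def ns_findings(xml_text):
    """Return [(ns_target, [issue, ...]), ...] for every NS record in a report.
    An NS record with no issues still appears, with an empty issue list."""
    root = ET.fromstring(xml_text)
    findings = []
    for rec in root.iter("record"):
        if rec.get("type") != "NS":
            continue
        issues = []
        if rec.get("Recursive", "False") == "True":
            issues.append("recursion advertised")
        if rec.get("Version"):
            issues.append("version disclosed: " + rec.get("Version"))
        findings.append((rec.get("target"), issues))
    return findings


def scan_context(xml_text):
    """Return (arguments, time) from the scaninfo element, for the report header."""
    info = ET.fromstring(xml_text).find("scaninfo")
    return info.get("arguments"), info.get("time")


if __name__ == "__main__":
    args, when = scan_context(SAMPLE_XML)
    print("Scan: %s (%s)" % (args, when))
    for target, issues in ns_findings(SAMPLE_XML):
        marker = "[-]" if issues else "[*]"
        print(marker, target, "; ".join(issues) or "no findings")
```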

Here is an example where recursion is enabled. The message is displayed differently, since this information is crucial during an engagement:

infidel02:dnsrecon carlos$ ./dnsrecon.py -d acmelab.com -n
[*] Performing General Enumeration of Domain: acmelab.com
[*] DNSSEC is configured for acmelab.com
[*] DNSKEYs:
[*] NSEC KSk RSASHA256 ...
[*] NSEC ZSK RSASHA256 ...
[*] NSEC ZSK RSASHA256 ...
[*] NSEC KSk RSASHA256 ...
[*]SOA labns1.acmelab.com
[*]NS labns1.acmelab.com
[-]Recursion enabled on NS Server
[*]MX mail1.acmelab.com
[*]A acmelab.com
[*]TXT acmelab.com v=spf1
[*]TXT _domainkey.acmelab.com o=~; [email protected]
[*] Enumerating SRV Records
[*]SRV _finger._tcp.acmelab.com web1.acmelab.com 79 0
[*]SRV _http._tcp.acmelab.com web2.acmelab.com 80 0
[*]SRV _http._tcp.acmelab.com web1.acmelab.com 80 0
[*]SRV _sip._tls.acmelab.com chat.acmelab.com 443 0
[*]SRV _sipinternaltls._tcp.acmelab.com chat.acmelab.com 5061 0
[*]SRV _https._tcp.acmelab.com web1.acmelab.com 443 0
[*]SRV _https._tcp.acmelab.com web2.acmelab.com 443 0
[*] 7 Records Found
