Class: Wmap::DnsBruter

Inherits:

Object

• Object
• Wmap::DnsBruter

Includes:

Utils

Defined in:

lib/wmap/dns_bruter.rb

Overview

Class to discover valid hosts through either zone transfer or DNS brute-force methods

Constant Summary

Constants included from Utils::UrlMagic

Utils::UrlMagic::Max_http_timeout, Utils::UrlMagic::User_agent

Constants included from Utils::DomainRoot

Utils::DomainRoot::File_ccsld, Utils::DomainRoot::File_cctld, Utils::DomainRoot::File_gtld, Utils::DomainRoot::File_tld

Instance Attribute Summary

• #data_dir ⇒ Object

  Returns the value of attribute data_dir.

• #discovered_hosts_from_dns_bruter ⇒ Object readonly

  Returns the value of attribute discovered_hosts_from_dns_bruter.

• #fail_domain_cnt ⇒ Object readonly

  Returns the value of attribute fail_domain_cnt.

• #file_hosts ⇒ Object

  Returns the value of attribute file_hosts.

• #hosts_dict ⇒ Object

  Returns the value of attribute hosts_dict.

• #max_parallel ⇒ Object

  Returns the value of attribute max_parallel.

• #verbose ⇒ Object

  Returns the value of attribute verbose.

Instance Method Summary

• #brute_all(num = @max_parallel) ⇒ Object

  Parallel DNS brute-force all existing domains.

• #brute_force_dns(host) ⇒ Object

  Return a list of valid hosts by brute-forcing the name servers.

• #dns_brute_domains(targets, num = @max_parallel) ⇒ Object

  Parallel DNS brute-forcer operating on the trusted domains - by utilizing fork manager to spawn multiple child processes on multiple sub_domain domains from the local hosts table simultaneously.

• #dns_brute_file(file_target, num = @max_parallel) ⇒ Object

  Parallel DNS brute-forcer operating on target domain file - by utilizing fork manager to spawn multiple child processes on multiple domains simultaneously.

• #dns_brute_worker(host) ⇒ Object (also: #query, #brute)

  Main worker to perform the brute-forcing on an Internet domain.

• #dns_brute_workers(list, num = @max_parallel) ⇒ Object (also: #queries, #brutes)

  Parallel DNS brute-forcer operating on target domain list - by utilizing fork manager to spawn multiple child processes on multiple domains simultaneously.

• #get_vulnerable_ns(domain) ⇒ Object

  Test the DNS server if zone transfer is allowed.

• #hostname_mutation(host) ⇒ Object (also: #mutation)

  Return a list of hosts in the mutation form from the original, i.e.

• #initialize(params = {}) ⇒ DnsBruter constructor

  Set default instance variables.

• #print_discovered_hosts_from_bruter ⇒ Object (also: #print)

  Print summary report of found hosts from the brute force attacks.

• #zone_transfer(domain) ⇒ Object

  Perform zone transfer on a domain, return found host entries in an array.

Methods included from Utils

#cidr_2_ips, #file_2_hash, #file_2_list, #get_nameserver, #get_nameservers, #host_2_ip, #host_2_ips, #is_cidr?, #is_fqdn?, #is_ip?, #list_2_file, #reverse_dns_lookup, #sort_ips, #valid_dns_record?, #zone_transferable?

Methods included from Utils::Logger

#wlog

Methods included from Utils::UrlMagic

#create_absolute_url_from_base, #create_absolute_url_from_context, #host_2_url, #is_site?, #is_ssl?, #is_url?, #landing_location, #make_absolute, #normalize_url, #open_page, #redirect_location, #response_code, #response_headers, #url_2_host, #url_2_path, #url_2_port, #url_2_site, #urls_on_same_domain?

Methods included from Utils::DomainRoot

#get_domain_root, #get_domain_root_by_ccsld, #get_domain_root_by_cctld, #get_domain_root_by_tlds, #get_sub_domain, #is_domain_root?, #print_ccsld, #print_cctld, #print_gtld

Constructor Details

#initialize(params = {}) ⇒ DnsBruter

Set default instance variables

# File 'lib/wmap/dns_bruter.rb', line 20

def initialize (params = {})
	# Change to your brute-force dictionary file here if necessary
	@data_dir=params.fetch(:data_dir, File.dirname(__FILE__)+'/../../data/')
	Dir.mkdir(@data_dir) unless Dir.exist?(@data_dir)
	@file_hosts = @data_dir + 'hosts'
	@verbose=params.fetch(:verbose, false)
	@discovered_hosts_from_dns_bruter=Hash.new
	@hosts_dict=params.fetch(:hosts_dict, File.dirname(__FILE__)+'/../../dicts/hostnames-dict.txt')
	@max_parallel=params.fetch(:max_parallel, 30)
	@fail_domain_cnt=Hash.new
end

Instance Attribute Details

#data_dir ⇒ Object

Returns the value of attribute data_dir.

# File 'lib/wmap/dns_bruter.rb', line 16

def data_dir
  @data_dir
end

#discovered_hosts_from_dns_bruter ⇒ Object (readonly)

Returns the value of attribute discovered_hosts_from_dns_bruter.

# File 'lib/wmap/dns_bruter.rb', line 17

def discovered_hosts_from_dns_bruter
  @discovered_hosts_from_dns_bruter
end

#fail_domain_cnt ⇒ Object (readonly)

Returns the value of attribute fail_domain_cnt.

# File 'lib/wmap/dns_bruter.rb', line 17

def fail_domain_cnt
  @fail_domain_cnt
end

#file_hosts ⇒ Object

Returns the value of attribute file_hosts.

# File 'lib/wmap/dns_bruter.rb', line 16

def file_hosts
  @file_hosts
end

#hosts_dict ⇒ Object

Returns the value of attribute hosts_dict.

# File 'lib/wmap/dns_bruter.rb', line 16

def hosts_dict
  @hosts_dict
end

#max_parallel ⇒ Object

Returns the value of attribute max_parallel.

# File 'lib/wmap/dns_bruter.rb', line 16

def max_parallel
  @max_parallel
end

#verbose ⇒ Object

Returns the value of attribute verbose.

# File 'lib/wmap/dns_bruter.rb', line 16

def verbose
  @verbose
end

Instance Method Details

#brute_all(num = @max_parallel) ⇒ Object

Parallel DNS brute-force all existing domains

# File 'lib/wmap/dns_bruter.rb', line 245

def brute_all(num=@max_parallel)
	puts "Start the parallel brute-forcing all domains with maximum child processes: #{num}"
	begin
		hosts=Array.new
		my_dis=Wmap::HostTracker.instance
		my_dis.data_dir=@data_dir
		known_domains=my_dis.dump_root_domains
		hosts=dns_brute_domains(num, known_domains)
		my_dis.adds(hosts)
		my_dis.save!
		my_dis=nil
		hosts
	rescue Exception => ee
		puts "Exception on method #{__method__}: #{ee}" if @verbose
	end
end

#brute_force_dns(host) ⇒ Object

Return a list of valid hosts by brute-forcing the name servers

# File 'lib/wmap/dns_bruter.rb', line 159

def brute_force_dns (host)
	puts "Start dictionary attacks on the DNS server for: #{host}" if @verbose
	begin
		host=host.strip
		valid_hosts = Array.new
		my_host_tracker = Wmap::HostTracker.instance
		my_host_tracker.data_dir=@data_dir
		# build the host dictionary for the brute force method
		dict = Array.new
		if File.exists?(@hosts_dict)
			dict = file_2_list(@hosts_dict)
		elsif File.exists?(@file_hosts)
			dict = my_host_tracker.top_hostname(200)
			my_host_tracker.list_2_file(dict,@hosts_dict)
		else
			abort "Error: Non-existing common hosts dictionary file - #{@host_dict} or hosts file #{@file_hosts}. Please check your file path and name setting again."
		end
		domain=String.new
		unless is_root_domain?(host) or my_host_tracker.sub_domain_known?(host)
			my_hosts=hostname_mutation(host).map {|x| x.split('.')[0]}
			dict+=my_hosts unless my_hosts.empty?
		end
		if is_domain?(host) or my_host_tracker.sub_domain_known?(host)
			domain=host
		elsif
			array_h=host.split('.')
			array_h.shift
			domain=array_h.join('.')
			puts "Domain for #{host}: #{domain}" if @verbose
		end
		dict+=[host.split(".")[0],""]
		puts "Choose Brute-force Dictionary: #{dict}" if @verbose
		cnt=0
		dict.each do |x|
			# 10/09/2013 add logic to skip brute-forcing the domain in case of experiencing more than 2 Dnsruby::ServFail conditions
			if @fail_domain_cnt.key?(domain)
				if @fail_domain_cnt[domain]>2
					puts "Error! Multiple ServFail conditions detected in method #{__method__}. Now skip remaining works on: #{sub_domain}" if @verbose
					return valid_hosts
				end
			end
			cnt=cnt+1
			if x.nil?
				next
			elsif x.empty?
				host=domain
			else
				host=[x,".",domain].join.downcase
			end
			valid_hosts.push(host) if valid_dns_record?(host)
			# Logic to detecting the bluff if the DNS server return hostname we threw to it
			if cnt==10 && valid_hosts.size>=10
				valid_hosts=[host]
				puts "Brute force method fail, as the DNS server response to every host-name threw at it!"
				break
			end
		end
		puts "Found DNS records on domain #{host}: #{valid_hosts}" if @verbose
		@discovered_hosts_from_dns_bruter[host] = valid_hosts
		my_host_tracker = nil
		return valid_hosts.uniq
	rescue Exception => ee
		puts "Exception on method #{__method__}: #{ee}" if @verbose
	end
end

#dns_brute_domains(targets, num = @max_parallel) ⇒ Object

Parallel DNS brute-forcer operating on the trusted domains - by utilizing fork manager to spawn multiple child processes on multiple sub_domain domains from the local hosts table simultaneously

# File 'lib/wmap/dns_bruter.rb', line 226

def dns_brute_domains(targets,num=@max_parallel)
	puts "Start the parallel brute-forcing with multiple child processes: #{num}"
	begin
		hosts=Array.new
		# Sliced to chunks of 1,000 domains for each process time, to avoid potential overflow of large array ?
		puts "Brute-forcing the following domain: #{targets}" if @verbose
		targets.each_slice(1000).to_a.map do |slice|
			hosts_new=dns_brute_workers(slice,num)
			hosts << hosts_new
		end
		puts "Parallel bruting result: #{hosts.flatten}" if @verbose
		return hosts.flatten
	rescue Exception => ee
		puts "Exception on method #{__method__}: #{ee}" if @verbose
		return hosts.flatten
	end
end

#dns_brute_file(file_target, num = @max_parallel) ⇒ Object

Parallel DNS brute-forcer operating on target domain file - by utilizing fork manager to spawn multiple child processes on multiple domains simultaneously

# File 'lib/wmap/dns_bruter.rb', line 87

def dns_brute_file(file_target,num=@max_parallel)
	puts "Start the parallel brute-forcing with multiple child processes on target file #{file_target}: #{num}"
	begin
		hosts=Array.new
		targets=file_2_list(file_target)
		hosts=dns_brute_workers(targets,num)
		return hosts
	rescue Exception => ee
		puts "Exception on method #{__method__}: #{ee}" if @verbose
		return hosts
	end
end

#dns_brute_worker(host) ⇒ Object Also known as: query, brute

Main worker to perform the brute-forcing on an Internet domain

# File 'lib/wmap/dns_bruter.rb', line 33

def dns_brute_worker(host)
	puts "Start DNS brute forcer on: #{host}"
	results=Hash.new
	domain=get_domain_root(host)
	begin
		host=host.strip.downcase
		raise "Invalid internet host format: #{host}" unless is_fqdn?(host)
		domain=get_domain_root(host)
		# If we can do the zone transfer, then the brute-force process can be skipped.
		if zone_transferable?(domain)
			hosts=zone_transfer(domain)
		else
			hosts=brute_force_dns(host)
		end
		results[domain]=hosts
		puts "Finish discovery on #{host}: #{results}"
		return results
	rescue Exception=>ee
		puts "Exception on method #{__method__}: #{ee}" if @verbose
		return results
	end
end

#dns_brute_workers(list, num = @max_parallel) ⇒ Object Also known as: queries, brutes

Parallel DNS brute-forcer operating on target domain list - by utilizing fork manager to spawn multiple child processes on multiple domains simultaneously

# File 'lib/wmap/dns_bruter.rb', line 59

def dns_brute_workers(list,num=@max_parallel)
	puts "Start the parallel engine one the domain list: #{list} \nMaximum brute-forcing session: #{num} "
	begin
		targets=list.uniq.keep_if { |x| is_fqdn?(x) }
		results=Hash.new
		Parallel.map(targets, :in_processes => num) { |target|
			dns_brute_worker(target)
		}.each do |process|
			if process.nil?
				next
			elsif process.empty?
				#do nothing in case of thrown an empty array
			else
				#domain=get_domain_root(process.first).downcase
				results.merge!(process)
			end
		end
		puts "Parallel DNS brute-force results: #{results}" if @verbose
		@discovered_hosts_from_dns_bruter.merge!(results)
		return results
	rescue Exception => ee
		puts "Exception on method #{__method__}: #{ee}" if @verbose
	end
end

#get_vulnerable_ns(domain) ⇒ Object

Test the DNS server if zone transfer is allowed. If allowed, save the found hosts into the class variable.

# File 'lib/wmap/dns_bruter.rb', line 138

def get_vulnerable_ns(domain)
	puts "Identify the vulnerable DNS servers if zone transfer is allowed."
	domain=domain.strip.downcase
	vuln=Array.new
	begin
		nameservers = get_nameservers(domain)
		nameservers.each do |nssrv|
			zt = Dnsruby::ZoneTransfer.new
			zt.server=nssrv unless nssrv.empty?
			records = zt.transfer(domain)
			unless records==nil
				vuln.push(nssrv)
			end
		end
		return vuln
	rescue Exception=>ee
		puts "Exception on method #{__method__}: #{ee}" if @verbose
	end
end

#hostname_mutation(host) ⇒ Object Also known as: mutation

Return a list of hosts in the mutation form from the original, i.e. “ww1.example.com” => [“ww1,example.com”,“ww2.example.com”,…]

# File 'lib/wmap/dns_bruter.rb', line 263

def hostname_mutation(host)
	puts "Start host mutation emulation on: #{host}" if @verbose
	begin
		hosts=Array.new
		host=host.strip.downcase
		raise "Invalid host format: #{host}" unless is_fqdn?(host)
		unless is_domain_root?(host)
			hostname=host.split('.')[0]
			hosts.push(host)
			case hostname
			when /\d+/
				#first form of mutation, i.e. "ww1" => ["ww1","ww2",...]
				hostname.scan(/\d+/).map do |x|
					y=x.to_i
					5.times do |i|
							z=y+i+1
							w=(y-i-1).abs
							mut1=host.sub_domain(x,z.to_s)
							mut2=host.sub_domain(x,w.to_s)
							hosts.push(mut1,mut2)
					end
				end
			else
				puts "No mutation found for: #{host}" if @verbose
			end
		end
		puts "Host mutation found: #{hosts.uniq}" if @verbose
		return hosts.uniq
	rescue Exception => ee
		puts "Exception on method #{__method__}: #{ee}" if @verbose
		return hosts	# fail-safe
	end
end

#print_discovered_hosts_from_bruter ⇒ Object Also known as: print

Print summary report of found hosts from the brute force attacks

# File 'lib/wmap/dns_bruter.rb', line 299

def print_discovered_hosts_from_bruter
	puts "\nSummary Report of the Discovered Hosts:"
	@discovered_hosts_from_dns_bruter.each do |domain,hosts|
		puts "Domain: #{domain}"
		puts "Found hosts:"
		puts @discovered_hosts_from_dns_bruter[domain]['hosts']
	end
	puts "End of the summary"
end

#zone_transfer(domain) ⇒ Object

Perform zone transfer on a domain, return found host entries in an array

# File 'lib/wmap/dns_bruter.rb', line 101

def zone_transfer(domain)
	puts "Perform zone transfer on zone: #{domain}"
	domain=domain.downcase
	nameservers = get_nameservers(domain)
	hosts=Array.new
	puts "Retrieved name servers: #{nameservers}" if @verbose
	nameservers.each do |nssrv|
		begin
			puts "Attempt zone transfer on name server: #{nssrv}"
			if nssrv.nil?
				abort "Method input variable error: no name server found!" if @verbose
				next
			end
			zt = Dnsruby::ZoneTransfer.new
			zt.server=nssrv unless nssrv.empty?
			records = zt.transfer(domain)
			if records==nil
				puts "Zone transfer failed for zone #{domain} on: #{nssrv}"
				next
			else
				puts "Zone transfer successfully for zone #{domain} on the name server: #{nssrv}"
				records = records.delete_if {|x| not x.to_s=~/(\s+|\t+)IN/ }
				records.each  { |line| puts line.to_s } if @verbose
				hosts=records.collect {|x| x.to_s.split(/\.(\s+|\t+)/).first}
				hosts=hosts.sort!.uniq!
				puts "Found hosts: #{hosts}" if @verbose
				@discovered_hosts_from_dns_bruter[domain] = hosts
				return hosts
			end
		rescue Exception=>ee
			puts "Exception on method #{__method__}: #{ee}" if @verbose
		end
	end
	return hosts
end