find_dns is a tool that scans networks looking for DNS servers.
4da66d417bfefc4925a3eeb9dd2262ff8c71c6e574b06dbc73d0ff5e977c9405
#!/usr/bin/env python2
#
# ./find_dns.py -l IPs.txt -t 500 -o dnsservers.txt
#
# dns-server finder by dash
#
#
#./find_dns.py -l rIP.txt -t 100
#[*] Found 1001 entries
#[*] Entries 1001 in queue
#[*] Running with 100 threads
#==================================================
#IP NAME
#==================================================
#91.x.x.x (x.info)
#191.x.x.x (191.x.br)
#67.x.x.x (name.info)
#==================================================
#[*] Done
#
import os
import sys
import time
import Queue
import struct
import socket
import random
import argparse
import threading
global rQ
rQ = Queue.Queue()
def openFile(hostList):
fr = open(hostList,'r')
rBuf = fr.readlines()
return rBuf
def openWriteFile(outfile):
fw = open(outfile,'wb')
return fw
def parseDomain(domain):
do = domain.split('.')
if len(do) != 2:
print '[!] Sorry, unknown domain type: %s\nExample:google.com' % (domain)
return False
tld = do[1]
tld_len = struct.pack('>B', len(tld))
tld_sub = do[0]
tld_sub_len = struct.pack('>B', len(tld_sub))
dom_pay = '%c%s%c%s' % (tld_sub_len,tld_sub,tld_len,tld)
return dom_pay
def checkDNS(payload,host,resolv,debug,version):
# settimeout so recv is not block
rBuf_len = -1
try:
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.settimeout(5)
s.connect((host,53))
s.send(payload)
rBuf = s.recv(1024)
rBuf_len = len(rBuf)
name = ''
# default we resolve IPs as long as -n is not choosen
if resolv:
try:
name = socket.gethostbyaddr(host)[0]
except socket.herror,e:
pass
if version:
# FEFE packet!
ver_req = '\xfe\xfe\x01 \x00\x01\x00\x00\x00\x00\x00\x01\x07version\x04bind\x00\x00\x10\x00\x03\x00\x00)\x10\x00\x00\x00\x00\x00\x00\x00'
try:
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.settimeout(3)
s.connect((host,53))
s.send(ver_req)
vBuf = s.recv(1024)
except socket.error,e:
vBuf = ''
pass
if name == '':
if debug:
print '%s\t%d\t%s\t%s' % (host,rBuf_len,repr(rBuf),repr(vBuf))
data = '%s\t%d\t%s\t%s\n' % (host,rBuf_len,repr(rBuf),repr(vBuf))
else:
print '%s\t%d' % (host,rBuf_len)
data = '%s\t%d\n' % (host,rBuf_len)
else:
if debug:
print '%s\t(%s) %d\t%s' % (host,name,rBuf_len,repr(rBuf))
data = '%s\t(%s) %d\t%s\n' % (host,name,rBuf_len,repr(rBuf))
else:
print '%s\t(%s) %d' % (host,name,rBuf_len)
data = '%s\t(%s) %d\n' % (host,name,rBuf_len)
rQ.put(data)
except socket.error,e:
# print e
pass
return
def run(args):
""" mighty mighty function """
if not args.thrCnt:
thrCnt=50
else:
thrCnt = int(args.thrCnt)
if args.outfile:
fw = openWriteFile(args.outfile)
dom_pay = parseDomain(args.domain)
payload = 'J\x8e\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00%s\x00\x00\x01\x00\x01' % (dom_pay)
hostList = args.hostList
q = Queue.Queue()
rBuf = openFile(hostList)
print '[*] Found %d entries' % len(rBuf)
for r in rBuf:
r = r.rstrip('\n')
r = r.rstrip('\r')
q.put(r)
print '[*] Entries %d in queue' % q.qsize()
print '[*] Running with %d threads' % thrCnt
print '='*50
if args.resolv:
print 'IP\t\tNAME\tPAYLEN'
else:
print 'IP\t\tPAYLEN'
print '='*50
thrList = []
org_qlen = float(q.qsize())
while True:
#TODO percents calc
#qlen = q.qsize()
#cur_cnt = (qlen / org_qlen) * 100
#cur_cnt = int(100 - cur_cnt)
#if cur_cnt % 5 == 0 and cur_cnt != 0:
#print '='*20+' %d ' % (cur_cnt)+'='*20
if len(thrList) < thrCnt and q.qsize()>0:
# enable random transaction ids
if args.randTrans:
rd = random.randint(0,65535)
rd_pack = struct.pack('>H',rd)
payload = '%s%s' % (rd_pack,payload[2:])
thrDns = threading.Thread(target = checkDNS, args = (payload,q.get(),args.resolv,args.debug,args.version))
thrDns.daemon = True
thrDns.start()
thrList.append(thrDns)
for entry in thrList:
if entry.isAlive()==False:
entry.join()
thrList.remove(entry)
if args.outfile and rQ.qsize()>0:
i = rQ.get()
data = "%s" % (i)
fw.write(data)
fw.flush()
else:
if rQ.qsize()>0:
rQ.get()
if q.qsize()==0 and len(thrList) == 0:
break
if args.outfile:
fw.close()
print '='*50
print '[*] Done'
print '='*50
def main():
parser_desc = 'dns server finder, by dash'
prog_desc = 'find_dns.py'
parser = argparse.ArgumentParser( prog = prog_desc, description = parser_desc)
parser.add_argument("-l",action='store',required=True,help='host list with ips',dest='hostList')
parser.add_argument('-t',action='store',required=False,help='thread count', dest='thrCnt')
parser.add_argument('-o',action='store',required=False,help='write found data to file', dest='outfile')
parser.add_argument('-n',action='store_false',default=True,required=False,help='do not resolve ips', dest='resolv')
parser.add_argument('-d',action='store',default='google.com',required=False,help='choose the domain for the dns request', dest='domain')
parser.add_argument('-r',action='store_false',default=True,required=False,help='deactivate random transaction ids', dest='randTrans')
parser.add_argument('-v',action='store_true',default=False,required=False,help='grab version from dns server enable debug mode for it! (experimental!)', dest='version')
parser.add_argument('-V',action='store_true',default=False,required=False,help='print version information', dest='versinfo')
parser.add_argument('--debug',action='store_true',default=False,required=False,help='debug output', dest='debug')
args = parser.parse_args()
# add some more info here sometime
if args.versinfo:
print desc
sys.exit(23)
run(args)
if __name__ == "__main__":
main()