#!/usr/bin/env perl
# Description: Performs DNS cache snooping against a DNS server
# Depends on: nmap p5-net-dns
#
# (c) 2020 Alexandr Savca, alexandr dot savca89 at gmail dot com
use strict;
use warnings;
use Getopt::Long;
use Net::DNS;
# $" is Perl's list separator for array interpolation; setting it to a
# comma makes "@domain_list" (the wordlist read below) expand to the
# comma-separated form the nmap script argument expects. It is set in a
# BEGIN block so it is in effect before any run-time statement.
BEGIN { $" = ',' }
# Print the help text to STDOUT and terminate the process.
# Argument: the exit status to leave with (1 for --help, 2 for misuse).
sub usage {
    my ($exit_code) = @_;
    print <<EOF;
Performs DNS cache snooping against a DNS server.
Usage: $0 [OPTIONS] <TARGET>
where OPTIONS are:
-h|--help
This message.
-m|--mode <0|nonrecursive>
Queries are sent to the server with the RD (recursion desired) flag set
to 0. The server should respond positively to these only if it has the
domain cached. The default mode.
-m|--mode <1|timed>
The mean and standard deviation response times for a cached domain are
calculated by sampling the resolution of a name (www.google.com)
several times.
-t|--tcp / -u|--udp
Connect via TCP/UDP or both.
Default is UDP.
-p|--port
Connection port.
-d|--domains <DOMAINS|WORDLIST>
An array of domain (separated by comma) to check in place of the
default list. The default list of domains to check consists of the
top 50 most popular sites, each site being listed twice, once with
"www." and once without.
Ex.: -d www.google.com,www.yahoo.com,google.com,yahoo.com
-d ~/wordlist.txt
<TARGET>
DNS server to perform DNS cache snooping for.
EOF
    exit $exit_code;
}
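# Parsed command-line options, keyed by long option name; 'target' is
# filled in from the remaining positional argument.
my %OPTS;
GetOptions(
    'h|help!'     => \$OPTS{help},
    'v|verbose!'  => \$OPTS{verbose},
    't|tcp!'      => \$OPTS{tcp},
    'u|udp!'      => \$OPTS{udp},
    'p|port=i'    => \$OPTS{port},
    'm|mode=s'    => \$OPTS{mode},
    'd|domains=s' => \$OPTS{domains},
) or usage(2);
usage(1) if $OPTS{help};
usage(2) unless @ARGV;
# The UDP scan mode (-sU) passed to nmap below needs raw sockets.
die "The script must run as root!\n" if $> != 0;

# -d may name a wordlist file instead of a comma-separated list: read it
# one domain per line, skipping blank lines.
if ($OPTS{domains} && -f $OPTS{domains}) {
    print "Found wordlist: $OPTS{domains}.\n";
    # Three-argument open with an explicit mode: the user-supplied path
    # is only ever treated as a filename, never as a mode or a pipe.
    open my $fh, '<', $OPTS{domains}
        or die "Cannot open wordlist $OPTS{domains}: $!\n";
    my @domain_list;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /\A\s*\z/;
        push @domain_list, $line;
    }
    close $fh or die "Cannot close wordlist $OPTS{domains}: $!\n";
    $OPTS{domains} = join ',', @domain_list;
}

# Default values and mode normalisation. The NSE script takes the names
# 'nonrecursive' and 'timed'; 0 and 1 are accepted as aliases, anything
# else is rejected here rather than handed on to nmap.
my %mode_for = (
    0            => 'nonrecursive',
    nonrecursive => 'nonrecursive',
    1            => 'timed',
    timed        => 'timed',
);
$OPTS{mode} //= 'nonrecursive';
$OPTS{mode} = $mode_for{ $OPTS{mode} }
    // die "Unknown mode '$OPTS{mode}': expected 0|nonrecursive or 1|timed\n";
$OPTS{target} = shift @ARGV;
$OPTS{port} //= 53;
$OPTS{udp} //= 1 unless $OPTS{tcp};

# Build the nmap argument vector. Every value is its own argument and the
# process is started without a shell, so option values taken from the
# command line or the wordlist are never parsed as shell syntax (the
# previous qx() form interpolated them into a shell command line).
my $script_args = "dns-cache-snoop.mode=$OPTS{mode}";
$script_args .= ",dns-cache-snoop.domains={$OPTS{domains}}" if $OPTS{domains};

my @nmap_cmd = ('nmap');
push @nmap_cmd, '-d'  if $OPTS{verbose};
push @nmap_cmd, '-sU' if $OPTS{udp};
push @nmap_cmd, '-sT' if $OPTS{tcp};
push @nmap_cmd, "-p$OPTS{port}",
    '--script', 'dns-cache-snoop.nse',
    '--script-args', $script_args,
    $OPTS{target};

# Echo the command line (joined explicitly, since $" is ',' in this
# script), then run nmap through a pipe and relay its standard output.
print '>>> ', join(' ', @nmap_cmd), "\n";
open my $nmap_out, '-|', @nmap_cmd
    or die "Cannot run nmap: $!\n";
print while <$nmap_out>;
close $nmap_out
    or warn 'nmap exited with status ' . ($? >> 8) . "\n";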
# vim:sw=4:ts=4:sts=4:et:tw=71:cc=72
# End of file.