idealeer / xmap

XMap is a fast network scanner designed for performing Internet-wide IPv6 & IPv4 network research scanning.
Apache License 2.0
373 stars, 46 forks

DNS Probing Module #11

Open idealeer opened 2 years ago

idealeer commented 2 years ago

Help

Type xmap -4 -h -M dnsx -O json to show the help information.

This module sends out DNS queries and parses basic responses. By default, the module performs an A record lookup for www.qq.com. You can specify other queries using the --probe-args argument in the form: label_type:input_src:type,query;type,query, e.g., raw:text:A,qq.com;NS,qq.com. The module supports sending the following types of queries: A, NS, CNAME, SOA, PTR, MX, TXT, AAAA, RRSIG, ANY, SIG, SRV, DS, DNSKEY, TLSA, SVCB, HTTPS, CAA, and HTTPSSVC. The module will accept and attempt to parse all DNS responses. There is currently support for parsing out full data from A, NS, CNAME, MX, TXT, and AAAA. Any other types will be output in raw form.

Query format: label_type:recurse:input_src:type,query;type,query

  label_type: raw, str, time, random, dst-ip
    raw: do nothing to the query domain, e.g., qq.com
    str: add the 'str' subdomain www, e.g., www.qq.com
    time: add the s+μs subdomain, e.g., 1620027515-568043.qq.com
    random: add random subdomain lefzwnrq, e.g., lefzwnrq.qq.com
    dst-ip: add probe num + src ip, e.g., 1.1-2-3-4.qq.com
  recurse: recurse, no-recurse
    recurse: recursive query
    no-recurse: non-recursive query
  input_src: text, file
    text: like A,qq.com;AAAA,qq.com
    file: each line is like a text
  type: A, NS, CNAME, SOA, PTR, MX, TXT, AAAA, RRSIG, ANY, SIG, SRV, DS, DNSKEY, TLSA, SVCB, HTTPS, CAA, and HTTPSSVC
  query: A,qq.com;AAAA,qq.com

Examples:
  --probe-args="raw/time/random:recurse/no-recurse:text:type,query"
  --probe-args="raw/time/random:recurse/no-recurse:file:file_name"
  --probe-args="str:SomeText:recurse/no-recurse:text:type,query"
  --probe-args="str:SomeText:recurse/no-recurse:file:file_name"
  --probe-args="dst-ip:recurse/no-recurse:text:type,query"
  --probe-args="dst-ip:recurse/no-recurse:file:file_name"

Usage Examples

  1. Query qq.com A targeting 8.8.8.8:

    xmap -4 -x 32 -p 53 -M dnsx -O json --output-fields="*" --output-filter="success = 1 || success = 0" -P 1 --probe-args="raw:recurse:text:A,qq.com" -R 1000 -o result.txt 8.8.8.8

  2. Query qq.com A and baidu.com NS targeting 8.8.8.8:

    xmap -4 -x 32 -p 53 -M dnsx -O json --output-fields="*" --output-filter="success = 1 || success = 0" -P 2 --probe-args="raw:recurse:text:A,qq.com;NS,baidu.com" -R 1000 -o result.txt 8.8.8.8

  3. Query each domain from domain.txt, targeting all IPs from ip.txt:

    xmap -4 -x 32 -p 53 -M dnsx -O json --output-fields="*" --output-filter="success = 1 || success = 0" -P domain_number --probe-args="raw:recurse:file:domain.txt" -R 1000 -o result.txt -I ip.txt

Note: Each line in domain.txt has the form A,qq.com, and -P domain_number is the number of domains.
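The following Python is an added illustration of the --probe-args grammar above; it is not XMap's own code and does not reproduce XMap's internals. It expands a probe-args string into the list of (query name, RR type code, recursion flag) tuples that the module would send, applying the raw/str/time/random/dst-ip label rules from the help text, and then encodes one question as an RFC 1035 wire-format query so the difference between recurse and no-recurse (the RD header bit) is visible. The exact time, random-label and dst-ip formatting, and the mapping of HTTPSSVC to type code 65 (the draft name for HTTPS), are assumptions based on the examples in the help output; time, randomness and the source IP are injected as parameters so the output is deterministic.

```python
"""Parser and wire encoder for the xmap dnsx --probe-args grammar.

Added example, not XMap's own code. Label transforms take injected
values (now, rnd, src_ip, probe_num) so results are reproducible.
"""
import random
import string
import struct
import time

# RR type codes for the query types listed in the help text. HTTPSSVC is
# assumed to be the pre-RFC 9460 draft name for HTTPS (code 65).
QTYPES = {
    "A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16,
    "AAAA": 28, "RRSIG": 46, "ANY": 255, "SIG": 24, "SRV": 33, "DS": 43,
    "DNSKEY": 48, "TLSA": 52, "SVCB": 64, "HTTPS": 65, "CAA": 257,
    "HTTPSSVC": 65,
}
LABEL_TYPES = ("raw", "str", "time", "random", "dst-ip")
RD_BIT = 0x0100  # "recursion desired" flag in the DNS header


def _apply_label(label_type, domain, str_text, probe_num, src_ip, now, rnd):
    """Build the final query name from the domain and the label_type rule."""
    if label_type == "raw":
        return domain
    if label_type == "str":
        return f"{str_text}.{domain}"
    if label_type == "time":  # seconds-microseconds, e.g. 1620027515-568043
        sec = int(now)
        usec = int(round((now - sec) * 1_000_000))
        return f"{sec}-{usec}.{domain}"
    if label_type == "random":  # eight random lowercase letters (assumed length)
        label = "".join(rnd.choice(string.ascii_lowercase) for _ in range(8))
        return f"{label}.{domain}"
    if label_type == "dst-ip":  # probe number + dash-separated source IP
        return f"{probe_num}.{src_ip.replace('.', '-')}.{domain}"
    raise ValueError(f"unknown label_type {label_type!r}")


def parse_probe_args(spec, *, probe_num=1, src_ip="0.0.0.0", now=None, rnd=None):
    """Expand a --probe-args string into [(qname, qtype_code, recurse), ...]."""
    now = time.time() if now is None else now
    rnd = random.Random() if rnd is None else rnd
    fields = spec.split(":")
    label_type = fields.pop(0)
    if label_type not in LABEL_TYPES:
        raise ValueError(f"unknown label_type {label_type!r}")
    str_text = fields.pop(0) if label_type == "str" else None
    recurse_word, input_src = fields.pop(0), fields.pop(0)
    if recurse_word not in ("recurse", "no-recurse"):
        raise ValueError(f"recurse field must be recurse/no-recurse, got {recurse_word!r}")
    payload = ":".join(fields)  # remainder: query list or file name
    if input_src == "text":
        lines = [payload]
    elif input_src == "file":  # each line of the file looks like a text spec
        with open(payload, encoding="ascii") as fh:
            lines = [ln.strip() for ln in fh if ln.strip()]
    else:
        raise ValueError(f"input_src must be text/file, got {input_src!r}")
    queries = []
    for line in lines:
        for item in line.split(";"):
            qtype, _, domain = item.partition(",")
            qtype = qtype.strip().upper()
            if qtype not in QTYPES:
                raise ValueError(f"unsupported query type {qtype!r}")
            qname = _apply_label(label_type, domain.strip(), str_text,
                                 probe_num, src_ip, now, rnd)
            queries.append((qname, QTYPES[qtype], recurse_word == "recurse"))
    return queries


def build_dns_query(qname, qtype_code, recursion_desired, txid=0x1234):
    """Encode a single-question DNS query (RFC 1035 section 4.1)."""
    flags = RD_BIT if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    question = b""
    for label in qname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        question += bytes([len(raw)]) + raw
    question += b"\x00" + struct.pack("!HH", qtype_code, 1)  # root, QTYPE, IN
    return header + question


def recursion_desired(msg):
    """Return True if the RD bit is set in an encoded DNS message."""
    return bool(struct.unpack("!H", msg[2:4])[0] & RD_BIT)


if __name__ == "__main__":
    # Usage example 2 from the thread: A for qq.com and NS for baidu.com.
    for qname, qtype, recurse in parse_probe_args("raw:recurse:text:A,qq.com;NS,baidu.com"):
        print(qname, qtype, recurse, build_dns_query(qname, qtype, recurse).hex())
```

The parser follows the full label_type:recurse:input_src:... form given under "Query format"; when you pass the shorter label_type:input_src form from the first sentence it will reject the spec, which is the safer failure for a scan configuration.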

zhangbufan commented 10 months ago

I want to use this tool to do some self-testing of DNS system vulnerabilities. I found that the test.tudoor.net tool provided in your paper can no longer be opened.

How should I use this tool to construct packets for self-testing?

idealeer commented 9 months ago

The packet construction for tudoor is done on the authoritative server side; python+scapy is enough for that.

nerotix commented 2 months ago

@idealeer are these also the commands we can use to identify vulnerable DNS resolvers/auths? if not, can you show some examples of these commands?

idealeer commented 2 months ago

before scanning, what types of vulnerable resolvers do you want to find?