Open kawaiipantsu opened 2 years ago
A little progress update: SOA, NS and address lookups are done.
First sneak preview of the "host fuzz" output; it shows whether the subdomain has A and/or AAAA records resolving etc., color-coded green/red.
So in the example below you know that your target has e.g. "jira.mytarget.com" and so forth. I am making it so that if you click a "subdomain/fuzz" word it will be set as the new target and you can rerun intel gathering etc.
SPF traverse :D That was something, but I think the end result was okay??
With a little SPF note function that can add a note on SPF records to make them more readable for non-SPF players :)
Forgot to add DMARC to the list. So this is added after MX and before SPF, just as a short little segment.
Now with proper DMARC lookup and explanations.
Test screenshot of fingerprinting in the TXT section.
Any fingerprint that matches will output the vendor service instead of the "vendor verification string".
Any unknown fingerprints will just show the original "vendor verification string"
DNS Information Recon (Deep dive)

Item condition criteria: Target must be a host/domain name
Item gather type: Passive

Use the 'system' DNS or config-provided DNS servers for lookups, i.e. a public or private DNS server for LAN lookups etc.
- [ ] DNS Zone Transfer `target`
  - [x] #13
- [x] Lookup `target` NS
  - NS server(s) to IP
- [x] Lookup `target` addresses
  - A, AAAA, CNAME
- [x] DNS Fuzz (simple array only)
  - A, AAAA, CNAME
  - `host-fuzz` = (www, www1, www2, ftp, mail, ns, ns1, ns2, admin, blog, admin, firewall, gw, exchange, owa, jira, wiki, serec, beta, test, sso, login, portal, intranet, files, srv, srv1, ad, dl, download, server, archive, backup, bak, support, tracker, srv2, cdn, vdi, vpn, citrix, vmware, git, svn, code, vnc, ingress, k8s, kube, kubenetes, cloud, cluster, mon, monitor, grafana, dashboard, ldap, autodiscover, sip, web, snmp, auth, ha, elb, vm, hyper, hyperv, vcenter, vami, psc, vcsa, cam, camera, dvr, nvr, cctv, sec, security, api, apis, mq, mqtt, queue, iot, db, database, mysql, db2, oracle, tomcat)
  - `host-fuzz`.`target`
- [x] Lookup `target` MX
  - MX server(s) to IP
- [x] Lookup `target` DMARC
- Lookup special records of interest `target`
  - `include:` directives
  - `txt-fuzz` = (domainkey, dmarc, host, salt, info, contact, abuse, spf, mail, smb, ad, bgp, peer, dyn, ip, vlan, vlanif, cpe, peer-as, dynamic, static, customer, a1, a10, a100, link, ldn, nto, tcore, tcore1, tcore2, sv, sv1, sv2, sql, eql, dhcp, net, edge, cidr, as, as1, as2, ospf, igp, egp, rules, mail, local, config, pref, conf, cfg)
  - `target`
  - `txt-fuzz`.`target`
  - `_txt-fuzz`.`target`
  - `service-fuzz` = (ldap, kerberos, caldav, caldavs, carddav, carddavs, sip, xmpp-server, xmpp-client, ftp, finger, ssh, telnet, ntp, nntp, http, https, idb, db, smtp, h323cs, h323ls, h323rs, sips, federation, sipfederationtls, pexapp, xmpp, cuplogin, cisco-phone-tftp, bgp, cisco-phone-http, ciscowtp, pcoip-bootstrap, daap, irc, printer, ipp, pdl-datastream, riousbprint, ipp-printer, dicom, avaya-ep-config, gc, kpasswd, smb, wins, netbios, nfs, dns, rip, nat, stun, snmp, syslog, splunk, dhcp, trunk, socks, proxy, socks5, tor, edge, gw, elb, ha, kafka, casandra, mysql, postgresql, nosql, db2, oracle)
  - `target`
  - `_service-fuzz`.`_tcp`.`target`
  - `_service-fuzz`.`_udp`.`target`
  - `_service-fuzz`.`_tls`.`target`
  - `_service-fuzz`.`_tcp.dc._msdcs`.`target`
  - `target`
  - `www`.`target`
  - `mail`.`target`
  - `target`
    - Flag into human readable
    - Protocol into human readable
    - Algorithm into human readable
- [x] Validation token fingerprinting
  - `google-site-verification=(<hash>)`
  - Match: `ms=(<hash>)`
  - Match: `mscid=(<hash-base64>)`
  - Match: `facebook-domain-verification=(<hash>)`
  - Match: `_globalsign-domain-verification=(<hash>)-(<hash>)`
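The SPF traversal and the `include:` directives listed above, as an added Python example that is not part of the tool's own code: it follows `include:` and `redirect=` over a constructed set of TXT records (the `FAKE_TXT` dict and its `.test` domains are assumptions standing in for live DNS), counts the terms that cost a DNS query against the RFC 7208 limit of 10, and notes loops, missing records, the deprecated `ptr` mechanism and what the final `all` qualifier means for a non-SPF reader.

```python
import re

# Constructed SPF TXT records standing in for live DNS (assumed example domains, not real ones).
FAKE_TXT = {
    "example.test": "v=spf1 include:_spf.mailer.test include:_spf.crm.test a mx include:_spf.gone.test ~all",
    "_spf.mailer.test": "v=spf1 ip4:192.0.2.0/24 include:_spf2.mailer.test a -all",
    "_spf2.mailer.test": "v=spf1 ip6:2001:db8::/32 include:_spf.mailer.test mx ~all",  # points back up the chain
    "_spf.crm.test": "v=spf1 redirect=_spf.crm2.test",
    "_spf.crm2.test": "v=spf1 exists:%{i}.crm2.test ptr a -all",
}

# Terms that cost a DNS query; RFC 7208 section 4.6.4 caps these at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
ALL_NOTES = {"+": "+all: any sender passes, SPF gives no protection",
             "-": "-all: unlisted senders fail",
             "~": "~all: unlisted senders soft-fail",
             "?": "?all: neutral, unlisted senders neither pass nor fail"}

def traverse_spf(domain, resolve=FAKE_TXT.get, ancestors=(), report=None):
    """Recursively follow include:/redirect= from `domain`; returns a report dict."""
    if report is None:
        report = {"lookups": 0, "chain": [], "loops": [], "missing": [], "notes": []}
    if domain in ancestors:                      # include/redirect cycle back into the chain
        report["loops"].append(domain)
        return report
    record = resolve(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        report["missing"].append(domain)         # include: of a domain without SPF -> permerror
        return report
    report["chain"].append(domain)
    for term in record.split()[1:]:
        m = re.match(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", term, re.I)
        if not m:
            report["notes"].append(f"{domain}: unparsable term '{term}'")
            continue
        qual, name, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if name in LOOKUP_TERMS:
            report["lookups"] += 1
        if name == "ptr":
            report["notes"].append(f"{domain}: ptr mechanism is deprecated (RFC 7208 section 5.5)")
        if name == "all":
            report["notes"].append(f"{domain}: {ALL_NOTES[qual]}")
        if name in ("include", "redirect") and arg:
            traverse_spf(arg, resolve, ancestors + (domain,), report)
    if not ancestors and report["lookups"] > 10:  # only the top-level call gives the verdict
        report["notes"].append(f"{report['lookups']} DNS lookups exceed the limit of 10 -> permerror")
    return report

if __name__ == "__main__":
    for key, value in traverse_spf("example.test").items():
        print(f"{key}: {value}")
```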
Attached files
DNS-Token-Fingerprints.txt