With ordinary DNS brute-forcing from a wordlist, you quickly find that no wordlist covers every possible hostname. Security researchers abroad, after years of collecting DNS records, noticed that many domains carry large numbers of short, easily remembered hostnames, usually 4 characters or fewer, which led to the following script:
#!/usr/bin/env ruby
#
## Brute code stolen from: https://gist.github.com/petehamilton/4755855
#

@domain = 'microsoft.com'

# Query one candidate and print whatever answer section dig returns.
def result?(sub)
  results = %x(dig +noall #{sub}.#{@domain} +answer)
  if results != ""
    puts "============================"
    puts "FOUND: \t#{sub}"
    puts "============================"
    puts "#{results}"
    puts "============================"
  end
  1 == 2   # always false, so the enumeration is never stopped early
end

def crack_yielding(chars)
  crack_yield(chars){ |p| return p if result?(p) }
end

# Yields every 1-character string, then every 2-character string, and so on,
# recursing one level deeper for each additional character.
def crack_yield(chars)
  chars.each { |c| yield c }
  crack_yield(chars) { |c|
    chars.each do |x|
      yield c + x
    end
  }
end

chars = ('a'..'z').to_a
(0..9).each {|x| chars << x.to_s}
crack_yielding(chars)
gist: https://gist.github.com/mubix/9107284
It runs correctly but is fairly slow, so it was reworked: the script now only prints the candidate names, and the lookups themselves are handed to GNU parallel.
#!/usr/bin/env ruby
#
## Brute code stolen from: https://gist.github.com/petehamilton/4755855
#

# No lookup here: just print the candidate, one per line, for parallel to consume.
def result?(sub)
  puts sub
  1 == 2   # always false, so the enumeration is never stopped early
end

def crack_yielding(chars)
  crack_yield(chars){ |p| return p if result?(p) }
end

# Yields every 1-character string, then every 2-character string, and so on,
# recursing one level deeper for each additional character.
def crack_yield(chars)
  chars.each { |c| yield c }
  crack_yield(chars) { |c|
    chars.each do |x|
      yield c + x
    end
  }
end

chars = ('a'..'z').to_a
(0..9).each {|x| chars << x.to_s}
crack_yielding(chars)
Usage:
ruby brutelist.rb | parallel -j100 dig +noall {}.microsoft.com +answer
The output looks like this:
c.microsoft.com. 2 IN CNAME c.microsoft.akadns.net.
c.microsoft.akadns.net. 499 IN A 65.55.58.184
e.microsoft.com. 3599 IN A 191.234.1.50
g.microsoft.com. 2798 IN CNAME g.msn.com.
g.msn.com. 99 IN CNAME g.msn.com.nsatc.net.
g.msn.com.nsatc.net. 148 IN A 131.253.34.154
i.microsoft.com. 779 IN CNAME i.toggle.www.ms.akadns.net.
i.toggle.www.ms.akadns.net. 44 IN CNAME i.g.www.ms.akadns.net.
i.g.www.ms.akadns.net. 225 IN CNAME i.microsoft.com.edgesuite.net.
i.microsoft.com.edgesuite.net. 116 IN CNAME a1475.g.akamai.net.
a1475.g.akamai.net. 16 IN A 23.45.65.26
a1475.g.akamai.net. 16 IN A 23.45.65.33
m.microsoft.com. 3599 IN CNAME origin.mobile.ms.akadns.net.
origin.mobile.ms.akadns.net. 299 IN A 65.55.186.235
s.microsoft.com. 3599 IN CNAME reroute.microsoft.com.
reroute.microsoft.com. 3599 IN A 65.55.58.201
reroute.microsoft.com. 3599 IN A 64.4.11.37
cs.microsoft.com. 81 IN CNAME wedcs.trafficmanager.net.
wedcs.trafficmanager.net. 7 IN CNAME wedcseus.cloudapp.net.
wedcseus.cloudapp.net. 8 IN A 137.116.48.250
...
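As an added example (not the post's code), here is the same breadth-first enumeration as crack_yield with a length cap of the kind the text describes, so it terminates, plus a parser that turns the dig answers above into an inventory of which short hostnames in a zone resolve and which addresses they end at, which is what you need when auditing a zone of your own. It assumes the one-record-per-line format of `dig +noall +answer`; the function names are mine.

```ruby
# Breadth-first like crack_yield (1-char names, then 2-char, ...) but capped.
def short_names(chars, max_len)
  Enumerator.new do |y|
    level = [""]
    max_len.times do
      level = level.flat_map { |prefix| chars.map { |c| prefix + c } }
      level.each { |name| y << name }
    end
  end
end

# Parse "dig +noall +answer" lines into [owner, ttl, type, rdata], dots stripped.
def parse_answers(text)
  text.each_line.map do |line|
    owner, ttl, klass, type, rdata = line.split(/\s+/, 5)
    next unless klass == "IN" && rdata
    [owner.chomp("."), Integer(ttl), type, rdata.strip.chomp(".")]
  end.compact
end

# Follow each direct child of zone through its CNAME chain to its A records;
# the seen-set bounds the walk so a CNAME loop in the data cannot hang it.
def child_addresses(records, zone)
  by_owner = records.group_by(&:first)
  suffix = ".#{zone}"
  children = by_owner.keys.select do |o|
    o.end_with?(suffix) && !o.delete_suffix(suffix).include?(".")
  end
  children.map do |owner|
    name, addrs, seen = owner, [], {}
    while (rrs = by_owner[name]) && !seen[name]
      seen[name] = true
      addrs.concat(rrs.select { |r| r[2] == "A" }.map(&:last))
      cname = rrs.find { |r| r[2] == "CNAME" }
      break unless cname
      name = cname.last
    end
    [owner.delete_suffix(suffix), addrs]
  end.to_h
end

# Sample input: six records copied from the post's output above.
SAMPLE = <<~DIG
  c.microsoft.com. 2 IN CNAME c.microsoft.akadns.net.
  c.microsoft.akadns.net. 499 IN A 65.55.58.184
  e.microsoft.com. 3599 IN A 191.234.1.50
  cs.microsoft.com. 81 IN CNAME wedcs.trafficmanager.net.
  wedcs.trafficmanager.net. 7 IN CNAME wedcseus.cloudapp.net.
  wedcseus.cloudapp.net. 8 IN A 137.116.48.250
DIG
```

`child_addresses(parse_answers(SAMPLE), "microsoft.com")` yields `{"c"=>["65.55.58.184"], "e"=>["191.234.1.50"], "cs"=>["137.116.48.250"]}`, and `short_names(chars, 4)` over the 36-symbol alphabet emits exactly 36 + 36**2 + 36**3 + 36**4 candidates before stopping.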
[via room362]