DNS iterative brute-force script (Script Security) - Computer Materials

Computer Materials  Date: 2019-01-01
[meiwen.anslib.com - Computer Materials]

    In ordinary DNS brute-forcing with a wordlist, you quickly find that no wordlist covers every hostname. Security researchers abroad, after years of collecting DNS records, noticed that many domains carry a large number of short, easy-to-remember hostnames, usually 4 characters or fewer. That observation produced the following script:

```ruby
#!/usr/bin/env ruby
#
## Brute code stolen from: http://www.myhack58.com/
#
@domain = 'microsoft.com'

# Query one candidate label and print anything that resolves.
# Always returns false (1 == 2) so the caller never stops early.
def result?(sub)
  results = %x(dig +noall #{sub}.#{@domain} +answer)
  if results != ""
    puts "============================"
    puts "FOUND: \t#{sub}"
    puts "============================"
    puts "#{results}"
    puts "============================"
  end
  1 == 2
end

def crack_yielding(chars)
  crack_yield(chars) { |p|
    return p if result?(p)
  }
end

# Yields every 1-character label, then recurses so that the next level
# yields every 2-character label, then 3, and so on; it never terminates
# on its own.
def crack_yield(chars)
  chars.each { |c| yield c }
  crack_yield(chars) { |c|
    chars.each do |x|
      yield c + x
    end
  }
end

chars = ('a'..'z').to_a
(0..9).each { |x| chars << x.to_s }
crack_yielding(chars)
```

    gist: http://www.myhack58.com/mubix/9107284

    It runs correctly but is fairly slow, because every candidate is a synchronous dig call, so it was improved: the script now only prints candidates, and the lookups are handed to GNU parallel.


```ruby
#!/usr/bin/env ruby
#
## Brute code stolen from: http://gist.github.com/petehamilton/4755855
#
# Print the candidate label instead of querying it; the return value is
# always false so the generator keeps going.
def result?(sub)
  puts sub
  1 == 2
end

def crack_yielding(chars)
  crack_yield(chars) { |p|
    return p if result?(p)
  }
end

# Same length-by-length generator as before: 1-character labels, then
# 2-character, then 3-character, without end.
def crack_yield(chars)
  chars.each { |c| yield c }
  crack_yield(chars) { |c|
    chars.each do |x|
      yield c + x
    end
  }
end

chars = ('a'..'z').to_a
(0..9).each { |x| chars << x.to_s }
crack_yielding(chars)
```
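The generator above emits every label of length 1, then 2, then 3, and so on (36 + 1296 + 46656 + 1679616 candidates up to four characters), and almost all of them are names that do not exist. From the zone owner's side that is the signature worth alerting on: one client asking for thousands of short labels under the zone and receiving NXDOMAIN for nearly all of them. The following Ruby script is an added example, not part of the original post or of either gist. It assumes a constructed per-response log format (`<time> client=<ip> qname=<fqdn> qtype=<type> rcode=<rcode>`), a watched zone of `example.com`, and illustrative thresholds; the sample log lines are constructed and use RFC 5737 documentation addresses.

```ruby
#!/usr/bin/env ruby
# Added example: flag clients that brute-force short labels under a zone.
# Input is a constructed (hypothetical) per-response log, one line each:
#   <ISO-8601 time> client=<ip> qname=<fqdn> qtype=<type> rcode=<NOERROR|NXDOMAIN|...>
# Real servers log differently (BIND query logs, dnstap, resolver JSON), so
# only parse_line needs to change for a real deployment.

ZONE = "example.com"                # zone being watched (assumption)
SHORT_LABEL = /\A[a-z0-9]{1,4}\z/   # the character set and lengths the generator uses
MIN_SHORT_QUERIES = 10              # per-client threshold; tune to the zone's normal traffic
MIN_NXDOMAIN_RATIO = 0.8            # enumeration is mostly misses; normal clients mostly hit

LINE = /\A(?<ts>\S+)\s+client=(?<client>\S+)\s+qname=(?<qname>\S+)\s+qtype=(?<qtype>\S+)\s+rcode=(?<rcode>\S+)\z/

def parse_line(line)
  m = LINE.match(line.strip)
  return nil unless m
  { ts: m[:ts], client: m[:client], qname: m[:qname].downcase.chomp("."),
    qtype: m[:qtype], rcode: m[:rcode] }
end

# Label directly under ZONE ("ab" for ab.example.com), nil for anything else.
def zone_label(qname)
  suffix = ".#{ZONE}"
  return nil unless qname.end_with?(suffix)
  label = qname[0, qname.length - suffix.length]
  label.include?(".") ? nil : label
end

# Per-client counters over short-label queries inside the zone.
def summarize(lines)
  stats = Hash.new { |h, k| h[k] = { short: 0, nxdomain: 0, labels: [] } }
  lines.each do |line|
    rec = parse_line(line)
    next unless rec
    label = zone_label(rec[:qname])
    next unless label && label.match?(SHORT_LABEL)
    s = stats[rec[:client]]
    s[:short] += 1
    s[:nxdomain] += 1 if rec[:rcode] == "NXDOMAIN"
    s[:labels] << label
  end
  stats
end

# Clients whose short-label volume and miss ratio both exceed the thresholds.
def suspicious_clients(lines)
  summarize(lines).select { |_client, s|
    s[:short] >= MIN_SHORT_QUERIES && s[:nxdomain].fdiv(s[:short]) >= MIN_NXDOMAIN_RATIO
  }.keys
end

# Constructed sample: one ordinary client, plus one walking the generator's
# sequence a, b, c, ... where only c and g exist.
NORMAL_LINES = [
  "2019-01-01T10:00:00Z client=192.0.2.10 qname=www.example.com. qtype=A rcode=NOERROR",
  "2019-01-01T10:00:01Z client=192.0.2.10 qname=mail.example.com. qtype=MX rcode=NOERROR",
  "2019-01-01T10:00:02Z client=192.0.2.10 qname=test.example.com. qtype=A rcode=NXDOMAIN",
  "2019-01-01T10:00:03Z client=192.0.2.10 qname=api.example.com. qtype=A rcode=NOERROR",
  "2019-01-01T10:00:04Z client=192.0.2.10 qname=www.example.org. qtype=A rcode=NOERROR",
]
ENUM_LINES = ("a".."l").each_with_index.map { |label, i|
  rcode = %w[c g].include?(label) ? "NOERROR" : "NXDOMAIN"
  format("2019-01-01T10:00:%02dZ client=198.51.100.7 qname=%s.example.com. qtype=A rcode=%s",
         5 + i, label, rcode)
}
SAMPLE_LOG = NORMAL_LINES + ENUM_LINES

if __FILE__ == $PROGRAM_NAME
  summarize(SAMPLE_LOG).each do |client, s|
    puts format("%-14s short=%-3d nxdomain=%-3d labels=%s",
                client, s[:short], s[:nxdomain], s[:labels].join(","))
  end
  puts "suspicious: #{suspicious_clients(SAMPLE_LOG).join(', ')}"
end
```

The ordinary client stays below the volume threshold even though some of its names are short and one query misses; the enumerating client is flagged on 12 short labels with 10 misses. In practice the counters would be kept per time window, and response rate limiting on the authoritative server is the usual mitigation once such a client is identified.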

    Usage:

```shell
ruby brutelist.rb | parallel -j100 dig +noall {}.microsoft.com +answer
```

    The output of a run looks like this:

```
c.microsoft.com.                2     IN  CNAME  c.microsoft.akadns.net.
c.microsoft.akadns.net.         499   IN  A      65.55.58.184
e.microsoft.com.                3599  IN  A      191.234.1.50
g.microsoft.com.                2798  IN  CNAME  g.msn.com.
g.msn.com.                      99    IN  CNAME  g.msn.com.nsatc.net.
g.msn.com.nsatc.net.            148   IN  A      131.253.34.154
i.microsoft.com.                779   IN  CNAME  i.toggle.www.ms.akadns.net.
i.toggle.www.ms.akadns.net.     44    IN  CNAME  i.g.www.ms.akadns.net.
i.g.www.ms.akadns.net.          225   IN  CNAME  i.microsoft.com.edgesuite.net.
i.microsoft.com.edgesuite.net.  116   IN  CNAME  a1475.g.akamai.net.
a1475.g.akamai.net.             16    IN  A      23.45.65.26
a1475.g.akamai.net.             16    IN  A      23.45.65.33
m.microsoft.com.                3599  IN  CNAME  origin.mobile.ms.akadns.net.
origin.mobile.ms.akadns.net.    299   IN  A      65.55.186.235
s.microsoft.com.                3599  IN  CNAME  reroute.microsoft.com.
reroute.microsoft.com.          3599  IN  A      65.55.58.201
reroute.microsoft.com.          3599  IN  A      64.4.11.37
cs.microsoft.com.               81    IN  CNAME  wedcs.trafficmanager.net.
wedcs.trafficmanager.net.       7     IN  CNAME  wedcseus.cloudapp.net.
wedcseus.cloudapp.net.          8     IN  A      137.116.48.250
```
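Raw dig output like the above is awkward to review, because a single found label may go through three or four CNAMEs before reaching an address, and a batch run can also contain dangling chains (a CNAME whose target no longer resolves) or loops. The following Ruby script is an added example, not part of the original post: it parses `dig +noall +answer` lines into records and follows each chain to its final addresses so that every name directly under the zone is listed with where it actually points. The sample input reuses answer lines from the run shown above; the dangling and looping cases are handled in the code but not present in that sample.

```ruby
#!/usr/bin/env ruby
# Added example: turn `dig +noall +answer` lines into records and follow each
# CNAME chain to its final addresses. Handles the two awkward cases a batch
# run produces: CNAME loops and dangling CNAMEs (no address at the end).

Record = Struct.new(:name, :ttl, :klass, :type, :rdata)

# Each answer line is: <owner> <ttl> <class> <type> <rdata>; rdata may contain spaces.
def parse_answer(text)
  text.each_line.map { |line|
    fields = line.strip.split(/\s+/, 5)
    next nil if fields.size < 5 || fields[1] !~ /\A\d+\z/
    name, ttl, klass, type, rdata = fields
    Record.new(name.downcase, ttl.to_i, klass, type, rdata.strip)
  }.compact
end

# Returns [chain_of_names, addresses]; addresses is empty for a dangling chain.
def resolve_chain(records, name, max_hops: 10)
  chain = [name.downcase]
  addresses = []
  max_hops.times do
    current = chain.last
    here = records.select { |r| r.name == current }
    addresses = here.select { |r| r.type == "A" || r.type == "AAAA" }.map(&:rdata)
    break unless addresses.empty?
    cname = here.find { |r| r.type == "CNAME" }
    break if cname.nil?                # dangling: nothing known for this name
    target = cname.rdata.downcase
    break if chain.include?(target)    # CNAME loop: stop instead of spinning
    chain << target
  end
  [chain, addresses]
end

# Map every owner name directly under +zone+ to its resolved addresses.
def labels_to_addresses(text, zone)
  records = parse_answer(text)
  suffix = ".#{zone}."
  records.map(&:name).uniq
         .select { |n| n.end_with?(suffix) && !n.delete_suffix(suffix).include?(".") }
         .each_with_object({}) { |n, out| out[n] = resolve_chain(records, n).last }
end

# Sample input: answer lines taken from the run shown above.
SAMPLE_ANSWER = <<~DIG
  c.microsoft.com.                2     IN  CNAME  c.microsoft.akadns.net.
  c.microsoft.akadns.net.         499   IN  A      65.55.58.184
  i.microsoft.com.                779   IN  CNAME  i.toggle.www.ms.akadns.net.
  i.toggle.www.ms.akadns.net.     44    IN  CNAME  i.g.www.ms.akadns.net.
  i.g.www.ms.akadns.net.          225   IN  CNAME  i.microsoft.com.edgesuite.net.
  i.microsoft.com.edgesuite.net.  116   IN  CNAME  a1475.g.akamai.net.
  a1475.g.akamai.net.             16    IN  A      23.45.65.26
  a1475.g.akamai.net.             16    IN  A      23.45.65.33
  s.microsoft.com.                3599  IN  CNAME  reroute.microsoft.com.
  reroute.microsoft.com.          3599  IN  A      65.55.58.201
  reroute.microsoft.com.          3599  IN  A      64.4.11.37
DIG

if __FILE__ == $PROGRAM_NAME
  labels_to_addresses(SAMPLE_ANSWER, "microsoft.com").each do |name, addrs|
    puts format("%-24s -> %s", name, addrs.empty? ? "(dangling)" : addrs.join(", "))
  end
end
```

For a zone owner reviewing their own exposure, the useful columns are the ones this produces: which short labels exist at all, and which ones end at a third-party CNAME target (CDN, cloud app) that could become dangling when that service is decommissioned.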
