txdns (Those eXtra Domain NameS)
Domain name information is available from a number of sources, be it the
regional internet registries such as RIPE and ARIN or the specific hosting
companies themselves. Other tools exist that can gather this top-level
information, but beyond it what a vulnerability analyst/penetration tester
really needs is information about the disparate servers and hosts residing
on the internal network, or as many valid internet-facing hosts as possible
to target. If DNS hardening has been carried out this information should be
quite difficult to come by, since the usual zone transfer (AXFR) requests
will be refused; what remains is to guess names and see which ones resolve.
TXDNS is a command-line application that launches multiple threads to
discover DNS information about a domain namespace/site. Because of this
multi-threaded approach the tool can perform thousands of disparate DNS
queries every minute, and it uses a number of techniques including:
Typos - looks for possible phishing variations generated by common,
well-known typo algorithms (missed, wrong, doubled and transposed keystrokes)
and reports which of the resulting names resolve and which do not.
Top-level domain rotation
Dictionary-based attack
Brute-force attack
TXDNS can perform many different types of queries:
Resource Record queries, i.e. A, CNAME, HINFO, MX, NS, SOA and TXT,
Non-recursive queries,
Queries against a given DNS server.
TXDNS can also be used as a stress-testing tool for DNS servers, to see how
they perform against aggressive intrusive scans and, more importantly, to
determine what information they are leaking to the wild.
TXDNS is available from the project site, http://www.txdns.net.
Installation:
You can either download a zipped executable (around 56k) or the full .exe.
As this is a Windows application, open a command prompt and run txdns.exe
from the directory you unpacked it to.
Execution:
txdns.exe [options] {target domain}
Options:
TYPO
-t, --typo            Checks for missed, wrong, doubled and transposed
                      keystroke typos.
-rt, --rot-tld        Rotates through IANA's top-level domains:
                      http://www.iana.org/cctld/cctld-whois.htm
                      http://www.iana.org/gtld/gtld.htm
DICTIONARY
-f[m], --wordlist <file>  Perform a dictionary attack using the words in
                      <file>. '-fm' pre-loads the file into memory, which
                      improves performance with large files. The parser
                      loops 0..9 when a '#' tag is found: the word 'web#'
                      renders 'web0', 'web1' ... 'web9'. Words with multiple
                      tags, like 'w#eb#', are ignored.
BRUTE FORCE
-bb, --be-brute       Perform a brute-force lookup.
--min                 Minimum length of the brute-forced sub-string.
                      Defaults to 4 (1-250).
--max                 Maximum length of the brute-forced sub-string.
                      Defaults to 8 (1-250).
--charset <type>      Specify the charset to use. Defaults to 1.
                      1 {a..z}, 2 {0..9}, 3 {a..z,0..9}
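The three name-generation modes above (typo variants, dictionary words with the '#' tag, brute force over a charset) are easy to reproduce, and doing so shows why the brute-force defaults matter. The following is an added example written for this page, not TXDNS source code: TXDNS does not publish its algorithms, so the staggered QWERTY layout used for "wrong keystroke" typos is an assumption inferred from the .museum output further down (where 'l' is replaced by k/o/p and 'o' by i/k/l/p/9/0), and the other three classes are assumed to be plain deletion, doubling and adjacent swap.

```python
"""Candidate-name generation modelled on TXDNS's typo, dictionary and
brute-force modes (added example; not TXDNS source code).

Assumptions: staggered QWERTY layout for "wrong keystroke" typos (inferred
from the .museum output on the page), deletion / doubling / adjacent swap
for the other three typo classes, and TXDNS's documented '#' tag rule."""
import itertools
import string

# (row, horizontal offset in key widths): assumed staggered QWERTY layout.
KEY_ROWS = [("1234567890", 0.0), ("qwertyuiop", 0.5),
            ("asdfghjkl", 1.0), ("zxcvbnm", 1.5)]


def _build_neighbours():
    pos = {}
    for r, (row, off) in enumerate(KEY_ROWS):
        for i, ch in enumerate(row):
            pos[ch] = (r, i + off)
    near = {}
    for ch, (r, x) in pos.items():
        near[ch] = {o for o, (r2, x2) in pos.items() if o != ch and (
            (r2 == r and abs(x2 - x) == 1.0) or          # left / right
            (abs(r2 - r) == 1 and abs(x2 - x) <= 0.5))}  # above / below
    return near


NEAR = _build_neighbours()


def typos(label):
    """The four -t/--typo classes, keyed by class. Like TXDNS, duplicates are
    not removed here (deleting either 'l' of 'll' gives the same string)."""
    out = {"wrong": [], "missed": [], "double": [], "transposed": []}
    for i, ch in enumerate(label):
        out["wrong"] += [label[:i] + n + label[i + 1:] for n in sorted(NEAR.get(ch, ()))]
        out["missed"].append(label[:i] + label[i + 1:])
        out["double"].append(label[:i] + ch + label[i:])
    for i in range(len(label) - 1):
        out["transposed"].append(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    return out


def expand_word(word):
    """-f/--wordlist '#' tag: one '#' loops 0..9, more than one is ignored."""
    tags = word.count("#")
    if tags == 0:
        return [word]
    if tags > 1:
        return []
    return [word.replace("#", str(d)) for d in range(10)]


CHARSETS = {1: string.ascii_lowercase, 2: string.digits,
            3: string.ascii_lowercase + string.digits}


def brute_labels(charset=1, min_len=4, max_len=8):
    """-bb/--be-brute candidates for --charset/--min/--max, shortest first."""
    for k in range(min_len, max_len + 1):
        for chars in itertools.product(CHARSETS[charset], repeat=k):
            yield "".join(chars)


def brute_keyspace(charset=1, min_len=4, max_len=8):
    """Number of names a brute-force run will query. With the defaults this is
    about 2.2e11, i.e. decades at thousands of queries per minute, so in
    practice --max is lowered or the dictionary mode is used instead."""
    n = len(CHARSETS[charset])
    return sum(n ** k for k in range(min_len, max_len + 1))


def candidates(domain, wordlist=(), typo=False):
    """Fully-qualified names to query: dictionary words (with '#' expanded)
    under the domain, plus typo variants of the registered label."""
    label, _, suffix = domain.partition(".")
    names = [f"{w}.{domain}" for word in wordlist for w in expand_word(word)]
    if typo:
        for variants in typos(label).values():
            names += [f"{v}.{suffix}" for v in variants if v]
    return sorted(set(names))


if __name__ == "__main__":
    t = typos("logicallysecure")
    print({k: len(v) for k, v in t.items()})   # 75 wrong-key variants, as in the .museum run
    print(brute_keyspace(), "names for the default brute-force run")
    print(candidates("vulnerabilityassessment.co.uk", ["www", "web#"])[:5])
```

With the defaults (charset 1, lengths 4 to 8) the brute-force keyspace is 217,180,128,880 names; at the "thousands of queries every minute" the page quotes that is on the order of 80 years, which is why a short --max or a good wordlist is the realistic choice.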
QUERY OPTIONS
-rr, --record <type>  Specify the RR type to query for. Defaults to an 'A'
                      query. Types: A, CNAME, HINFO, MX, NS, SOA, TXT.
-n, --no-recursion    Clears the RD bit so the server performs an iterative
                      (non-recursive) lookup and answers only from its own
                      data or cache.
-s, --server <IP>     Look up against the specified DNS server.
-x, --threads <n>     Defines how many threads to use. Defaults to 5; 'n'
                      may be a minimum of 1 and a maximum of 50.
-w, --wait <seconds>  Force a sleep between queries.
--rnd                 Randomise the sleep interval.
OUTPUT
-v, --verbose         Verbose output.
-i, --inverse         Returns the failed queries instead (names that did not
                      resolve).
-h, --hostlist <file> Generates a file with the host labels (leftmost part)
                      of all resolved names. If the file already exists names
                      are appended to the end of it.
                      If '-bb --be-brute' or '-f[m] --wordlist' is mixed with
                      '-t --typo' or '-rt --rot-tld', many duplicate names may
                      be found on the list.
Tip: You may further use this list as '-f[m] --wordlist' input along with
'-s --server' and '-n --no-recursion' to look the same names up against
different name/cache servers. A non-recursive query is only answered if the
server already holds the record, so this shows which of your discovered
names a given cache has recently resolved.
MISC
-V                    Version information.
-H                    This help summary page.
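What -n/--no-recursion and the hostlist tip above amount to on the wire is a query with the RD (recursion desired) bit clear: the server is told not to go and fetch the answer, so a resolver can only reply with what it already holds, and a positive, non-authoritative answer means somebody using that cache resolved the name recently. The following is an added example for this page, not TXDNS code; it builds such a query by hand (RFC 1035 wire format), interprets the reply flags, and reads the remaining TTL of the first answer. The reply bytes are constructed inline so it runs offline; 192.0.2.10 is a TEST-NET documentation address, and `query()` only hits the network if you call it.

```python
"""Hand-built non-recursive DNS lookups, the -n/--no-recursion behaviour.
Added example; not TXDNS code. RFC 1035 section 4.1 wire format."""
import socket
import struct

A_RECORD, IN_CLASS = 1, 1
# Header flag bits
QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODE_NXDOMAIN, RCODE_REFUSED = 3, 5


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    return b"".join(bytes([len(p)]) + p.encode("ascii")
                    for p in name.rstrip(".").split(".")) + b"\x00"


def build_query(name, qtype=A_RECORD, txid=0x1234, recursion=False):
    """One question; RD is set only if recursion=True (TXDNS's default)."""
    flags = RD if recursion else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, IN_CLASS)


def parse_header(resp):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "rd": bool(flags & RD), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def _skip_name(data, off):
    """Advance past a (possibly compressed) name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer
            return off + 2
        off += 1 + length


def first_answer(resp):
    """Type, TTL and rdata of the first answer RR, or None. For a cached
    answer the TTL is the remaining lifetime, so it tells you how long ago
    the cache fetched it."""
    hdr = parse_header(resp)
    if hdr["ancount"] == 0:
        return None
    off = 12
    for _ in range(hdr["qdcount"]):
        off = _skip_name(resp, off) + 4     # QTYPE + QCLASS
    off = _skip_name(resp, off)
    rtype, _, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
    rdata = resp[off + 10:off + 10 + rdlen]
    if rtype == A_RECORD and rdlen == 4:
        rdata = socket.inet_ntoa(rdata)
    return {"type": rtype, "ttl": ttl, "rdata": rdata}


def classify(resp):
    """Interpret a reply to an RD=0 query."""
    hdr = parse_header(resp)
    if hdr["rcode"] == RCODE_NXDOMAIN:
        return "nxdomain"
    if hdr["rcode"] == RCODE_REFUSED:
        return "refused"            # server will not answer without recursion
    if hdr["ancount"] and hdr["aa"]:
        return "authoritative"      # server owns the zone; not a cache hit
    if hdr["ancount"]:
        return "cached"             # non-authoritative data it already held
    return "not-cached"             # NOERROR with no answer: not in cache


def query(server, name, qtype=A_RECORD, recursion=False, timeout=2.0):
    """Send one UDP query: the -s/--server plus -n/--no-recursion combination."""
    q = build_query(name, qtype, recursion=recursion)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return data


# Constructed reply for offline use: QR|RA set, AA clear, one A answer with
# 1753 s of TTL left, pointing at the TEST-NET address 192.0.2.10.
SAMPLE_CACHED_REPLY = (
    struct.pack("!HHHHHH", 0x1234, QR | RA, 1, 1, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", A_RECORD, IN_CLASS)
    + b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, IN_CLASS, 1753, 4)
    + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    print(classify(SAMPLE_CACHED_REPLY), first_answer(SAMPLE_CACHED_REPLY))
```

Against a real resolver, `classify(query("10.1.10.1", "intranet.example.com"))` returning "cached" is the cache-snooping result the tip is after; "refused" means the server declines non-recursive queries from your address and the technique will not work there.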
Example Syntax:
Scan for all Top Level Domain and Typo variations of the domain
vulnerabilityassessment.co.uk:
c:\>txdns -rt -t vulnerabilityassessment.co.uk
Brute-force the vulnerabilityassessment.co.uk namespace using 50 threads:
c:\>txdns -x 50 -bb vulnerabilityassessment.co.uk
Dictionary attack against vulnerabilityassessment.co.uk for SOA records, using
a specified DNS server, displaying results in verbose mode and appending found
hosts to an output file:
c:\>txdns --verbose -fm wordlist.dic --server 10.1.10.1 -rr SOA vulnerabilityassessment.co.uk -h c:\hostlist.txt
Example output:
C:\>txdns.exe -rt -t logicallysecure.com
-------------------------------------------------------------------------------
TXDNS (http://www.txdns.net) v1.0.0 running:
Brute Force [ ] Dictionary [ ] TLD Rotation [X] Typo Guessing [X]
-------------------------------------------------------------------------------
> logicallysecure.com - xxx.xxx.xxx.xxx
> kogicallysecure.museum - 195.7.77.20
> pogicallysecure.museum - 195.7.77.20
> oogicallysecure.museum - 195.7.77.20
> ligicallysecure.museum - 195.7.77.20
> lkgicallysecure.museum - 195.7.77.20
> l0gicallysecure.museum - 195.7.77.20
> lpgicallysecure.museum - 195.7.77.20
> llgicallysecure.museum - 195.7.77.20
> lohicallysecure.museum - 195.7.77.20
> lovicallysecure.museum - 195.7.77.20
> lobicallysecure.museum - 195.7.77.20
> l9gicallysecure.museum - 195.7.77.20
> loficallysecure.museum - 195.7.77.20
> loyicallysecure.museum - 195.7.77.20
> loticallysecure.museum - 195.7.77.20
> logucallysecure.museum - 195.7.77.20
> logjcallysecure.museum - 195.7.77.20
> logocallysecure.museum - 195.7.77.20
> logkcallysecure.museum - 195.7.77.20
> log8callysecure.museum - 195.7.77.20
> log9callysecure.museum - 195.7.77.20
> logixallysecure.museum - 195.7.77.20
> logivallysecure.museum - 195.7.77.20
> logifallysecure.museum - 195.7.77.20
> logiczllysecure.museum - 195.7.77.20
> logidallysecure.museum - 195.7.77.20
> logicsllysecure.museum - 195.7.77.20
> logicqllysecure.museum - 195.7.77.20
> logicwllysecure.museum - 195.7.77.20
> logicaplysecure.museum - 195.7.77.20
> logicaklysecure.museum - 195.7.77.20
> logicaolysecure.museum - 195.7.77.20
> logicalltsecure.museum - 195.7.77.20
> logicaloysecure.museum - 195.7.77.20
> logicallgsecure.museum - 195.7.77.20
> logicallusecure.museum - 195.7.77.20
> logicallhsecure.museum - 195.7.77.20
> logicalkysecure.museum - 195.7.77.20
> logicalpysecure.museum - 195.7.77.20
> logicall7secure.museum - 195.7.77.20
> logicall6secure.museum - 195.7.77.20
> logicallyaecure.museum - 195.7.77.20
> logicallyzecure.museum - 195.7.77.20
> logicallyxecure.museum - 195.7.77.20
> logicallydecure.museum - 195.7.77.20
> logicallyeecure.museum - 195.7.77.20
> logicallywecure.museum - 195.7.77.20
> logicallyswcure.museum - 195.7.77.20
> logicallysscure.museum - 195.7.77.20
> logicallysrcure.museum - 195.7.77.20
> logicallys4cure.museum - 195.7.77.20
> logicallysdcure.museum - 195.7.77.20
> logicallysexure.museum - 195.7.77.20
> logicallys3cure.museum - 195.7.77.20
> logicallysedure.museum - 195.7.77.20
> logicallysevure.museum - 195.7.77.20
> logicallysefure.museum - 195.7.77.20
> logicallysecyre.museum - 195.7.77.20
> logicallysechre.museum - 195.7.77.20
> logicallysecjre.museum - 195.7.77.20
> logicallysecire.museum - 195.7.77.20
> logicallysec8re.museum - 195.7.77.20
> logicallysecuee.museum - 195.7.77.20
> logicallysec7re.museum - 195.7.77.20
> logicallysecu4e.museum - 195.7.77.20
> logicallysecu5e.museum - 195.7.77.20
> logicallysecude.museum - 195.7.77.20
> logicallysecufe.museum - 195.7.77.20
> logicallysecute.museum - 195.7.77.20
> logicallysecurw.museum - 195.7.77.20
> logicallysecurs.museum - 195.7.77.20
> logicallysecurd.museum - 195.7.77.20
> logicallysecur4.museum - 195.7.77.20
> logicallysecurr.museum - 195.7.77.20
> logicallysecur3.museum - 195.7.77.20
> ogicallysecure.museum - 195.7.77.20
> lgicallysecure.museum - 195.7.77.20
> loicallysecure.museum - 195.7.77.20
> logcallysecure.museum - 195.7.77.20
> logiallysecure.museum - 195.7.77.20
> logicllysecure.museum - 195.7.77.20
> logicalysecure.museum - 195.7.77.20
> logicalysecure.museum - 195.7.77.20
> logicallsecure.museum - 195.7.77.20
> logicallyecure.museum - 195.7.77.20
> logicallyscure.museum - 195.7.77.20
> logicallyseure.museum - 195.7.77.20
> logicallysecre.museum - 195.7.77.20
> logicallysecue.museum - 195.7.77.20
> logicallysecur.museum - 195.7.77.20
> llogicallysecure.museum - 195.7.77.20
> loogicallysecure.museum - 195.7.77.20
> loggicallysecure.museum - 195.7.77.20
> logiicallysecure.museum - 195.7.77.20
> logiccallysecure.museum - 195.7.77.20
> logicaallysecure.museum - 195.7.77.20
> logicalllysecure.museum - 195.7.77.20
> logicalllysecure.museum - 195.7.77.20
> logicallyseecure.museum - 195.7.77.20
> logicallyssecure.museum - 195.7.77.20
> logicallysecurre.museum - 195.7.77.20
> logicallysecuree.museum - 195.7.77.20
> logicallyysecure.museum - 195.7.77.20
> logicallyseccure.museum - 195.7.77.20
> logicallysecuure.museum - 195.7.77.20
> lgoicallysecure.museum - 195.7.77.20
> olgicallysecure.museum - 195.7.77.20
> loigcallysecure.museum - 195.7.77.20
> logciallysecure.museum - 195.7.77.20
> logiacllysecure.museum - 195.7.77.20
> logicallysecure.museum - 195.7.77.20
> logiclalysecure.museum - 195.7.77.20
> logicalylsecure.museum - 195.7.77.20
> logicallsyecure.museum - 195.7.77.20
> logicallyescure.museum - 195.7.77.20
> logicallyseucre.museum - 195.7.77.20
> logicallysceure.museum - 195.7.77.20
> logicallysecrue.museum - 195.7.77.20
> logicallysecuer.museum - 195.7.77.20
C:\>txdns.exe -x 50 -bb microsoft.com
-------------------------------------------------------------------------------
TXDNS (http://www.txdns.net) v1.0.0 running:
Brute Force [X] Dictionary [ ] TLD Rotation [ ] Typo Guessing [ ]
-------------------------------------------------------------------------------
> asia.microsoft.com - 207.46.130.108
> asia.microsoft.com - 207.46.250.119
> atbd.microsoft.com - 131.107.1.7
^C   (scan aborted with Ctrl-C)
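The first run above is a reminder that a "hit" is not a host: every typo of logicallysecure under .museum resolved to the same address, 195.7.77.20, because the zone answers for any name (a wildcard), so none of those lines is a real target. The following added example (not TXDNS code) parses result lines of the form '> name - ip', flags zones where many distinct names share one address, drops them, and builds the de-duplicated leftmost-label list that -h/--hostlist writes. The sample input is constructed from the runs shown on this page; the threshold of 5 names is an arbitrary assumption.

```python
"""Post-processing for TXDNS result lines ('> name - ip').
Added example, not TXDNS code: wildcard detection and hostlist extraction."""
import re
from collections import defaultdict

RESULT = re.compile(r"^>\s*(?P<name>[A-Za-z0-9.-]+)\s+-\s+(?P<ip>\S+)$")

# Constructed sample, taken from the runs shown on this page.
SAMPLE_OUTPUT = """\
> logicallysecure.com - xxx.xxx.xxx.xxx
> kogicallysecure.museum - 195.7.77.20
> pogicallysecure.museum - 195.7.77.20
> oogicallysecure.museum - 195.7.77.20
> ligicallysecure.museum - 195.7.77.20
> lkgicallysecure.museum - 195.7.77.20
> l0gicallysecure.museum - 195.7.77.20
> asia.microsoft.com - 207.46.130.108
> asia.microsoft.com - 207.46.250.119
> atbd.microsoft.com - 131.107.1.7
"""


def parse_results(text):
    """Return [(name, ip), ...]; banner and other non-result lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = RESULT.match(line.strip())
        if m:
            hits.append((m["name"].lower().rstrip("."), m["ip"]))
    return hits


def _zone(name):
    """Zone a candidate sits in: everything after its leftmost label."""
    return name.split(".", 1)[1] if "." in name else name


def wildcard_suspects(hits, threshold=5):
    """{(zone, ip): n} for zones where n >= threshold distinct names share one
    address. A zone that answers every guessed name with the same record is a
    wildcard; confirm by resolving a random label under it before trusting it."""
    names = defaultdict(set)
    for name, ip in hits:
        names[(_zone(name), ip)].add(name)
    return {k: len(v) for k, v in names.items() if len(v) >= threshold}


def drop_wildcards(hits, threshold=5):
    """Hits with the suspected wildcard zone/address pairs removed."""
    bad = wildcard_suspects(hits, threshold)
    return [(n, ip) for n, ip in hits if (_zone(n), ip) not in bad]


def host_labels(hits, domain):
    """Leftmost labels of resolved names under `domain`, de-duplicated but in
    the order found (asia.microsoft.com with two A records appears once)."""
    suffix = "." + domain.lower()
    seen, labels = set(), []
    for name, _ in hits:
        if name.endswith(suffix):
            label = name.split(".", 1)[0]
            if label not in seen:
                seen.add(label)
                labels.append(label)
    return labels


if __name__ == "__main__":
    hits = parse_results(SAMPLE_OUTPUT)
    print("wildcards:", wildcard_suspects(hits))
    print("kept:", drop_wildcards(hits))
    print("hostlist:", host_labels(hits, "microsoft.com"))
```

The same check applies to brute-force and dictionary runs against a target zone: if every guessed label under the domain comes back with one address, test a label nobody would register (a long random string) before reporting any of them as hosts.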