
Tim Tomes committed a15459b

renamed the dns_scrape module to cache_snoop, renamed the domains-scrape list to av_domains, and made minor changes to the cache_snoop and resolve modules.

  • Parent commits 19e03ab


Files changed (5)

data/av_domains.lst

+www.es-latest-3.sophos.com/update
+www.es-web.sophos.com
+www.es-web.sophos.com.edgesuite.net
+www.es-web-2.sophos.com
+www.es-web-2.sophos.com.edgesuite.net
+www.dnl-01.geo.kaspersky.com
+www.downloads2.kaspersky-labs.com
+www.liveupdate.symantecliveupdate.com
+www.liveupdate.symantec.com
+www.update.symantec.com
+www.update.nai.com
+www.download797.avast.com
+www.guru.avg.com
+www.osce8-p.activeupdate.trendmicro.com
+www.forefrontdl.microsoft.com
+es-latest-3.sophos.com/update
+es-web.sophos.com
+es-web.sophos.com.edgesuite.net
+es-web-2.sophos.com
+es-web-2.sophos.com.edgesuite.net
+dnl-01.geo.kaspersky.com
+downloads2.kaspersky-labs.com
+liveupdate.symantecliveupdate.com
+liveupdate.symantec.com
+update.symantec.com
+update.nai.com
+download797.avast.com
+guru.avg.com
+osce8-p.activeupdate.trendmicro.com
+forefrontdl.microsoft.com

data/domains-scrape.lst

-www.es-latest-3.sophos.com/update
-www.es-web.sophos.com
-www.es-web.sophos.com.edgesuite.net
-www.es-web-2.sophos.com
-www.es-web-2.sophos.com.edgesuite.net
-www.dnl-01.geo.kaspersky.com
-www.downloads2.kaspersky-labs.com
-www.liveupdate.symantecliveupdate.com
-www.liveupdate.symantec.com
-www.update.symantec.com
-www.update.nai.com
-www.download797.avast.com
-www.guru.avg.com
-www.osce8-p.activeupdate.trendmicro.com
-www.forefrontdl.microsoft.com
-es-latest-3.sophos.com/update
-es-web.sophos.com
-es-web.sophos.com.edgesuite.net
-es-web-2.sophos.com
-es-web-2.sophos.com.edgesuite.net
-dnl-01.geo.kaspersky.com
-downloads2.kaspersky-labs.com
-liveupdate.symantecliveupdate.com
-liveupdate.symantec.com
-update.symantec.com
-update.nai.com
-download797.avast.com
-guru.avg.com
-osce8-p.activeupdate.trendmicro.com
-forefrontdl.microsoft.com

modules/auxiliary/cache_snoop.py

+import framework
+# unique to module
+import os
+import dns
+import re
+
+class Module(framework.module):
+
+    def __init__(self, params):
+        framework.module.__init__(self, params)
+        self.register_option('nameserver', '', 'yes', 'ip address of target\'s nameserver')
+        self.register_option('domains', './data/av_domains.lst', 'yes', 'domain or list of domains to snoop for')
+        self.register_option('verbose', self.goptions['verbose']['value'], 'yes', self.goptions['verbose']['desc'])
+        self.info = {
+                     'Name': 'DNS Cache Snooper',
+                     'Author': 'thrapt (thrapt@gmail.com)',
+                     'Description': 'Uses the DNS cache snooping technique to check for visited domains',
+                     'Comments': [
+                                  'Nameserver must be in IP form.',
+                                  'Domains options: host.domain.com, <path/to/infile>',
+                                  'http://304geeks.blogspot.com/2013/01/dns-scraping-for-corporate-av-detection.html'
+                                 ]
+                     }
+
+    def do_run(self, params):
+        if not self.validate_options(): return
+        # === begin here ===
+        self.cachesnoop()
+
+    def cachesnoop(self):
+        verbose = self.options['verbose']['value']
+        domains = self.options['domains']['value']
+        nameserver = self.options['nameserver']['value']
+        
+        if os.path.exists(domains):
+            hosts = open(domains).read().split()
+        else:
+            hosts = [domains]
+        
+        self.output('Starting queries...')
+        
+        for host in hosts:
+            status = 'Not found'
+            # prepare our query
+            query = dns.message.make_query(host, dns.rdatatype.A, dns.rdataclass.IN)
+            # unset the Recurse flag 
+            query.flags ^= dns.flags.RD
+            try:
+                # try the query
+                response = dns.query.udp(query, nameserver)
+            except KeyboardInterrupt:
+                print ''
+                return
+            except dns.resolver.NXDOMAIN: status = 'Unknown'
+            except dns.resolver.NoAnswer: status = 'No answer'
+            except dns.exception.SyntaxError:
+                self.error('Nameserver must be in IP form.')
+                return
+            except: status = 'Error'
+
+            # searchs the response to find the answer
+            if len(response.answer) > 0:
+                status = 'Snooped!'
+                self.alert('%s => %s' % (host, status))
+            else:
+                if verbose: self.output('%s => %s' % (host, status))
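Review bot: When `dns.query.udp` on line 131 raises, none of the except arms assign `response`, yet line 143 reads `response.answer` unconditionally: on the first host that fails this is a `NameError`, and on later hosts the previous host's response is reused, so a failed query can be reported as `Snooped!` for the wrong host. Initialise `response = None` next to `status = 'Not found'` and guard the check with `if response is not None and response.answer:`, leaving the verbose branch to print the status the except arm chose. The `dns.resolver.NXDOMAIN`/`NoAnswer` arms appear to be carried over from a resolver-based caller; I cannot tell from the hunk whether `dns.query.udp` raises them, so the bare `except:` on line 140 is what most failures will hit — narrow it to `except dns.exception.DNSException:` so `SystemExit` and programming errors are not folded into `'Error'`. `import re` on line 86 is unused in the new file, and `open(domains).read()` on line 117 leaves the handle to the garbage collector; `with open(domains) as f: hosts = f.read().split()` closes it deterministically.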

modules/auxiliary/dns_scrape.py

-import framework
-# unique to module
-import os
-import dns
-import re
-
-class Module(framework.module):
-
-    def __init__(self, params):
-        framework.module.__init__(self, params)
-        self.register_option('nameserver', '', 'yes', 'ip address of nameserver')
-        self.register_option('domains', 'default', 'yes', 'list of domains to check')
-        self.register_option('verbose', self.goptions['verbose']['value'], 'yes', self.goptions['verbose']['desc'])
-        self.info = {
-                     'Name': 'DNS cache snooping',
-                     'Author': 'thrapt (thrapt@gmail.com)',
-                     'Description': 'Uses the DNS cache snooping technique to check for visited domains',
-                     'Comments': [
-                                  'Based on the work of 304geeks.com',
-                                  'http://304geeks.blogspot.com/2013/01/dns-scraping-for-corporate-av-detection.html',
-                                  '',
-                                  'domains options: default, <hostname>, <path/to/infile>',
-                                  'Nameserver must be in IP form.'
-                                 ]
-                     }
-
-    def do_run(self, params):
-        if not self.validate_options(): return
-        # === begin here ===
-        self.cachesnoop()
-
-    def cachesnoop(self):
-        verbose = self.options['verbose']['value']
-        domains = self.options['domains']['value']
-        nameserver = self.options['nameserver']['value']
-        
-        if domains == 'default': domains = 'data/domains-scrape.lst'
-        if os.path.exists(domains): hosts = open(domains).read().split()
-        else: hosts = [domains]
-        
-        self.output('Starting queries...')
-        
-        for host in hosts:
-            # prepare our query
-            query = dns.message.make_query(host, dns.rdatatype.A, dns.rdataclass.IN)
-            # unset the Recurse flag 
-            query.flags ^= dns.flags.RD
-            try:
-                # try the query
-                response = dns.query.udp(query, nameserver)
-            except KeyboardInterrupt:
-                print ''
-                return
-            except dns.resolver.NXDOMAIN: 
-                self.output('%s => Unknown', host)
-                return
-            except dns.resolver.NoAnswer: 
-                self.output('%s => No answer', nameserver)
-                return
-            except dns.exception.SyntaxError:
-                self.error('Nameserver must be in IP form.')
-                return
-            except: response = 'error'
-
-            # searchs the response to find the answer
-            response = re.findall(r';ANSWER\s^(?=(?!;))(.*)$', str(response), re.MULTILINE)
-            
-            if len(response) > 0:
-                ip = response[0].split()[-1]
-                self.output('%s %s' % (host.ljust(50), ip))
-            else:
-                if verbose: self.output('%s not found' % (host.ljust(50)))

modules/auxiliary/resolve.py

             except KeyboardInterrupt:
                 print ''
                 return
-            except dns.resolver.NXDOMAIN: address = 'unknown'
-            except dns.resolver.NoAnswer: address = 'no answer'
+            except dns.resolver.NXDOMAIN: address = 'Unknown'
+            except dns.resolver.NoAnswer: address = 'No answer'
             except dns.exception.SyntaxError:
                 self.error('Nameserver must be in IP form.')
                 return
-            except: address = 'error'
+            except: address = 'Error'
             self.output('%s => %s' % (host, address))
             self.query('UPDATE hosts SET address="%s" WHERE rowid="%s"' % (address, row))
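Review bot: The `address` values set on lines 231, 232 and 237 are interpolated straight into the SQL on line 239, together with the address resolved earlier in the function (its start is outside the hunk), so the row update relies on string formatting instead of bound parameters; a resolved value containing a double quote would break or alter the statement. If `self.query` accepts parameters, the line should become `self.query('UPDATE hosts SET address=? WHERE rowid=?', (address, row))` — its signature is not visible here, so confirm against the framework. The bare `except:` on line 237 also catches `SystemExit` and programming errors and records them as `'Error'`; `except dns.exception.DNSException:` keeps the intended fallback without hiding those.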