  • What's in a name? A @textfiles attempt at gathering all of the world's DNS
  • Intro TEAM
  • Not quite this cool...
  • maybe...
  • Black Box Testing
  • Starts like this right?
  • CompanyX Go...
  • Step 1:
  • ARIN’s REST Web Services
  • Whois Black Magic
    whois -h whois.arin.net "> ! COMPANY"
    Microsoft (C00006676) DIRECP-NET1-206-71-11 (NET-206-71-119-0-1)
    Microsoft (C00006677) DIRECP-NET1-118 (NET-206-71-118-0-1)
    Microsoft (C00006678) DIRECP-NET1-117 (NET-206-71-117-0-1)
    Microsoft (C00061532) UUHIL-BLK1-C155-112 (NET-209-154-155-112-1)
    Microsoft (C00168056) SBCIS-101411-164355 (NET-65-68-62-152-1)
    Microsoft (C00313928) SBC067039208168020503 (NET-67-39-208-168-1)
    Microsoft (C00330795) ()
    Microsoft (C00446770) SBC066136085192030113 (NET-66-136-85-192-1)
    Microsoft (C00458472) MFN-T280-64-124-184-72-29 (NET-64-124-184-72-1)
    Microsoft (C00459322) ()
    Microsoft (C00637972) CW-204-71-191-0 (NET-204-71-191-0-1)
    Microsoft (C01563731) CVNET-454AA20 (NET-69-74-162-0-1)
    Microsoft (C01647285) UU-65-221-5 (NET-65-221-5-0-1)
    Microsoft (C01793454) MICROSOFT (NET-74-93-205-144-1)
    Microsoft (C01793455) MICROSOFT (NET-74-93-205-152-1)
    Microsoft (C01793456) MICROSOFT (NET-74-93-206-64-1)
    Microsoft (C01807326) MICROSOFT (NET-70-89-139-120-1)
    Microsoft (C02008777) RSPC-1218167167199384 (NET-67-192-225-208-1)
    Microsoft (C02312189) OW-3236-1 (NET-206-72-124-64-1)
    Microsoft (C02313555) OW-4867-1 (NET-206-72-120-248-1)
    Microsoft (C02313803) OW-4469-1 (NET-206-72-120-104-1)
    Microsoft (C02499241) MICROSOFT (NET-64-119-153-72-1)
    Microsoft (C02499329) MICROSOFT (NET-64-119-130-112-1)
    Microsoft (C02499544) MICROSOFT (NET-64-119-153-80-1)
    Microsoft (C02570623) MCRS-68-188-29-64 (NET-68-188-29-64-1)
    Microsoft (C02580886) RACKS-8-1283476925266189 (NET-184-106-14-208-1)
    Microsoft (C02597593) MICROSOFT (NET-66-228-68-96-1)
    Microsoft (C02597706) ()
    Microsoft (C02599338) RACKS-8-1286223485308418 (NET-184-106-32-152-1)
    Microsoft (C02654382) ()
    Microsoft (C02677592) MICROSOFT (NET-64-119-136-168-1)
    Microsoft (C02718410) MICROSOFT (NET-64-119-136-240-1)
    Microsoft (C02768521) MICROSOFT (NET-66-228-80-160-1)
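The slide's whois output is exactly the kind of blob you want in a structured form before the next step, so here is an added example (not the talk's code) that parses those lines into records and groups the NET handles per organisation. It assumes the line layout shown above (org name, handle in parentheses, net name, NET handle in parentheses, then an optional "start - end" range that the slide cut off) and assumes ARIN's convention that the four numbers in a NET-a-b-c-d-n handle are the block's first address; the `whois_query` helper just shells out with the same `"> ! handle"` query the slide uses.

```python
import ipaddress
import re
import subprocess
from collections import defaultdict

# One line of ARIN's legacy whois listing, as printed for a "> ! <handle>" query:
#   <org name> (<customer/org handle>) <net name> (<NET handle>) [<start> - <end>]
# The net name and NET handle can be empty ("()"), as several slide lines show.
RECORD_RE = re.compile(
    r"^(?P<org>.+?) \((?P<handle>[^)]+)\) "
    r"(?P<netname>[^\s()]*) ?\((?P<net>[^)]*)\)"
    r"(?: +(?P<start>\S+) - (?P<end>\S+))?\s*$"
)


def net_handle_to_address(handle):
    """Assumption: NET-206-71-119-0-1 encodes start address 206.71.119.0 plus a
    sequence suffix. Returns None for NET6 handles or anything unexpected."""
    parts = handle.split("-")
    if parts[0] != "NET" or len(parts) != 6:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(parts[1:5])))
    except ipaddress.AddressValueError:
        return None


def parse_whois_block(text):
    """Parse whois listing lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        # Prefer the printed range start; fall back to the address encoded in the handle.
        rec["start_address"] = rec["start"] or net_handle_to_address(rec["net"])
        records.append(rec)
    return records


def nets_by_org(records):
    """{org name: [NET handles]} for records that actually carry a NET handle."""
    out = defaultdict(list)
    for r in records:
        if r["net"]:
            out[r["org"]].append(r["net"])
    return dict(out)


def whois_query(handle, server="whois.arin.net"):
    """Run the slide's query for a real handle (needs network and a whois client)."""
    out = subprocess.run(["whois", "-h", server, f"> ! {handle}"],
                         capture_output=True, text=True, check=False)
    return parse_whois_block(out.stdout)


# Constructed sample: five lines copied from the slide output above.
SAMPLE = """\
Microsoft (C00006676) DIRECP-NET1-206-71-11 (NET-206-71-119-0-1)
Microsoft (C00006677) DIRECP-NET1-118 (NET-206-71-118-0-1)
Microsoft (C00330795) ()
Microsoft (C01793454) MICROSOFT (NET-74-93-205-144-1)
Microsoft (C02499241) MICROSOFT (NET-64-119-153-72-1)
"""

if __name__ == "__main__":
    for rec in parse_whois_block(SAMPLE):
        print(rec["handle"], rec["net"] or "-", rec["start_address"] or "-")
    print(nets_by_org(parse_whois_block(SAMPLE)))
```

Feed the NET handles back into `whois -h whois.arin.net "n ! NET-..."` (or ARIN's REST service) to get the full ranges; the start addresses alone are enough to seed a PTR sweep.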
  • ShoNuff! By Jason Ross
  • Step 2: Listen to this guy OSINT
  • Step 3: Bounce!
  • Step 4: DNS brute force and hope that GW.COMPANYX.COM exists
  • But the best way... but...
  • Problems:
    •  Very small percentage of companies OWN IP space
    •  You rarely get Internal IP space from OSINT
    •  Getting more rare to see companies host their own EMAIL gateway
  • TL;DR or TL;Want-To-Party
  • PTR Records (IN-ADDR.ARPA), AKA the bastard child of DNS everyone forgets about
  • Why?
  • Only 4.294 billion addresses...
  • Bash + Dig = 1 request per second (.5 msec + proc time)
    •  NMAP w/ just DNS resolution = 2 seconds per /24
    •  IF everyone's servers were as fast as Google's
  • didn't want to be old by the time it finished
  • MassResolve: ~3000 requests per second
    mubix@research:~$ time massresolve IPv4.txt
    real 262974m1.855s
    user 394461m0.007s
    sys  3x262974m0
  • Quick tangent...
    •  Is there a parent here that doesn't wish this was true?
  • But people don't like it when you DoS their DNS servers
  • but it's not malicious...
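Both the Step 4 brute force (guessing names like GW.COMPANYX.COM) and the PTR sweep above are the same job, a large list of queries against someone else's servers, and the complaint on the previous slide is what happens when you run it without a speed limit. The following is an added example, not the talk's massresolve or any of the author's code: it builds the query lists for a forward brute force and for a reverse sweep (`reverse_pointer` gives the in-addr.arpa / ip6.arpa owner name), and runs them through a thread pool with a global rate cap so the total query rate is what you chose, not "as fast as the pool can go". The resolver is a plain callable, so it can be swapped for dnspython or a fake; the default ones use the system resolver. Domain names and addresses in the demo are placeholders.

```python
import ipaddress
import itertools
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor


def reverse_name(ip):
    """PTR owner name for one address: 10.2.3.4 -> 4.3.2.10.in-addr.arpa,
    2001:db8::1 -> 1.0.0.…0.8.b.d.0.1.0.0.2.ip6.arpa (nibble-reversed)."""
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_names(cidr):
    """Yield (ptr_owner_name, ip) for every address in a block, lazily, so a /8 never
    sits in memory. The key is the record name you will store; the query is the IP,
    which is what gethostbyaddr wants."""
    for addr in ipaddress.ip_network(cidr, strict=False):
        yield reverse_name(addr), str(addr)


def forward_names(domain, wordlist):
    """Yield (label, fqdn) for a subdomain brute force: ('gw', 'gw.companyx.com')."""
    for label in wordlist:
        label = label.strip().lower()
        if label:
            yield label, f"{label}.{domain}"


def resolve_ptr(ip):
    """Real PTR lookup through the system resolver; None when nothing answers."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / gaierror are OSError subclasses
        return None


def resolve_a(name):
    """Real A lookup; None on NXDOMAIN, SERVFAIL or timeout."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


class RateLimiter:
    """Hand out start slots so that at most `rate` queries begin per second,
    counted across all worker threads (the lock covers the slot arithmetic only)."""

    def __init__(self, rate):
        self.interval = 1.0 / rate
        self.lock = threading.Lock()
        self.next_at = time.monotonic()

    def wait(self):
        with self.lock:
            slot = max(self.next_at, time.monotonic())
            self.next_at = slot + self.interval
        delay = slot - time.monotonic()
        if delay > 0:
            time.sleep(delay)


def throttled_resolve(items, resolve, rate=200, workers=20, chunk=1000):
    """Resolve (key, query) pairs with `workers` threads at `rate` queries/second
    in total. `items` is consumed in chunks so huge generators stay lazy.
    Returns {key: answer} for the queries that got an answer."""
    limiter = RateLimiter(rate)
    results = {}

    def job(pair):
        key, query = pair
        limiter.wait()
        return key, resolve(query)

    it = iter(items)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        while True:
            batch = list(itertools.islice(it, chunk))
            if not batch:
                break
            for key, answer in pool.map(job, batch):
                if answer is not None:
                    results[key] = answer
    return results


if __name__ == "__main__":
    # Demo targets: TEST-NET-1 (RFC 5737) and a placeholder domain, at 5 queries/second.
    print(throttled_resolve(reverse_names("192.0.2.0/29"), resolve_ptr, rate=5))
    print(throttled_resolve(forward_names("companyx.com", ["www", "gw", "mail"]), resolve_a, rate=5))
```

The rate is per limiter, so one `throttled_resolve` call per target network (or per authoritative server) gives you a per-victim cap; the thread count only controls how many slow answers you can wait on at once.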
  • a bunch of text files...
    •  40 GBs of text files
    •  Most commands don't like receiving 30,000+ text files in STDIN
    •  I broke grep...
    •  xargs -I mutex FTW
    •  668,246,000 - Initial DB load
  • REALLY SLOW TO SEARCH... we’ll come back to this...
  • So I bought one of these...
  • from
  • and someone forgot to format it...
  • now what?
  • Continuing the addiction
  • there’s more?!!!
  • There are 66 types but over 200 in use that I've found
  • what s the fastest way to get them?
  • Zone Transfer kickin it like it s 1999
  • What is a Zone?
  • MICROSOFT IS WRONG ok... well, somewhat wrong
  • What is a Zone? these are zones
  • HD Moore: "It's 2012 and you can still perform zone transfers from 65 of 312 TLDs, including ORG, INFO, PRO, and XXX (zones: http://t.co/rwFQbzjw )"
  • What is a Zone? this is also a zone
  • B, C, F, G, and K. Why? I don't know...
  • but...
    •  COM, NET failed to transfer their zones
  • learning when to quit...
  • What is a Zone?
  • What other sources?
  • Alexa Top “One Million” Domains
  • 908584: 0: Testing AXFR on ns899.hostgator.com. for lancasterpuppies.com - Output: 4
    908584: 1: Testing AXFR on ns900.hostgator.com. for lancasterpuppies.com - Output: 4
    908585: 0: Testing AXFR on ns1.webserver.at. for promi.at - Output: 16
    908585: 1: Testing AXFR on ns2.webserver.at. for promi.at - Output: 16
    908586: 0: Testing AXFR on ns2.bluehost.com. for eveliux.com - Output: 41
    908586: 1: Testing AXFR on ns1.bluehost.com. for eveliux.com - Output: 41
    908587: 0: Testing AXFR on ns2.hongkonghosting.com.hk. for godiva.com.hk - Output: 4
    908587: 1: Testing AXFR on ns1.hongkonghosting.com.hk. for godiva.com.hk - Output: 4
    908588: 0: Testing AXFR on ns01.businesscatalyst.com. for willcuttguitars.com - Output: 4
  • NS2 FTW!!
  • 21 and 22
  • Making OSINT easy...
    •  xxx.xxx.net. 38400 IN HINFO "intel" "linux"
    •  _xmpp-server._tcp.im.xx.net. 86400 IN SRV 5 0 5269 im.xx.net.
    •  admin.xx.net. 86400 IN SSHFP 1 1 493E20AA602AA0844823DD5CDF4F4A013B61FACD
    •  xx.xx.ru. 10800 IN HINFO "SCSI/Pentium/133" "BSDI3.1"
    •  admin.xx.k12.xx.us. 86400 IN HINFO "PC" "MS-WINDOWS-98"
    •  www.xx.net. 86400 IN HINFO "NonAlpha" "NetBSD"
  • TXT records are not your password manager
    •  xxxx.xxx.net. 86400 IN TXT "ssh: F8nn2009#@ppyf33t"
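The AXFR log a few slides back ("Testing AXFR on ns2... - Output: 41") and the HINFO/SRV/SSHFP/TXT finds above are two halves of one loop: try the transfer on every NS of a domain, then sift what comes back for records that tell you more than name-to-address. Here is an added example of that loop, not the tooling from the talk: `try_axfr` shells out to `dig` with `+noall +answer` (a refused transfer leaves only a `; Transfer failed.` comment, which the parser ignores, so a refusal is simply an empty list), `parse_zone_lines` turns dig's presentation format into records, and `interesting` flags the types the slides call out plus TXT data that looks like a credential. The sample zone is constructed from the redacted records on the slides with an invented SOA, A and SPF line added so the filter has something to leave out.

```python
import re
import subprocess

# One resource record in dig's presentation format:  owner  ttl  class  type  rdata
RR_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+(?P<cls>IN|CH|HS)\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.*\S)\s*$"
)

# Words that, inside a TXT record, usually mean someone used DNS as a notepad.
SECRET_RE = re.compile(r"(pass|pwd|ssh|secret|key|token)", re.I)


def parse_zone_lines(text):
    """Parse dig AXFR output into a list of record dicts. Blank lines and ';'
    comments (including dig's '; Transfer failed.') are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ttl"] = int(rec["ttl"])
            records.append(rec)
    return records


def interesting(records):
    """Records that give away more than an address: OS/hardware (HINFO), service
    ports (SRV), host-key fingerprints (SSHFP), location/contact (LOC, RP) and
    TXT records that look like credentials."""
    hits = []
    for r in records:
        if r["type"] in ("HINFO", "SRV", "SSHFP", "LOC", "RP"):
            hits.append(r)
        elif r["type"] == "TXT" and SECRET_RE.search(r["rdata"]):
            hits.append(r)
    return hits


def try_axfr(domain, nameserver, timeout=15):
    """Ask one authoritative server for the whole zone; [] when it refuses
    or does not answer. Needs dig on PATH and network access."""
    cmd = ["dig", f"@{nameserver}", domain, "AXFR", "+noall", "+answer",
           f"+time={timeout}", "+tries=1"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return parse_zone_lines(out.stdout)


def check_domain(domain):
    """{nameserver: record count} for every NS of the domain, like the slide's log.
    Each NS is tried separately because, as the 'NS2 FTW' slide shows, the
    secondaries are often the ones that leak."""
    ns_out = subprocess.run(["dig", "+short", "NS", domain],
                            capture_output=True, text=True, check=False)
    return {ns: len(try_axfr(domain, ns)) for ns in ns_out.stdout.split()}


# Constructed sample zone: the slides' redacted records plus an SOA, an A and an SPF TXT.
SAMPLE_ZONE = """\
; <<>> DiG 9.18 <<>> @ns2.xx.net xx.net AXFR
xx.net.                      86400 IN SOA   ns1.xx.net. hostmaster.xx.net. 2012010101 3600 900 604800 86400
xxx.xx.net.                  38400 IN HINFO "intel" "linux"
_xmpp-server._tcp.im.xx.net. 86400 IN SRV   5 0 5269 im.xx.net.
admin.xx.net.                86400 IN SSHFP 1 1 493E20AA602AA0844823DD5CDF4F4A013B61FACD
www.xx.net.                  86400 IN A     192.0.2.10
xxxx.xx.net.                 86400 IN TXT   "ssh: F8nn2009#@ppyf33t"
notes.xx.net.                86400 IN TXT   "v=spf1 -all"
"""

if __name__ == "__main__":
    for r in interesting(parse_zone_lines(SAMPLE_ZONE)):
        print(r["name"], r["type"], r["rdata"])
```

A transfer that succeeds on one NS and fails on the others is the common case, so never stop at the first refusal; and the SOA appears twice in a real AXFR (first and last record), which is why counts from dig are one higher than the number of distinct records.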
  • same problem: lots of text files -> database = slow searching, and how do you put 200+ DNS types into a database?
  • Becoming a DBA
  • TEAM not telling you the back-end... at least on camera
  • What would you search for?
  • there’s more?!!!
  • DNS
  • Sources
    •  Alexa
    •  Zone Transfers
    •  Brute forcing with an actively updated list of the Top 50,000 sub zones
    •  MassResolve
    •  My wife's DNS traffic
    •  Other online resources
    •  You! If you want to submit a DNS log for your company GREAT! ;-) or a ZT, or just want me to update a domain, I accept it all.
  • 9109 sites in database
  • Parsing
    •  New NS records go to ZT and Domain brute forcer
    •  New A records go to PTR and Type brute forcer
    •  New PTR records attempt to resolve forward and break down into zones then go to respective parsers
    •  New other records go to Type Brute forcer
    •  Anything older than 6 months gets rechecked
    •  MOR PARSERS!!
    •  you see where this is going.....
    •  New input gets checked against DB, new records get ADDED, they don't replace, so historical data will stay with date/time stamps
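The talk keeps its back-end off camera, so the following is an added example of my own, not the deepmagic.com schema, answering the two questions the slides raise: how to put 200+ record types into one table, and how to add without replacing so history survives. The trick for the first is to store the type and the rdata as text in presentation format (every type has one, even unknown ones via RFC 3597's TYPEnnn syntax), so the schema never changes when a new type shows up. For the second, the unique key is (name, type, rdata): a re-sighting bumps `last_seen`, a changed answer becomes a new row beside the old one, and `due_for_recheck` implements the "older than 6 months gets rechecked" rule. It uses SQLite from the standard library; the "everything" search is a plain substring match, which is exactly why it is slow at scale.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

SCHEMA = """
CREATE TABLE IF NOT EXISTS rr (
    id         INTEGER PRIMARY KEY,
    name       TEXT NOT NULL,   -- owner name, lowercased, with trailing dot
    rtype      TEXT NOT NULL,   -- 'A', 'HINFO', 'SSHFP', 'TYPE65280'...: any type is just text
    rdata      TEXT NOT NULL,   -- presentation format, so every type fits the same column
    source     TEXT NOT NULL,   -- 'axfr', 'ptr', 'brute', 'log'...
    first_seen TEXT NOT NULL,   -- ISO-8601 UTC, sortable as text
    last_seen  TEXT NOT NULL,
    UNIQUE (name, rtype, rdata)
);
CREATE INDEX IF NOT EXISTS rr_name  ON rr (name);
CREATE INDEX IF NOT EXISTS rr_rdata ON rr (rdata);
"""


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.row_factory = sqlite3.Row
    db.executescript(SCHEMA)
    return db


def norm(name):
    """Canonical owner name so 'GW.CompanyX.com' and 'gw.companyx.com.' collide."""
    return name.strip().lower().rstrip(".") + "."


def add_record(db, name, rtype, rdata, source, seen=None):
    """Add a record if it is new, else only bump last_seen. A changed answer becomes
    a second row; the old one stays, so history survives. Returns True when new."""
    when = (seen or datetime.now(timezone.utc)).isoformat()
    key = (norm(name), rtype.upper(), rdata)
    row = db.execute("SELECT id FROM rr WHERE name=? AND rtype=? AND rdata=?", key).fetchone()
    if row:
        db.execute("UPDATE rr SET last_seen=? WHERE id=?", (when, row["id"]))
        return False
    db.execute(
        "INSERT INTO rr (name, rtype, rdata, source, first_seen, last_seen) VALUES (?,?,?,?,?,?)",
        key + (source, when, when))
    return True


def history(db, name, rtype=None):
    """Every value ever seen for a name (optionally one type), oldest first."""
    sql = "SELECT * FROM rr WHERE name=?"
    args = [norm(name)]
    if rtype:
        sql += " AND rtype=?"
        args.append(rtype.upper())
    return db.execute(sql + " ORDER BY first_seen, id", args).fetchall()


def search(db, term):
    """The 'everything' search: substring match over owner names and rdata."""
    like = f"%{term}%"
    return db.execute("SELECT * FROM rr WHERE name LIKE ? OR rdata LIKE ? ORDER BY name",
                      (like, like)).fetchall()


def due_for_recheck(db, now=None, max_age_days=183):
    """(name, rtype) pairs not confirmed in the last six months, to feed back
    into the resolvers and parsers."""
    now = now or datetime.now(timezone.utc)
    cutoff = (now - timedelta(days=max_age_days)).isoformat()
    rows = db.execute("SELECT DISTINCT name, rtype FROM rr WHERE last_seen < ? ORDER BY name, rtype",
                      (cutoff,))
    return [(r["name"], r["rtype"]) for r in rows]


if __name__ == "__main__":
    # Constructed walk-through with a placeholder domain: one A record changes over time.
    db = open_db()
    t0 = datetime(2012, 1, 1, tzinfo=timezone.utc)
    add_record(db, "gw.companyx.com", "A", "192.0.2.1", "brute", t0)
    add_record(db, "gw.companyx.com", "A", "192.0.2.2", "axfr", t0 + timedelta(days=200))
    for r in history(db, "gw.companyx.com"):
        print(r["rtype"], r["rdata"], r["first_seen"], r["last_seen"])
    print(due_for_recheck(db, now=t0 + timedelta(days=200)))
```

Because rdata is text, multi-string TXT records and unknown types go in verbatim; if you later need typed queries (say, every A record inside a CIDR) add a derived column for that type rather than changing the generic table.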
  • DNS traffic...
    •  In September of 2011, DNS traffic surpassed my family's TOTAL other bandwidth per month...
  • How is this different from Shodan?
    •  Results aren't based on open ports
    •  I'm not going to monetize it, I'm doing it for my use, but since it needs to be available everywhere so I can use it, so can you ;-)
    •  And I'll give you the code to do it yourself if you want to... although...
  • there’s more?!!!
  • Why is this useful?
    •  Because now I have one place to get as much data as I can on a target in regards to DNS (including historical) and I never have to touch one of their servers
  • and here it is... https://www.deepmagic.com/
    •  $record_type (remember the (s)), I usually have mean stuff on 80
    •  "everything" search is kludgy right now, I am not a web coder
    •  Free to use, and always will be (PERIOD)
    •  That means I make no money on it
    •  Logs last for 24 hours, so I can catch issues, then they go to /dev/null
    •  And those will never be released to anyone as long as I can help it, and if that does happen I will just pull it down
  • Next steps...
    •  Integration with Sho-nuff
    •  Ideas? Ways to make it better?
    •  DARPA Security Fast Track?
  • How'd I do, Jason?
  • Questions?
    •  Rob Fuller
    •  @mubix
    •  mubix@hak5.org