xmap icon indicating copy to clipboard operation
xmap copied to clipboard
verified publisher icon idealeer

DNS Probing Module

Open idealeer opened this issue 3 years ago • 4 comments

Help

Type xmap -4 -h -M dnsx -O json to show the help information.

This module sends out DNS queries and parses basic responses. By default, the module performs an A record lookup for www.qq.com. You can specify other queries using the --probe-args argument in the form: label_type:input_src:type,query;type,query, e.g., raw:text:A,qq.com;NS,qq.com. The module supports sending the the following types of queries: A, NS, CNAME, SOA, PTR, MX, TXT, AAAA, RRSIG, ANY, SIG, SRV, DS, DNSKEY, TLSA, SVCB, HTTPS, CAA, and HTTPSSVC. The module will accept and attempt to parse all DNS responses. There is currently support for parsing out full data from A, NS, CNAME, MX, TXT, and AAAA. Query format: label_type:recurse:input_src:type,query;type,query Any other types will be output in raw form.  label_type: raw, str, time, random, dst-ip   raw: do nothing to the query domain, e.g., qq.com   str: add the 'str' subdomain www, e.g., www.qq.com   time: add the s+μs subdomain, e.g., 1620027515-568043.qq.com   random: add random subdomain lefzwnrq, e.g., lefzwnrq.qq.com   dst-ip: add probe num + src ip, e.g., 1.1-2-3-4.qq.comrecurse: recurse, no-recurse   recurse: recursive query   no-recurse: non-recursive query  input_src: text, file   text: like A,qq.com;AAAA,qq.com   file: each line is like a text  type: A, NS, CNAME, SOA, PTR, MX, TXT, AAAA, RRSIG, ANY, SIG,   SRV, DS, DNSKEY, TLSA, SVCB, HTTPS, CAA, and HTTPSSVCquery: A,qq.com;AAAA,qq.com Examples:  --probe-args="raw/time/random:recurse/no-recurse:text:type,query"  --probe-args="raw/time/random:recurse/no-recurse:file:file_name"  --probe-args="str:SomeText:recurse/no-recurse:text:type,query"  --probe-args="str:SomeText:recurse/no-recurse:file:file_name"  --probe-args="dst-ip:recurse/no-recurse:text:type,query"  --probe-args="dst-ip:recurse/no-recurse:file:file_name"

Usage Examples

  1. Query qq.com A targeting 8.8.8.8:

xmap -4 -x 32 -p 53 -M dnsx -O json --output-fields="*" --output-filter="success = 1 || success = 0" -P 1 --probe-args="raw:recurse:text:A,qq.com" -R 1000 -o result.txt 8.8.8.8

  1. Query qq.com A and baidu.com NS targeting 8.8.8.8:

xmap -4 -x 32 -p 53 -M dnsx -O json --output-fields="*" --output-filter="success = 1 || success = 0" -P 2 --probe-args="raw:recurse:text:A,qq.com;NS,baidu.com" -R 1000 -o result.txt 8.8.8.8

  1. Query each domain from a domain.txt targeting all IPs from a ip.txt:

xmap -4 -x 32 -p 53 -M dnsx -O json --output-fields="*" --output-filter="success = 1 || success = 0" -P domain_number --probe-args="raw:recurse:file:domain.txt" -R 1000 -o result.txt -I ip.txt

Note: Each line in domain.txt is in the form like A,qq.com and -P domain_number = the number of domains.

idealeer avatar Oct 20 '22 01:10 idealeer

我想用这个工具,做一些DNS系统的漏洞自测,我发现你论文中提供的test.tudoor.net工具已经不能打开了

我该怎么用这个工具来构造包自测?

zhangbufan avatar Dec 21 '23 11:12 zhangbufan

tudoor的数据包构造是在权威服务器侧,这个使用python+scapy就可以了。

idealeer avatar Jan 13 '24 12:01 idealeer

@idealeer are these also the commands we can use to identify vulnerable DNS resolvers/auths? if not, can you show some examples of these commands?

nerotix avatar Aug 06 '24 14:08 nerotix

before scanning, what types of vulnerable resolvers do you want to find?

idealeer avatar Aug 09 '24 02:08 idealeer