Skip to content

m-1tZ/dnstake2

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

DNSTake2

MODIFIED VERSION OF https://github.com/pwnesia/dnstake

DNSTake

A fast tool to check missing hosted DNS zones that can lead to subdomain takeover.


New Features

  • CNAME aware (follows CNAMES)
  • Checks hostname against each NS to find that weird one

What is a DNS takeover?

DNS takeover vulnerabilities occur when a subdomain (subdomain.example.com) or domain has its authoritative nameserver set to a provider (e.g. AWS Route 53, Akamai, Microsoft Azure, etc.) but the hosted zone has been removed or deleted. Consequently, when making a request for DNS records the server responds with a SERVFAIL error. This allows an attacker to create the missing hosted zone on the service that was being used and thus control all DNS records for that (sub)domain.¹

Installation

from Binary

The ez way! You can download a pre-built binary from releases page, just unpack and run!

from Source

NOTE: Go 1.16+ compiler should be installed & configured!

Very quick & clean!

▶ go install github.com/m-1tZ/dnstake2@latest

— or

Manual building executable from source code:

▶ git clone https://github.com/m-1tZ/dnstake2
▶ go build .
▶ (sudo) mv dnstake /usr/local/bin

Usage

$ dnstake -h

  ·▄▄▄▄   ▐ ▄ .▄▄ ·▄▄▄▄▄ ▄▄▄· ▄ •▄ ▄▄▄ .
  ██▪ ██ •█▌▐█▐█ ▀.•██  ▐█ ▀█ █▌▄▌▪▀▄.▀·
  ▐█· ▐█▌▐█▐▐▌▄▀▀▀█▄▐█.▪▄█▀▀█ ▐▀▀▄·▐▀▀▪▄ 2
  ██. ██ ██▐█▌▐█▄▪▐█▐█▌·▐█ ▪▐▌▐█.█▌▐█▄▄▌
  ▀▀▀▀▀• ▀▀ █▪ ▀▀▀▀ ▀▀▀  ▀  ▀ ·▀  ▀ ▀▀▀


Usage:
  [stdin] | dnstake2 [options]
  dnstake2 -t HOSTNAME [options]

Options:
  -t, --target <HOST/FILE>    Define single target host/list to check
  -c, --concurrent <i>        Set the concurrency level (default: 25)
  -s, --silent                Suppress errors and/or clean output
  -o, --output <FILE>         Save vulnerable hosts to FILE
  -a, --availability          Checks whether the domain is available (dns.google)
  -h, --help                  Display its help


Examples:
  dnstake2 -t (sub.)domain.tld
  dnstake2 -t hosts.txt
  dnstake2 -t hosts.txt -o ./dnstake2.out
  dnstake2 -t hosts.txt -a -o ./dnstake2.out
  cat hosts.txt | dnstake2
  subfinder -silent -d domain.tld | dnstake2

Workflow

DNSTake use RetryableDNS client library to send DNS queries. Initial engagement using Google & Cloudflare DNS as the resolver, then check & fingerprinting the nameservers of target host — if there is one, it will resolving the target host again with its nameserver IPs as resolver, if it gets weird DNS status response (other than NOERROR/NXDOMAIN), then it's vulnerable to be taken over. More or less like this in form of a diagram.

Currently supported DNS providers, see here.

References

TODO

  • Use fasthttp of golang to increase performance

About

No description, website, or topics provided.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages