Skip to content

m-1tZ/dnstake2

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
internal
internal
 
 
pkg
pkg
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

DNSTake2

MODIFIED VERSION OF https://github.com/pwnesia/dnstake

DNSTake

A fast tool to check missing hosted DNS zones that can lead to subdomain takeover.

New Features

  • CNAME aware (follows CNAMES)
  • Checks hostname against each NS to find that weird one

What is a DNS takeover?

DNS takeover vulnerabilities occur when a subdomain (subdomain.example.com) or domain has its authoritative nameserver set to a provider (e.g. AWS Route 53, Akamai, Microsoft Azure, etc.) but the hosted zone has been removed or deleted. Consequently, when making a request for DNS records the server responds with a SERVFAIL error. This allows an attacker to create the missing hosted zone on the service that was being used and thus control all DNS records for that (sub)domain.¹

Installation

from Binary

The ez way! You can download a pre-built binary from releases page, just unpack and run!

from Source

NOTE: Go 1.16+ compiler should be installed & configured!

Very quick & clean!

▶ go install github.com/m-1tZ/dnstake2@latest

— or

Manual building executable from source code:

▶ git clone https://github.com/m-1tZ/dnstake2
▶ go build .
▶ (sudo) mv dnstake /usr/local/bin

Usage

$ dnstake -h

  ·▄▄▄▄   ▐ ▄ .▄▄ ·▄▄▄▄▄ ▄▄▄· ▄ •▄ ▄▄▄ .
  ██▪ ██ •█▌▐█▐█ ▀.•██  ▐█ ▀█ █▌▄▌▪▀▄.▀·
  ▐█· ▐█▌▐█▐▐▌▄▀▀▀█▄▐█.▪▄█▀▀█ ▐▀▀▄·▐▀▀▪▄ 2
  ██. ██ ██▐█▌▐█▄▪▐█▐█▌·▐█ ▪▐▌▐█.█▌▐█▄▄▌
  ▀▀▀▀▀• ▀▀ █▪ ▀▀▀▀ ▀▀▀  ▀  ▀ ·▀  ▀ ▀▀▀


Usage:
  [stdin] | dnstake2 [options]
  dnstake2 -t HOSTNAME [options]

Options:
  -t, --target <HOST/FILE>    Define single target host/list to check
  -c, --concurrent <i>        Set the concurrency level (default: 25)
  -s, --silent                Suppress errors and/or clean output
  -o, --output <FILE>         Save vulnerable hosts to FILE
  -a, --availability          Checks whether the domain is available (dns.google)
  -h, --help                  Display its help


Examples:
  dnstake2 -t (sub.)domain.tld
  dnstake2 -t hosts.txt
  dnstake2 -t hosts.txt -o ./dnstake2.out
  dnstake2 -t hosts.txt -a -o ./dnstake2.out
  cat hosts.txt | dnstake2
  subfinder -silent -d domain.tld | dnstake2

Workflow

DNSTake use RetryableDNS client library to send DNS queries. Initial engagement using Google & Cloudflare DNS as the resolver, then check & fingerprinting the nameservers of target host — if there is one, it will resolving the target host again with its nameserver IPs as resolver, if it gets weird DNS status response (other than NOERROR/NXDOMAIN), then it's vulnerable to be taken over. More or less like this in form of a diagram.

Currently supported DNS providers, see here.

References

TODO

  • Use fasthttp of golang to increase performance

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages