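#!/usr/bin/perl
# brute-dns.pl -- enumerate hostnames under a domain with host(1).
#
# Flow: parse options, print the zone's NS/MX/TXT records, then query a
# built-in list of candidate hostnames (plus numeric and letter variants of
# each), then optionally every word of a dictionary file.  Each candidate is
# one host(1) invocation, so a run is visible on the resolver as a long,
# NXDOMAIN-heavy sequence of queries; -w only spaces them out.
#
# The page this file came from had the source collapsed onto a few lines and
# the usage heredoc / dictionary read loop stripped by an HTML filter; both
# are restored here.  Other fixes: strict/warnings, 3-arg open with a lexical
# handle, host(1) run via fork+exec instead of an interpolated shell
# pipeline, full output captured (the old `my($res) = \`...\`` kept only the
# first line of every answer), the unused `()` prototype on Lookup dropped,
# and the dead $DEBUG/$opt_d assignment removed.
use strict;
use warnings;
use Time::HiRes qw(usleep);
use Getopt::Long;

our $version = '$Id: brute-dns.pl,v 1.4 2007/09/25 11:34:55 torh Exp $';
## (c) 2007 torh@bogus.net
$| = 1;    # unbuffered so answers appear while the sweep is still running

# Option values.  -w/-t were "=s" in the original; "=i" rejects non-numeric
# values up front instead of failing later with "Illegal modulus zero".
# "--dict=s" is equivalent to "dict=s" (Getopt::Long strips the prefix).
my ($opt_h, $wait, $tick, $domain, $dict);
GetOptions(
    "h"        => \$opt_h,
    "w=i"      => \$wait,
    "t=i"      => \$tick,
    "domain=s" => \$domain,
    "dict=s"   => \$dict,
) or exit(1);

if ($opt_h) {
    # Help text reconstructed from the option list; the original heredoc was
    # lost to markup stripping.
    print <<"EOM";
usage: $0 [-w usec] [-t n] [--dict file] --domain name
-h : this
-w usec : wait usec microseconds before next DNS query (OPTIONAL)
-t n : show status indicator after every n queries (OPTIONAL)
--dict file : use file as secondary input (OPTIONAL)
--domain name : query name (MANDATORY)
EOM
    exit(0);
}

# Built-in candidate labels, in the original order.  "win" appears twice and
# is therefore queried twice, as before.
my @common = qw(
    ns www vpn mail dev intra net mx login dialup
    dialin voip gw gateway devel development lookingglass
    monitor snmp smtp http gate router ad doc devil
    server cisco 3com switch fw firewall hpov dn ca
    juniper zeus mars apollo web mobile wap ecom domain
    ecommerce commerce odin tor thor loki luke solo
    diana c3p0 r2d2 thx1138 pic video sale remote
    evil good donald mickey scan laserjet lj win cart
    print printer scanner docutech search db database dc
    oracle sybase mssql sql mysql irc chat ftp ssh
    scp manage public private dhcp sap blog nt xp
    win windows balder baldur hugin munin nas san
    brocade ibm rs9000 rs9k blue exchserv exchange pdc
    qmail sendmail exim exch owa lotus domino java bdc
    dyn skywalker obi-wan kenobi vader darth goofy
    batman superman flash spiderman spider-man hulk angel
    wolverine penguin linux openbsd debian redhat standby
    backup dr disaster recovery offline online isa imail
    isaserver proxy squid secure insecure ra radius
    tacac ldap id sensor tap trap boot tftp union
    interface customer client extranet bigip bill billing
    jumpstart openview carp traffic trafmon bgp core zebra
    rr reflector route-reflector honeypot honey hp wlan
    wan gc stick stone bone ora oradb bh black
    blackhole grey virus av screen clean mcafee clam
    clamav adm admin trade mms mm b2b home content
    user gopher call sip pbx pabx connect einstein
    lib library directory order orion mitel asterisk
    edoc training beta alpha fire mirror book ebook
    tour tv portal store eagle falcon f4 f5 people
    tornado balance lb forum preview gallery gallerie
    partner statistic stat jsp pda alert hr personal
    ronin corp corporate access account accounting agent
    active inactive ap apple archive citrix office
    teleworker tele work controller conf conference cpanel
    developer example exec dmz ds download up down
    files fileserver finance feed event desktop demo
    ftpd helpdesk ilo lightsout group game hotspot intern
    internal imap pop pop3 ipsec irix lab member lan
    mrtg cacti neon netmail meeting mmc maps netmeeting
    oper operation outlook notes nntp news newsfeed live
    static noc netscaler netscreen netstat postgres ppp
    relay report research rss share sharepoint security
    sandbox stage sun solaris mom sus tmp temp ts
    fddi uddi unix virt virtual staff center centre
    central webadmin vnc wingate wsus xml xss
);

# The domain is mandatory; the original only tested for emptiness, the
# character check here matches what the error message already promises.
if (!$domain || $domain !~ /\A[A-Za-z0-9._-]+\z/) {
    print "STOP: valid domain name required (--domain=example.com)\n";
    exit(0);
}

# Truthiness is kept on purpose: "-w 0" / "-t 0" behave as "not given".
my $sleep = $wait ? $wait : 6000;    # microseconds between queries
my $mod   = $tick ? $tick : 0;       # 0 disables the progress marker
my $SHOUT = 1;                       # one progress marker per word at most

# Output lines dropped from host(1) answers.  The untyped query only dropped
# NXDOMAIN in the original; the MX/TXT queries also dropped " has no ".
my $SKIP_NXDOMAIN = qr/NXDOMAIN/;
my $SKIP_NOISE    = qr/NXDOMAIN| has no /;

print "DNS,MX and any TXT records for $domain:\n";
print _host_query($domain, 'NS',  $SKIP_NXDOMAIN);
print _host_query($domain, 'MX',  $SKIP_NOISE);
print _host_query($domain, 'TXT', $SKIP_NOISE);

print "\nTrying built-in hostnames (and variants)...\n";
my $c = 0;    # index of the current word, shown by the progress marker
for my $word (@common) {
    # Variant order is the original's: bare word, then for n in 0..2 the
    # forms word<n> word0<n> word-<n> word-0<n>, then a/-a b/-b c/-c, # and s.
    my @variants = ($word);
    for my $n (0 .. 2) {
        push @variants, "$word$n", "${word}0$n", "$word-$n", "$word-0$n";
    }
    push @variants, map { ("$word$_", "$word-$_") } qw(a b c);
    push @variants, "$word#", "${word}s";
    for my $name (@variants) {
        Lookup($c, $name, $domain);
        usleep($sleep);
    }
    $c++;
    $SHOUT = 1;
}

if ($dict && -r $dict) {
    print "Trying words in $dict ...\n";
    if (open(my $dict_fh, '<', $dict)) {
        while (my $line = <$dict_fh>) {
            # The original also had "$SHOUT=1 if $c % 25 == 0" here; it was a
            # no-op because $SHOUT is reset to 1 at the end of every iteration.
            if ($line =~ /^([a-z0-9\-_]+)/i) {
                my $word = $1;
                for my $name ($word, map { ("$word$_", "$word-$_") } qw(a 0 1)) {
                    Lookup($c, $name, $domain);
                    usleep($sleep);
                }
            }
            # Counted even when the line yields no word, as before.
            $c++;
            $SHOUT = 1;
        }
        close($dict_fh);
    }
    else {
        warn "open $dict: $!\n";
    }
}

# Query $host.$domain; when there is an answer print it together with any
# MX and TXT records, then print a progress marker every $mod words.
# $count is the word index; $SHOUT (reset per word by the caller) makes sure
# the marker is printed once per word even though Lookup runs many times.
sub Lookup {
    my ($count, $host, $domain) = @_;
    my $name = "$host.$domain";
    my $res = _host_query($name, undef, $SKIP_NXDOMAIN);
    if ($res) {
        print $res;
        for my $type (qw(MX TXT)) {
            my $extra = _host_query($name, $type, $SKIP_NOISE);
            print $extra if $extra;
        }
    }
    if ($mod && $count > 0 && $count % $mod == 0) {
        print "->> $count : $host\n" if $SHOUT;
        $SHOUT = 0;
    }
    return;
}

# Run host(1) for $name (absolute, a trailing dot is appended) with record
# type $type when defined, and return its output minus lines matching $skip.
# The child is fork+exec'd with an argument list, so no part of $name or
# $type is ever seen by a shell; stderr is merged into the captured output,
# which is what the original `2>&1 > /dev/stdout` pipeline amounted to.
# Returns '' when nothing survives the filter or host could not be started.
sub _host_query {
    my ($name, $type, $skip) = @_;
    my @args = defined $type ? ('-t', $type, "$name.") : ("$name.");
    my $pid = open(my $fh, '-|');    # two-arg '-|' forks; child writes to $fh
    if (!defined $pid) {
        warn "fork for host: $!\n";
        return '';
    }
    if ($pid == 0) {
        # child: route stderr into the pipe too, then replace ourselves
        open(STDERR, '>&', \*STDOUT) or exit 127;
        exec('host', @args) or exit 127;
    }
    my @lines = grep { $_ !~ $skip } <$fh>;
    close($fh);
    return join('', @lines);
}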