Class: Ronin::Recon::DNS::SRVEnum

Inherits:
Ronin::Recon::DNSWorker
Defined in:
lib/ronin/recon/builtin/dns/srv_enum.rb

Overview

Finds other host names by querying common SRV record names under a domain.

Constant Summary

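# Common SRV record names.
#
# Each entry is prefixed to the target domain (`"#{name}.#{domain.name}"`)
# and then looked up as an SRV record by {#process}. The list is frozen so
# that a worker cannot accidentally mutate the shared wordlist.
#
# NOTE(review): `_imap.tcp` and `_kerberos.tcp.dc._msdcs` lack the `_`
# before `tcp` and so do not follow the `_service._proto` convention; they
# look like typos for the `_imap._tcp` and `_kerberos._tcp.dc._msdcs`
# entries already listed below — confirm before removing them.
RECORD_NAMES = %w[
  _gc._tcp
  _kerberos._tcp
  _kerberos._udp
  _ldap._tcp
  _test._tcp
  _sips._tcp
  _sip._udp
  _sip._tcp
  _aix._tcp
  _finger._tcp
  _ftp._tcp
  _http._tcp
  _nntp._tcp
  _telnet._tcp
  _whois._tcp
  _h323cs._tcp
  _h323cs._udp
  _h323be._tcp
  _h323be._udp
  _h323ls._tcp
  _https._tcp
  _h323ls._udp
  _sipinternal._tcp
  _sipinternaltls._tcp
  _sip._tls
  _sipfederationtls._tcp
  _jabber._tcp
  _xmpp-server._tcp
  _xmpp-client._tcp
  _xmpp-server._udp
  _xmpp-client._udp
  _imap.tcp
  _certificates._tcp
  _crls._tcp
  _pgpkeys._tcp
  _pgprevokations._tcp
  _cmp._tcp
  _svcp._tcp
  _crl._tcp
  _ocsp._tcp
  _PKIXREP._tcp
  _smtp._tcp
  _hkp._tcp
  _hkps._tcp
  _jabber._udp
  _jabber-client._tcp
  _jabber-client._udp
  _kerberos.tcp.dc._msdcs
  _ldap._tcp.ForestDNSZones
  _ldap._tcp.dc._msdcs
  _ldap._tcp.pdc._msdcs
  _ldap._tcp.gc._msdcs
  _kerberos._tcp.dc._msdcs
  _kpasswd._tcp
  _kpasswd._udp
  _imap._tcp
  _imaps._tcp
  _submission._tcp
  _pop3._tcp
  _pop3s._tcp
  _caldav._tcp
  _caldavs._tcp
  _carddav._tcp
  _carddavs._tcp
  _x-puppet._tcp
  _x-puppet-ca._tcp
  _autodiscover._tcp
].freeze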

Constants included from Mixins::DNS

Mixins::DNS::IDN, Mixins::DNS::RECORD_TYPES

Instance Attribute Summary

Attributes included from Mixins::DNS

#dns_resolver

Instance Method Summary

Methods included from Mixins::DNS

#dns_get_a_address, #dns_get_a_addresses, #dns_get_a_record, #dns_get_a_records, #dns_get_aaaa_address, #dns_get_aaaa_addresses, #dns_get_aaaa_record, #dns_get_aaaa_records, #dns_get_address, #dns_get_addresses, #dns_get_any_records, #dns_get_cname, #dns_get_cname_record, #dns_get_hinfo_record, #dns_get_loc_record, #dns_get_mailservers, #dns_get_minfo_record, #dns_get_mx_records, #dns_get_name, #dns_get_names, #dns_get_nameservers, #dns_get_ns_records, #dns_get_ptr_name, #dns_get_ptr_names, #dns_get_ptr_record, #dns_get_ptr_records, #dns_get_record, #dns_get_records, #dns_get_soa_record, #dns_get_srv_records, #dns_get_txt_record, #dns_get_txt_records, #dns_get_txt_string, #dns_get_txt_strings, #dns_get_wks_records, #initialize

Methods inherited from Worker

accepts, concurrency, #initialize, intensity, outputs, register, run

Instance Method Details

#process(domain) {|host| ... } ⇒ Object

Brute-force resolves common SRV record names under a domain.

Parameters:

Yields:

  • (host)

    A host discovered from an SRV record under the domain.

Yield Parameters:

  • host (Values::Host)

    A host name pointed to by an SRV record under the domain.



# File 'lib/ronin/recon/builtin/dns/srv_enum.rb', line 134

# Brute-force resolves common SRV record names beneath a domain.
#
# Every {RECORD_NAMES} entry is prefixed to `domain.name` and pushed onto a
# bounded queue; `params[:concurrency]` consumer tasks drain that queue and
# issue an SRV lookup for each candidate name. The producer appends one
# `nil` sentinel per consumer so each consumer knows when to stop.
#
# @param domain
#   The domain to enumerate SRV records under; only `domain.name` is read
#   here. (NOTE(review): presumably a `Values::Domain` — confirm.)
#
# @yield [host]
#   A host discovered from an SRV record under the domain.
#
# @yieldparam [Values::Host] host
#   The SRV record's target name with any trailing `.` removed; empty
#   targets are skipped.
#
def process(domain)
  concurrency = params[:concurrency]
  queue       = Async::LimitedQueue.new(concurrency)

  Async do |task|
    # producer: enqueue every candidate name, then one stop marker per consumer
    task.async do
      RECORD_NAMES.each { |name| queue << "#{name}.#{domain.name}" }
      concurrency.times { queue << nil }
    end

    # consumers: resolve candidates until their stop marker arrives
    concurrency.times do
      task.async do
        while (candidate = queue.dequeue)
          dns_get_srv_records(candidate).each do |record|
            # BUG: async-dns returns `CNAME` records for domains with a
            # catch-all subdomain alias, so only SRV resources are accepted.
            next unless record.is_a?(Resolv::DNS::Resource::IN::SRV)

            hostname = record.target.to_s.chomp('.')
            yield Host.new(hostname) unless hostname.empty?
          end
        end
      end
    end
  end
end