dnscan's People

Contributors

0xflotus, asadath1395, cry, jamesbercegay, mantissts, moeinfatehi, poliwrath, rbsec, shaggyz, shelld3v

dnscan's Issues

Improved wildcard functionality

I have noticed that when using dnscan with a DNS provider that redirects bad requests to a search page, the current approach doesn't always work to detect wildcards. For example, my ISP (CableOne) will fail and not redirect for a domain like 12345.twitter.com. But if I add an 'a' to the beginning (a12345.twitter.com), it works as expected and redirects, thus detecting the wildcard behavior. Otherwise, all non-existent domains are redirected to the "failed DNS query search page", thus giving a ton of false positives.

# Use current unix time as a test subdomain
epochtime = 'a' + str(int(time.time())) 

Changing the above code in the get_wildcard() method to include a prefixed alpha character worked for me.
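
The resolver behaviour reported in this issue, reproduced offline as an added example (not dnscan's own code). The `lookup` callable, the function names and the `.test` names and addresses are assumptions constructed for illustration; the stand-in resolver redirects unknown names only when the first label is not all digits.

```python
import time

def probe_labels(now=None):
    """Labels that should not exist: the bare epoch and an alpha-prefixed epoch."""
    ts = str(int(time.time() if now is None else now))
    return [ts, "a" + ts]

def get_wildcard_ips(domain, lookup, now=None):
    """Union of addresses answered for the probe labels; empty means no wildcard."""
    ips = set()
    for label in probe_labels(now):
        ips |= set(lookup(f"{label}.{domain}"))
    return ips

def filter_hits(hits, wildcard_ips):
    """Keep names that resolve to at least one address outside the wildcard set."""
    return {name: addrs for name, addrs in hits.items()
            if set(addrs) - wildcard_ips}

# Constructed data: one real host and the address of the "search page".
REAL = {"www.example.test": ["192.0.2.10"]}
REDIRECT = ["203.0.113.80"]

def redirecting_lookup(name):
    """Stand-in resolver: digits-only first labels fail, other unknown names redirect."""
    if name in REAL:
        return REAL[name]
    first_label = name.split(".", 1)[0]
    return [] if first_label.isdigit() else REDIRECT

def demo():
    wildcard = get_wildcard_ips("example.test", redirecting_lookup, now=1700000000)
    names = ("www.example.test", "mail.example.test", "vpn.example.test")
    hits = {n: redirecting_lookup(n) for n in names}
    return wildcard, filter_hits(hits, wildcard)

if __name__ == "__main__":
    print(demo())
```

With only the digits-only probe the wildcard set would be empty and every redirected name would be reported as a hit.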

Scan result difference and text output

Hello,

Thank you for your work.

I am testing dnscan to find some valid domains with all existing tlds.
But for domains that I checked by hand, for which I found several hundred matches, dnscan found only 16 with the command:

./dnscan.py -d example -R 1.1.1.1 -T --output example_domains.txt

then

with my DNS server (DNSSEC active)

 python3 dnscan.py -d google -R 127.0.0.1 -T --output google_domains.txt

 python3 dnscan.py -d google -R 1.1.1.1 -T --output google_domains.txt

I have 286 domains on the screen but the google_domains.txt file contains:

[*] Processing domain google
[*] Using specified resolvers: 1.1.1.1
[+] TLD Scan

With the command

 python3 dnscan.py -d google -R 1.1.1.1 -T > google_domains.txt

My file is well populated but with several line breaks, like this:
...
google.ac - ns1.google.com

google.af - ns1.google.com

google.aero - ns1.101domain.com

google.ad - ns1.google.com
...

NS outputs are not useful to me and will generate a workload.

What are the tips to understand to help me?
Thank you for your help.

dnscan.py: error: one of the arguments

Hi,
I have an error, looking for help.
Thanks.

C:\Users\nng\Desktop\dnscan-master>dnscan.py -d dev-%%.example.org
usage: dnscan.py [-h] (-d DOMAIN | -l DOMAIN_LIST) [-w WORDLIST] [-t THREADS] [-6] [-z] [-r] [-m MAXDEPTH] [-a]
[-R RESOLVERS] [-L RESOLVER_LIST] [-T] [-o OUTPUT_FILENAME] [-i OUTPUT_IPS] [-D] [-N] [-v] [-n] [-q]
dnscan.py: error: one of the arguments -d/--domain -l/--list is required

Adding support for Module import

Is it possible to add support for module-like import, to be used in conjunction with other modules?
For example:

import dnscan
or
from dnscan import finder

So that it can be used like

results = finder.subdomainfinder("example.com") # return dict

The reason I am asking for this is because I have integrated this module here at
https://www.nmmapper.com/sys/tools/subdomainfinder/
But I just use the hard way, not module-like import.
Thank you.

Feature Request

Can we have a stdout silent feature to show only output like:

$python3 dnscan.py -d example.com -R 8.8.8.8 -silent

13.126.128.222 - example.com
13.126.119.83 - api.example.com
13.235.126.49 - api.example.com
13.35.191.126 - assets.example.com

Plaintext output

Hi @rbsec!

I really enjoy using dnscan and it is really helpful during the recon process.

However, when using the output with other tools the format becomes a major challenge. Any chance of including an option to get plaintext output?

Thanks in advance.

Best,
sumgr0

found a bug

I enumerate valid subdomains with dnscan, but it was wrong. How should I solve it?

Input filtering for domain

If the input is given as www.example.com, dnscan still tries to enumerate domains with the prefix www.

Can we have a step in dnscan.py to clean/filter the input?

randomly missing some domains from provided list

I was providing a list of subdomains, from which one subdomain was missing from the results even though it was available.
For example, I was scanning abc.com and the list contained the keyword analytic, but the tool bypassed this subdomain,
although analytics.abc.com is actually available. When I retried it, the tool identified that particular subdomain. So is there any extensive setting which I should implement to scan the whole list thoroughly? Otherwise, how can we rely on the tool?

AttributeError: 'DNSKEY' object has no attribute 'signer'

Hello,
I got this error when trying to bruteforce subdomains:
Traceback (most recent call last):
  File "dnscan.py", line 499, in <module>
    get_dnssec(target, nsip)
  File "dnscan.py", line 263, in get_dnssec
    dns.dnssec.validate(answer[0],answer[1],{name:answer[0]})
  File "/usr/local/lib/python3.8/dist-packages/dns/dnssec.py", line 490, in _validate
    _validate_rrsig(rrset, rrsig, keys, origin, now)
  File "/usr/local/lib/python3.8/dist-packages/dns/dnssec.py", line 287, in _validate_rrsig
    candidate_keys = _find_candidate_keys(keys, rrsig)
  File "/usr/local/lib/python3.8/dist-packages/dns/dnssec.py", line 170, in _find_candidate_keys
    value = keys.get(rrsig.signer)
AttributeError: 'DNSKEY' object has no attribute 'signer'

Regards

Wildcard scan

Hello, there is a bug inside dnscan.py at line 114: add_target(domain) # Recursively scan subdomains

This function must be run only when wildcard = get_wildcard(domain) is empty, so a condition if not wildcard: needs to be added, or the wildcard domain will be added to the recursive subdomain scan.

Bug: TypeError: argument of type 'NoneType' is not iterable

Hi,
when I try to use dnscan with the -l option to bruteforce multiple domains, this bug appears:

Traceback (most recent call last):
  File "/usr/bin/dnscan", line 386, in <module>
    if not '%%' in args.domain:
TypeError: argument of type 'NoneType' is not iterable

Resolver module issue

Hi,

I'm no longer able to run dnscan due to the following error:

:~/dnscan$ python3 dnscan.py -d test.com
Traceback (most recent call last):
  File "dnscan.py", line 349, in <module>
    resolver.resolve('.', 'NS')
AttributeError: 'Resolver' object has no attribute 'resolve'

I tried to update dnspython and install dnspython3, but I still have the same error, with python2 and python3.

I googled a lot to find a potential fix, without success.

Don't add `noise` to the output file

The tool adds noise to the output file even when the verbose flag is not set. It's OK to print verbose output to the console, but not to the file.

I run dnscan with the following args:

dnscan -d example.com -D -o sds.txt

The content of sds.txt:

[*] Processing domain example.com
[*] Using system resolvers ['127.0.0.53']
[+] Getting nameservers
199.43.133.53 - b.iana-servers.net
199.43.135.53 - a.iana-servers.net
[-] Zone transfer failed

[+] IPv6 (AAAA) records found. Try running dnscan with the -6 option.
2606:2800:220:1:248:1893:25c8:1946
[+] TXT records found
"v=spf1 -all"
"8j5nfqld20zpcyr8xjw0ydcfq9rk8hgm"
[-] Invalid DNSKEY record length

[+] MX records found, added to target list
0 .
[*] Scanning example.com for A records
example.com - 93.184.216.34
www.example.com - 93.184.216.34

If you agree with this change, I'll be happy to create a PR.
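
Until the tool's file output changes, the records can be pulled out of a noisy output file after the fact. The following is an added example, not dnscan code: the function names are assumptions, and the sample is abridged from the sds.txt content quoted in this issue. It accepts both `ip - host` and `host - ip` lines and drops status lines, TXT/AAAA/MX values and name-to-name lines.

```python
import ipaddress

# Sample abridged from the sds.txt content quoted in the issue above.
SAMPLE = """\
[*] Processing domain example.com
[*] Using system resolvers ['127.0.0.53']
[+] Getting nameservers
199.43.133.53 - b.iana-servers.net
199.43.135.53 - a.iana-servers.net
[-] Zone transfer failed

[+] IPv6 (AAAA) records found. Try running dnscan with the -6 option.
2606:2800:220:1:248:1893:25c8:1946
[+] TXT records found
"v=spf1 -all"
[+] MX records found, added to target list
0 .
[*] Scanning example.com for A records
example.com - 93.184.216.34
www.example.com - 93.184.216.34
"""

def is_ip(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def parse_records(text):
    """Return sorted, de-duplicated (hostname, ip) pairs from dnscan-style output."""
    records = set()
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines and status lines such as [*], [+] and [-].
        if not line or line.startswith("["):
            continue
        left, sep, right = line.partition(" - ")
        if not sep:
            continue  # bare values (AAAA, TXT, MX) carry no name/address pair
        left, right = left.strip(), right.strip()
        if is_ip(left) != is_ip(right):  # exactly one side is an address
            host, ip = (right, left) if is_ip(left) else (left, right)
            records.add((host, ip))
    return sorted(records)

if __name__ == "__main__":
    for host, ip in parse_records(SAMPLE):
        print(f"{ip} - {host}")
```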
