DNSTake: A fast tool to check missing hosted DNS zones that can lead to subdomain takeover

DNSTake

A fast tool to check missing hosted DNS zones that can lead to subdomain takeover.


What is a DNS takeover?

DNS takeover vulnerabilities occur when a subdomain (subdomain.example.com) or domain has its authoritative nameserver set to a provider (e.g. AWS Route 53, Akamai, Microsoft Azure, etc.) but the hosted zone has been removed or deleted. Consequently, when making a request for DNS records the server responds with a SERVFAIL error. This allows an attacker to create the missing hosted zone on the service that was being used and thus control all DNS records for that (sub)domain.¹

Installation

from Binary

The ez way! You can download a pre-built binary from the releases page; just unpack and run!

from Source

NOTE: Go 1.16+ compiler should be installed & configured!

Very quick & clean!

▶ go install github.com/pwnesia/dnstake/cmd/dnstake@latest

Or build the executable manually from source:

▶ git clone https://github.com/pwnesia/dnstake
▶ cd dnstake/cmd/dnstake
▶ go build .
▶ (sudo) mv dnstake /usr/local/bin

Usage

$ dnstake -h

        (c) pwnesia.org — v0.0.1

Usage:
  [stdin] | dnstake [options]
  dnstake -t HOSTNAME [options]

Options:
  -t, --target <HOST/FILE>    Define single target host/list to check
  -c, --concurrent <i>        Set the concurrency level (default: 25)
  -s, --silent                Suppress errors and/or clean output
  -o, --output <FILE>         Save vulnerable hosts to FILE
  -h, --help                  Display its help

Examples:
  dnstake -t (sub.)domain.tld
  dnstake -t hosts.txt
  dnstake -t hosts.txt -o ./dnstake.out
  cat hosts.txt | dnstake
  subfinder -silent -d domain.tld | dnstake

Workflow

DNSTake uses the RetryableDNS client library to send DNS queries. It starts with Google and Cloudflare DNS as the resolvers, then checks and fingerprints the nameservers of the target host. If there is one, it resolves the target host again using its nameserver IPs as the resolver; if it gets an unexpected DNS status in response (anything other than NOERROR/NXDOMAIN), the host is vulnerable to takeover. The project's README shows this flow as a diagram.

Currently supported DNS providers, see here.
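
The decision rule from the workflow above, as an added example (not DNSTake's own code) for auditing delegations you own: it reads the RCODE from a raw DNS response header and flags a name when a fingerprinted provider's nameserver answers with anything other than NOERROR/NXDOMAIN. The fingerprint patterns, function names and sample bytes are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed fingerprints for the providers the page names (not DNSTake's list).
var providers = []struct{ pattern, name string }{
	{".awsdns-", "AWS Route 53"},
	{".azure-dns.", "Microsoft Azure"},
	{".akam.net", "Akamai"},
}

// Fingerprint maps a nameserver hostname to a hosted-DNS provider, or "".
func Fingerprint(ns string) string {
	for _, p := range providers {
		if strings.Contains(strings.ToLower(ns), p.pattern) {
			return p.name
		}
	}
	return ""
}

// Rcode extracts the 4-bit RCODE from a raw DNS response header (RFC 1035).
func Rcode(msg []byte) (int, error) {
	if len(msg) < 12 || msg[2]&0x80 == 0 { // truncated header or QR bit unset
		return 0, fmt.Errorf("not a DNS response")
	}
	return int(msg[3] & 0x0F), nil
}

// Dangling applies the workflow's rule: delegated to a fingerprinted provider whose
// nameserver answered with an RCODE other than NOERROR (0) or NXDOMAIN (3).
func Dangling(nameservers []string, response []byte) (string, bool, error) {
	rc, err := Rcode(response)
	for _, ns := range nameservers {
		if p := Fingerprint(ns); p != "" && err == nil {
			return p, rc != 0 && rc != 3, nil
		}
	}
	return "", false, err
}

func main() {
	// Constructed sample: header with QR=1 and RCODE=2 (SERVFAIL).
	servfail := []byte{0x12, 0x34, 0x80, 0x02, 0, 1, 0, 0, 0, 0, 0, 0}
	fmt.Println(Dangling([]string{"ns-1536.awsdns-00.co.uk."}, servfail))
}
```

A name flagged this way should have its NS delegation removed or the hosted zone re-created by the domain owner.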

References

License

DNSTake is distributed under MIT. See LICENSE.