| 1 | use threads; |
|---|
| 2 | use threads::shared; |
|---|
| 3 | |
|---|
| 4 | # $Id$ |
|---|
| 5 | package tBruteForceDNS; |
|---|
| 6 | { |
|---|
| 7 | use Object::InsideOut qw(:SHARED AttackObj); |
|---|
| 8 | use Data::Dumper; |
|---|
| 9 | use Fierce::Base; |
|---|
| 10 | use Fierce::Domain; |
|---|
| 11 | use Socket; |
|---|
| 12 | use Thread::Queue; |
|---|
| 13 | use Net::hostent; |
|---|
| 14 | use Data::Validate::IP qw(is_public_ipv4 is_ipv4); |
|---|
| 15 | |
|---|
| 16 | ### required parameters |
|---|
| 17 | # none |
|---|
| 18 | |
|---|
| 19 | ## optional parameters |
|---|
| 20 | # prefixes to use during bruteforce |
|---|
| 21 | my @prefix_list : Field : Arg(prefix_list) : Get(prefix_list) : |
|---|
| 22 | Type(Array) : |
|---|
| 23 | Default( ['imap','www', 'mail', 'files', 'file', 'ftp', 'dns','smtp', 'ns', 'mx', 'dev', 'devel', 'svn', 'cvs', 'test', 'vpn', 'unix', 'webmail'] ); |
|---|
| 24 | |
|---|
| 25 | # max number of interation to use for bruteforce attempts |
|---|
| 26 | my @max_bruteforce : Field : Arg(max_bruteforce) : Get(max_bruteforce) : |
|---|
| 27 | Default(5); |
|---|
| 28 | |
|---|
| 29 | # contiue to perform bruteforce if a wildcard is being used |
|---|
| 30 | my @test_with_wildcard : Field : Arg(test_with_wildcard) : |
|---|
| 31 | All(test_with_wildcard) : Default(0); |
|---|
| 32 | |
|---|
| 33 | # Base Configuration infomation |
|---|
| 34 | my @base : Field : Arg(base) : All(base) : Type(Base); |
|---|
| 35 | |
|---|
| 36 | ### populated parameters |
|---|
| 37 | # list of nodes found |
|---|
| 38 | my @result : Field : Arg(result) : All(result) : Type(List(Node)) : |
|---|
| 39 | Default([]); |
|---|
| 40 | |
|---|
| 41 | # domain object from execute |
|---|
| 42 | my @domain_obj : Field : Arg(domain_obj) : All(domain_obj) : Type(Domain); |
|---|
| 43 | |
|---|
| 44 | # initialize the base obj |
|---|
| 45 | sub _init : Init { |
|---|
| 46 | my ($self) = @_; |
|---|
| 47 | |
|---|
| 48 | # Set default if needed |
|---|
| 49 | if ( !exists( $base[$$self] ) ) { |
|---|
| 50 | $self->set( \@base, Base->new() ); |
|---|
| 51 | } |
|---|
| 52 | } |
|---|
| 53 | |
|---|
| 54 | # execute: Domain -> Fierce::Domain::tBruteForceDNS |
|---|
| 55 | # kicks off the dns bruteforce worker threads |
|---|
| 56 | sub execute { |
|---|
| 57 | my ( $self, $domain_obj ) = @_; |
|---|
| 58 | |
|---|
| 59 | $self->_setup; |
|---|
| 60 | $self->domain_obj($domain_obj); |
|---|
| 61 | |
|---|
| 62 | my $stream = Thread::Queue->new(); |
|---|
| 63 | |
|---|
| 64 | foreach my $prefix ( @{ $self->prefix_list } ) { |
|---|
| 65 | $stream->enqueue($prefix); |
|---|
| 66 | } |
|---|
| 67 | my $base = $self->base; |
|---|
| 68 | foreach ( 1 .. $base->threads ) { |
|---|
| 69 | threads->new( \&thr_work, $self, $stream ); |
|---|
| 70 | $stream->enqueue(undef); # for each thread |
|---|
| 71 | } |
|---|
| 72 | foreach my $thr ( threads->list() ) { |
|---|
| 73 | $thr->join(); |
|---|
| 74 | } |
|---|
| 75 | $self->_complete; |
|---|
| 76 | return $self; |
|---|
| 77 | } |
|---|
| 78 | |
|---|
| 79 | # thr_work: Thread::Queue -> |
|---|
| 80 | # perform dns bruteforce using prefix and url |
|---|
| 81 | sub thr_work { |
|---|
| 82 | my ( $self, $q ) = @_; |
|---|
| 83 | my $domain = $self->domain_obj->domain; |
|---|
| 84 | my $base = $base[$$self]; |
|---|
| 85 | #print( 'Thread = ', threads->tid(), "\n" ); |
|---|
| 86 | sleep( $base->delay() ); |
|---|
| 87 | |
|---|
| 88 | while ( my $prefix = $q->dequeue() ) { |
|---|
| 89 | my $i = 2; |
|---|
| 90 | my $max = $self->max_bruteforce + 2; |
|---|
| 91 | chomp($prefix); |
|---|
| 92 | #print "testing $prefix.$domain\n"; |
|---|
| 93 | my $inet = inet_aton("$prefix.$domain"); |
|---|
| 94 | |
|---|
| 95 | # checking to see if prefix1 resolves |
|---|
| 96 | if ( !defined $inet ) { |
|---|
| 97 | $prefix .= "1"; |
|---|
| 98 | $inet = inet_aton("$prefix.$domain"); |
|---|
| 99 | } |
|---|
| 100 | |
|---|
| 101 | # checking to see if prefix01 resolves |
|---|
| 102 | if ( !defined $inet ) { |
|---|
| 103 | $prefix =~ s/1$//g; |
|---|
| 104 | $prefix .= "01"; |
|---|
| 105 | $inet = inet_aton("$prefix.$domain"); |
|---|
| 106 | } |
|---|
| 107 | |
|---|
| 108 | if ( defined $inet and is_public_ipv4(inet_ntoa($inet)) ) { |
|---|
| 109 | my $node = Node->new( |
|---|
| 110 | hostname => "$prefix.$domain", |
|---|
| 111 | ip => inet_ntoa($inet), |
|---|
| 112 | from => 'DNS Prefix BruteForece' |
|---|
| 113 | ); |
|---|
| 114 | push( @{ $result[$$self] }, $node ); |
|---|
| 115 | my $wildcard_dns = 1e11 - int( rand(1e10) ) . "." . $domain; |
|---|
| 116 | my $h = gethost("$wildcard_dns"); |
|---|
| 117 | if ( !$h or $self->test_with_wildcard == 1 ) { |
|---|
| 118 | $prefix =~ s/01$|1$//g; |
|---|
| 119 | while ( $i <= $max ) { |
|---|
| 120 | my $num = $i; |
|---|
| 121 | |
|---|
| 122 | # checking to see if prefix"NUMBER" or prefix"0NUMBER" resolves |
|---|
| 123 | $inet = inet_aton("$prefix$num.$domain"); |
|---|
| 124 | if ( !defined $inet ) { |
|---|
| 125 | $num = "0$i"; |
|---|
| 126 | $inet = inet_aton("$prefix$num.$domain"); |
|---|
| 127 | } |
|---|
| 128 | |
|---|
| 129 | if ( defined $inet ) { |
|---|
| 130 | my $node = Node->new( |
|---|
| 131 | hostname => "$prefix$num.$domain", |
|---|
| 132 | ip => inet_ntoa($inet), |
|---|
| 133 | from => 'DNS Prefix BruteForece' |
|---|
| 134 | ); |
|---|
| 135 | push( @{ $result[$$self] }, $node ); |
|---|
| 136 | $max++; |
|---|
| 137 | } |
|---|
| 138 | $i++; |
|---|
| 139 | } |
|---|
| 140 | } |
|---|
| 141 | } |
|---|
| 142 | |
|---|
| 143 | # Let others run |
|---|
| 144 | threads->yield(); |
|---|
| 145 | } |
|---|
| 146 | } |
|---|
| 147 | } |
|---|
| 148 | |
|---|
| 149 | 1; |
|---|
