abss0x7tbh / bass Goto Github PK

i see you're missing various AWS .txt's. I thought I'd go and grab em and contribute this at least. i've deviated from your suggested process a little, instead of looking at just the one /24 for each nameserver, i've just seen 'aws' and gone and got all the IP ranges for AWS (using asnip which might get the info from all sorts of places but whatever it does it does so reliably and comprehensively and i've never felt the need to investigate further). big as these people are you're still talking about minutes of scan time...

root@h04s10:~/nomad/contrib/xmap/examples/udp-probes# wc -l ~/aws_dns_53_*
4638118 /root/aws_dns_53_tcp
63408 /root/aws_dns_53_udp
4701526 total

obviously the tcp responses are mostly lies (syn scan only), udp we know we have a dns server at least - it reinforces the need to validate such things. i will write something now to wallop through lists of potential DNS servers and identify a) authoritative b) recursive c) selfish/fraudulent ones for a given domain.

its a little shy of your approach (which is far more precise and less labour intensive at the user end of things) but if i make a pull request with (probably) a go application to do the above (take resolvers and identify useful ones for enumeration like you're doing) would you have any interest in including it?

if not i'll probably start doing this and end up doing something entirely different. your call... i guess.

simple shit like this is the most useful... in fact if we dont do this i will finally make a version of vhost-sieve to work rapido.... another superb underrated (imo) essential part of ANY pen test.

There are some blocks of CIDR's completely missed out. My approach at extracting OrgName or OriginAS from a whois query on the authoritative nameserver IP is not enough. This surely does get me the Organization name needed for an asnlookup but it's not fruitful or the most efficient way.

Might probe into Censys / Shodan / Securitytrails and services alike.

For each of these I'll give an example domain and then the provider names.
Domain: discordapp.com
Providers: cloudflare

Domain: gizmodo.com
Providers: awsdns-14, awsdns-13, awsdns-15, public, awsdns-37

Domain: github.com
Providers: awsdns-01, awsdns-21, awsdns-32, awsdns-52

Domain: yahoo.com
Providers: yahoo

Domain: google.com
Providers: google

Domain: qq.com
Providers: qq

The last 3 seem like they have their own private nameservers as opposed to using a DNS service so those cases would probably need a different functionality in place to handle them rather than adding new provider txts (adding a new list of nameservers doesn't seem to be the right way to go to cover those edge cases)