DioNiSio, DNS Scanner

Intro

Download

Documentation

Links

Project Page

DioNiSio man page

NAME

dionisio - fast and simple DNS scanner

SYNOPSIS

dionisio [OPTION] target_domain [...]

dionisio -r [OPTION] ip_range [...]

dionisio -x [OPTION] target_domain

dionisio -u [OPTION] dump_file

DESCRIPTION

DioNiSio is a DNS scanner written in pure C without any dependence on other libraries or tools. It implements three scans types (dictionary, reverse lookup and recursive zone transfers) and can detect DNS misconfigurations or anomalities. Its main targets are portability, rational resources usage, and ease of use.

It can perform three types of scan:

*

Dictionary scan. DioNiSio can read a dictionary and try to resolve hosts in a certain domain. It can detect subdomains and analyzes all responses to discover more hostnames. In the spite of the simplicity of this kind of scan the results obtained with this scan can be impressive and can show a bad policy in choosing host names in a network.

*

Reverse scan. DioNiSio can make mass reverse lookups in a network. A lot of administrators configure their DNS servers so they make the reverse address lookup of any host. This can be used to gather a lot of information in a network; the final result is like a network scan but using only DNS questions, so it is not easy to detect and sometimes gives a lot of information extra that you cannot obtain simply with a traditional network scanner like nmap.

*

Recursive zone transfer. This scan is developed specially for penetration tests. Usually DNS servers doesn't allow zone transfers to external IP addresses, but a lof of administrators allow zone transfer to any machine in their networks. When an auditor gets control on a machine, and he is working under the black-box paradigm, he will need surely to gather more information from her/his new point of view and one good way could be to make an agressive zone transfers. The problem is that a compromised machine usually have not installed the necessary tools; DioNiSio is targeted to be completely independent from system libraries, easy to port and low memory and CPU consumption.

Also DioNiSio can manage a pool of recursive DNS servers so it can make distributed DNS scans (only dictionary and reverse scans). A distributed DNS scan is usually hard to detect and give an extra layer of protection to your identity.

OPTIONS

-c, --comments

Add comments to output. Note that this flag does not give any extra information, it only gives some additional commentaries that would ease the human analysis.

-d, --dictionary

Dictionary scanner. This attack consists to discover machines in a domain in a bruteforce way applying a dictionary, word by word. Each time a new subdomain is discovered, the dictionary attack is applied recursively.

-D, --domain-test

Do a domain analysis on each new domain found. It means that DioNiSio will try to resolve domain name servers and, if --axfr-test enabled, then it tries to make zone transfers from name servers in discovered domain. This test will also try to found some other information.

-f value, --max-fail=value

Max fails per nameserver.

-g, --debug

Debug mode (all possible messages).

-h, --help

Help.

-H, --host-test

Do a host analysis on each new HOST found. It means that DioNiSio will make some questions about each new host discovered (MX, SOA, NS, A, AAAA, etc).

-l path, --ns-list=path

Path to nameservers list.

-m mode, --mode=mode

Set scanner mode. Valid values:

0

Recursive zone transfer (same as -x).

1

Dictionary analysis (same as -d).

2

Reverse lookup network analysis (same as -r).

3

Read dump (same as -u).

-M mode, --follow-mode=mode

How to follow new discovered domains. Each time a new domain/host is discovered DioNiSio must decide if it has to continue to investigate on it or leave it alone. Accepted values:

0

Follow only subdomains.

1

Follow any domain.

2

Ask to follow new domains (not implemented yet).

-n path, --names=path

Path to dictionary file for dictionary scanner.

-o format, --output=format

Final report output format.

0

TXT (normal)

1

CSV (Comma Separated Value)

-q, --quiet

Quiet mode (only errors).

-r, --reverse

Reverse lookup scanner. This scan it is based on making a mass reverse lookup on indicated network range.

-R, --reverse-test

Do reverse lookup on each new IP found.

-u, --read-dump

Reads dump made with option -U and generates a report from the answers found in it. It makes possible to debug the program or generate a report in a different format. Note that if you use a dump to regenerate a report the resultant report not will be exactly the same, but it will be very similar.

-U, --dump-file

Dumps sent/recvd DNS packets for debugging. The file format used is simple: divided in DNS packets, where each data packet follows two 32 bit integers: the first integer is 0 if packet is a question, or 1 if packet is an answer. The second integer is the packet size.

-x, --axfr

Perform a recursive zone transfer. The idea of a recursive zone transfer is to make an initial zone transfer, detect subdomains and domains associated in the answer and then try perform a recursive zone transfer on each.

-X, --axfr-test

Do a zone transfer on each new NS found.

-v, --verbose[=level]

Set verbosity level (default 3).

EXIT STATUS

DioNiSio returns a zero exit status if it succeeds or non zero is returned in case of failure.

FILES

This program uses following files:

nslist.txt

List of nameservers. This file must contain a list of working recursive DNS servers. If you want to hide your identity choose them carefully and try to make this list so big as possible to make the scan the more distributed as possible.

dionisio.dic

This file contains one word per line. It is used in dictionary scans.

NSLIST.TXT FILE FORMAT

This file can contain comments, void lines and nameservers addresses.

Void lines and comments will be ignored.

Comments begin with a # and they are ignored until new line. There are not multiline comments. You can also add a comment in a non-void line at the end.

Non-void lines should contain only one IP, in IPv4 or IPv6 format.

For example, one valid file:

# Sample DNS list file.

# verizon servers
4.2.2.2         # Verizon (Level3)
4.2.2.3         # Verizon (Level3)
4.2.2.4         # Verizon (Level3)
4.2.2.5         # Verizon (Level3)
4.2.2.6         # Verizon (Level3)

# other servers
10.0.0.1
10.0.0.254

DUMP FILE FORMAT

A dump file contains all the questions sent and answers received during a DioNiSio session. A dump file is very useful to restore a DioNiSio session interrupted by a segmentation fault or by user. It is also very practical for debugging.

The ''official'' way to create a dump file is using parameter -U. You only have to invoke DioNiSio adding option -U filename.dump and all DNS messages will be written to that file.

With mode -u you can read and load all data contained in a dump file.

Dump file structure is quite simple: it is a succession of messages where each message is composed of three parts:

answer

32 bit unsigned integer. 0 if this message is a question, or != 0 if this message is an answer.

message_size

32 bit unsigned integer. It is the size, in bytes, of DNS message following this integer.

message

A block of data, of message_size bytes containing a DNS message in network raw format.

For file portability between different platforms all data in file is written in big endian (network format).

NOTES

This program will react to some signals:

SIGINT, SIGQUIT, SIGTERM

The first and second time one of this signals is received the program will try to finish everything that is initiated and then it will finish printing the partial report. If one of this signals is received for third time the program will be terminated inmediately without printing any result.

SIGHUP

This signal forces DioNiSio to reload the nameservers list (see file nslist.txt in section FILES) on runtime.

BUGS

This program does not have bugs. It only has crazy, dangerous and unuseful undocumented features.

EXAMPLES

Do a reverse analysis in network 192.168.0.0/16:

dionisio -r 192.168.0.0/16

If you only want to work in some computers in network 192.168.0.0/16, from 192.168.5.10 to 192.168.7.59, you can use this notation:

dionisio -r 192.168.5.10-7.59

Perhaps you would like to receive some extra-feedback of analysis adding the --verbose flag. Also you can use the option -c to get a final report with some interesting comments.

dionisio -vcr 192.168.5.10-7.59

Also, if you plan to use some spreadsheet software to analyse results you will find interesting to use the CSV output format:

dionisio -vcr --output=1 192.168.5.10-7.59

Another working mode could be a dictionary scan on domain example.com using dictionary /home/ger/dic/nsnames.txt, trying to perform a zone transfer on each new NS found, and trying to discover more hostnames on new hosts found with a reverse lookup:

dionisio -d --names="/home/ger/dic/nsnames.txt" -XR example.com

Or simply execute a recursive AXFR on domain example.com:

dionisio -x example.com

AUTHOR

Gerardo García Peña (gerardo (at) kung-foo.dhs.org)

---

Copyright © 2006-2010 Gerardo García Peña
Verbatim copying and redistribution of this web page are permitted provided this notice is preserved. This page was updated on 2008-01-13 11:20:45 by gerardo.
This page uses valid XHTML 1.1 and CSS.