DioNiSio, DNS Scanner
Intro Download Documentation Links Project Page

DioNiSio man page

NAME

dionisio - fast and simple DNS scanner

SYNOPSIS

dionisio [OPTION] target_domain [...]

dionisio -r [OPTION] ip_range [...]

dionisio -x [OPTION] target_domain

dionisio -u [OPTION] dump_file

DESCRIPTION

DioNiSio is a DNS scanner written in pure C without any dependence on other libraries or tools. It implements three scans types (dictionary, reverse lookup and recursive zone transfers) and can detect DNS misconfigurations or anomalities. Its main targets are portability, rational resources usage, and ease of use.

It can perform three types of scan:

*
Dictionary scan. DioNiSio can read a dictionary and try to resolve hosts in a certain domain. It can detect subdomains and analyzes all responses to discover more hostnames. In the spite of the simplicity of this kind of scan the results obtained with this scan can be impressive and can show a bad policy in choosing host names in a network.
*
Reverse scan. DioNiSio can make mass reverse lookups in a network. A lot of administrators configure their DNS servers so they make the reverse address lookup of any host. This can be used to gather a lot of information in a network; the final result is like a network scan but using only DNS questions, so it is not easy to detect and sometimes gives a lot of information extra that you cannot obtain simply with a traditional network scanner like nmap.
*
Recursive zone transfer. This scan is developed specially for penetration tests. Usually DNS servers doesn't allow zone transfers to external IP addresses, but a lof of administrators allow zone transfer to any machine in their networks. When an auditor gets control on a machine, and he is working under the black-box paradigm, he will need surely to gather more information from her/his new point of view and one good way could be to make an agressive zone transfers. The problem is that a compromised machine usually have not installed the necessary tools; DioNiSio is targeted to be completely independent from system libraries, easy to port and low memory and CPU consumption.

Also DioNiSio can manage a pool of recursive DNS servers so it can make distributed DNS scans (only dictionary and reverse scans). A distributed DNS scan is usually hard to detect and give an extra layer of protection to your identity.

OPTIONS

-c, --comments
Add comments to output. Note that this flag does not give any extra information, it only gives some additional commentaries that would ease the human analysis.
-d, --dictionary
Dictionary scanner. This attack consists to discover machines in a domain in a bruteforce way applying a dictionary, word by word. Each time a new subdomain is discovered, the dictionary attack is applied recursively.
-D, --domain-test
Do a domain analysis on each new domain found. It means that DioNiSio will try to resolve domain name servers and, if --axfr-test enabled, then it tries to make zone transfers from name servers in discovered domain. This test will also try to found some other information.
-f value, --max-fail=value
Max fails per nameserver.
-g, --debug
Debug mode (all possible messages).
-h, --help
Help.
-H, --host-test
Do a host analysis on each new HOST found. It means that DioNiSio will make some questions about each new host discovered (MX, SOA, NS, A, AAAA, etc).
-l path, --ns-list=path
Path to nameservers list.
-m mode, --mode=mode
Set scanner mode. Valid values:
0
Recursive zone transfer (same as -x).
1
Dictionary analysis (same as -d).
2
Reverse lookup network analysis (same as -r).
3
Read dump (same as -u).
-M mode, --follow-mode=mode
How to follow new discovered domains. Each time a new domain/host is discovered DioNiSio must decide if it has to continue to investigate on it or leave it alone. Accepted values:
0
Follow only subdomains.
1
Follow any domain.
2
Ask to follow new domains (not implemented yet).
-n path, --names=path
Path to dictionary file for dictionary scanner.
-o format, --output=format
Final report output format.
0
TXT (normal)
1
CSV (Comma Separated Value)
-q, --quiet
Quiet mode (only errors).
-r, --reverse
Reverse lookup scanner. This scan it is based on making a mass reverse lookup on indicated network range.
-R, --reverse-test
Do reverse lookup on each new IP found.
-u, --read-dump
Reads dump made with option -U and generates a report from the answers found in it. It makes possible to debug the program or generate a report in a different format. Note that if you use a dump to regenerate a report the resultant report not will be exactly the same, but it will be very similar.
-U, --dump-file
Dumps sent/recvd DNS packets for debugging. The file format used is simple: divided in DNS packets, where each data packet follows two 32 bit integers: the first integer is 0 if packet is a question, or 1 if packet is an answer. The second integer is the packet size.
-x, --axfr
Perform a recursive zone transfer. The idea of a recursive zone transfer is to make an initial zone transfer, detect subdomains and domains associated in the answer and then try perform a recursive zone transfer on each.
-X, --axfr-test
Do a zone transfer on each new NS found.
-v, --verbose[=level]
Set verbosity level (default 3).

EXIT STATUS

DioNiSio returns a zero exit status if it succeeds or non zero is returned in case of failure.

FILES

This program uses following files:
nslist.txt
List of nameservers. This file must contain a list of working recursive DNS servers. If you want to hide your identity choose them carefully and try to make this list so big as possible to make the scan the more distributed as possible.
dionisio.dic
This file contains one word per line. It is used in dictionary scans.

NSLIST.TXT FILE FORMAT

This file can contain comments, void lines and nameservers addresses.

Void lines and comments will be ignored.

Comments begin with a # and they are ignored until new line. There are not multiline comments. You can also add a comment in a non-void line at the end.

Non-void lines should contain only one IP, in IPv4 or IPv6 format.

For example, one valid file:

# Sample DNS list file.

# verizon servers
4.2.2.2         # Verizon (Level3)
4.2.2.3         # Verizon (Level3)
4.2.2.4         # Verizon (Level3)
4.2.2.5         # Verizon (Level3)
4.2.2.6         # Verizon (Level3)

# other servers
10.0.0.1
10.0.0.254

DUMP FILE FORMAT

A dump file contains all the questions sent and answers received during a DioNiSio session. A dump file is very useful to restore a DioNiSio session interrupted by a segmentation fault or by user. It is also very practical for debugging.

The ''official'' way to create a dump file is using parameter -U. You only have to invoke DioNiSio adding option -U filename.dump and all DNS messages will be written to that file.

With mode -u you can read and load all data contained in a dump file.

Dump file structure is quite simple: it is a succession of messages where each message is composed of three parts:

answer
32 bit unsigned integer. 0 if this message is a question, or != 0 if this message is an answer.
message_size
32 bit unsigned integer. It is the size, in bytes, of DNS message following this integer.
message
A block of data, of message_size bytes containing a DNS message in network raw format.

For file portability between different platforms all data in file is written in big endian (network format).

NOTES

This program will react to some signals:
SIGINT, SIGQUIT, SIGTERM
The first and second time one of this signals is received the program will try to finish everything that is initiated and then it will finish printing the partial report. If one of this signals is received for third time the program will be terminated inmediately without printing any result.
SIGHUP
This signal forces DioNiSio to reload the nameservers list (see file nslist.txt in section FILES) on runtime.

BUGS

This program does not have bugs. It only has crazy, dangerous and unuseful undocumented features.

EXAMPLES

Do a reverse analysis in network 192.168.0.0/16:

dionisio -r 192.168.0.0/16

If you only want to work in some computers in network 192.168.0.0/16, from 192.168.5.10 to 192.168.7.59, you can use this notation:

dionisio -r 192.168.5.10-7.59

Perhaps you would like to receive some extra-feedback of analysis adding the --verbose flag. Also you can use the option -c to get a final report with some interesting comments.

dionisio -vcr 192.168.5.10-7.59

Also, if you plan to use some spreadsheet software to analyse results you will find interesting to use the CSV output format:

dionisio -vcr --output=1 192.168.5.10-7.59

Another working mode could be a dictionary scan on domain example.com using dictionary /home/ger/dic/nsnames.txt, trying to perform a zone transfer on each new NS found, and trying to discover more hostnames on new hosts found with a reverse lookup:

dionisio -d --names="/home/ger/dic/nsnames.txt" -XR example.com

Or simply execute a recursive AXFR on domain example.com:

dionisio -x example.com

AUTHOR

Gerardo García Peña (gerardo (at) kung-foo.dhs.org)


Copyright © 2006-2010 Gerardo García Peña
Verbatim copying and redistribution of this web page are permitted provided this notice is preserved. This page was updated on 2008-01-13 11:20:45 by gerardo.
This page uses valid XHTML 1.1 and CSS.