now storing AXFR responses in a directory containing the date to track changes in which dns servers allow AXFRs over time

Dionysus 2024-03-06 16:49:33 -05:00
parent 084bca55d0
commit 8d0b01e7aa
Signed by: acidvegas
GPG Key ID: EF4B922DB85DC9DE
5 changed files with 64 additions and 23 deletions


@ -18,7 +18,7 @@ It is expected to set *realistic* expectations when using this tool. In contempo
## Information
I only wrote this to shit on **[this bozo](https://github.com/flotwig/TLDR-2/)** who took a dead project & brought it back to life by making it even worse. Rather than making a pull request to give this bloke more credit in his "tenure" as a developer, I decided to just rewrite it all from scratch so people can fork off of *clean* code instead.
This repostiory also contains a [pure POSIX version](./mdaxfr) for portability, aswell as a [script](./opennic) to do zone transfers on [OpenNIC TLDs](https://wiki.opennic.org/opennic/dot) and a special [ozones](./ozones) script for fetching a few obscure additional zones.
This repostiory also contains a [pure POSIX version](./mdaxfr) for portability, aswell as a [script](./extras/opennic) to do zone transfers on [OpenNIC TLDs](https://wiki.opennic.org/opennic/dot), a special [ozones](./extras/ozones) script for fetching a few obscure additional zones, and a [domain axfr script](./extras/daxfr) to target a specific website.
## Statistics, laughs, & further thinking...
As of my last scan in 2023, I was only able to AXFR the zones for **8** out of **1,456** root TLDs, with a few of them being zones that were already retrieved by [acidvegas/czds](https://github.com/acidvegas/czds/), & **114** out of **7,977** TLDs in the [Public suffix list](https://publicsuffix.org/). The addition scripts in this repository provide an additional **37** zone files.

40
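--- /dev/null
+++ b/extras/daxfr
@@ -0,0 +1,40 @@
+#!/bin/sh
+# Domain AXFR - developed by acidvegas (https://git.acid.vegas/mdaxfr)
+# This one will take a domain as an argument and attempt to perform an AXFR against all of the nameservers for that domain.
+# Colors
+CYAN="\033[1;36m"
+YELLOW="\033[1;33m"
+RED="\033[1;31m"
+GREEN="\033[1;32m"
+RESET="\033[0m"
+GREY="\033[1;90m"
+domain="$1" # base domain only, no http, https, or www (can have a subdomain though)
+[ -z "$domain" ] && echo "Invalid URL. Exiting." && exit 1
+echo "${YELLOW}Attempting AXFR against ${domain}...${RESET}"
+nameservers=$(dig NS +short "$domain")
+[ -z "$nameservers" ] && echo "${GREY}No nameservers found for ${domain}${RESET}" && exit 1
+echo "$nameservers" | while read -r ns; do
+ns=$(echo "$ns" | sed 's/\.$//')
+ips=$(host "$ns" | awk '/has address/ { print $4 }')
+[ -z "$ips" ] && echo "${GREY}No IP addresses found for nameserver $ns under ${domain}. Skipping...${RESET}" && continue
+echo "$ips" | while read -r ip; do
+axfr_output=$(dig @$ip AXFR "$domain")
+if echo "$axfr_output" | grep -q "Transfer failed."; then
+echo "${RED}AXFR attempt from $ip ($ns) on ${domain} was not successful.${RESET}"
+elif echo "$axfr_output" | grep -q "IN"; then
+echo "${GREEN}Successful AXFR from $ip ($ns) on on ${domain}:${RESET}"
+echo "${CYAN}$axfr_output${RESET}"
+else
+echo "${RED}AXFR attempt from $ip ($ns) on on ${domain} was not successful.${RESET}"
+fi
+done
+done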
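Review bot: The zone data returned by the remote server is printed with `echo "${CYAN}$axfr_output${RESET}"`, and since the script already relies on `echo` expanding backslash escapes for its colours, any backslash sequence inside a record is likely expanded on its way to the terminal too; passing the data as an argument, `printf '%b%s%b\n' "$CYAN" "$axfr_output" "$RESET"`, keeps it literal. The success test `grep -q "IN"` can also match the dig banner line when the supplied domain itself contains `IN` and the transfer fails without the "Transfer failed." text, so matching the class field with `grep -q '[[:space:]]IN[[:space:]]'` is tighter. `dig @$ip` should be quoted as `"@$ip"`. A `$domain` beginning with `-`, `+` or `@` is read by dig as an option rather than a name, so a leading-character check before the first lookup would be worth adding.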


@ -12,11 +12,14 @@ dig @zone.internet.ee ee. AXFR > ee.txt
dig @ns1.gov.ps xn--ygbi2ammx. AXFR > xn--ygbi2ammx.txt
wget -O sk.txt https://sk-nic.sk/subory/domains.txt
wget -O gov.txt https://raw.githubusercontent.com/cisagov/dotgov-data/main/gov.txt
wget -O nc.txt https://www.domaine.nc/whos?who=A*
wget -O sk.txt https://sk-nic.sk/subory/domains.txt # not rfc compliant
wget -O gov.txt https://raw.githubusercontent.com/cisagov/dotgov-data/main/gov.txt # czds available also
wget -O nc.txt https://www.domaine.nc/whos?who=A* # Need to crawl the http maybe for this one...
# https://www.afnic.fr/produits-services/services-associes/donnees-partagees/
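Review bot: The URL on the `nc.txt` line is still passed unquoted although it contains the glob characters `?` and `*`, so the shell may expand it (or, in shells that treat an unmatched glob as an error, refuse to run the command) before wget sees it; write it as `wget -O nc.txt 'https://www.domaine.nc/whos?who=A*'`. None of the downloads check wget's exit status, and `-O` leaves an empty or partial file behind on failure, which will then look like a fetched zone list.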

36
mdaxfr

@ -1,22 +1,21 @@
#!/bin/sh
# Mass DNS AXFR (POSIX version) - developed by acidvegas (https://git.acid.vegas/mdaxfr)
OUTPUT_DIR="axfrout"
mkdir -p "$OUTPUT_DIR"
mkdir -p "$OUTPUT_DIR/root"
mkdir -p "$OUTPUT_DIR/psl"
# Define the current date for data organization
now=$(date +"%Y-%m-%d")
resolve_nameserver() {
dig +short AAAA $1 +short -t A $1 2>/dev/null
}
# Define the output directory
output="axfrout/$now"
# Function to attempt an AXFR request on all possible IP addresses for a nameserver
attempt_axfr() {
tld=$1
nameserver=$2
filename="$3"
temp_file="${filename}.temp"
nameserver_ips=$(resolve_nameserver "$nameserver")
temp_file="${filename}.temp"
nameserver_ips=$(dig +short A +retry=3 +time=10 $nameserver && dig +short AAAA +retry=3 +time=10 $nameserver)
if [ -z "$nameserver_ips" ]; then
echo -e "\e[31m[FAIL]\e[0m AXFR for \e[36m$tld\e[0m on \e[33m$nameserver\e[0m \e[90m(failed to resolve nameserver)\e[0m"
return
@ -35,21 +34,20 @@ attempt_axfr() {
done
}
echo "[\e[31mWARNING\e[0m] Most nameservers will block AXFR requests \e[90m(It is normal for most of these to fail)\e[0m"
sleep 3
# Create the output directories (if they don't exist)
mkdir -p "$output/root"
mkdir -p "$output/psl"
# For root IP space zones
for i in $(seq 0 255); do
dig +nocmd +noall +answer +multiline $i.in-addr.arpa NS >> $OUTPUT_DIR/root/in-addr.arpa.txt
done
# Give a warning about the current state of AXFR requests
echo "[\e[31mWARNING\e[0m] Most nameservers will block AXFR requests \e[90m(It is normal for most of these to fail)\e[0m" && sleep 3
# For root nameservers
for root in $(dig +short . NS | sed 's/\.$//'); do
attempt_axfr "." "$root" "$OUTPUT_DIR/root/$root.txt"
attempt_axfr "." "$root" "$output/root/$root.txt"
done
# Parse the tld list from a root nameserver
rndroot=$(find $OUTPUT_DIR/root/*.root-servers.net.txt -type f | shuf -n 1)
rndroot=$(find $output/root/*.root-servers.net.txt -type f | shuf -n 1)
if [ -z $rndroot ]; then
echo "Failed to AXFR a root nameserver (using IANA list instead)"
tlds=$(curl -s 'https://data.iana.org/TLD/tlds-alpha-by-domain.txt' | tail -n +2 | tr '[:upper:]' '[:lower:]')
@ -60,13 +58,13 @@ fi
# For TLD nameservers
for tld in $tlds; do
for ns in $(dig +short "$tld" NS | sed 's/\.$//'); do
attempt_axfr "$tld" "$ns" "$OUTPUT_DIR/$tld.txt"
attempt_axfr "$tld" "$ns" "$output/$tld.txt"
done
done
# For Public Suffix List TLD nameservers
for tld in $(curl -s https://publicsuffix.org/list/public_suffix_list.dat | grep -vE '^(//|.*[*!])' | grep '\.' | awk '{print $1}'); do
for ns in $(dig +short "$tld" NS | sed 's/\.$//'); do
attempt_axfr "$tld" "$ns" "$OUTPUT_DIR/psl/$tld.txt"
attempt_axfr "$tld" "$ns" "$output/psl/$tld.txt"
done
done
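Review bot: In the new resolver line inside attempt_axfr, `$nameserver` is expanded unquoted in both dig calls, and the value originates from NS answers, so it is subject to word splitting and globbing, and a name beginning with `+`, `-` or `@` would be parsed by dig as an option. The two lookups are joined with `&&`, so the AAAA query is skipped whenever the A query exits non-zero; `nameserver_ips=$(dig +short A +retry=3 +time=10 "$nameserver"; dig +short AAAA +retry=3 +time=10 "$nameserver")` runs both. The same quoting applies to `find $output/root/*.root-servers.net.txt` and `[ -z $rndroot ]` in the second hunk. In the third hunk, `$tld` from the downloaded suffix list goes straight into the output path, so rejecting values containing `/` before calling attempt_axfr would keep writes inside `$output`. attempt_axfr's body continues past the end of the first hunk.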