Scraping DNS records with BlueDanube
DNS is the heart of all things on the internet. It is the system that lets us type in amazon.com rather than 18.104.22.168 to do our shopping, and makes it much easier for us to find Google than if we had to remember it as 22.214.171.124. This is not going to be a post on how DNS works; there are many explanations of it online already. This post is about how to use the vast amount of data held in DNS records to help with all sorts of things.
We have created a lot of tools in-house to help us with our penetration and ethical hacking assessments. As these tools are updated and improved, we try to release the original version, where possible, to help other companies perform their work faster and more thoroughly. It's part of our Go-Giver philosophy within Cygenta.
This week we have released BlueDanube, a tool written to query and scrape DNS records on a mass scale. We shall get on to some of the findings we can release publicly in a minute, but for now let's look at the tool and some of the real-world uses for it.
BlueDanube, as some of you may recognise, is the name of a waltz written by Strauss and made famous by being used as the docking music in the brilliant computer game series Elite. However, BlueDanube was also the codename for the first working British Nuclear Hydrogen bomb, based on the physics package of Hurricane. It was not designed as a weapon but more of a science experiment, hence the name of the tool, which we first created to help with a specific issue and which has now found its own tree of software in-house to grow and change.
BlueDanube has helped Cygenta to provide invaluable information to our clients and to our internal teams on penetration assessments. Here are a few of the things you can use BlueDanube for:
1) domain reconnaissance - for example thesun.co.uk has the following domain listed in its records
archerfield.wearegifted.co.uk. 60 IN CNAME admin.wearegifted.co.uk.
It is absolutely the fastest way to find subdomains for your target.
2) you can work out name servers used by domains, particularly good if you want to try doing Zone Transfer testing, for example;
newportbeachca.gov. 60 IN NS ns1.cityofnewportbeach.net.
3) listing mailservers, find out who is running their own MX server, for example;
mowerphoto.com. 60 IN MX 0 mowerphoto.com.
4) find email addresses; self-explanatory really
5) IPv6 endpoints
cheetah3d.com. 60 IN AAAA 2a01:488:42:1000:53a9:1db0:4e:b113
6) Internal IP addresses
prometheusbooks.com. 60 IN NS 192.168.1.100.
Or find those that have broken their sites!
ci.salinas.ca.us. 60 IN A 192.168.0.12
ci.salinas.ca.us. 60 IN A 192.168.0.17
7) Technology stacks
critgames.com. 60 IN TXT "firebase=game-on-e543c"
There is a ton of other incredible information available in DNS records that we leave as an exercise for the reader.
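Seen from the zone owner's side, items 2 and 6 above are things to catch before someone else scrapes them. The following is an added example, not part of BlueDanube or the original post: it audits records in the same "name TTL class type rdata" layout for non-public addresses and for IP literals where a hostname is required. The example.com names and sample values are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample records in the layout shown above (not real scan output).
SAMPLE = """\
www.example.com. 60 IN A 93.184.216.34
intranet.example.com. 60 IN A 192.168.0.12
example.com. 60 IN NS 192.168.1.100.
example.com. 60 IN NS ns1.example.net.
vpn.example.com. 60 IN AAAA fd12:3456:789a::1
example.com. 60 IN MX 0 mail.example.com.
"""

def parse_record(line):
    """Split one presentation-format line into (name, ttl, class, type, rdata)."""
    parts = line.split(None, 4)
    if len(parts) != 5 or not parts[1].isdigit():
        return None  # blank, comment, or malformed line
    name, ttl, rclass, rtype, rdata = parts
    return name, int(ttl), rclass.upper(), rtype.upper(), rdata.strip()

def as_ip(token):
    """Return an ip_address if token is an IP literal (trailing dot allowed)."""
    try:
        return ipaddress.ip_address(token.rstrip("."))
    except ValueError:
        return None

def audit(zone_text):
    """Yield (name, type, rdata, reason) for records that leak internal detail."""
    for line in zone_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        name, _ttl, _cls, rtype, rdata = rec
        if rtype in ("A", "AAAA"):
            ip = as_ip(rdata)
            if ip is not None and not ip.is_global:
                yield name, rtype, rdata, "non-public address in address record"
        elif rtype in ("NS", "MX", "CNAME"):
            target = rdata.split()[-1]  # MX rdata is "<preference> <host>"
            ip = as_ip(target)
            if ip is not None:
                reason = "IP literal where a hostname is required"
                if not ip.is_global:
                    reason += " (non-public address)"
                yield name, rtype, rdata, reason

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

TXT records are not inspected here; values such as the firebase token in item 7 need their own review.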
Cygenta maintains a live record set of over 10 million domains, resulting in gigabytes of text kept in a MySQL database for easy querying. We have found some interesting statistics and lists from this vast swathe of data.
For example, out of those 10 million domains, 663,525 unique name servers are in use, and we also see 2,164,306 unique mail servers in use across the web. Many domains have internal IP addresses as their A record, and for IPv6 we can see almost 500,000 addresses in use. We even found a few .onion addresses revealing some Tor endpoints.
Go and try it out and let us know what you find on Twitter @CygentaHQ.