Just a quick glance at the domain_analyzer script from Sebastián García and Verónica Valeros. “Domain analyzer is a security analysis tool which automatically discovers and reports information about the given domain. Its main purpose is to analyze domains in an unattended way.” Nice one. If you’re running your own DNS servers, you can use it to check, e.g., whether your firewall rules are correct (the tool scans your name servers with Nmap) or whether you are correctly refusing zone transfers, etc.
Installation
Domain Analyzer is written in Python. I am using it on an Ubuntu server, where the following commands install the required packages and fetch the tool:
sudo apt-get install python-dnspython python-geoip nmap
git clone https://github.com/eldraco/domain_analyzer.git
cd domain_analyzer/
Quite easy.
Basic Usage Example
The tool provides many different options. For a basic test I am using only the --domain <domain> option and --not-common-hosts-names to limit the noise (since I am merely interested in the name servers themselves). The output is colored, which makes it easier to read. Following are two output examples for my own zone weberdns.de, which I tested from two different hosts.
The first test was from a normal PC through the Internet. Hence no zone transfer was possible (see the “Checking the zone transfer” lines in the output) and only port 53 was discovered:
weberjoh@jw-vm09-nmap:~/domain_analyzer$ sudo ./domain_analyzer.py --domain weberdns.de --not-common-hosts-names
+----------------------------------------------------------------------+
| ./domain_analyzer.py Version 0.8.2                                   |
| This program is free software; you can redistribute it and/or modify |
| it under the terms of the GNU General Public License as published by |
| the Free Software Foundation; either version 2 of the License, or    |
| (at your option) any later version.                                  |
|                                                                      |
| Author: Garcia Sebastian, eldraco@gmail.com                          |
| Author: Veronica Valeros, vero.valeros@gmail.com                     |
| www.mateslab.com.ar - Argentina                                      |
+----------------------------------------------------------------------+
Domains still to check: 1
Checking if the hostname weberdns.de. given is in fact a domain...
Analyzing domain: weberdns.de.
Checking NameServers using system default resolver...
    IP: 213.61.29.182 (Germany) HostName: ns2.weberdns.de Type: NS
    IP: 193.24.225.53 (Germany) HostName: ns3.weberdns.de Type: NS
    IP: 87.190.30.114 (Germany) HostName: ns1.weberdns.de Type: NS
Checking MailServers using system default resolver...
    IP: 87.190.30.115 (Germany) HostName: mail.weberdns.de Type: MX
Checking the zone transfer for each NS... (if this takes more than 10 seconds, just hit CTRL-C and it will continue. Bug in the libs)
    No zone transfer found on nameserver 87.190.30.114
    No zone transfer found on nameserver 213.61.29.182
    No zone transfer found on nameserver 193.24.225.53
Checking SPF record...
    No SPF record
Checking 0 most common hostnames using system default resolver...
Checking with nmap the reverse DNS hostnames of every <ip>/24 netblock using system default resolver...
    Checking netblock 87.190.30.0
    Checking netblock 213.61.29.0
    Checking netblock 193.24.225.0
Searching for weberdns.de. emails in Google
Checking 4 active hosts using nmap... (nmap -sn -n -v -PP -PM -PS80,25 -PA -PY -PU53,40125 -PE --reason <ip> -oA <output_directory>/nmap/<ip>.sn)
    Host 87.190.30.114 is up (echo-reply ttl 56)
    Host 213.61.29.182 is up (echo-reply ttl 56)
    Host 87.190.30.115 is up (echo-reply ttl 56)
    Host 193.24.225.53 is up (echo-reply ttl 56)
Checking ports on every active host using nmap... (nmap -O --reason --webxml --traceroute -sS -sV -sC -Pn -n -v -F <ip> -oA <output_directory>/nmap/<ip>)
    Scanning ip 87.190.30.114 (ns1.weberdns.de):
        22/tcp open ssh? syn-ack ttl 56
        53/tcp open domain syn-ack ttl 56 ISC BIND 9.10.3-P4-Ubuntu
        | dns-nsid:
        |_ bind.version: 9.10.3-P4-Ubuntu
    Scanning ip 213.61.29.182 (ns2.weberdns.de):
        53/tcp open domain syn-ack ttl 56 ISC BIND 9.10.3-P4-Ubuntu
        | dns-nsid:
        |_ bind.version: 9.10.3-P4-Ubuntu
        Running: Linux 3.X|4.X
    Scanning ip 87.190.30.115 (mail.weberdns.de):
        25/tcp open tcpwrapped syn-ack ttl 56
        |_smtp-commands: Couldn't establish connection on port 25
    Scanning ip 193.24.225.53 (ns3.weberdns.de):
        53/tcp open domain syn-ack ttl 56 ISC BIND 9.10.3-P4-Ubuntu
        | dns-nsid:
        |_ bind.version: 9.10.3-P4-Ubuntu
        Running (JUST GUESSING): Linux 3.X|4.X (92%)
WebCrawling domain's web servers... up to 50 max links.
--Finished--
Summary information for domain weberdns.de.
-----------------------------------------
Domain Ips Information:
    IP: 87.190.30.114 HostName: ns1.weberdns.de Type: NS Country: Germany Is Active: True (echo-reply ttl 56)
        Port: 22/tcp open ssh? syn-ack ttl 56
        Port: 53/tcp open domain syn-ack ttl 56 ISC BIND 9.10.3-P4-Ubuntu
            Script Info: | dns-nsid:
            Script Info: |_ bind.version: 9.10.3-P4-Ubuntu
    IP: 213.61.29.182 HostName: ns2.weberdns.de Type: NS Country: Germany Is Active: True (echo-reply ttl 56)
        Port: 53/tcp open domain syn-ack ttl 56 ISC BIND 9.10.3-P4-Ubuntu
            Script Info: | dns-nsid:
            Script Info: |_ bind.version: 9.10.3-P4-Ubuntu
            Script Info: Running: Linux 3.X|4.X
    IP: 87.190.30.115 HostName: mail.weberdns.de Type: MX Country: Germany Is Active: True (echo-reply ttl 56)
        Port: 25/tcp open tcpwrapped syn-ack ttl 56
            Script Info: |_smtp-commands: Couldn't establish connection on port 25
    IP: 193.24.225.53 HostName: ns3.weberdns.de Type: NS Country: Germany Is Active: True (echo-reply ttl 56)
        Port: 53/tcp open domain syn-ack ttl 56 ISC BIND 9.10.3-P4-Ubuntu
            Script Info: | dns-nsid:
            Script Info: |_ bind.version: 9.10.3-P4-Ubuntu
            Script Info: Running (JUST GUESSING): Linux 3.X|4.X (92%)
--------------End Summary --------------
-----------------------------------------
In order to see some differences I tested it from an internal workstation, to which other firewall rules apply. Hence port 22 (SSH) was reachable this time, while zone transfers were still not allowed, which is correct:
weberjoh@nb15-lx:~/domain_analyzer$ sudo ./domain_analyzer.py --domain weberdns.de --not-common-hosts-names
+----------------------------------------------------------------------+
| ./domain_analyzer.py Version 0.8.1                                   |
| This program is free software; you can redistribute it and/or modify |
| it under the terms of the GNU General Public License as published by |
| the Free Software Foundation; either version 2 of the License, or    |
| (at your option) any later version.                                  |
|                                                                      |
| Author: Garcia Sebastian, eldraco@gmail.com                          |
| Author: Veronica Valeros, vero.valeros@gmail.com                     |
| www.mateslab.com.ar - Argentina                                      |
+----------------------------------------------------------------------+
Domains still to check: 1
Checking if the hostname weberdns.de given is in fact a domain...
Analyzing domain: weberdns.de
Checking NameServers using system default resolver...
    IP: 87.190.30.114 (Germany) HostName: ns1.weberdns.de Type: NS
    IP: 213.61.29.182 (Germany) HostName: ns2.weberdns.de Type: NS
    IP: 193.24.225.53 (Germany) HostName: ns3.weberdns.de Type: NS
Checking MailServers using system default resolver...
    IP: 87.190.30.115 (Germany) HostName: mail.weberdns.de Type: MX
Checking the zone transfer for each NS... (if this takes more than 10 seconds, just hit CTRL-C and it will continue. Bug in the libs)
    No zone transfer found on nameserver 193.24.225.53
    No zone transfer found on nameserver 213.61.29.182
    No zone transfer found on nameserver 87.190.30.114
Checking SPF record...
    No SPF record
Checking 0 most common hostnames using system default resolver...
Checking with nmap the reverse DNS hostnames of every <ip>/24 netblock using system default resolver...
    Checking netblock 193.24.225.0
    Checking netblock 213.61.29.0
    Checking netblock 87.190.30.0
Searching for weberdns.de emails in google
Checking 4 active hosts using nmap... (nmap -sn -n -v -PP -PM -PS80,25 -PA -PY -PU53,40125 -PE --reason <ip> -oA <output_directory>/nmap/<ip>.sn)
    Host 193.24.225.53 is up (reset ttl 56)
    Host 213.61.29.182 is up (udp-response ttl 56)
    Host 87.190.30.115 is down
    Host 87.190.30.114 is up (echo-reply ttl 63)
Checking ports on every active host using nmap... (nmap -O --reason --webxml --traceroute -sS -sV -sC -Pn -n -v -F <ip> -oA <output_directory>/nmap/<ip>)
    Scanning ip 193.24.225.53 (ns3.weberdns.de):
        22/tcp open ssh syn-ack ttl 56 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
        | ssh-hostkey:
        |   2048 fd:19:2e:cd:87:c0:10:ed:91:72:3e:95:9a:97:fb:9e (RSA)
        |_  256 e8:a4:7d:b6:00:9b:ef:21:08:d4:61:43:78:85:6a:b3 (ECDSA)
        53/tcp open domain syn-ack ttl 56 ISC BIND 9.10.3-P4-Ubuntu
        | dns-nsid:
        |_ bind.version: 9.10.3-P4-Ubuntu
        Running: Linux 3.X|4.X
        OS Info: Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    Scanning ip 213.61.29.182 (ns2.weberdns.de):
        22/tcp open ssh syn-ack ttl 56 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
        | ssh-hostkey:
        |   2048 9d:7d:ac:7c:6f:87:4b:0b:c9:c0:8d:3d:23:f0:91:53 (RSA)
        |_  256 b1:0d:bb:18:89:9b:81:39:64:7b:3e:da:02:8d:41:9f (ECDSA)
        53/tcp open domain syn-ack ttl 56 ISC BIND 9.10.3-P4-Ubuntu
        | dns-nsid:
        |_ bind.version: 9.10.3-P4-Ubuntu
        Running: Linux 3.X|4.X
        OS Info: Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    Scanning ip 87.190.30.114 (ns1.weberdns.de):
        22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
        | ssh-hostkey:
        |   2048 db:fd:66:4e:4d:b3:e6:bc:33:9d:97:14:b1:95:7c:81 (RSA)
        |_  256 1f:25:ff:70:7d:6e:a6:63:6f:a5:44:e1:29:eb:dc:7d (ECDSA)
        53/tcp open domain syn-ack ttl 63 ISC BIND 9.10.3-P4-Ubuntu
        | dns-nsid:
        |_ bind.version: 9.10.3-P4-Ubuntu
        OS Info: Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
WebCrawling domain's web servers... up to 50 max links.
--Finished--
Summary information for domain weberdns.de
-----------------------------------------
Domain Ips Information:
    IP: 193.24.225.53 HostName: ns3.weberdns.de Type: NS Country: Germany Is Active: True (reset ttl 56)
        Port: 22/tcp open ssh syn-ack ttl 56 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
            Script Info: | ssh-hostkey:
            Script Info: |   2048 fd:19:2e:cd:87:c0:10:ed:91:72:3e:95:9a:97:fb:9e (RSA)
            Script Info: |_  256 e8:a4:7d:b6:00:9b:ef:21:08:d4:61:43:78:85:6a:b3 (ECDSA)
        Port: 53/tcp open domain syn-ack ttl 56 ISC BIND 9.10.3-P4-Ubuntu
            Script Info: | dns-nsid:
            Script Info: |_ bind.version: 9.10.3-P4-Ubuntu
            Script Info: Running: Linux 3.X|4.X
        Os Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    IP: 213.61.29.182 HostName: ns2.weberdns.de Type: NS Country: Germany Is Active: True (udp-response ttl 56)
        Port: 22/tcp open ssh syn-ack ttl 56 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
            Script Info: | ssh-hostkey:
            Script Info: |   2048 9d:7d:ac:7c:6f:87:4b:0b:c9:c0:8d:3d:23:f0:91:53 (RSA)
            Script Info: |_  256 b1:0d:bb:18:89:9b:81:39:64:7b:3e:da:02:8d:41:9f (ECDSA)
        Port: 53/tcp open domain syn-ack ttl 56 ISC BIND 9.10.3-P4-Ubuntu
            Script Info: | dns-nsid:
            Script Info: |_ bind.version: 9.10.3-P4-Ubuntu
            Script Info: Running: Linux 3.X|4.X
        Os Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    IP: 87.190.30.115 HostName: mail.weberdns.de Type: MX Country: Germany Is Active: False
    IP: 87.190.30.114 HostName: ns1.weberdns.de Type: NS Country: Germany Is Active: True (echo-reply ttl 63)
        Port: 22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
            Script Info: | ssh-hostkey:
            Script Info: |   2048 db:fd:66:4e:4d:b3:e6:bc:33:9d:97:14:b1:95:7c:81 (RSA)
            Script Info: |_  256 1f:25:ff:70:7d:6e:a6:63:6f:a5:44:e1:29:eb:dc:7d (ECDSA)
        Port: 53/tcp open domain syn-ack ttl 63 ISC BIND 9.10.3-P4-Ubuntu
            Script Info: | dns-nsid:
            Script Info: |_ bind.version: 9.10.3-P4-Ubuntu
        Os Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
--------------End Summary --------------
-----------------------------------------
Of course you can read out much more info than this, for example the server versions such as BIND 9.10.3-P4-Ubuntu, e-mail addresses found via Google, other active hosts on the subnets, the GeoIP countries where the servers reside, and much more. You should definitely give it a try!
(Note that domain_analyzer currently supports only legacy IP and not IPv6. But I already requested that feature. ;)) Cheers.
Featured image “Mikroskop” by Dirk Vorderstraße is licensed under CC BY 2.0.
You made it an easy tutorial and it is very easy to understand and play with on the server.