DNS Probing Module
idealeer opened this issue · comments
Help
Type xmap -4 -h -M dnsx -O json to show the help information.

This module sends out DNS queries and parses basic responses. By default, the module performs an A record lookup for www.qq.com. You can specify other queries using the --probe-args argument in the form label_type:input_src:type,query;type,query, e.g., raw:text:A,qq.com;NS,qq.com. The module supports sending the following types of queries: A, NS, CNAME, SOA, PTR, MX, TXT, AAAA, RRSIG, ANY, SIG, SRV, DS, DNSKEY, TLSA, SVCB, HTTPS, CAA, and HTTPSSVC. The module will accept and attempt to parse all DNS responses. There is currently support for parsing out full data from A, NS, CNAME, MX, TXT, and AAAA. Any other types will be output in raw form.

Query format: label_type:recurse:input_src:type,query;type,query
label_type: raw, str, time, random, dst-ip
- raw: do nothing to the query domain, e.g., qq.com
- str: add the 'str' subdomain www, e.g., www.qq.com
- time: add the s+μs subdomain, e.g., 1620027515-568043.qq.com
- random: add random subdomain lefzwnrq, e.g., lefzwnrq.qq.com
- dst-ip: add probe num + src ip, e.g., 1.1-2-3-4.qq.com
recurse: recurse, no-recurse
- recurse: recursive query
- no-recurse: non-recursive query
input_src: text, file
- text: like A,qq.com;AAAA,qq.com
- file: each line is like a text
type: A, NS, CNAME, SOA, PTR, MX, TXT, AAAA, RRSIG, ANY, SIG, SRV, DS, DNSKEY, TLSA, SVCB, HTTPS, CAA, and HTTPSSVC
query: A,qq.com;AAAA,qq.com
Examples:
--probe-args="raw/time/random:recurse/no-recurse:text:type,query"
--probe-args="raw/time/random:recurse/no-recurse:file:file_name"
--probe-args="str:SomeText:recurse/no-recurse:text:type,query"
--probe-args="str:SomeText:recurse/no-recurse:file:file_name"
--probe-args="dst-ip:recurse/no-recurse:text:type,query"
--probe-args="dst-ip:recurse/no-recurse:file:file_name"
Usage Examples
- Query qq.com A targeting 8.8.8.8:
  xmap -4 -x 32 -p 53 -M dnsx -O json --output-fields="*" --output-filter="success = 1 || success = 0" -P 1 --probe-args="raw:recurse:text:A,qq.com" -R 1000 -o result.txt 8.8.8.8
- Query qq.com A and baidu.com NS targeting 8.8.8.8:
  xmap -4 -x 32 -p 53 -M dnsx -O json --output-fields="*" --output-filter="success = 1 || success = 0" -P 2 --probe-args="raw:recurse:text:A,qq.com;NS,baidu.com" -R 1000 -o result.txt 8.8.8.8
- Query each domain from a domain.txt targeting all IPs from an ip.txt:
  xmap -4 -x 32 -p 53 -M dnsx -O json --output-fields="*" --output-filter="success = 1 || success = 0" -P domain_number --probe-args="raw:recurse:file:domain.txt" -R 1000 -o result.txt -I ip.txt

Note: Each line in domain.txt is in a form like A,qq.com, and -P domain_number is the number of domains.
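
A pre-flight check for a --probe-args string, written as an added example (not XMap's own code): it validates each field against the four-field "Query format" and the type list above, and returns the query count to pass to -P. The function names are hypothetical, and it assumes a file line may hold several ;-separated queries, as a text argument can.

```python
# Added example: validate an XMap dnsx --probe-args string before a scan.
# Grammar and type list come from the text above; all names are hypothetical.
LABEL_TYPES = {"raw", "str", "time", "random", "dst-ip"}
RECURSE = {"recurse", "no-recurse"}
INPUT_SRC = {"text", "file"}
QTYPES = {"A", "NS", "CNAME", "SOA", "PTR", "MX", "TXT", "AAAA", "RRSIG", "ANY",
          "SIG", "SRV", "DS", "DNSKEY", "TLSA", "SVCB", "HTTPS", "CAA", "HTTPSSVC"}


def parse_queries(text):
    """Split 'type,query;type,query' into [(type, name), ...]."""
    queries = []
    for item in filter(None, (p.strip() for p in text.split(";"))):
        qtype, sep, name = item.partition(",")
        if not sep or not name:
            raise ValueError(f"expected 'type,query', got {item!r}")
        if qtype not in QTYPES:
            raise ValueError(f"unsupported query type {qtype!r}")
        queries.append((qtype, name))
    return queries


def parse_probe_args(arg, file_lines=None):
    """Return the parsed fields plus 'probes', the value to pass to -P."""
    fields = arg.split(":")
    label = fields.pop(0)
    if label not in LABEL_TYPES:
        raise ValueError(f"unknown label_type {label!r}")
    # Only the 'str' label carries an extra field: the subdomain text.
    label_text = fields.pop(0) if label == "str" and fields else None
    if len(fields) < 3:
        raise ValueError("expected recurse:input_src:payload after label_type")
    recurse, src = fields[0], fields[1]
    payload = ":".join(fields[2:])  # a file name may itself contain ':'
    if recurse not in RECURSE:
        raise ValueError(f"unknown recurse flag {recurse!r}")
    if src not in INPUT_SRC:
        raise ValueError(f"unknown input_src {src!r}")
    if src == "text":
        queries = parse_queries(payload)
    else:
        # The caller passes the file's lines, so the check needs no disk access.
        queries = [q for line in (file_lines or []) if line.strip()
                   for q in parse_queries(line)]
    if not queries:
        raise ValueError("no queries given")
    return {"label_type": label, "label_text": label_text, "input_src": src,
            "recursive": recurse == "recurse", "queries": queries,
            "probes": len(queries)}
```

The three-field form shown in the help text (raw:text:A,qq.com;NS,qq.com) is rejected because it has no recurse field.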