Extension Brute Forcing 

So I have written a normal DNS brute-forcing tool a few times before. However, I had yet to write an extension (TLD) brute-force tool, so I wrote one.

http://spl0it.org/files/ext_brutedns.pl

$ perl ext_brutedns.pl -d google.com
google.com 64.233.167.99
google.net 64.233.167.99
google.org 72.14.207.104
google.co.uk 66.249.93.104
google.de 216.239.59.104
google.info 66.249.93.104
google.tv 72.14.207.104
google.biz 72.14.207.104
google.cc 72.14.207.104
google.cn 64.233.161.99
google.name 193.109.220.143
google.us 64.233.161.104
google.la 64.233.161.104


I have also added a module to do this to the next version of Fierce!

Net-Whois-ARIN - Bug + Patch 

I was working on a WhoisLookup module for Fierce tonight. I got it working, but there was a minor issue with returning elements that were not defined. If one of the elements of the query was not defined, the module croaked with an "undefined" message from inside AUTOLOAD.

I fixed this by having AUTOLOAD return undef for such elements instead of croaking.

http://rt.cpan.org/Ticket/Display.html?id=31839

And here is an example that demonstrates the bug:

#!/usr/bin/perl -w
#
# Net::Whois::ARIN undefined / undef bug
#
# Joshua D. Abraham < jabra@spl0it.org >
# Sun Dec 23 23:53:48 EST 2007
#
use strict;
use Socket qw(inet_aton inet_ntoa);
use Net::Whois::ARIN;

my $w = Net::Whois::ARIN->new(
    host    => 'whois.arin.net',
    port    => 43,
    timeout => 30,
);

# network() wants a dotted-quad string, so resolve the name first
# (gethostbyname in list context would hand network() the whole hostent list)
my $ip = inet_ntoa( inet_aton('google.com') );

my @output = $w->network($ip);
foreach my $net (@output) {
    # Every accessor below is generated by AUTOLOAD. With the unpatched
    # module, a field that is absent from the whois reply croaks inside
    # AUTOLOAD, so the defined() guards never get a chance to run.
    print "OrgName is " . $net->OrgName . "\n"       if ( defined( $net->OrgName ) );
    print "NetHandle is " . $net->NetHandle . "\n"   if ( defined( $net->NetHandle ) );
    print "NetRange is " . $net->NetRange . "\n"     if ( defined( $net->NetRange ) );
    print "NameServer is " . $net->NameServer . "\n" if ( defined( $net->NameServer ) );
}
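To see the two behaviours side by side without talking to whois.arin.net, here is an added example (not Net::Whois::ARIN's own code) with two tiny record classes whose AUTOLOAD generates field accessors: Buggy::Record croaks on a missing field, Fixed::Record returns undef so the caller's defined() check works. The class names and the record contents are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Carp;

# Behaviour of the unpatched module: any field the reply did not
# contain dies inside AUTOLOAD before the caller can test it.
package Buggy::Record;
our $AUTOLOAD;
sub new { my ( $class, %f ) = @_; return bless {%f}, $class }
sub AUTOLOAD {
    my $self = shift;
    ( my $field = $AUTOLOAD ) =~ s/.*:://;
    return if $field eq 'DESTROY';    # never croak on object teardown
    Carp::croak("undefined field $field") unless defined $self->{$field};
    return $self->{$field};
}

# Behaviour after the fix: a missing field simply comes back as undef.
package Fixed::Record;
our $AUTOLOAD;
sub new { my ( $class, %f ) = @_; return bless {%f}, $class }
sub AUTOLOAD {
    my $self = shift;
    ( my $field = $AUTOLOAD ) =~ s/.*:://;
    return if $field eq 'DESTROY';
    return $self->{$field};
}

package main;

# constructed sample: a network record that has no NameServer line
my %net = ( OrgName => 'Example Org', NetRange => '192.0.2.0 - 192.0.2.255' );

my $bug = Buggy::Record->new(%net);
print "OrgName is ", $bug->OrgName, "\n";
eval { $bug->NameServer };           # dies inside AUTOLOAD
print "buggy module: $@" if $@;

my $ok = Fixed::Record->new(%net);
print "NetRange is " . $ok->NetRange . "\n"     if defined $ok->NetRange;
print "NameServer is " . $ok->NameServer . "\n" if defined $ok->NameServer;
print "fixed module: NameServer is simply undef\n" unless defined $ok->NameServer;
```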


Writing a PingScan Module 

I was working on a PingScan module for Fierce 2.0 tonight. I have used Nmap::Parser in the past, which made this easier.

package PingScan;
{
    use Object::InsideOut;
    use Nmap::Parser;

    # execute: Iprange -> Output(Array)
    # Run an nmap ping scan over the ranges held by the Iprange object
    # and return the IPs that answered, one per output line.
    sub execute {
        my ( $self, $iprange_obj ) = @_;
        my $iprange   = $iprange_obj->iprange;    # array ref of targets
        my $np        = Nmap::Parser->new;
        my $nmap_path = "nmap";
        my $args      = "-sP";                    # ping scan (newer nmap spells it -sn)
        my @output;
        push( @output, "\nTrying to find IPs that respond to ping...\n" );
        # parsescan runs nmap with XML output and parses the result in place
        $np->parsescan( $nmap_path, $args, @$iprange );
        for my $host ( $np->get_ips('up') ) {
            push( @output, "\t$host\n" );
        }
        return @output;
    }
}
1;
Simple enough, right? Then we can write the following code using it:

my $ips       = Iprange->new( 'iprange' => ["192.168.1.0/24"], );
my $ping_scan = PingScan->new();
my @output    = $ping_scan->execute($ips);

The @output array contains the output. Here is an example:
Trying to find IPs that respond to ping...
192.168.1.1
192.168.1.50
192.168.1.60

Starting a modular version of Fierce 

I sat down tonight and built a solid foundation for the next version of Fierce. For the first time in a long time I'm not going to post the code, but I will say that things are *MOVING* along very nicely.

Here is a snippet of the code:
my $bf = BruteForceDNS->new(
    'prefix_list'    => \@prefix_list,
    'max_bruteforce' => $max_bruteforce,
);
my @bf_output = $bf->execute($domain);

my $wild_card = CheckWildCard->new();
my @wildcard_output = $wild_card->execute($domain);

my $reverse_lookup = ReverseLookup->new();
my @reverse_output = $reverse_lookup->execute($domain);

my $find_mx = FindMX->new();
my @findmx_output = $find_mx->execute($domain);


Having taken Software Development, I wrote my tests!

% prove -vl t/domain.t
t/domain....#
# t::Test::Domain->fields
ok 1 - domain1
ok 2 - domain2
ok 3 - domain3
ok 4 - Google - BruteForce
ok 5 - Google - BruteForce output > 2
ok 6 - Aol - BruteForce
ok 7 - Aol - BruteForce output > 2
ok 8 - Google - ZoneTranfer trying Servers for Google
ok 9 - Google - ZoneTranfer failed
ok 10 - Google - CheckWildcard failed
ok 11 - Aol - CheckWildcard failed
ok 12 - Google - Trying ReverseLookup
ok 13 - Google - CheckWildcard output > 2
ok 14 - Google - Trying FindMX
ok 15 - Google - FindMX output > 2
1..15
ok
All tests successful.
Files=1, Tests=15, 11 wallclock secs ( 0.40 cusr + 0.06 csys = 0.46 CPU)


More Work on Fierce  

So I sat down tonight and added some more functionality to Fierce. I added the ability to determine all the IPs for a CNAME by doing a reverse lookup. When RSnake and I went to confirm that things were working, there were some funky issues with the results.

Here is a small example:

Results from one location:

www.google.com alias www.l.google.com
www.l.google.com address 64.233.169.99
www.l.google.com address 64.233.169.147
www.l.google.com address 64.233.169.104
www.l.google.com address 64.233.169.103

Results from another location:

www.google.com alias www.l.google.com
www.l.google.com address 74.125.47.147
www.l.google.com address 74.125.47.103
www.l.google.com address 74.125.47.99
www.l.google.com address 74.125.47.104

The reason for this is that the hosting for Google is done with Akamai, which gives different results depending on the physical location of the resolver. This behaviour is correct, but it is a bit strange at first.

The code is included in version 1.0.1 of Fierce, which can be found at http://ha.ckers.org/fierce

The coding rampage continues!

Security + Perl = 0wnz!
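The two lookups from the Extension Brute Forcing post and this one, written as an added Net::DNS example that is not Fierce's own code: it takes one base name across a list of TLDs, prints CNAME aliases and A records in the host-style lines shown above, and reverse-looks-up each address. It assumes Net::DNS is installed and the network is reachable; the base name and TLD list are constructed sample input, and as the post explains the address set for a CDN-fronted name depends on where the query is answered from.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::DNS;

my $res = Net::DNS::Resolver->new;

# constructed sample input: one base name across a few TLDs
my $base = 'google';
my @tlds = qw(com net org co.uk de);

# Resolve $name, follow the CNAME chain the answer section carries,
# and return host-style lines: "alias", "address" and "pointer".
sub lookup_chain {
    my ($name) = @_;
    my @lines;
    my $reply = $res->send( $name, 'A' ) or return @lines;
    for my $rr ( $reply->answer ) {
        if ( $rr->type eq 'CNAME' ) {
            push @lines, sprintf "%s alias %s", $rr->name, $rr->cname;
        }
        elsif ( $rr->type eq 'A' ) {
            my $ip = $rr->address;
            push @lines, sprintf "%s address %s", $rr->name, $ip;
            # reverse lookup: Net::DNS turns a dotted quad into the
            # matching in-addr.arpa PTR query for us
            my $ptr = $res->send( $ip, 'PTR' );
            next unless $ptr;
            for my $p ( grep { $_->type eq 'PTR' } $ptr->answer ) {
                push @lines, sprintf "%s pointer %s", $ip, $p->ptrdname;
            }
        }
    }
    return @lines;
}

for my $tld (@tlds) {
    my $name  = "$base.$tld";
    my @lines = lookup_chain($name);
    my $out   = @lines ? join( "\n", @lines ) . "\n" : "$name did not resolve\n";
    print $out;
}
```

Running it from two networks and diffing the "address" lines shows the location-dependent answers described in the post.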

