pdknockr

- a passive dns drive-by tool 🏎️💨

commit 5c799ee239a2b2aa2d526a1d53e876416fe80f52
parent 7bd5e21828276cc19d3199b270f1559fcb7a3955
Author: acidvegas <acid.vegas@acid.vegas>
Date: Fri, 9 Feb 2024 11:35:03 -0500

Added --noise

Diffstat:
MREADME.md | 3++-
Mpdknockr.py | 22+++++++++++++---------
Avpn_dns.txt | 12++++++++++++

3 files changed, 27 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
@@ -26,8 +26,9 @@ This will return `151.202.0.84`, marking it as a DNS server that is actively log
 ## WORK IN PROGRESS (STAY TUNED)
 
 - [ ] Bind server running accepting wildcard DNS lookups on custom domain.
-- [ ] Hunt down specific DNS servers used by ISP's from an ASN lookup
+- [X] Hunt down specific DNS servers used by ISP's from an ASN lookup
 - [ ] Any way to apply this to custom DNS servers used by VPNs?
+- [ ] Noise generator to abuse known logging servers.
 
 This is all very theoretical right now, interested to see how this pans out.
 
diff --git a/pdknockr.py b/pdknockr.py
@@ -59,15 +59,18 @@ async def main(args):
     semaphore = asyncio.BoundedSemaphore(args.concurrency)
     tasks = []
 
-    for domain in args.domains.split(','):
-        for dns_server in dns_keys:
-            if len(tasks) < args.concurrency:
-                query_record = random.choice(args.rectype)
-                task = asyncio.create_task(dns_lookup(domain, dns_keys[dns_server], dns_server, query_record, args.timeout, semaphore))
-                tasks.append(task)
-            else:
-                done, pending = await asyncio.wait(tasks, return_when=asyncio.FIRST_COMPLETED)
-                tasks = list(pending)
+    while True:
+        for domain in args.domains.split(','):
+            for dns_server in dns_keys:
+                if len(tasks) < args.concurrency:
+                    query_record = random.choice(args.rectype)
+                    task = asyncio.create_task(dns_lookup(domain, dns_keys[dns_server], dns_server, query_record, args.timeout, semaphore))
+                    tasks.append(task)
+                else:
+                    done, pending = await asyncio.wait(tasks, return_when=asyncio.FIRST_COMPLETED)
+                    tasks = list(pending)
+        if not args.noise:
+            break
 
 
 
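Review bot: When `--noise` is set, the new `while True` simply re-sends the same `args.domains` names to every resolver with no delay, round cap or exit other than an interrupt, and nothing in the loop is randomised even though the flag is described as "random subdomain noise" — repeated identical queries will mostly be answered from the resolver's cache rather than reaching whatever upstream the tool is trying to provoke (that intent is inferred from the README line, not from the code). A per-query random label fixes that with `random` already in scope: `name = f'{random.randrange(16**8):08x}.{domain}' if args.noise else domain` and then `dns_lookup(name, dns_keys[dns_server], ...)`, and an `await asyncio.sleep(...)` at the end of each round would keep the tool from flooding the resolver list at full concurrency indefinitely. Whatever is still in `tasks` when `break` runs is not awaited inside the hunk; `main` starts before and continues after this hunk, so that may be handled below — worth confirming it is.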
@@ -83,6 +86,7 @@ if __name__ == '__main__':
     parser.add_argument('-r', '--resolvers', help='File containing list of DNS resolvers (uses public-dns.info if not specified)')
     parser.add_argument('-rt', '--rectype', default='A,AAAA', help='Comma-seperated list of  DNS record type (default: A)')
     parser.add_argument('-t', '--timeout', type=int, default=3, help='Timeout for DNS lookup (default: 3)')
+    parser.add_argument('-n', '--noise', action='store_true', help='Enable random subdomain noise')
     args = parser.parse_args()
 
     sh = logging.StreamHandler()
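Review bot: The help string for `-n/--noise` says "Enable random subdomain noise", but the loop it gates only repeats the configured domains against every resolver until the process is interrupted, with no randomisation and no delay; the text should say what the flag actually does so an operator knows it runs unbounded, e.g. `help='Re-run the full domain x resolver sweep indefinitely until interrupted (no delay between rounds)'`. The adjacent `--rectype` line also says "(default: A)" while the default is `'A,AAAA'` — pre-existing, but one edit away from being correct.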
diff --git a/vpn_dns.txt b/vpn_dns.txt
@@ -0,0 +1,12 @@
+103.86.96.100  # NordVPN
+103.86.99.100  # NordVPN
+104.223.91.194 # TorGuard
+104.223.91.210 # TorGuard
+35.170.152.112 # TorGuard
+34.228.48.172  # TorGuard
+
+https://mullvad.net/en/help/dns-over-https-and-dns-over-tls
+
+54.225.156.17 ns1.airvpn.org
+52.48.66.85   ns2.airvpn.org
+dig ANY earth.all.vpn.airdns.org @dns1.airvpn.org +short
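Review bot: vpn_dns.txt mixes three formats — `IP # comment`, a bare URL, and a `dig` command line — so it cannot be passed to `--resolvers` as-is if that loader reads one resolver per line (the loader is outside this diff; confirm). If the file is research notes rather than an input file, a first-line comment such as `# Scratch notes on VPN-provider resolvers; not a --resolvers input file` keeps someone from feeding it in and attempting lookups against `https://mullvad.net/...` as a host. Separately, `dig ANY` is refused or answered with a minimal synthesised record by many servers (RFC 8482), so that recorded command may not return the list it implies.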