mdaxfr

- Mass DNS AXFR
git clone git://git.acid.vegas/mdaxfr.git
Log | Files | Refs | Archive | README | LICENSE

commit 4c8ac71c62619d3d7ab276f82b859d5b737a64ea
parent 8d0b01e7aade347151f2fd3c3bfec3f2a78df987
Author: acidvegas <acid.vegas@acid.vegas>
Date: Sat, 9 Mar 2024 15:05:52 -0500

dAXFR script now can read AXFR output logs and perform an AXFR on all unique domains found. Added a weird ICANN AXFR script.

Diffstat:
Mextras/daxfr | 77+++++++++++++++++++++++++++++++++++++++++++++++++++++------------------------
Aextras/icann_axfr | 30++++++++++++++++++++++++++++++

2 files changed, 83 insertions(+), 24 deletions(-)

diff --git a/extras/daxfr b/extras/daxfr
@@ -1,40 +1,69 @@
 #!/bin/sh
 # Domain AXFR - developed by acidvegas (https://git.acid.vegas/mdaxfr)
 # This one will take a domain as an argument and attempt to perform an AXFR against all of the nameservers for that domain.
+# You can also pass an AXFR output file as an argument to attempt AXFR against all of the unique domains found in the file.
 
 # Colors
+BLUE="\033[1;34m"
 CYAN="\033[1;36m"
-YELLOW="\033[1;33m"
-RED="\033[1;31m"
 GREEN="\033[1;32m"
-RESET="\033[0m"
 GREY="\033[1;90m"
+PURPLE='\033[0;35m'
+RED="\033[1;31m"
+YELLOW="\033[1;33m"
+RESET="\033[0m"
 
-domain="$1" # base domain only, no http, https, or www (can have a subdomain though)
+# Globals
+output_dir="daxfrout"
 
-[ -z "$domain" ] && echo "Invalid URL. Exiting." && exit 1
+perform_axfr() {
+    domain=$1
+    ns=$2
+    ip=$3
 
-echo "${YELLOW}Attempting AXFR against ${domain}...${RESET}"
+    echo "${YELLOW}Attempting AXFR for ${CYAN}${domain}${YELLOW} from ${PURPLE}${ns} ${GREY}(${ip})${RESET}"
 
-nameservers=$(dig NS +short "$domain")
+    axfr_output=$(dig +retry=3 +time=10 @$ip AXFR $domain)
+    axfr_status=$?
 
-[ -z "$nameservers" ] && echo "${GREY}No nameservers found for ${domain}${RESET}" && exit 1
+    if [ $axfr_status -eq 0 ] && echo "$axfr_output" | grep -q "XFR size: "; then
+        echo "$axfr_output" > "${output+dir}/axfr-${domain}_${ns}_${ip}.txt"
+        size=$(echo "$axfr_output" | awk '/XFR size:/ {print $4}')
+        echo "${GREEN}Successful AXFR for ${CYAN}${domain}${GREEN} from ${PURPLE}${ns} ${GREY}(${ip}) ${BLUE}[${size} records]${RESET}"
+    else
+        echo "${RED}    Failed AXFR for ${CYAN}${domain}${RED} from ${PURPLE}${ns} ${GREY}(${ip})${RESET}"
+    fi
+}
+
+process_domain() {
+    domain=$1
+    nameservers=$(dig +short +retry=3 +time=10 $domain NS)
+
+    [ -z "$nameservers" ] && echo "${GREY}No nameservers found for ${CYAN}${domain}{$RESET}" && return
+
+    for ns in $nameservers; do
+        ns=$(echo "$ns" | sed 's/\.$//')
+        ns_ip=$(host $ns | awk '/has (IPv6 )?address/ { print $NF }')
+
+        [ -z "$ns_ip" ] && echo "${GREY}No IP addresses found for nameserver ${PURPLE}${ns}${GREY} under ${CYAN}${domain}{RESET}" && continue
+
+        for ip in $ns_ip; do
+            perform_axfr "$domain" "$ns" "$ip"
+        done
+    done
+}
 
-echo "$nameservers" | while read -r ns; do
-    ns=$(echo "$ns" | sed 's/\.$//')
-    ips=$(host "$ns" | awk '/has address/ { print $4 }')
+[ $# -eq 0 ] && echo "Usage: $0 <domain> or <path_to_axfr_output>" && exit 1
 
-    [ -z "$ips" ] && echo "${GREY}No IP addresses found for nameserver $ns under ${domain}. Skipping...${RESET}" && continue
+mkdir -p $output_dir
 
-    echo "$ips" | while read -r ip; do
-        axfr_output=$(dig @$ip AXFR "$domain")
-        if echo "$axfr_output" | grep -q "Transfer failed."; then
-            echo "${RED}AXFR attempt from $ip ($ns) on ${domain} was not successful.${RESET}"
-        elif echo "$axfr_output" | grep -q "IN"; then
-            echo "${GREEN}Successful AXFR from $ip ($ns) on on ${domain}:${RESET}"
-            echo "${CYAN}$axfr_output${RESET}"
-        else
-            echo "${RED}AXFR attempt from $ip ($ns) on on ${domain} was not successful.${RESET}"
-        fi
+if [ -f "$1" ]; then
+    root=$(grep -m1 '^; <<>> DiG' $1 | awk '{print $(NF-1)}') # Get the root domain from the dig output
+    domains=$(grep -a $'\t'IN$'\t'NS$'\t' "$1" | awk '{print $1}' | sort -u | sed 's/\.$//' | grep -v "^$root\.$") # Get the unique domains from the dig output (excluding the root domain)
+    
+    for domain in $domains; do
+        process_domain $domain
     done
-done
-\ No newline at end of file
+else
+    process_domain $1
+fi
+\ No newline at end of file
diff --git a/extras/icann_axfr b/extras/icann_axfr
@@ -0,0 +1,30 @@
+#!/bin/sh
+# ICANN AXFR - developed by acidvegas (https://git.acid.vegas/mdaxfr)
+
+# Notes: None of these nameservers show in an NS lookup for the zone, but they do respond to AXFR (https://www.dns.icann.org/services/axfr/)
+nameservers="lax.xfr.dns.icann.org iad.xfr.dns.icann.org"
+zones_served=". in-addr.arpa. arpa. root-servers.net. ipv4only.arpa. ip6.arpa. ip6-servers.arpa. mcast.net."
+
+output_dir="output/icann_axfr"
+
+mkdir -p $output_dir
+
+for zone in $zones_served; do
+    for ns in $nameservers; do
+        ips=$(host $ns | awk '/has (IPv6 )?address/ { print $NF }')
+        for ip in $ips; do
+            echo "Attempting AXFR for $zone from $ns ($ip)"
+            dig @$ip $zone AXFR > $output_dir/$zone.$ns.$ip.txt
+        done
+    done
+done
+
+for i in seq 224 239; do
+    for ns in $nameservers; do
+        ips=$(host $ns | awk '/has (IPv6 )?address/ { print $NF }')
+        for ip in $ips; do
+            echo "Attempting AXFR for $zone from $ns ($ip)"
+            dig @$ip $i.in-addr.arpa. AXFR > $output_dir/$i.in-addr.arpa.$ns.$ip.txt
+        done
+    done
+done