dert 1.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 4c1b1ce81e63f6e8a3104b069a7a856caec7c954
+  data.tar.gz: bcdc9478389314610cbe928e02fa0547a2c05898
+SHA512:
+  metadata.gz: 56e24913f9651a1215325d6bc0f095b5da40eaca04053be545ea041a62b3540cfc80f1914d8171de10ede27ca3a06403639f7eb1c6a306d2747ad20ff0318667
+  data.tar.gz: 973bb735065cef74220a53dedfb536e54d63ba03c5cf77844e979dfe4ea4c450ec79a1f3d9d0acd5ffac9d0e243ba775b0c66dcccca8fd6e917c1ec8ed3caa76

data/.gitignore

@@ -0,0 +1,24 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log
+test/*.txt
+.idea/*

data/.ruby-gemset

@@ -0,0 +1 @@
+dert

data/.ruby-version

@@ -0,0 +1 @@
+ruby-2.1.2

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in dert.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Coleton Pierson
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,39 @@
+# Dert
+
+Tool used to enumerate hosts and domains for reconnaissance during a penetration test.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'dert'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install dert
+
+## Usage
+
+    require 'dert'
+
+    Dert.run(options)
+
+or
+
+    cd bin
+
+    chmod +x ./dert
+
+    ./dert
+
+## Contributing
+
+1. Fork it ( https://github.com/coleton/dert/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,2 @@
+require "bundler/gem_tasks"
+

data/bin/dert

@@ -0,0 +1,73 @@
+#!/usr/bin/env ruby
+###########################################################################
+# Author:                                                 Coleton Pierson #
+# Company:                                                     Praetorian #
+# Date:                                                    August 7, 2014 #
+# Project:                 DERT - DNS Enumeration and Reconnaissance Tool #
+# Description:                  Small DNS Recon tool created to integrate #
+#                               into Project Mercury.                     #
+###########################################################################
+path = File.dirname(__FILE__)
+require 'optparse'
+require 'dert'
+
+if __FILE__ == $0
+  options = {}
+
+  optparse = OptionParser.new do|opts|
+
+    # Banner
+    opts.banner = "Usage: #{File.basename($0)} [options]"
+
+    # Options
+    the_break = "\n\t\t\t\t\t"
+    dns_string = ''
+    dns_string = dns_string + the_break + 'ARIN: "arin"'
+    dns_string = dns_string + the_break + 'AXFR: "zonetransfer"'
+    dns_string = dns_string + the_break + 'BRT: "ipv4 bruteforce (A records)"'
+    dns_string = dns_string + the_break + 'IPV6: "ipv6 bruteforce (AAAA records)"'
+    dns_string = dns_string + the_break + 'RVL: "rvl (PRT records)"'
+    dns_string = dns_string + the_break + 'SRV: "srv (SRV records)"'
+    dns_string = dns_string + the_break + 'STD: "std (SOA, A, MX, NS, TXT records)"'
+    dns_string = dns_string + the_break + 'TDL: "tdl (Bruteforce, A records)"'
+    opts.on( '-e enumeration', '--enumeration type', String, 'DNS Enumeration Types:' + dns_string) do |type|
+      options[:type] = type
+    end
+
+    opts.on( '-t thread', '--thread number', Integer, 'Number of threads') do |thread|
+      options[:threads] = thread
+    end
+
+    opts.on( '-d domain', '--domain domain', String, 'Domain to enumerate' ) do |domain|
+      options[:domain] = domain
+    end
+
+    opts.on( '-w wordlist', '--wordlist path', String, 'Wordlist for bruteforce (ipv6 and brt)' ) do |wordlist|
+      options[:wordlist] = wordlist
+    end
+
+    opts.on( '-s', '--silent', 'Do not print any output' ) do
+      options[:silent] = true
+    end
+
+    options[:logfile] = nil
+    opts.on( '-o', '--output file', 'Write output to a file' ) do |file|
+      options[:output] = file
+    end
+
+    # Help
+    opts.on( '-h', '--help', 'Display this screen' ) do
+      puts opts
+      exit
+    end
+  end
+
+  begin
+    optparse.parse!
+    Dert.run(options)
+  rescue => e
+    puts 'Error'
+    puts "Usage: #{File.basename($0)} [options]"
+  end
+
+end

data/dert.gemspec

@@ -0,0 +1,25 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'dert/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'dert'
+  spec.version       = Dert::VERSION
+  spec.authors       = ['Coleton Pierson']
+  spec.email         = ['coleton.pierson@gmail.com']
+  spec.summary       = %q{DNS Enumeration and Reconnaissance Tool}
+  spec.description   = %q{Tool used to enumerate hosts and domains for reconnaissance during a penetration test.}
+  spec.homepage      = 'https://github.com/coleton/dert'
+  spec.license       = 'MIT'
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ['lib']
+
+  spec.add_development_dependency 'bundler', '~> 1.6'
+  spec.add_development_dependency 'rake', '~> 10'
+  spec.add_runtime_dependency 'dnsruby', '~> 1'
+  spec.add_runtime_dependency 'librex', '~> 0'
+end

data/lib/dert/dns.rb

@@ -0,0 +1,278 @@
+###########################################################################
+# Author:                                                 Coleton Pierson #
+# Company:                                                     Praetorian #
+# Date:                                                    August 7, 2014 #
+# Project:                 Dert - DNS Enumeration and Reconnaissance Tool #
+# Description:                  Small DNS Recon tool created to integrate #
+#                               into Project Mercury.                     #
+###########################################################################
+require 'dnsruby'
+require 'rex'
+require 'resolv'
+require 'socket'
+require 'timeout'
+require 'json'
+
+path = File.dirname(__FILE__)
+require "#{path}/methods/init"
+
+module Dert
+
+  #############
+  # Constants #
+  #############
+  module CONSTANTS
+    ARIN = 1
+    AXFR = 2
+    BRT = 3
+    IPV6 = 4
+    RVL = 5
+    SRV = 6
+    STD = 7
+    TDL = 8
+    WILDCARD = 9
+  end
+
+
+  ###########################################################################
+  # @method                                     query(domain, method, list) #
+  # @param domain:                                   [String] Target Domain #
+  # @param method:                                    [Integer] Enum Method #
+  # @param list:                                  [String] Path to Wordlist #
+  # @description                                         Start DNS queries. #
+  ###########################################################################
+  def self.query(domain, method, list=nil)
+    case method
+      when CONSTANTS::ARIN
+        return ARIN.query(domain)
+      when CONSTANTS::AXFR
+        return AXFR.query(domain)
+      when CONSTANTS::BRT
+        return BRT.query(domain, list, Dnsruby::Types.A)
+      when CONSTANTS::IPV6
+        return BRT.query(domain, list, Dnsruby::Types.AAAA)
+      when CONSTANTS::RVL
+        return RVL.query(domain)
+      when CONSTANTS::SRV
+        return SRV.query(domain)
+      when CONSTANTS::STD
+        return STD.query(domain)
+      when CONSTANTS::TDL
+        return TDL.query(domain)
+    end
+  end
+
+
+  ###########################################################################
+  # @method               start(domain, method, threads, word_list, output) #
+  # @param domain:                                   [String] Target Domain #
+  # @param method:                                    [Integer] Enum Method #
+  # @param threads:                            [Integer] Bruteforce Threads #
+  # @param word_list:                             [String] Path to Wordlist #
+  # @description                           Threaded DNS Enumeration method. #
+  ###########################################################################
+  def self.start(domain, method, threads = nil, word_list = nil, output = nil)
+
+    results = []
+
+    # Process for Brute Force DNS Enumeration
+    if method == CONSTANTS::BRT or method == CONSTANTS::IPV6 or method == CONSTANTS::RVL
+
+      # Count words/ips in list.
+      count = File.foreach(word_list).inject(0) { |c, line| c+1 }
+      # Words/IPs per thread
+      per = (count / threads) + 1
+      # Array of words/ips
+      arr = []
+      # Array of sets of words/ips per thread
+      lists_per_thread = []
+
+      thread_container = []
+
+      # Parse words/ips from word list
+      File.open(word_list).each_line do |x|
+        if method == CONSTANTS::RVL
+          tmp = Rex::Socket::RangeWalker.new(x.chomp.strip)
+          if tmp.valid?
+            tmp.each do |y|
+              arr << y
+            end
+          end
+        else
+          arr << x.chomp
+        end
+      end
+
+      # If word list count is greater than 50, use multiple threads.
+      if arr.count > 50
+        arr.each_slice(per) { |a| lists_per_thread << a }
+      else
+        lists_per_thread = [arr]
+      end
+
+      # Iterate through sets of words.
+      lists_per_thread.each do |x|
+        # Create a new thread and add it to a container
+        thread_container << Thread.new {
+          # Check if RVL, else BRT or IPV
+          if method == CONSTANTS::RVL
+            # Iterate through IP addresses
+            ret = []
+            x.each do |y|
+              ret.concat(self.query(y, method))
+            end
+          else
+            # Send a single set of words to brute force
+            ret = self.query(domain, method, x)
+          end
+          # Grab thread output
+          Thread.current[:output] = ret
+        }
+      end
+
+      # Join all threads and grab their outputs
+      thread_container.each do |t|
+        t.join
+        results += t[:output] unless t[:output].empty?
+      end
+
+      # Process for Single Enumeration
+    else
+      results = self.query(domain, method)
+    end
+
+    # Write output to file if specified
+    if output
+      File.open(output, 'w') do |f|
+        f.write(JSON.pretty_generate(results))
+      end
+    end
+
+    # Return Results for Console output
+    results
+  end
+
+  ###########################################################################
+  # @method                                                   run (options) #
+  # @param options:                                 [Hash] DNS Enum Options #
+  # @description                                           Main CLI Method. #
+  ###########################################################################
+  def self.run(options)
+    type = 0
+
+    # RVL does not require a domain
+    unless options[:type] == 'rvl'
+      unless options[:domain]
+        puts 'Invalid command. Try --help to view options.'
+        exit
+      end
+
+      # remove http/https
+      options[:domain].gsub!('https://', '')
+      options[:domain].gsub!('http://', '')
+
+      # Validate Domain
+      unless options[:domain].match(/[a-zA-Z0-9\-]+\.[a-zA-z]{2,6}/)
+        puts 'Invalid domain.'
+        exit
+      end
+    end
+
+    # Validate settings for brute force
+    if %w(ipv6 brt).include? options[:type]
+      if options[:threads] == nil or options[:domain] == nil or options[:wordlist] == nil
+        puts "Usage #{File.basename($0)} -e <brt|ipv6> -d <domain> -w <wordlist> -t <threads>"
+        exit
+      end
+    end
+
+    # RVL requires threads and a word list
+    if options[:type] == 'rvl'
+      if options[:threads] == nil or options[:wordlist] == nil
+        puts "Usage #{File.basename($0)} -e rvl -w <wordlist of ips> -t <threads>"
+        exit
+      end
+    end
+
+    # Validate wordlist
+    if options[:wordlist]
+      unless File.exist?(options[:wordlist])
+        puts 'Word List not found.'
+        exit
+      end
+    end
+
+    # Validate threads
+    if options[:threads]
+      if options[:threads] > 100 or options[:threads] < 1
+        puts 'Thread count must be between 1 and 100'
+        exit
+      end
+    end
+
+    # Validate Output
+    if options[:output]
+      unless Dir.exists?(File.dirname(options[:output]))
+        puts 'Output directory does not exists.'
+        exit
+      end
+    end
+
+    # Convert string type to integer type
+    case options[:type]
+      when 'arin'
+        type = 1
+      when 'axfr'
+        type = 2
+      when 'brt'
+        type = 3
+      when 'ipv6'
+        type = 4
+      when 'rvl'
+        type = 5
+      when 'srv'
+        type = 6
+      when 'std'
+        type = 7
+      when 'tdl'
+        type = 8
+      else
+        puts 'Wrong enumeration type. Try --help to view accepted enumeration inputs.'
+        exit
+    end
+
+    # Start Enumeration
+    results = self.start(options[:domain], type, options[:threads], options[:wordlist])
+
+    # Save results to a file if specified
+    if options[:output]
+      File.open(options[:output], 'w') do |f|
+        f.write(JSON.pretty_generate(results))
+      end
+    end
+
+    # Print output to terminal unless silent
+    unless options[:silent]
+      puts 'Results:'
+      if type == 1
+        results.each do |x|
+          puts "  Range: #{x[:cidr]}"
+          puts "  Handle: #{x[:handle]}"
+          puts "  Customer: #{x[:customer]}"
+          puts "  Zip Code: #{x[:zip]}"
+          puts ''
+        end
+      else
+        results.each do |x|
+          puts "  Hostname: #{x[:hostname]}"
+          puts "    IP: #{x[:address]}"
+          puts "    Type: #{x[:type]}"
+        end
+      end
+    end
+
+    # Return results as a hash
+    results
+  end
+
+end

data/lib/dert/methods/arin.rb

@@ -0,0 +1,71 @@
+require 'socket'
+module Dert
+  class ARIN
+
+    def self.parse(data)
+      full_results = []
+      data.each do |line|
+        net_handle = line.match(/\(\s*(NET-\d{1,3}\-\d{1,3}\-\d{1,3}\-\d{1,3}\-\d{1,3})\s*\)/)
+        range = line.match(/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\s+\-\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/)
+        if net_handle and range
+          customer_info = self.parse_net_handle(net_handle.to_s)
+          full_results.push(customer_info)
+        end
+      end
+
+      return full_results
+    end
+
+    def self.parse_net_handle(net_handle)
+      customer_record = {}
+      net_handle = net_handle.gsub('(', '')
+      net_handle = net_handle.gsub(')', '')
+      results = self.arin_results(net_handle)
+      results.each do |line|
+        ret = line.match(/(\w+):\s+(.*)\n/)
+        if ret
+          split = ret.to_s.split(':')
+          key = split[0].strip
+          value = split[1].strip
+          if key == 'CustName' or key == 'NetHandle' or key == 'CIDR' or key == 'PostalCode'
+            case key
+              when 'CustName'
+                key = :customer
+              when 'NetHandle'
+                key = :handle
+              when 'CIDR'
+                key = :cidr
+              when 'PostalCode'
+                key = :zip
+            end
+            customer_record[key] = value.to_s
+          end
+        end
+      end
+
+      return customer_record
+    end
+
+    def self.arin_results(company)
+      client = TCPSocket.new('whois.arin.net', 43)
+      client.puts(company.to_s)
+      output = []
+
+      ret = client.gets
+      while ret != nil
+        output.push(ret)
+        ret = client.gets
+      end
+      client.close
+
+      output
+    end
+
+    def self.query(domain)
+      company = domain.gsub(/\.\w+$/, '')
+      response = self.arin_results(company)
+      self.parse(response)
+    end
+
+  end
+end

data/lib/dert/methods/axfr.rb

@@ -0,0 +1,107 @@
+module Dert
+  class AXFR
+
+    @res = Dnsruby::Resolver.new
+
+    def self.query(domain)
+      default_address = Resolv.getaddress(domain)
+      results = []
+      begin
+        ret = @res.query(domain, Dnsruby::Types.NS)
+        name_servers = []
+        ret.answer.each do |x|
+          name_servers << x.domainname.to_s
+        end
+        zt = Dnsruby::ZoneTransfer.new
+        zoneref = []
+        name_servers.each do |x|
+          begin
+            zt.server = x
+            zoneref = zt.transfer(domain)
+            break
+          rescue Dnsruby::ResolvError => e
+            #
+          end
+        end
+
+        zoneref.each do |x|
+          case x.type.to_s
+            when 'SOA'
+              results << {
+                  address: default_address,
+                  type: x.type.to_s,
+                  hostname: x.name.to_s,
+                  ttl: x.ttl.to_s,
+                  klass: x.klass.to_s
+              }
+            when 'A'
+              results << {
+                  address: x.address.to_s,
+                  type: x.type.to_s,
+                  hostname: x.name.to_s,
+                  ttl: x.ttl.to_s,
+                  klass: x.klass.to_s
+              }
+            when 'MX'
+              results << {
+                  address: default_address,
+                  type: x.type.to_s,
+                  hostname: x.exchange.to_s,
+                  ttl: x.ttl.to_s,
+                  klass: x.klass.to_s,
+                  preference: x.preference.to_s
+              }
+            when 'NS'
+              results << {
+                  address: default_address,
+                  type: x.type.to_s,
+                  hostname: x.domainname.to_s,
+                  ttl: x.ttl.to_s,
+                  klass: x.klass.to_s
+              }
+            when 'TXT'
+              results << {
+                  address: default_address,
+                  type: x.type.to_s,
+                  hostname: x.name.to_s,
+                  ttl: x.ttl.to_s,
+                  klass: x.klass.to_s
+              }
+            when 'CNAME'
+              results << {
+                  address: default_address,
+                  type: x.type.to_s,
+                  hostname: x.name.to_s,
+                  ttl: x.ttl.to_s,
+                  klass: x.klass.to_s
+              }
+            when 'SRV'
+              results << {
+                  address: default_address,
+                  type: x.type.to_s,
+                  hostname: x.name.to_s,
+                  ttl: x.ttl.to_s,
+                  klass: x.klass.to_s
+              }
+            when 'LOC'
+              results << {
+                  address: default_address,
+                  type: x.type.to_s,
+                  hostname: x.name.to_s,
+                  ttl: x.ttl.to_s,
+                  klass: x.klass.to_s
+              }
+            else
+              #
+          end
+        end
+      rescue => e
+        #
+      end
+
+      results
+    end
+
+  end
+
+end