dns-security-mcp 0.1.0

package/dist/hijack/index.js

@@ -0,0 +1,1117 @@
+import { z } from "zod";
+import { text, json } from "../types/index.js";
+import { createResolver, resolveAll, queryRaw, reverseIp, isValidDomain } from "../utils/dns-client.js";
+import { TAKEOVER_FINGERPRINTS } from "../data/takeover-fingerprints.js";
+// ─── Helpers ───
+const DEFAULT_SUBDOMAINS = [
+    "www", "mail", "ftp", "api", "dev", "staging", "blog", "shop", "cdn", "admin",
+    "app", "portal", "test", "beta", "m", "mobile", "static", "assets", "media",
+    "vpn", "remote", "webmail", "smtp", "pop", "ns1", "ns2", "docs", "wiki",
+    "git", "ci", "auth", "login", "sso", "dashboard", "status", "monitor",
+    "search", "store", "help", "support", "forum",
+];
+async function resolveCnameTarget(fqdn) {
+    const resolver = createResolver();
+    try {
+        const cnames = await resolver.resolveCname(fqdn);
+        if (cnames.length > 0)
+            return { cname: cnames[0] };
+        return { cname: null };
+    }
+    catch (err) {
+        const e = err;
+        if (e.code === "ENOTFOUND" || e.code === "ENODATA")
+            return { cname: null, rcode: "NODATA" };
+        return { cname: null, error: e.message, rcode: e.code ?? "ERROR" };
+    }
+}
+async function checkCnameTargetResolvable(target) {
+    const resolver = createResolver();
+    try {
+        await resolver.resolve4(target);
+        return { resolvable: true, rcode: "NOERROR" };
+    }
+    catch (err) {
+        const e = err;
+        if (e.code === "ENOTFOUND")
+            return { resolvable: false, rcode: "NXDOMAIN" };
+        if (e.code === "ESERVFAIL")
+            return { resolvable: false, rcode: "SERVFAIL" };
+        if (e.code === "ENODATA")
+            return { resolvable: false, rcode: "NODATA" };
+        return { resolvable: false, rcode: e.code ?? "ERROR" };
+    }
+}
+function matchFingerprint(cnameTarget) {
+    const lower = cnameTarget.toLowerCase();
+    for (const fp of TAKEOVER_FINGERPRINTS) {
+        if (!fp.vulnerable)
+            continue;
+        for (const pattern of fp.cnames) {
+            const regex = new RegExp("^" + pattern.replace(/\./g, "\\.").replace(/\*/g, ".*") + "$", "i");
+            if (regex.test(lower)) {
+                return { service: fp.service, fingerprint: fp.fingerprint };
+            }
+        }
+    }
+    return null;
+}
+async function httpFingerprintCheck(fqdn, expectedText) {
+    for (const proto of ["https", "http"]) {
+        try {
+            const res = await fetch(`${proto}://${fqdn}`, {
+                signal: AbortSignal.timeout(5000),
+                redirect: "follow",
+            });
+            const body = await res.text();
+            const snippet = body.slice(0, 2000);
+            if (body.includes(expectedText)) {
+                return { confirmed: true, body: snippet };
+            }
+            return { confirmed: false, body: snippet };
+        }
+        catch {
+            // Try next protocol
+        }
+    }
+    return { confirmed: false, body: "" };
+}
+async function resolveHostname(hostname) {
+    const resolver = createResolver();
+    try {
+        const ips = await resolver.resolve4(hostname);
+        return { ips, rcode: "NOERROR" };
+    }
+    catch (err) {
+        const e = err;
+        if (e.code === "ENOTFOUND")
+            return { ips: [], rcode: "NXDOMAIN" };
+        if (e.code === "ESERVFAIL")
+            return { ips: [], rcode: "SERVFAIL" };
+        if (e.code === "ENODATA")
+            return { ips: [], rcode: "NODATA" };
+        return { ips: [], rcode: e.code ?? "ERROR" };
+    }
+}
+// ─── Tool 1: Dangling CNAME Detection ───
+const hijackDanglingCname = {
+    name: "hijack_dangling_cname",
+    description: "Detect dangling CNAME records that could allow subdomain takeover. " +
+        "Resolves CNAME for each subdomain, checks if target returns NXDOMAIN/SERVFAIL, " +
+        "and matches against known service fingerprints with HTTP confirmation.",
+    schema: {
+        domain: z.string().describe("The base domain to scan for dangling CNAMEs (e.g. example.com)"),
+        subdomains: z
+            .array(z.string())
+            .optional()
+            .describe("List of subdomain prefixes to check. Defaults to common subdomains " +
+            "(www, mail, ftp, api, dev, staging, blog, shop, cdn, admin, etc.)"),
+    },
+    execute: async (args) => {
+        const domain = args.domain;
+        const subdomains = args.subdomains ?? DEFAULT_SUBDOMAINS;
+        if (!isValidDomain(domain)) {
+            return text(`Error: Invalid domain "${domain}"`);
+        }
+        const results = [];
+        const concurrency = 10;
+        for (let i = 0; i < subdomains.length; i += concurrency) {
+            const batch = subdomains.slice(i, i + concurrency);
+            const tasks = batch.map(async (sub) => {
+                const fqdn = `${sub}.${domain}`;
+                const result = {
+                    subdomain: sub,
+                    fqdn,
+                    cnameTarget: "",
+                    status: "alive",
+                    takeoverRisk: "none",
+                };
+                try {
+                    const { cname, error } = await resolveCnameTarget(fqdn);
+                    if (!cname) {
+                        result.status = error ? "error" : "alive";
+                        result.error = error;
+                        return result;
+                    }
+                    result.cnameTarget = cname;
+                    // Check if CNAME target resolves
+                    const targetCheck = await checkCnameTargetResolvable(cname);
+                    if (targetCheck.resolvable) {
+                        result.status = "alive";
+                        return result;
+                    }
+                    // Target doesn't resolve — dangling CNAME
+                    result.status = "dangling";
+                    result.takeoverRisk = "high";
+                    // Match against known services
+                    const match = matchFingerprint(cname);
+                    if (match) {
+                        result.matchedService = match.service;
+                        result.fingerprint = match.fingerprint;
+                        result.takeoverRisk = "critical";
+                        // HTTP fingerprint confirmation
+                        if (match.fingerprint !== "NXDOMAIN") {
+                            const httpCheck = await httpFingerprintCheck(fqdn, match.fingerprint);
+                            result.httpConfirmed = httpCheck.confirmed;
+                            result.httpBody = httpCheck.body.slice(0, 500);
+                        }
+                    }
+                }
+                catch (err) {
+                    result.status = "error";
+                    result.error = err.message;
+                }
+                return result;
+            });
+            const batchResults = await Promise.allSettled(tasks);
+            for (const r of batchResults) {
+                if (r.status === "fulfilled")
+                    results.push(r.value);
+            }
+        }
+        const dangling = results.filter((r) => r.status === "dangling");
+        const summary = {
+            domain,
+            totalChecked: results.length,
+            danglingCount: dangling.length,
+            criticalCount: dangling.filter((r) => r.takeoverRisk === "critical").length,
+            highCount: dangling.filter((r) => r.takeoverRisk === "high").length,
+            dangling,
+            alive: results.filter((r) => r.status === "alive").length,
+            errors: results.filter((r) => r.status === "error").length,
+        };
+        return json(summary);
+    },
+};
+// ─── Tool 2: Dangling NS Detection ───
+const hijackDanglingNs = {
+    name: "hijack_dangling_ns",
+    description: "Detect dangling NS records that could allow full domain takeover. " +
+        "If an NS hostname resolves to NXDOMAIN, an attacker can register that domain " +
+        "and serve arbitrary DNS responses for the target zone — a critical vulnerability.",
+    schema: {
+        domain: z.string().describe("The domain to check for dangling NS records (e.g. example.com)"),
+    },
+    execute: async (args) => {
+        const domain = args.domain;
+        if (!isValidDomain(domain)) {
+            return text(`Error: Invalid domain "${domain}"`);
+        }
+        const resolver = createResolver();
+        let nsRecords;
+        try {
+            nsRecords = await resolver.resolveNs(domain);
+        }
+        catch (err) {
+            return text(`Error resolving NS for ${domain}: ${err.message}`);
+        }
+        if (nsRecords.length === 0) {
+            return text(`No NS records found for ${domain}.`);
+        }
+        const nsChecks = await Promise.allSettled(nsRecords.map(async (ns) => {
+            const resolved = await resolveHostname(ns);
+            const isDangling = resolved.rcode === "NXDOMAIN";
+            const nsDomain = ns.split(".").slice(-2).join(".");
+            return {
+                nameserver: ns,
+                ips: resolved.ips,
+                rcode: resolved.rcode,
+                isDangling,
+                nsDomain,
+                severity: isDangling ? "critical" : "info",
+                note: isDangling
+                    ? `NS hostname ${ns} is NXDOMAIN. Register ${nsDomain} to take over the entire zone for ${domain}.`
+                    : `NS ${ns} resolves to ${resolved.ips.join(", ")}`,
+            };
+        }));
+        const results = nsChecks
+            .filter((r) => r.status === "fulfilled")
+            .map((r) => r.value);
+        const danglingNs = results.filter((r) => r.isDangling);
+        return json({
+            domain,
+            totalNs: nsRecords.length,
+            danglingCount: danglingNs.length,
+            severity: danglingNs.length > 0 ? "critical" : "safe",
+            description: danglingNs.length > 0
+                ? "CRITICAL: Dangling NS records detected. An attacker can register the dangling NS domain and serve arbitrary DNS for the target zone."
+                : "All NS records resolve successfully. No dangling NS delegation found.",
+            nameservers: results,
+        });
+    },
+};
+// ─── Tool 3: Dangling MX Detection ───
+const hijackDanglingMx = {
+    name: "hijack_dangling_mx",
+    description: "Detect dangling MX records that could allow email hijacking. " +
+        "If an MX hostname resolves to NXDOMAIN, an attacker can register it " +
+        "to intercept all email for the domain.",
+    schema: {
+        domain: z.string().describe("The domain to check for dangling MX records (e.g. example.com)"),
+    },
+    execute: async (args) => {
+        const domain = args.domain;
+        if (!isValidDomain(domain)) {
+            return text(`Error: Invalid domain "${domain}"`);
+        }
+        const resolver = createResolver();
+        let mxRecords;
+        try {
+            mxRecords = await resolver.resolveMx(domain);
+        }
+        catch (err) {
+            return text(`Error resolving MX for ${domain}: ${err.message}`);
+        }
+        if (mxRecords.length === 0) {
+            return text(`No MX records found for ${domain}.`);
+        }
+        // Sort by priority ascending (lower number = higher priority)
+        mxRecords.sort((a, b) => a.priority - b.priority);
+        const mxChecks = await Promise.allSettled(mxRecords.map(async (mx) => {
+            const resolved = await resolveHostname(mx.exchange);
+            const isDangling = resolved.rcode === "NXDOMAIN";
+            const mxDomain = mx.exchange.split(".").slice(-2).join(".");
+            return {
+                exchange: mx.exchange,
+                priority: mx.priority,
+                ips: resolved.ips,
+                rcode: resolved.rcode,
+                isDangling,
+                mxDomain,
+                severity: isDangling ? "critical" : "info",
+                note: isDangling
+                    ? `MX ${mx.exchange} (priority ${mx.priority}) is NXDOMAIN. Register ${mxDomain} to intercept email for ${domain}.`
+                    : `MX ${mx.exchange} (priority ${mx.priority}) resolves to ${resolved.ips.join(", ")}`,
+            };
+        }));
+        const results = mxChecks
+            .filter((r) => r.status === "fulfilled")
+            .map((r) => r.value);
+        const danglingMx = results.filter((r) => r.isDangling);
+        const lowestPriorityDangling = danglingMx.some((r) => r.priority === mxRecords[0].priority);
+        return json({
+            domain,
+            totalMx: mxRecords.length,
+            danglingCount: danglingMx.length,
+            severity: danglingMx.length > 0 ? (lowestPriorityDangling ? "critical" : "high") : "safe",
+            description: danglingMx.length > 0
+                ? lowestPriorityDangling
+                    ? "CRITICAL: Primary MX record is dangling. All email can be intercepted."
+                    : "HIGH: Non-primary MX record(s) dangling. Email may be intercepted if primary MX is unavailable."
+                : "All MX records resolve successfully. No dangling MX found.",
+            priorityOrder: mxRecords.map((mx) => `${mx.priority} ${mx.exchange}`),
+            mailExchangers: results,
+        });
+    },
+};
+// ─── Tool 4: NS Delegation Chain Verification ───
+const hijackNsDelegation = {
+    name: "hijack_ns_delegation",
+    description: "Walk the DNS delegation chain and verify consistency. Checks for lame delegation " +
+        "(NS doesn't have zone data), missing glue records, and NS mismatch between parent and child zones.",
+    schema: {
+        domain: z.string().describe("The domain to verify delegation chain for (e.g. example.com)"),
+    },
+    execute: async (args) => {
+        const domain = args.domain;
+        if (!isValidDomain(domain)) {
+            return text(`Error: Invalid domain "${domain}"`);
+        }
+        const parts = domain.split(".");
+        const tld = parts.slice(-1)[0];
+        const findings = [];
+        // Step 1: Get NS for TLD from root
+        let tldNs = [];
+        try {
+            const resolver = createResolver("198.41.0.4"); // a.root-servers.net
+            tldNs = await resolver.resolveNs(tld);
+        }
+        catch {
+            // Fallback: use default resolver
+            try {
+                const resolver = createResolver();
+                tldNs = await resolver.resolveNs(tld);
+            }
+            catch (err) {
+                return text(`Error resolving TLD NS for .${tld}: ${err.message}`);
+            }
+        }
+        // Step 2: Query parent zone for NS delegation of our domain
+        let parentNs = [];
+        let parentNsIps = {};
+        if (tldNs.length > 0) {
+            try {
+                const tldNsResolved = await resolveHostname(tldNs[0]);
+                if (tldNsResolved.ips.length > 0) {
+                    const result = await queryRaw(domain, "NS", tldNsResolved.ips[0]);
+                    // NS records may be in answers or authorities section
+                    const nsAnswers = [...result.answers, ...result.authorities].filter((a) => a.type === "NS");
+                    parentNs = nsAnswers.map((a) => a.data.replace(/\.$/, ""));
+                    // Extract glue records from additionals
+                    for (const add of result.additionals) {
+                        if (add.type === "A") {
+                            const name = add.name?.replace(/\.$/, "") ?? "";
+                            if (!parentNsIps[name])
+                                parentNsIps[name] = [];
+                            parentNsIps[name].push(add.data);
+                        }
+                    }
+                }
+            }
+            catch {
+                // Fallback: use default resolver
+                try {
+                    const resolver = createResolver();
+                    parentNs = await resolver.resolveNs(domain);
+                }
+                catch {
+                    // Will be flagged below
+                }
+            }
+        }
+        // Step 3: Get authoritative NS from the domain itself (child NS)
+        let childNs = [];
+        try {
+            const resolver = createResolver();
+            childNs = await resolver.resolveNs(domain);
+        }
+        catch (err) {
+            findings.push({
+                severity: "critical",
+                title: "Cannot resolve domain NS records",
+                description: `Failed to resolve NS for ${domain}: ${err.message}`,
+                remediation: "Verify the domain has proper NS records configured.",
+            });
+        }
+        // Step 4: Compare parent and child NS
+        if (parentNs.length > 0 && childNs.length > 0) {
+            const parentSet = new Set(parentNs.map((n) => n.toLowerCase()));
+            const childSet = new Set(childNs.map((n) => n.toLowerCase()));
+            const onlyInParent = [...parentSet].filter((n) => !childSet.has(n));
+            const onlyInChild = [...childSet].filter((n) => !parentSet.has(n));
+            if (onlyInParent.length > 0 || onlyInChild.length > 0) {
+                findings.push({
+                    severity: "high",
+                    title: "NS mismatch between parent and child zone",
+                    description: `Parent zone lists: ${[...parentSet].join(", ")}. ` +
+                        `Child zone lists: ${[...childSet].join(", ")}. ` +
+                        (onlyInParent.length > 0 ? `Only in parent: ${onlyInParent.join(", ")}. ` : "") +
+                        (onlyInChild.length > 0 ? `Only in child: ${onlyInChild.join(", ")}. ` : ""),
+                    remediation: "Ensure parent and child zone NS records match exactly. " +
+                        "Update the registrar/parent zone or the authoritative zone file.",
+                });
+            }
+        }
+        // Step 5: Check each NS for lame delegation
+        const allNs = [...new Set([...parentNs, ...childNs].map((n) => n.toLowerCase()))];
+        const nsResults = await Promise.allSettled(allNs.map(async (ns) => {
+            const resolved = await resolveHostname(ns);
+            let isLame = false;
+            let hasGlue = !!parentNsIps[ns] && parentNsIps[ns].length > 0;
+            if (resolved.ips.length > 0) {
+                // Check if NS actually has zone data (authoritative answer)
+                try {
+                    const soaResult = await queryRaw(domain, "SOA", resolved.ips[0]);
+                    isLame = !soaResult.flags.authoritative && soaResult.answers.length === 0;
+                }
+                catch {
+                    isLame = true;
+                }
+            }
+            return {
+                nameserver: ns,
+                ips: resolved.ips,
+                rcode: resolved.rcode,
+                isDangling: resolved.rcode === "NXDOMAIN",
+                isLame,
+                hasGlue,
+            };
+        }));
+        const nsDetails = nsResults
+            .filter((r) => r.status === "fulfilled")
+            .map((r) => r.value);
+        // Step 6: Flag issues
+        for (const ns of nsDetails) {
+            if (ns.isDangling) {
+                findings.push({
+                    severity: "critical",
+                    title: `Dangling NS: ${ns.nameserver}`,
+                    description: `NS ${ns.nameserver} resolves to NXDOMAIN. An attacker can register this domain to hijack DNS.`,
+                    remediation: `Remove ${ns.nameserver} from NS records or ensure the domain is registered.`,
+                });
+            }
+            if (ns.isLame && !ns.isDangling) {
+                findings.push({
+                    severity: "high",
+                    title: `Lame delegation: ${ns.nameserver}`,
+                    description: `NS ${ns.nameserver} does not return authoritative answers for ${domain}. This causes resolution failures.`,
+                    remediation: `Configure ${ns.nameserver} as authoritative for ${domain} or remove it from NS records.`,
+                });
+            }
+            if (!ns.hasGlue && parentNs.includes(ns.nameserver)) {
+                // Check if the NS hostname is within the domain (in-bailiwick)
+                if (ns.nameserver.endsWith(`.${domain}`)) {
+                    findings.push({
+                        severity: "medium",
+                        title: `Missing glue record: ${ns.nameserver}`,
+                        description: `In-bailiwick NS ${ns.nameserver} has no glue record in the parent zone. This may cause resolution loops.`,
+                        remediation: `Add glue A/AAAA records for ${ns.nameserver} at the registrar/parent zone.`,
+                    });
+                }
+            }
+        }
+        return json({
+            domain,
+            tld,
+            tldNameservers: tldNs.slice(0, 5),
+            parentNs,
+            childNs,
+            glueRecords: parentNsIps,
+            nameserverDetails: nsDetails,
+            findings,
+            overallStatus: findings.some((f) => f.severity === "critical")
+                ? "critical"
+                : findings.some((f) => f.severity === "high")
+                    ? "degraded"
+                    : findings.length > 0
+                        ? "warnings"
+                        : "healthy",
+        });
+    },
+};
+// ─── Tool 5: DNS Rebinding Detection ───
+const hijackDnsRebinding = {
+    name: "hijack_dns_rebinding",
+    description: "Detect DNS rebinding candidates by resolving a domain multiple times and checking for IP changes " +
+        "combined with very low TTL values. DNS rebinding attacks exploit short TTLs to switch from a " +
+        "public IP to a private/internal IP after initial browser security checks.",
+    schema: {
+        domain: z.string().describe("The domain to test for DNS rebinding indicators (e.g. evil.example.com)"),
+        samples: z
+            .number()
+            .optional()
+            .describe("Number of DNS resolution samples to collect (default: 5)"),
+        delay_ms: z
+            .number()
+            .optional()
+            .describe("Delay in milliseconds between resolution attempts (default: 1000)"),
+    },
+    execute: async (args) => {
+        const domain = args.domain;
+        const samples = args.samples ?? 5;
+        const delayMs = args.delay_ms ?? 1000;
+        if (!isValidDomain(domain)) {
+            return text(`Error: Invalid domain "${domain}"`);
+        }
+        const resolutions = [];
+        for (let i = 0; i < samples; i++) {
+            if (i > 0) {
+                await new Promise((resolve) => setTimeout(resolve, delayMs));
+            }
+            const resolver = createResolver();
+            const timestamp = new Date().toISOString();
+            try {
+                const records = await resolver.resolve4(domain, { ttl: true });
+                resolutions.push({
+                    attempt: i + 1,
+                    timestamp,
+                    ips: records.map((r) => r.address),
+                    ttl: records.map((r) => r.ttl),
+                });
+            }
+            catch (err) {
+                resolutions.push({
+                    attempt: i + 1,
+                    timestamp,
+                    ips: [],
+                    ttl: [],
+                    error: err.message,
+                });
+            }
+        }
+        // Analyze results
+        const allIps = new Set();
+        const allTtls = [];
+        for (const r of resolutions) {
+            for (const ip of r.ips)
+                allIps.add(ip);
+            for (const ttl of r.ttl)
+                allTtls.push(ttl);
+        }
+        const ipChanged = allIps.size > 1;
+        const minTtl = allTtls.length > 0 ? Math.min(...allTtls) : -1;
+        const maxTtl = allTtls.length > 0 ? Math.max(...allTtls) : -1;
+        const avgTtl = allTtls.length > 0 ? allTtls.reduce((a, b) => a + b, 0) / allTtls.length : -1;
+        const lowTtl = minTtl >= 0 && minTtl <= 60;
+        // Check for private IPs
+        const privateIpPattern = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|0\.)/;
+        const hasPrivateIp = [...allIps].some((ip) => privateIpPattern.test(ip));
+        const hasPublicIp = [...allIps].some((ip) => !privateIpPattern.test(ip));
+        const mixedIpTypes = hasPrivateIp && hasPublicIp;
+        let riskLevel;
+        let description;
+        if (ipChanged && lowTtl && mixedIpTypes) {
+            riskLevel = "critical";
+            description =
+                "CRITICAL: DNS rebinding highly likely. IP changes between resolutions include both public and private IPs with very low TTL. " +
+                    "This domain is likely configured for DNS rebinding attacks.";
+        }
+        else if (ipChanged && lowTtl) {
+            riskLevel = "high";
+            description =
+                "HIGH: DNS rebinding possible. IP changes between resolutions with low TTL detected. " +
+                    "This may indicate a DNS rebinding setup or aggressive load balancing.";
+        }
+        else if (ipChanged) {
+            riskLevel = "medium";
+            description =
+                "MEDIUM: IP addresses change between resolutions but TTL is not unusually low. " +
+                    "Likely round-robin DNS or CDN. Less likely rebinding but worth monitoring.";
+        }
+        else if (lowTtl) {
+            riskLevel = "low";
+            description =
+                "LOW: Very low TTL detected but IP remains stable. Low TTL alone is not sufficient for rebinding " +
+                    "but may indicate preparation. Could also be normal for dynamic DNS.";
+        }
+        else {
+            riskLevel = "none";
+            description =
+                "No DNS rebinding indicators detected. IP is stable and TTL is within normal range.";
+        }
+        return json({
+            domain,
+            samples,
+            delayMs,
+            uniqueIps: [...allIps],
+            ipChanged,
+            hasPrivateIp,
+            hasPublicIp,
+            mixedIpTypes,
+            ttlStats: {
+                min: minTtl,
+                max: maxTtl,
+                avg: Math.round(avgTtl * 100) / 100,
+                isLow: lowTtl,
+            },
+            riskLevel,
+            description,
+            resolutions,
+        });
+    },
+};
+// ─── Tool 6: Registrar Security Check ───
+const hijackRegistrarSecurity = {
+    name: "hijack_registrar_security",
+    description: "Check domain registrar security posture via RDAP. Verifies transfer locks, delete locks, " +
+        "registration expiry, and other EPP status codes that protect against unauthorized domain hijacking.",
+    schema: {
+        domain: z.string().describe("The domain to check registrar security for (e.g. example.com)"),
+    },
+    execute: async (args) => {
+        const domain = args.domain;
+        if (!isValidDomain(domain)) {
+            return text(`Error: Invalid domain "${domain}"`);
+        }
+        let rdapData;
+        try {
+            const res = await fetch(`https://rdap.org/domain/${domain}`, {
+                signal: AbortSignal.timeout(10000),
+                headers: { Accept: "application/rdap+json" },
+            });
+            if (!res.ok) {
+                return text(`RDAP query failed for ${domain}: HTTP ${res.status} ${res.statusText}`);
+            }
+            rdapData = await res.json();
+        }
+        catch (err) {
+            return text(`Error querying RDAP for ${domain}: ${err.message}`);
+        }
+        // Extract status codes
+        const statusCodes = rdapData.status ?? [];
+        const findings = [];
+        // Check transfer protection
+        const hasClientTransferLock = statusCodes.some((s) => s.toLowerCase() === "client transfer prohibited");
+        const hasServerTransferLock = statusCodes.some((s) => s.toLowerCase() === "server transfer prohibited");
+        if (!hasClientTransferLock && !hasServerTransferLock) {
+            findings.push({
+                severity: "high",
+                title: "No transfer lock",
+                description: "Domain has neither clientTransferProhibited nor serverTransferProhibited. " +
+                    "An attacker with registrar access could transfer the domain to another registrar.",
+            });
+        }
+        else if (!hasClientTransferLock) {
+            findings.push({
+                severity: "medium",
+                title: "No client transfer lock",
+                description: "Domain lacks clientTransferProhibited. Only serverTransferProhibited is set. " +
+                    "Consider enabling client-side transfer lock at the registrar.",
+            });
+        }
+        // Check delete protection
+        const hasClientDeleteLock = statusCodes.some((s) => s.toLowerCase() === "client delete prohibited");
+        const hasServerDeleteLock = statusCodes.some((s) => s.toLowerCase() === "server delete prohibited");
+        if (!hasClientDeleteLock && !hasServerDeleteLock) {
+            findings.push({
+                severity: "medium",
+                title: "No delete lock",
+                description: "Domain has no delete prohibition status. The domain could be deleted through registrar abuse.",
+            });
+        }
+        // Check update protection
+        const hasClientUpdateLock = statusCodes.some((s) => s.toLowerCase() === "client update prohibited");
+        if (!hasClientUpdateLock) {
+            findings.push({
+                severity: "low",
+                title: "No client update lock",
+                description: "Domain lacks clientUpdateProhibited. DNS records and nameserver changes are not locked at the registry level.",
+            });
+        }
+        // Check expiry
+        let expirationDate = null;
+        let daysUntilExpiry = null;
+        const events = rdapData.events ?? [];
+        for (const event of events) {
+            if (event.action === "expiration" && event.date) {
+                expirationDate = event.date;
+                const expiry = new Date(event.date);
+                const now = new Date();
+                daysUntilExpiry = Math.floor((expiry.getTime() - now.getTime()) / (1000 * 60 * 60 * 24));
+                if (daysUntilExpiry <= 0) {
+                    findings.push({
+                        severity: "critical",
+                        title: "Domain expired",
+                        description: `Domain expired on ${expirationDate}. It may be available for re-registration.`,
+                    });
+                }
+                else if (daysUntilExpiry <= 30) {
+                    findings.push({
+                        severity: "high",
+                        title: "Domain expiring soon",
+                        description: `Domain expires in ${daysUntilExpiry} days (${expirationDate}). Renew immediately to prevent hijacking.`,
+                    });
+                }
+                else if (daysUntilExpiry <= 90) {
+                    findings.push({
+                        severity: "medium",
+                        title: "Domain expiring within 90 days",
+                        description: `Domain expires in ${daysUntilExpiry} days (${expirationDate}). Consider enabling auto-renewal.`,
+                    });
+                }
+                break;
+            }
+        }
+        // Extract registrar info
+        let registrar = null;
+        for (const entity of rdapData.entities ?? []) {
+            if ((entity.roles ?? []).includes("registrar")) {
+                registrar = entity.vcardArray?.[1]?.find((v) => v[0] === "fn")?.[3] ?? entity.handle ?? null;
+                break;
+            }
+        }
+        // Detect suspicious statuses
+        const holdStatuses = statusCodes.filter((s) => s.toLowerCase().includes("hold") ||
+            s.toLowerCase().includes("pending") ||
+            s.toLowerCase().includes("redemption"));
+        if (holdStatuses.length > 0) {
+            findings.push({
+                severity: "high",
+                title: "Domain has hold/pending status",
+                description: `Domain has status: ${holdStatuses.join(", ")}. This may indicate disputes, legal issues, or impending deletion.`,
+            });
+        }
+        const overallSeverity = findings.length === 0
+            ? "secure"
+            : findings.some((f) => f.severity === "critical")
+                ? "critical"
+                : findings.some((f) => f.severity === "high")
+                    ? "high"
+                    : findings.some((f) => f.severity === "medium")
+                        ? "medium"
+                        : "low";
+        return json({
+            domain,
+            registrar,
+            statusCodes,
+            expirationDate,
+            daysUntilExpiry,
+            locks: {
+                clientTransferProhibited: hasClientTransferLock,
+                serverTransferProhibited: hasServerTransferLock,
+                clientDeleteProhibited: hasClientDeleteLock,
+                serverDeleteProhibited: hasServerDeleteLock,
+                clientUpdateProhibited: hasClientUpdateLock,
+            },
+            overallSeverity,
+            findings,
+        });
+    },
+};
+// ─── Tool 7: DNS Change Monitor ───
+const hijackChangeMonitor = {
+    name: "hijack_change_monitor",
+    description: "Monitor DNS record changes by comparing current records against a stored baseline. " +
+        "On first run (no baseline), returns the current state as a JSON baseline. " +
+        "On subsequent runs, diffs against the provided baseline to detect added, removed, or changed records.",
+    schema: {
+        domain: z.string().describe("The domain to monitor for DNS changes (e.g. example.com)"),
+        baseline: z
+            .string()
+            .optional()
+            .describe("JSON string of the previous baseline (output from a prior run). " +
+            "If omitted, the tool returns the current DNS state as the initial baseline."),
+    },
+    execute: async (args) => {
+        const domain = args.domain;
+        const baselineStr = args.baseline;
+        if (!isValidDomain(domain)) {
+            return text(`Error: Invalid domain "${domain}"`);
+        }
+        // Resolve all record types
+        const currentRecords = await resolveAll(domain);
+        // Normalize records for comparison: key = "TYPE|data"
+        const currentMap = new Map();
+        for (const r of currentRecords) {
+            const key = `${r.type}|${r.data}`;
+            currentMap.set(key, { type: r.type, data: r.data, ttl: r.ttl });
+        }
+        const currentState = {
+            domain,
+            timestamp: new Date().toISOString(),
+            records: currentRecords.map((r) => ({
+                type: r.type,
+                data: r.data,
+                ttl: r.ttl,
+            })),
+        };
+        // First run: no baseline provided
+        if (!baselineStr) {
+            return json({
+                mode: "baseline",
+                message: `Initial baseline captured for ${domain}. Provide this JSON as the 'baseline' parameter on the next run to detect changes.`,
+                baseline: currentState,
+                baselineJson: JSON.stringify(currentState),
+            });
+        }
+        // Parse baseline
+        let baselineData;
+        try {
+            baselineData = JSON.parse(baselineStr);
+        }
+        catch {
+            return text("Error: Could not parse baseline JSON. Ensure you pass the exact JSON from a previous run.");
+        }
+        // Build baseline map
+        const baselineMap = new Map();
+        for (const r of baselineData.records ?? []) {
+            const key = `${r.type}|${r.data}`;
+            baselineMap.set(key, { type: r.type, data: r.data, ttl: r.ttl });
+        }
+        // Compute diff
+        const added = [];
+        const removed = [];
+        const ttlChanged = [];
+        for (const [key, rec] of currentMap) {
+            if (!baselineMap.has(key)) {
+                added.push(rec);
+            }
+            else {
+                const oldRec = baselineMap.get(key);
+                if (oldRec.ttl !== rec.ttl && oldRec.ttl !== 0 && rec.ttl !== 0) {
+                    ttlChanged.push({ type: rec.type, data: rec.data, oldTtl: oldRec.ttl, newTtl: rec.ttl });
+                }
+            }
+        }
+        for (const [key, rec] of baselineMap) {
+            if (!currentMap.has(key)) {
+                removed.push(rec);
+            }
+        }
+        const hasChanges = added.length > 0 || removed.length > 0 || ttlChanged.length > 0;
+        // Assess severity of changes
+        let severity = "none";
+        if (removed.some((r) => r.type === "NS") || added.some((r) => r.type === "NS")) {
+            severity = "critical";
+        }
+        else if (removed.some((r) => r.type === "MX") || added.some((r) => r.type === "MX")) {
+            severity = "high";
+        }
+        else if (removed.some((r) => r.type === "A" || r.type === "AAAA") || added.some((r) => r.type === "A" || r.type === "AAAA")) {
+            severity = "high";
+        }
+        else if (hasChanges) {
+            severity = "medium";
+        }
+        return json({
+            mode: "diff",
+            domain,
+            baselineTimestamp: baselineData.timestamp,
+            currentTimestamp: currentState.timestamp,
+            hasChanges,
+            severity,
+            summary: {
+                addedCount: added.length,
+                removedCount: removed.length,
+                ttlChangedCount: ttlChanged.length,
+            },
+            added,
+            removed,
+            ttlChanged,
+            currentState,
+            currentStateJson: JSON.stringify(currentState),
+        });
+    },
+};
+// ─── Tool 8: Subdomain Takeover Scanner ───
+const hijackSubdomainTakeover = {
+    name: "hijack_subdomain_takeover",
+    description: "Full subdomain takeover scan. Optionally discovers subdomains via Certificate Transparency " +
+        "(crt.sh), then checks each for dangling CNAMEs, matches against known vulnerable service " +
+        "fingerprints, and reports takeover risk with HTTP confirmation.",
+    schema: {
+        domain: z.string().describe("The base domain to scan for subdomain takeover (e.g. example.com)"),
+        use_ct: z
+            .boolean()
+            .optional()
+            .describe("If true, query crt.sh Certificate Transparency logs to discover subdomains. " +
+            "Default: false (uses built-in common subdomain list)."),
+    },
+    execute: async (args) => {
+        const domain = args.domain;
+        const useCt = args.use_ct ?? false;
+        if (!isValidDomain(domain)) {
+            return text(`Error: Invalid domain "${domain}"`);
+        }
+        let subdomains = [];
+        // Discover subdomains
+        if (useCt) {
+            try {
+                const res = await fetch(`https://crt.sh/?q=%25.${encodeURIComponent(domain)}&output=json`, { signal: AbortSignal.timeout(15000) });
+                if (res.ok) {
+                    const certs = await res.json();
+                    const seen = new Set();
+                    for (const cert of certs) {
+                        const names = cert.name_value.split("\n");
+                        for (const name of names) {
+                            const clean = name.trim().replace(/^\*\./, "").toLowerCase();
+                            if (clean.endsWith(`.${domain}`) && clean !== domain) {
+                                seen.add(clean);
+                            }
+                        }
+                    }
+                    subdomains = [...seen];
+                }
+            }
+            catch {
+                // CT failed, fallback to wordlist
+            }
+        }
+        // If CT didn't provide results or wasn't requested, use default wordlist
+        if (subdomains.length === 0) {
+            subdomains = DEFAULT_SUBDOMAINS.map((s) => `${s}.${domain}`);
+        }
+        // Ensure subdomains are FQDNs
+        subdomains = subdomains.map((s) => (s.endsWith(`.${domain}`) ? s : `${s}.${domain}`));
+        // Deduplicate
+        subdomains = [...new Set(subdomains)];
+        // Scan each subdomain for dangling CNAME
+        const results = [];
+        const concurrency = 15;
+        for (let i = 0; i < subdomains.length; i += concurrency) {
+            const batch = subdomains.slice(i, i + concurrency);
+            const tasks = batch.map(async (fqdn) => {
+                const entry = {
+                    fqdn,
+                    hasCname: false,
+                    isDangling: false,
+                    takeoverRisk: "none",
+                };
+                try {
+                    const { cname } = await resolveCnameTarget(fqdn);
+                    if (!cname)
+                        return entry;
+                    entry.hasCname = true;
+                    entry.cnameTarget = cname;
+                    // Check if target resolves
+                    const targetCheck = await checkCnameTargetResolvable(cname);
+                    if (targetCheck.resolvable)
+                        return entry;
+                    entry.isDangling = true;
+                    entry.takeoverRisk = "high";
+                    // Match fingerprint
+                    const match = matchFingerprint(cname);
+                    if (match) {
+                        entry.matchedService = match.service;
+                        entry.fingerprint = match.fingerprint;
+                        entry.takeoverRisk = "critical";
+                        // HTTP confirmation
+                        if (match.fingerprint !== "NXDOMAIN") {
+                            try {
+                                const httpCheck = await httpFingerprintCheck(fqdn, match.fingerprint);
+                                entry.httpConfirmed = httpCheck.confirmed;
+                            }
+                            catch {
+                                entry.httpConfirmed = false;
+                            }
+                        }
+                    }
+                }
+                catch {
+                    // Skip resolution errors
+                }
+                return entry;
+            });
+            const batchResults = await Promise.allSettled(tasks);
+            for (const r of batchResults) {
+                if (r.status === "fulfilled")
+                    results.push(r.value);
+            }
+        }
+        const vulnerable = results.filter((r) => r.isDangling);
+        const critical = vulnerable.filter((r) => r.takeoverRisk === "critical");
+        const confirmed = vulnerable.filter((r) => r.httpConfirmed === true);
+        return json({
+            domain,
+            source: useCt ? "certificate_transparency" : "wordlist",
+            totalSubdomains: subdomains.length,
+            totalScanned: results.length,
+            vulnerableCount: vulnerable.length,
+            criticalCount: critical.length,
+            confirmedCount: confirmed.length,
+            summary: vulnerable.length === 0
+                ? `No subdomain takeover vulnerabilities found across ${results.length} subdomains.`
+                : `Found ${vulnerable.length} dangling CNAME(s): ${critical.length} critical, ${confirmed.length} HTTP-confirmed.`,
+            vulnerable,
+            // Only include non-vulnerable in a compact form
+            scannedSubdomains: results
+                .filter((r) => !r.isDangling)
+                .map((r) => ({
+                fqdn: r.fqdn,
+                hasCname: r.hasCname,
+                cnameTarget: r.cnameTarget,
+            })),
+        });
+    },
+};
+// ─── Tool 9: BGP Impact Assessment ───
+const hijackBgpImpact = {
+    name: "hijack_bgp_impact",
+    description: "Assess BGP-level impact of domain hijacking by querying Team Cymru's DNS interface for ASN, " +
+        "prefix, and AS owner information. Reports on the network infrastructure behind a domain " +
+        "and notes about RPKI/ROA protection.",
+    schema: {
+        domain: z.string().describe("The domain to assess BGP impact for (e.g. example.com)"),
+    },
+    execute: async (args) => {
+        const domain = args.domain;
+        if (!isValidDomain(domain)) {
+            return text(`Error: Invalid domain "${domain}"`);
+        }
+        // Step 1: Resolve domain to IPs
+        const resolver = createResolver();
+        let ips;
+        try {
+            ips = await resolver.resolve4(domain);
+        }
+        catch (err) {
+            return text(`Error resolving ${domain}: ${err.message}`);
+        }
+        if (ips.length === 0) {
+            return text(`No A records found for ${domain}.`);
+        }
+        // Step 2: For each IP, query Team Cymru DNS interface
+        const bgpResults = await Promise.allSettled(ips.map(async (ip) => {
+            const reversed = reverseIp(ip);
+            const cymruQuery = `${reversed}.origin.asn.cymru.com`;
+            let asn = null;
+            let prefix = null;
+            let country = null;
+            let registry = null;
+            let asName = null;
+            // Query origin.asn.cymru.com for ASN info
+            try {
+                const txtRecords = await resolver.resolveTxt(cymruQuery);
+                if (txtRecords.length > 0) {
+                    const parts = txtRecords[0].join("").split("|").map((s) => s.trim());
+                    // Format: ASN | IP Prefix | Country | Registry | Allocated Date
+                    asn = parts[0] ?? null;
+                    prefix = parts[1] ?? null;
+                    country = parts[2] ?? null;
+                    registry = parts[3] ?? null;
+                }
+            }
+            catch {
+                // Team Cymru query failed
+            }
+            // Query AS name
+            if (asn) {
+                // ASN may contain spaces for multi-origin; take the first
+                const primaryAsn = asn.split(/\s+/)[0];
+                try {
+                    const asTxtRecords = await resolver.resolveTxt(`AS${primaryAsn}.asn.cymru.com`);
+                    if (asTxtRecords.length > 0) {
+                        const parts = asTxtRecords[0].join("").split("|").map((s) => s.trim());
+                        // Format: ASN | Country | Registry | Allocated | AS Name
+                        asName = parts[4] ?? null;
+                    }
+                }
+                catch {
+                    // AS name lookup failed
+                }
+            }
+            return {
+                ip,
+                asn,
+                prefix,
+                country,
+                registry,
+                asName,
+            };
+        }));
+        const results = bgpResults
+            .filter((r) => r.status === "fulfilled")
+            .map((r) => r.value);
+        // Assess diversity
+        const uniqueAsns = new Set(results.map((r) => r.asn).filter(Boolean));
+        const uniquePrefixes = new Set(results.map((r) => r.prefix).filter(Boolean));
+        const rpkiNotes = [
+            "RPKI/ROA validation status cannot be determined via DNS alone.",
+            "Use RPKI validators (e.g., Cloudflare rpki.cloudflare.com, RIPE RIS) to verify ROA coverage.",
+            "If no ROA exists for the prefix, it is more vulnerable to BGP hijacking.",
+            "Domains relying on a single ASN/prefix are more susceptible to targeted BGP hijacks.",
+        ];
+        const singleAsn = uniqueAsns.size === 1;
+        const riskAssessment = singleAsn
+            ? "Domain resolves to a single ASN. A BGP hijack of this prefix would affect all traffic."
+            : `Domain resolves across ${uniqueAsns.size} ASNs, providing some resilience against BGP hijacking.`;
+        return json({
+            domain,
+            ipCount: ips.length,
+            uniqueAsns: uniqueAsns.size,
+            uniquePrefixes: uniquePrefixes.size,
+            riskAssessment,
+            bgpDetails: results,
+            rpkiNotes,
+            recommendations: [
+                singleAsn ? "Consider using a CDN or multi-homed setup for BGP diversity." : null,
+                "Verify RPKI/ROA records exist for all announced prefixes.",
+                "Monitor BGP announcements for unauthorized origin changes (e.g., BGPStream, RIPE RIS).",
+                "Consider deploying RPKI if you control the announced prefixes.",
+            ].filter(Boolean),
+        });
+    },
+};
+// ─── Export All Tools ───
+export const hijackTools = [
+    hijackDanglingCname,
+    hijackDanglingNs,
+    hijackDanglingMx,
+    hijackNsDelegation,
+    hijackDnsRebinding,
+    hijackRegistrarSecurity,
+    hijackChangeMonitor,
+    hijackSubdomainTakeover,
+    hijackBgpImpact,
+];
+//# sourceMappingURL=index.js.map