Bug #471
dns_enum top-level domain expansion does not work as expected
| Field | Value | Field | Value |
|---|---|---|---|
| Status | Closed | Start date | 11/05/2009 |
| Priority | Normal | Due date | |
| Assignee | Carlos Perez | % Done | 0% |
| Category | documentation | | |
| Target version | Metasploit 3.3 | | |
| Resolution | fixed | Release Note | |
Description
Hi,
When, for instance, the DOMAIN nu.nl is set and the module is executed with its default settings, the top-level domain expansion option does not strip the domain extension. Now it is performing DNS lookups for nu.nl.cm, nu.nl.cv, nu.nl.ca..., while you expect it to perform DNS lookups for nu.cm, nu.cv, nu.ca....
Or didn't I understand how this module should work?
History
Updated by HD Moore over 2 years ago
- Category set to documentation
- Assignee set to Carlos Perez
I believe this behavior is correct: to look for 'nl', the DOMAIN should be simply 'nl'. It supports multiple labels like nu.nl because sometimes it's useful to search for things like "company.co", which will try company.co.uk, company.co.il, etc. The module description should be more clear.
Updated by Erwin Paternotte over 2 years ago
HD Moore wrote:
> I believe this behavior is correct: to look for 'nl', the DOMAIN should be simply 'nl'. It supports multiple labels like nu.nl because sometimes it's useful to search for things like "company.co", which will try company.co.uk, company.co.il, etc. The module description should be more clear.

The way I expected it to work is the following: suppose you are pentesting multinational X and you want to know their websites for all gTLDs and ccTLDs. You started off with multinationalX.com and now you want to do all the things the dns_enum script does with their .com domain and also expand your scope to other domains multinationalX might own. If you want to do it in a single shot, the script should take the DOMAIN variable, cut off the gTLD or ccTLD the user specified and iterate through the predefined list in the script. You are correct that some ccTLDs use two levels, like .co.uk and .com.au, which I think should be included in the script as well. We have a custom script that has quite an extensive list of those.
The way you describe it, the DOMAIN variable is not the same for all tests dns_enum performs in the majority of the cases. Maybe it is better to switch off the ENUM_TLD check by default, because it generates a lot of extra network traffic.
Updated by HD Moore over 2 years ago
I think you nailed the real issue: the DOMAIN option is NOT treated the same by all tests. Carlos, any thoughts?
Updated by Carlos Perez over 2 years ago
HD Moore wrote:
> I think you nailed the real issue: the DOMAIN option is NOT treated the same by all tests. Carlos, any thoughts?

Erwin,
The module simply appends the TLD value to the end of the given domain; it does not analyse the DOMAIN datastore variable and test all possible combinations, due to the fact that it would take a large amount of time, and each test would have to be made against each NS record just to assure proper accuracy, expanding on time. I could have the DOMAIN saved into an array, have the TLD function remove the TLD and add the .co.x, .ed.x etc., and save those found in the array for use by the other methods; if TLD is chosen it would be tested first and then all A or AAAA records found are then submitted to the other modules. Is this the functionality you would be looking for?
Updated by Erwin Paternotte over 2 years ago
Carlos Perez wrote:
> I could have the DOMAIN saved into an array, have the TLD function remove the TLD and add the .co.x, .ed.x etc., and save those found in the array for use by the other methods; if TLD is chosen it would be tested first and then all A or AAAA records found are then submitted to the other modules. Is this the functionality you would be looking for?

Not totally. I agree with the TLD function removing the TLD, but I don't think you want to interrogate every domain the TLD function finds, in other words feed the results from the TLD function back into the other modules. For 95% of pentests all the tests dns_enum provides except ENUM_TLD are fine. For the other 5% you do want to enable the ENUM_TLD option and just print the found domains on screen. It should be up to the pentester if he wants to further investigate those other domains (time, scope, legal issues). Therefore it is maybe better to disable the TLD function by default. I do agree with HD Moore: all modules should treat the DOMAIN option equally.
Updated by Carlos Perez over 2 years ago
Erwin Paternotte wrote:
> Carlos Perez wrote:
> > I could have the DOMAIN saved into an array, have the TLD function remove the TLD and add the .co.x, .ed.x etc., and save those found in the array for use by the other methods; if TLD is chosen it would be tested first and then all A or AAAA records found are then submitted to the other modules. Is this the functionality you would be looking for?
>
> Not totally. I agree with the TLD function removing the TLD, but I don't think you want to interrogate every domain the TLD function finds, in other words feed the results from the TLD function back into the other modules. For 95% of pentests all the tests dns_enum provides except ENUM_TLD are fine. For the other 5% you do want to enable the ENUM_TLD option and just print the found domains on screen. It should be up to the pentester if he wants to further investigate those other domains (time, scope, legal issues). Therefore it is maybe better to disable the TLD function by default. I do agree with HD Moore: all modules should treat the DOMAIN option equally.

Can you share your TLD list? I have been in tests where I have had clients that have .org.cr, .org.pr, .com.cr and .com.pr, for example, and others that have been .co.pr, .co.uy etc. If you can, send it to my email.
Updated by Carlos Perez about 2 years ago
- Status changed from New to Closed
- Target version set to Metasploit 3.3
- Resolution set to fixed
Changed the description to reflect the proper action when enumerating gTLDs and ccTLDs: for the DOMAIN given, the TLD is removed and a list of possible TLDs is tested by appending them and resolving against the domain. Added an option to stop ENUM_BRT if wild-card resolution is detected, added new SRV records for MS OCS, and fixed a problem with AXFR.
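The behaviour described in the closing note (strip the TLD from DOMAIN, append each candidate suffix and resolve it, and stop brute forcing when a wildcard answer is detected), as an added example in Ruby. This is illustrative code written for this page, not the dns_enum module's own code; the suffix list, the stub resolver and its answers are constructed for the example, and the names `split_tld`, `expand_tlds`, `wildcard?`, `TLDS`, `STUB_ANSWERS`, `STUB_RESOLVER` and `LIVE_RESOLVER` are chosen here. Two-level ccTLDs are listed so that company.co.uk strips to "company" rather than "company.co", which is the case the thread turns on.

```ruby
require 'resolv'
require 'securerandom'

# Suffix list for the expansion. Constructed for this example; the module's
# own list is longer. Two-level ccTLDs (co.uk, com.au, ...) are included so
# "company.co.uk" strips to "company", not "company.co".
TLDS = %w[
  co.uk co.il com.au org.cr com.cr co.pr org.pr co.uy
  com net org nl uk il au cr pr uy cm cv ca
].freeze

# Split a domain into [base, suffix], matching the longest known suffix
# (most labels first, then longest string). Unknown suffixes give [domain, nil].
def split_tld(domain, tlds = TLDS)
  name = domain.downcase.chomp('.')
  suffix = tlds.sort_by { |t| [-t.count('.'), -t.length] }
               .find { |t| name.end_with?(".#{t}") }
  return [name, nil] unless suffix
  [name[0...-(suffix.length + 1)], suffix]
end

# Build "<base>.<tld>" for every suffix in the list, skipping the original
# name, and keep the candidates the resolver answers for. The resolver is any
# callable that returns an array of address strings (empty on NXDOMAIN).
def expand_tlds(domain, resolver, tlds = TLDS)
  base, _suffix = split_tld(domain, tlds)
  original = domain.downcase.chomp('.')
  found = {}
  tlds.each do |tld|
    candidate = "#{base}.#{tld}"
    next if candidate == original
    addrs = resolver.call(candidate)
    found[candidate] = addrs unless addrs.empty?
  end
  found
end

# Wildcard check: if a random label under the domain resolves, every
# brute-forced name would too, so a brute-force run should stop.
def wildcard?(domain, resolver)
  probe = "#{SecureRandom.hex(8)}.#{domain}"
  !resolver.call(probe).empty?
end

# Live resolver using Ruby's stdlib Resolv; not used by the offline demo.
LIVE_RESOLVER = lambda do |name|
  begin
    Resolv::DNS.new.getaddresses(name).map(&:to_s)
  rescue StandardError
    []
  end
end

# Constructed stub zone data so the example runs offline: fixed answers plus
# a wildcard zone where any label under wild.example resolves.
STUB_ANSWERS = {
  'nu.cv' => ['192.0.2.1'], 'nu.ca' => ['192.0.2.2'],
  'company.co.il' => ['192.0.2.3'], 'company.com' => ['192.0.2.4']
}.freeze
STUB_RESOLVER = lambda do |name|
  STUB_ANSWERS.fetch(name) { name.end_with?('.wild.example') ? ['192.0.2.99'] : [] }
end

if __FILE__ == $PROGRAM_NAME
  %w[nu.nl company.co.uk].each do |d|
    hits = expand_tlds(d, STUB_RESOLVER)
    puts "#{d} -> base #{split_tld(d).first}: #{hits.keys.join(', ')}"
  end
  puts "wild.example wildcard? #{wildcard?('wild.example', STUB_RESOLVER)}"
end
```

Swap `STUB_RESOLVER` for `LIVE_RESOLVER` to run the same expansion against real DNS; the wildcard probe should be made against each name server of the target domain if the module's per-NS accuracy point from the thread matters for the engagement.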