How'd you do it?
Against my domain it fails with an error at the SRV step. Change it to github.com and it fails with a similar error, but at zone transfer.
Point it at zonetransfer.me and the zone transfer works, but there are a bunch of warnings about parsing RR packets.
DNS entries should be displayed without errors.
Against digi.ninja
msf6 auxiliary(gather/enum_dns) > set DOMAIN digi.ninja
DOMAIN => digi.ninja
msf6 auxiliary(gather/enum_dns) > run
[!] dns wildcard is enable OR fake dns server
[*] Querying DNS NS records for digi.ninja
[+] digi.ninja NS: dns2.zoneedit.com
[+] digi.ninja NS: dns1.zoneedit.com
[*] Attempting DNS AXFR for digi.ninja from dns2.zoneedit.com
[*] Attempting DNS AXFR for digi.ninja from dns1.zoneedit.com
[*] Querying DNS CNAME records for digi.ninja
[*] Querying DNS NS records for digi.ninja
[+] digi.ninja NS: dns1.zoneedit.com
[+] digi.ninja NS: dns2.zoneedit.com
[*] Querying DNS MX records for digi.ninja
[+] digi.ninja MX: alt1.aspmx.l.google.com
[+] digi.ninja MX: alt3.aspmx.l.google.com
[+] digi.ninja MX: aspmx.l.google.com
[+] digi.ninja MX: alt2.aspmx.l.google.com
[+] digi.ninja MX: alt4.aspmx.l.google.com
[*] Querying DNS SOA records for digi.ninja
[+] digi.ninja SOA: dns0.zoneedit.com
[*] Querying DNS TXT records for digi.ninja
[+] digi.ninja TXT: v=spf1 include:_spf.google.com ~all
[+] digi.ninja TXT: keybase-site-verification=RlBQzB0npOVxkoAwBYJJuWxT8xMVqLPQ1NuBwA30Dq4
[*] Querying DNS SRV records for digi.ninja
[-] Auxiliary failed: NoMethodError undefined method `port' for #<Dnsruby::RR::IN::CNAME:0x000055891929efa8>
[-] Call stack:
[-] /home/robin/tools/network/metasploit-framework/lib/msf/core/exploit/dns/enumeration.rb:222:in `block (3 levels) in dns_get_srv'
[-] /home/robin/tools/network/metasploit-framework/lib/msf/core/exploit/dns/enumeration.rb:218:in `each'
[-] /home/robin/tools/network/metasploit-framework/lib/msf/core/exploit/dns/enumeration.rb:218:in `block (2 levels) in dns_get_srv'
[-] /home/robin/tools/network/metasploit-framework/lib/msf/core/exploit/dns/enumeration.rb:213:in `each'
[-] /home/robin/tools/network/metasploit-framework/lib/msf/core/exploit/dns/enumeration.rb:213:in `block in dns_get_srv'
[-] /home/robin/tools/network/metasploit-framework/lib/msf/core/exploit/dns/enumeration.rb:212:in `each'
[-] /home/robin/tools/network/metasploit-framework/lib/msf/core/exploit/dns/enumeration.rb:212:in `dns_get_srv'
[-] /home/robin/tools/network/metasploit-framework/modules/auxiliary/gather/enum_dns.rb:76:in `run'
[*] Auxiliary module execution completed
A different error from github.com
[*] Attempting DNS AXFR for github.com from dns1.p08.nsone.net
[*] Attempting DNS AXFR for github.com from dns2.p08.nsone.net
[*] Attempting DNS AXFR for github.com from dns3.p08.nsone.net
[*] Attempting DNS AXFR for github.com from dns4.p08.nsone.net
[*] Attempting DNS AXFR for github.com from ns-1283.awsdns-32.org
[-] Auxiliary failed: Errno::ECONNRESET Connection reset by peer - recvfrom(2)
[-] Call stack:
[-] /home/robin/tools/network/metasploit-framework/lib/rex/proto/dns/resolver.rb:224:in `recv'
[-] /home/robin/tools/network/metasploit-framework/lib/rex/proto/dns/resolver.rb:224:in `block (4 levels) in send_tcp'
[-] /home/robin/tools/network/metasploit-framework/lib/rex/proto/dns/resolver.rb:222:in `loop'
[-] /home/robin/tools/network/metasploit-framework/lib/rex/proto/dns/resolver.rb:222:in `block (3 levels) in send_tcp'
[-] /home/robin/tools/network/metasploit-framework/lib/rex/proto/dns/resolver.rb:198:in `catch'
[-] /home/robin/tools/network/metasploit-framework/lib/rex/proto/dns/resolver.rb:198:in `block (2 levels) in send_tcp'
[-] /home/robin/tools/network/metasploit-framework/lib/net/dns/resolver/timeouts.rb:53:in `block in timeout'
[-] /usr/share/rvm/rubies/ruby-2.7.0/lib/ruby/2.7.0/timeout.rb:95:in `block in timeout'
[-] /usr/share/rvm/rubies/ruby-2.7.0/lib/ruby/2.7.0/timeout.rb:33:in `block in catch'
[-] /usr/share/rvm/rubies/ruby-2.7.0/lib/ruby/2.7.0/timeout.rb:33:in `catch'
[-] /usr/share/rvm/rubies/ruby-2.7.0/lib/ruby/2.7.0/timeout.rb:33:in `catch'
[-] /usr/share/rvm/rubies/ruby-2.7.0/lib/ruby/2.7.0/timeout.rb:110:in `timeout'
[-] /home/robin/tools/network/metasploit-framework/lib/net/dns/resolver/timeouts.rb:52:in `timeout'
[-] /home/robin/tools/network/metasploit-framework/lib/rex/proto/dns/resolver.rb:197:in `block in send_tcp'
[-] /home/robin/tools/network/metasploit-framework/lib/rex/proto/dns/resolver.rb:194:in `each'
[-] /home/robin/tools/network/metasploit-framework/lib/rex/proto/dns/resolver.rb:194:in `send_tcp'
[-] /home/robin/tools/network/metasploit-framework/lib/net/dns/resolver.rb:1030:in `axfr'
[-] /home/robin/tools/network/metasploit-framework/lib/msf/core/exploit/dns/enumeration.rb:53:in `block in dns_axfr'
[-] /home/robin/tools/network/metasploit-framework/lib/msf/core/exploit/dns/enumeration.rb:40:in `each'
[-] /home/robin/tools/network/metasploit-framework/lib/msf/core/exploit/dns/enumeration.rb:40:in `dns_axfr'
[-] /home/robin/tools/network/metasploit-framework/modules/auxiliary/gather/enum_dns.rb:68:in `run'
[*] Auxiliary module execution completed
Pointing at zonetransfer.me
[*] Querying DNS NS records for zonetransfer.me
[+] zonetransfer.me NS: nsztm1.digi.ninja
[+] zonetransfer.me NS: nsztm2.digi.ninja
[*] Attempting DNS AXFR for zonetransfer.me from nsztm1.digi.ninja
W, [2020-08-07T09:24:27.867880 #925581] WARN -- : Failed to parse RR packet from offset: 601
W, [2020-08-07T09:24:27.868028 #925581] WARN -- : Failed to parse RR packet from offset: 670
W, [2020-08-07T09:24:27.868471 #925581] WARN -- : Failed to parse RR packet from offset: 962
W, [2020-08-07T09:24:27.868577 #925581] WARN -- : Failed to parse RR packet from offset: 1017
W, [2020-08-07T09:24:27.869277 #925581] WARN -- : Failed to parse RR packet from offset: 1533
W, [2020-08-07T09:24:27.869317 #925581] WARN -- : Failed to parse RR packet from offset: 1598
W, [2020-08-07T09:24:57.912684 #925581] WARN -- : Failed to parse RR packet from offset: 601
W, [2020-08-07T09:24:57.913029 #925581] WARN -- : Failed to parse RR packet from offset: 670
W, [2020-08-07T09:24:57.914243 #925581] WARN -- : Failed to parse RR packet from offset: 962
W, [2020-08-07T09:24:57.914505 #925581] WARN -- : Failed to parse RR packet from offset: 1017
W, [2020-08-07T09:24:57.916925 #925581] WARN -- : Failed to parse RR packet from offset: 1533
W, [2020-08-07T09:24:57.917109 #925581] WARN -- : Failed to parse RR packet from offset: 1598
[+] zonetransfer.me Zone Transfer: [;; Answer received from 81.4.108.41:53 (1983 bytes)
The warnings are repeated for the second name server.
Framework: 6.0.1-dev-80889b2b86
Console : 6.0.1-dev-80889b2b86
ruby 2.7.0p0 (2019-12-25 revision 647ee6f091) [x86_64-linux]
Got the same errors from an older Ruby as well:
ruby 2.6.5p114 (2019-10-01 revision 67812) [x86_64-linux]
What OS are you running Metasploit on?
Ubuntu 20.04
Confirmed on master.
msf6 > use auxiliary/gather/enum_dns
msf6 auxiliary(gather/enum_dns) > set DOMAIN digi.ninja
DOMAIN => digi.ninja
msf6 auxiliary(gather/enum_dns) > run
[!] dns wildcard is enable OR fake dns server
[*] Querying DNS NS records for digi.ninja
[+] digi.ninja NS: dns1.zoneedit.com
[+] digi.ninja NS: dns2.zoneedit.com
[*] Attempting DNS AXFR for digi.ninja from dns1.zoneedit.com
[*] Attempting DNS AXFR for digi.ninja from dns2.zoneedit.com
[*] Querying DNS CNAME records for digi.ninja
[*] Querying DNS NS records for digi.ninja
[+] digi.ninja NS: dns2.zoneedit.com
[+] digi.ninja NS: dns1.zoneedit.com
[*] Querying DNS MX records for digi.ninja
[+] digi.ninja MX: aspmx.l.google.com
[+] digi.ninja MX: alt4.aspmx.l.google.com
[+] digi.ninja MX: alt1.aspmx.l.google.com
[+] digi.ninja MX: alt3.aspmx.l.google.com
[+] digi.ninja MX: alt2.aspmx.l.google.com
[*] Querying DNS SOA records for digi.ninja
[+] digi.ninja SOA: dns0.zoneedit.com
[*] Querying DNS TXT records for digi.ninja
[+] digi.ninja TXT: v=spf1 include:_spf.google.com ~all
[+] digi.ninja TXT: keybase-site-verification=RlBQzB0npOVxkoAwBYJJuWxT8xMVqLPQ1NuBwA30Dq4
[*] Querying DNS SRV records for digi.ninja
[-] Auxiliary failed: NoMethodError undefined method `port' for #<Dnsruby::RR::IN::CNAME:0x00005654c7d4add8>
[-] Call stack:
[-] /root/Desktop/metasploit-framework/lib/msf/core/exploit/dns/enumeration.rb:222:in `block (3 levels) in dns_get_srv'
[-] /root/Desktop/metasploit-framework/lib/msf/core/exploit/dns/enumeration.rb:218:in `each'
[-] /root/Desktop/metasploit-framework/lib/msf/core/exploit/dns/enumeration.rb:218:in `block (2 levels) in dns_get_srv'
[-] /root/Desktop/metasploit-framework/lib/msf/core/exploit/dns/enumeration.rb:213:in `each'
[-] /root/Desktop/metasploit-framework/lib/msf/core/exploit/dns/enumeration.rb:213:in `block in dns_get_srv'
[-] /root/Desktop/metasploit-framework/lib/msf/core/exploit/dns/enumeration.rb:212:in `each'
[-] /root/Desktop/metasploit-framework/lib/msf/core/exploit/dns/enumeration.rb:212:in `dns_get_srv'
[-] /root/Desktop/metasploit-framework/modules/auxiliary/gather/enum_dns.rb:76:in `run'
[*] Auxiliary module execution completed
msf6 auxiliary(gather/enum_dns) >
Possible patch:
diff --git a/lib/msf/core/exploit/dns/enumeration.rb b/lib/msf/core/exploit/dns/enumeration.rb
index 4c6bad8c0a..f8e84639f1 100644
--- a/lib/msf/core/exploit/dns/enumeration.rb
+++ b/lib/msf/core/exploit/dns/enumeration.rb
@@ -216,7 +216,7 @@ module Enumeration
next if resp.blank? || resp.answer.blank?
srv_record_data = []
resp.answer.each do |r|
- next if r.type == Dnsruby::RR::IN::CNAME
+ next if r.class == Dnsruby::RR::IN::CNAME
data = {
host: r.name.to_s,
port: r.port,
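Review bot: The guard on the `+` line excludes only CNAME answers, so any other non-SRV record in `resp.answer` still reaches `port: r.port` and raises the same NoMethodError shown in the report. A positive check such as `next unless r.is_a?(Dnsruby::RR::IN::SRV)` would cover every record type that has no `port` method, and a one-line comment saying that CNAMEs can turn up in SRV answers would explain why the guard exists.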
Patch above appears to work, although I'm not sure what caused this to stop working. Perhaps it never worked.
msf6 auxiliary(gather/enum_dns) > edit lib/msf/core/exploit/dns/enumeration.rb
[*] Reloading /root/Desktop/metasploit-framework/lib/msf/core/exploit/dns/enumeration.rb
msf6 auxiliary(gather/enum_dns) > run
[!] dns wildcard is enable OR fake dns server
[*] Querying DNS NS records for digi.ninja
[+] digi.ninja NS: dns1.zoneedit.com
[+] digi.ninja NS: dns2.zoneedit.com
[*] Attempting DNS AXFR for digi.ninja from dns1.zoneedit.com
[*] Attempting DNS AXFR for digi.ninja from dns2.zoneedit.com
[*] Querying DNS CNAME records for digi.ninja
[*] Querying DNS NS records for digi.ninja
[+] digi.ninja NS: dns2.zoneedit.com
[+] digi.ninja NS: dns1.zoneedit.com
[*] Querying DNS MX records for digi.ninja
[+] digi.ninja MX: alt2.aspmx.l.google.com
[+] digi.ninja MX: alt4.aspmx.l.google.com
[+] digi.ninja MX: alt3.aspmx.l.google.com
[+] digi.ninja MX: aspmx.l.google.com
[+] digi.ninja MX: alt1.aspmx.l.google.com
[*] Querying DNS SOA records for digi.ninja
[+] digi.ninja SOA: dns0.zoneedit.com
[*] Querying DNS TXT records for digi.ninja
[+] digi.ninja TXT: v=spf1 include:_spf.google.com ~all
[+] digi.ninja TXT: keybase-site-verification=RlBQzB0npOVxkoAwBYJJuWxT8xMVqLPQ1NuBwA30Dq4
[*] Querying DNS SRV records for digi.ninja
[*] Auxiliary module execution completed
msf6 auxiliary(gather/enum_dns) >
Does that work on all three domains?
why don't I just try it myself instead of asking?
no, just my domain, the other two are different bugs.
Yeah it is still broken for the other two, although I get better results for zonetransfer.me.
msf6 auxiliary(gather/enum_dns) > run
[*] Querying DNS NS records for zonetransfer.me
[+] zonetransfer.me NS: nsztm2.digi.ninja
[+] zonetransfer.me NS: nsztm1.digi.ninja
[*] Attempting DNS AXFR for zonetransfer.me from nsztm2.digi.ninja
W, [2020-08-07T04:52:15.744616 #1725954] WARN -- : Failed to parse RR packet from offset: 657
W, [2020-08-07T04:52:15.745641 #1725954] WARN -- : Failed to parse RR packet from offset: 726
W, [2020-08-07T04:52:15.748193 #1725954] WARN -- : Failed to parse RR packet from offset: 1018
W, [2020-08-07T04:52:15.748895 #1725954] WARN -- : Failed to parse RR packet from offset: 1073
W, [2020-08-07T04:52:15.752108 #1725954] WARN -- : Failed to parse RR packet from offset: 1589
W, [2020-08-07T04:52:15.752272 #1725954] WARN -- : Failed to parse RR packet from offset: 1654
W, [2020-08-07T04:52:45.984802 #1725954] WARN -- : Failed to parse RR packet from offset: 657
W, [2020-08-07T04:52:45.985328 #1725954] WARN -- : Failed to parse RR packet from offset: 726
W, [2020-08-07T04:52:45.986725 #1725954] WARN -- : Failed to parse RR packet from offset: 1018
W, [2020-08-07T04:52:45.987217 #1725954] WARN -- : Failed to parse RR packet from offset: 1073
W, [2020-08-07T04:52:45.989867 #1725954] WARN -- : Failed to parse RR packet from offset: 1589
W, [2020-08-07T04:52:45.990139 #1725954] WARN -- : Failed to parse RR packet from offset: 1654
[+] zonetransfer.me Zone Transfer: [;; Answer received from 34.225.33.2:53 (2039 bytes)
;;
;; HEADER SECTION
;; id = 28412
;; qr = 1 opCode: QUERY aa = 1 tc = 0 rd = 0
;; ra = 0 ad = 0 cd = 0 rcode = NoError
;; qdCount = 1 anCount = 51 nsCount = 0 arCount = 0
;; QUESTION SECTION (1 record):
;; zonetransfer.me. IN AXFR
;; ANSWER SECTION (51 records):
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me. 300 IN HINFO Casio fx-700G
Windows XP�
zonetransfer.me. 301 IN TXT
zonetransfer.me. 7200 IN MX 0 ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 10 ALT1.ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 10 ALT2.ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX2.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX3.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX4.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX5.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN A 5.196.105.14
zonetransfer.me. 7200 IN NS nsztm1.digi.ninja.
zonetransfer.me. 7200 IN NS nsztm2.digi.ninja.
_acme-challenge.zonetransfer.me. 301 IN TXT
_acme-challenge.zonetransfer.me. 301 IN TXT
_sip._tcp.zonetransfer.me. 14000 IN SRV
14.105.196.5.IN-ADDR.ARPA.zonetransfer.me. 7200 IN PTR www.zonetransfer.me.
asfdbbox.zonetransfer.me. 7200 IN A 127.0.0.1
canberra-office.zonetransfer.me. 7200 IN A 202.14.81.230
cmdexec.zonetransfer.me. 300 IN TXT
contact.zonetransfer.me. 2592000 IN TXT
dc-office.zonetransfer.me. 7200 IN A 143.228.181.132
deadbeef.zonetransfer.me. 7201 IN AAAA dead:beaf::
DZC.zonetransfer.me. 7200 IN TXT
email.zonetransfer.me. 7200 IN A 74.125.206.26
Hello.zonetransfer.me. 7200 IN TXT
home.zonetransfer.me. 7200 IN A 127.0.0.1
Info.zonetransfer.me. 7200 IN TXT
internal.zonetransfer.me. 300 IN NS intns1.zonetransfer.me.
internal.zonetransfer.me. 300 IN NS intns2.zonetransfer.me.
intns1.zonetransfer.me. 300 IN A 81.4.108.41
intns2.zonetransfer.me. 300 IN A 52.91.28.78
office.zonetransfer.me. 7200 IN A 4.23.39.254
ipv6actnow.org.zonetransfer.me. 7200 IN AAAA 2001:67c:2e8:11::c100:1332
owa.zonetransfer.me. 7200 IN A 207.46.197.32
robinwood.zonetransfer.me. 302 IN TXT
sqli.zonetransfer.me. 300 IN TXT
sshock.zonetransfer.me. 7200 IN TXT
staging.zonetransfer.me. 7200 IN CNAME www.sydneyoperahouse.com.
alltcpportsopen.firewall.test.zonetransfer.me. 301 IN A 127.0.0.1
testing.zonetransfer.me. 301 IN CNAME www.zonetransfer.me.
vpn.zonetransfer.me. 4000 IN A 174.36.59.154
www.zonetransfer.me. 7200 IN A 5.196.105.14
xss.zonetransfer.me. 300 IN TXT
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
]
[*] Attempting DNS AXFR for zonetransfer.me from nsztm1.digi.ninja
W, [2020-08-07T04:52:47.093142 #1725954] WARN -- : Failed to parse RR packet from offset: 601
W, [2020-08-07T04:52:47.093844 #1725954] WARN -- : Failed to parse RR packet from offset: 670
W, [2020-08-07T04:52:47.095402 #1725954] WARN -- : Failed to parse RR packet from offset: 962
W, [2020-08-07T04:52:47.095664 #1725954] WARN -- : Failed to parse RR packet from offset: 1017
W, [2020-08-07T04:52:47.097182 #1725954] WARN -- : Failed to parse RR packet from offset: 1533
W, [2020-08-07T04:52:47.097303 #1725954] WARN -- : Failed to parse RR packet from offset: 1598
W, [2020-08-07T04:53:17.329773 #1725954] WARN -- : Failed to parse RR packet from offset: 601
W, [2020-08-07T04:53:17.330757 #1725954] WARN -- : Failed to parse RR packet from offset: 670
W, [2020-08-07T04:53:17.331905 #1725954] WARN -- : Failed to parse RR packet from offset: 962
W, [2020-08-07T04:53:17.332248 #1725954] WARN -- : Failed to parse RR packet from offset: 1017
W, [2020-08-07T04:53:17.333736 #1725954] WARN -- : Failed to parse RR packet from offset: 1533
W, [2020-08-07T04:53:17.333877 #1725954] WARN -- : Failed to parse RR packet from offset: 1598
[+] zonetransfer.me Zone Transfer: [;; Answer received from 81.4.108.41:53 (1983 bytes)
;;
;; HEADER SECTION
;; id = 52584
;; qr = 1 opCode: QUERY aa = 1 tc = 0 rd = 0
;; ra = 0 ad = 0 cd = 0 rcode = NoError
;; qdCount = 1 anCount = 50 nsCount = 0 arCount = 0
;; QUESTION SECTION (1 record):
;; zonetransfer.me. IN AXFR
;; ANSWER SECTION (50 records):
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me. 300 IN HINFO Casio fx-700G
Windows XP�
zonetransfer.me. 301 IN TXT
zonetransfer.me. 7200 IN MX 0 ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 10 ALT1.ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 10 ALT2.ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX2.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX3.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX4.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX5.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN A 5.196.105.14
zonetransfer.me. 7200 IN NS nsztm1.digi.ninja.
zonetransfer.me. 7200 IN NS nsztm2.digi.ninja.
_acme-challenge.zonetransfer.me. 301 IN TXT
_sip._tcp.zonetransfer.me. 14000 IN SRV
14.105.196.5.IN-ADDR.ARPA.zonetransfer.me. 7200 IN PTR www.zonetransfer.me.
asfdbbox.zonetransfer.me. 7200 IN A 127.0.0.1
canberra-office.zonetransfer.me. 7200 IN A 202.14.81.230
cmdexec.zonetransfer.me. 300 IN TXT
contact.zonetransfer.me. 2592000 IN TXT
dc-office.zonetransfer.me. 7200 IN A 143.228.181.132
deadbeef.zonetransfer.me. 7201 IN AAAA dead:beaf::
DZC.zonetransfer.me. 7200 IN TXT
email.zonetransfer.me. 7200 IN A 74.125.206.26
Hello.zonetransfer.me. 7200 IN TXT
home.zonetransfer.me. 7200 IN A 127.0.0.1
Info.zonetransfer.me. 7200 IN TXT
internal.zonetransfer.me. 300 IN NS intns1.zonetransfer.me.
internal.zonetransfer.me. 300 IN NS intns2.zonetransfer.me.
intns1.zonetransfer.me. 300 IN A 81.4.108.41
intns2.zonetransfer.me. 300 IN A 167.88.42.94
office.zonetransfer.me. 7200 IN A 4.23.39.254
ipv6actnow.org.zonetransfer.me. 7200 IN AAAA 2001:67c:2e8:11::c100:1332
owa.zonetransfer.me. 7200 IN A 207.46.197.32
robinwood.zonetransfer.me. 302 IN TXT
sqli.zonetransfer.me. 300 IN TXT
sshock.zonetransfer.me. 7200 IN TXT
staging.zonetransfer.me. 7200 IN CNAME www.sydneyoperahouse.com.
alltcpportsopen.firewall.test.zonetransfer.me. 301 IN A 127.0.0.1
testing.zonetransfer.me. 301 IN CNAME www.zonetransfer.me.
vpn.zonetransfer.me. 4000 IN A 174.36.59.154
www.zonetransfer.me. 7200 IN A 5.196.105.14
xss.zonetransfer.me. 300 IN TXT
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
]
[*] Querying DNS CNAME records for zonetransfer.me
[*] Querying DNS NS records for zonetransfer.me
[+] zonetransfer.me NS: nsztm2.digi.ninja
[+] zonetransfer.me NS: nsztm1.digi.ninja
[*] Querying DNS MX records for zonetransfer.me
[+] zonetransfer.me MX: ASPMX2.GOOGLEMAIL.COM
[+] zonetransfer.me MX: ASPMX4.GOOGLEMAIL.COM
[+] zonetransfer.me MX: ALT2.ASPMX.L.GOOGLE.COM
[+] zonetransfer.me MX: ASPMX3.GOOGLEMAIL.COM
[+] zonetransfer.me MX: ASPMX.L.GOOGLE.COM
[+] zonetransfer.me MX: ASPMX5.GOOGLEMAIL.COM
[+] zonetransfer.me MX: ALT1.ASPMX.L.GOOGLE.COM
[*] Querying DNS SOA records for zonetransfer.me
[+] zonetransfer.me SOA: nsztm1.digi.ninja
[*] Querying DNS TXT records for zonetransfer.me
[+] zonetransfer.me TXT: google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA
[*] Querying DNS SRV records for zonetransfer.me
[+] _sip._tcp.zonetransfer.me SRV: {:host=>"_sip._tcp.zonetransfer.me", :port=>5060, :priority=>0}
[*] Auxiliary module execution completed
msf6 auxiliary(gather/enum_dns) >
Disabling ENUM_AXFR "fixes" the issue for github.com:
msf6 auxiliary(gather/enum_dns) > set enum_axfr false
enum_axfr => false
msf6 auxiliary(gather/enum_dns) > run
[!] dns wildcard is enable OR fake dns server
[*] Querying DNS CNAME records for github.com
[*] Querying DNS NS records for github.com
[+] github.com NS: dns1.p08.nsone.net
[+] github.com NS: dns2.p08.nsone.net
[+] github.com NS: dns3.p08.nsone.net
[+] github.com NS: dns4.p08.nsone.net
[+] github.com NS: ns-1283.awsdns-32.org
[+] github.com NS: ns-1707.awsdns-21.co.uk
[+] github.com NS: ns-421.awsdns-52.com
[+] github.com NS: ns-520.awsdns-01.net
[*] Querying DNS MX records for github.com
[+] github.com MX: aspmx.l.google.com
[+] github.com MX: alt3.aspmx.l.google.com
[+] github.com MX: alt4.aspmx.l.google.com
[+] github.com MX: alt1.aspmx.l.google.com
[+] github.com MX: alt2.aspmx.l.google.com
[*] Querying DNS SOA records for github.com
[+] github.com SOA: ns-1707.awsdns-21.co.uk
[*] Querying DNS TXT records for github.com
[+] github.com TXT: MS=6BF03E6AF5CB689E315FB6199603BABF2C88D805
[+] github.com TXT: MS=ms44452932
[+] github.com TXT: MS=ms58704441
[+] github.com TXT: docusign=087098e3-3d46-47b7-9b4e-8a23028154cd
[+] github.com TXT: v=spf1 ip4:192.30.252.0/22 ip4:208.74.204.0/22 ip4:46.19.168.0/23 include:_spf.google.com include:esp.github.com include:_spf.createsend.com include:servers.mcsv.net ~all
[*] Querying DNS SRV records for github.com
[*] Auxiliary module execution completed
msf6 auxiliary(gather/enum_dns) >
Patch:
msf6 auxiliary(gather/enum_dns) > git diff modules/auxiliary/gather/enum_dns.rb
[*] exec: git diff modules/auxiliary/gather/enum_dns.rb
diff --git a/modules/auxiliary/gather/enum_dns.rb b/modules/auxiliary/gather/enum_dns.rb
index 71ef39a983..0ee27b5e7a 100644
--- a/modules/auxiliary/gather/enum_dns.rb
+++ b/modules/auxiliary/gather/enum_dns.rb
@@ -65,7 +65,7 @@ class MetasploitModule < Msf::Auxiliary
domain = datastore['DOMAIN']
is_wildcard = dns_wildcard_enabled?(domain)
- dns_axfr(domain) if datastore['ENUM_AXFR']
+ axfr(domain) if datastore['ENUM_AXFR']
dns_get_a(domain) if datastore['ENUM_A']
dns_get_cname(domain) if datastore['ENUM_CNAME']
dns_get_ns(domain) if datastore['ENUM_NS']
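Review bot: Swapping the call on the `+` line sidesteps the `Errno::ECONNRESET` instead of handling it, and the shared `dns_axfr` in lib/msf/core/exploit/dns/enumeration.rb keeps the same failure. The backtrace puts the exception inside the per-nameserver loop of `dns_axfr`, so rescuing the connection error there and moving on to the next nameserver would keep a single code path; if the module's own `axfr` is preferred, the call it replaces should be removed or the reason for having both documented.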
This module contains an axfr method that isn't used (dead code), instead opting to use dns_axfr. I have no idea why.
Edit: log:
msf6 auxiliary(gather/enum_dns) > set enum_axfr
enum_axfr => true
msf6 auxiliary(gather/enum_dns) > git diff modules/auxiliary/gather/enum_dns.rb
[*] exec: git diff modules/auxiliary/gather/enum_dns.rb
diff --git a/modules/auxiliary/gather/enum_dns.rb b/modules/auxiliary/gather/enum_dns.rb
index 71ef39a983..0ee27b5e7a 100644
--- a/modules/auxiliary/gather/enum_dns.rb
+++ b/modules/auxiliary/gather/enum_dns.rb
@@ -65,7 +65,7 @@ class MetasploitModule < Msf::Auxiliary
domain = datastore['DOMAIN']
is_wildcard = dns_wildcard_enabled?(domain)
- dns_axfr(domain) if datastore['ENUM_AXFR']
+ axfr(domain) if datastore['ENUM_AXFR']
dns_get_a(domain) if datastore['ENUM_A']
dns_get_cname(domain) if datastore['ENUM_CNAME']
dns_get_ns(domain) if datastore['ENUM_NS']
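Review bot: With `axfr(domain)` on the `+` line, the run that follows this diff prints no `Attempting DNS AXFR` line for any nameserver, so a refused transfer and one that was never attempted look the same in the output. Print a status line per nameserver and a message when every server refuses, and check the change against a zone that permits AXFR as well as one that resets the connection.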
msf6 auxiliary(gather/enum_dns) > run
[!] dns wildcard is enable OR fake dns server
[*] querying DNS NS records for github.com
[*] Querying DNS CNAME records for github.com
[*] Querying DNS NS records for github.com
[+] github.com NS: dns1.p08.nsone.net
[+] github.com NS: dns2.p08.nsone.net
[+] github.com NS: dns3.p08.nsone.net
[+] github.com NS: dns4.p08.nsone.net
[+] github.com NS: ns-1283.awsdns-32.org
[+] github.com NS: ns-1707.awsdns-21.co.uk
[+] github.com NS: ns-421.awsdns-52.com
[+] github.com NS: ns-520.awsdns-01.net
[*] Querying DNS MX records for github.com
[+] github.com MX: aspmx.l.google.com
[+] github.com MX: alt1.aspmx.l.google.com
[+] github.com MX: alt2.aspmx.l.google.com
[+] github.com MX: alt3.aspmx.l.google.com
[+] github.com MX: alt4.aspmx.l.google.com
[*] Querying DNS SOA records for github.com
[+] github.com SOA: ns-1707.awsdns-21.co.uk
[*] Querying DNS TXT records for github.com
[+] github.com TXT: MS=6BF03E6AF5CB689E315FB6199603BABF2C88D805
[+] github.com TXT: MS=ms44452932
[+] github.com TXT: MS=ms58704441
[+] github.com TXT: docusign=087098e3-3d46-47b7-9b4e-8a23028154cd
[+] github.com TXT: v=spf1 ip4:192.30.252.0/22 ip4:208.74.204.0/22 ip4:46.19.168.0/23 include:_spf.google.com include:esp.github.com include:_spf.createsend.com include:servers.mcsv.net ~all
[*] Querying DNS SRV records for github.com
[*] Auxiliary module execution completed
msf6 auxiliary(gather/enum_dns) >
Agreed, that works for me
but that breaks zonetransfer.me which doesn't do a transfer any more
lol I guess that explains why it's dead code.
Do you mind creating a separate issue for the AXFR issues? Else I'll create one and reference this issue.
If I had to guess, I'd presume the unrelated Failed to parse RR packet warnings are due to the deliberately malformed data in your DNS records, but they should still be investigated.
[*] Attempting DNS AXFR for zonetransfer.me from nsztm1.digi.ninja
W, [2020-08-07T09:24:27.867880 #925581] WARN -- : Failed to parse RR packet from offset: 601
W, [2020-08-07T09:24:27.868028 #925581] WARN -- : Failed to parse RR packet from offset: 670
W, [2020-08-07T09:24:27.868471 #925581] WARN -- : Failed to parse RR packet from offset: 962
W, [2020-08-07T09:24:27.868577 #925581] WARN -- : Failed to parse RR packet from offset: 1017
W, [2020-08-07T09:24:27.869277 #925581] WARN -- : Failed to parse RR packet from offset: 1533
W, [2020-08-07T09:24:27.869317 #925581] WARN -- : Failed to parse RR packet from offset: 1598
W, [2020-08-07T09:24:57.912684 #925581] WARN -- : Failed to parse RR packet from offset: 601
W, [2020-08-07T09:24:57.913029 #925581] WARN -- : Failed to parse RR packet from offset: 670
W, [2020-08-07T09:24:57.914243 #925581] WARN -- : Failed to parse RR packet from offset: 962
W, [2020-08-07T09:24:57.914505 #925581] WARN -- : Failed to parse RR packet from offset: 1017
W, [2020-08-07T09:24:57.916925 #925581] WARN -- : Failed to parse RR packet from offset: 1533
W, [2020-08-07T09:24:57.917109 #925581] WARN -- : Failed to parse RR packet from offset: 1598
I didn't know anything was malformed, but it doesn't surprise me. It would be nice to know which bits are wrong so I can patch up some of them.
If the error could show the record it was parsing when it got the error, that would be useful.
I presumed, as I've used your service before and know the records are full of injections.
Clearly I haven't looked into this thoroughly.
Agreed.
My intention was to have any malicious stuff formatted correctly so that it didn't break things.
I've not had errors from any other AXFR tools so they must be parsing things in a different way. I'm happy to tweak the entries, or add new ones, to help debug things. As long as bind will restart, I can put anything that is needed into any type of record.
This was closed automatically via #13953, if you're still running into the issue just let us know and we can reopen the ticket.
Can we reopen this please as that fix only covers one of the issues.
Or I could open two new tickets for the remaining two problems.
This could be relevant to the RR issue and might help track down the offending records, in #13406 I added some exception handling (see point 4) to skip malformed records so we could at least process all of the properly formed ones instead of losing them all.
Updates Net::DNS::Packet#new_from_data to ignore unknown RRs and move on. Without this, the zone transfer fails to process any data when the presence of a single RR is not understood causing a NoResponseError2 to be raised from #axfr. For example, this would break on the "AFSDB" RR from the public zonetransfer.me example, causing no data to be returned.
IIRC some of the record types from zonetransfer.me just aren't defined in the Ruby lib like "AFSDB" so they're not necessarily malformed we just can't handle them so they're skipped.
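The skip-and-continue behaviour described for #13406, combined with the request earlier in the thread for a warning that names the record being parsed, as an added example (not code from Metasploit, Net::DNS or Dnsruby). `parse_answers`, `skip_warning` and the other helpers are hypothetical, and the sample message is constructed here.

```ruby
# Added example: not Metasploit, Net::DNS or Dnsruby code. All names are hypothetical.
class UnsupportedRR < StandardError; end

DECODERS = { # TYPE => rdata decoder, for the record types this parser understands
  1 => lambda do |rdata| # A
    raise ArgumentError, 'A rdata must be 4 bytes' unless rdata.bytesize == 4
    rdata.unpack('C4').join('.')
  end,
  16 => lambda do |rdata| # TXT: a run of length-prefixed strings
    strings = []
    pos = 0
    while pos < rdata.bytesize
      len = rdata.getbyte(pos)
      chunk = rdata.byteslice(pos + 1, len)
      raise ArgumentError, 'TXT string overruns rdata' unless chunk.bytesize == len
      strings << chunk
      pos += len + 1
    end
    strings
  end
}.freeze

# Reads a possibly compressed name; returns [name, offset just past it in the RR stream].
def read_name(msg, offset)
  labels = []
  resume = nil
  jumps = 0
  loop do
    len = msg.getbyte(offset) or raise ArgumentError, "name runs past end of message at #{offset}"
    if (len & 0xC0) == 0xC0 # compression pointer to an earlier name
      low = msg.getbyte(offset + 1) or raise ArgumentError, 'truncated compression pointer'
      resume ||= offset + 2
      offset = ((len & 0x3F) << 8) | low
      raise ArgumentError, 'compression pointer loop' if (jumps += 1) > 16
    elsif len.zero?
      resume ||= offset + 1
      break
    else
      labels << msg.byteslice(offset + 1, len)
      offset += len + 1
    end
  end
  ["#{labels.join('.')}.", resume]
end

# Parses the answer section; undecodable records are recorded with context and stepped over.
def parse_answers(msg)
  _id, _flags, qdcount, ancount = msg.unpack('n4')
  offset = 12 # fixed DNS header length
  qdcount.times { offset = read_name(msg, offset)[1] + 4 } # skip QNAME, QTYPE, QCLASS
  parsed = []
  skipped = []
  ancount.times do
    start = offset
    name, offset = read_name(msg, offset)
    type, _klass, ttl, rdlen = msg.byteslice(offset, 10).to_s.unpack('nnNn')
    rdata = msg.byteslice(offset + 10, rdlen.to_i)
    raise ArgumentError, "truncated RR at offset #{start}" unless rdlen && rdata && rdata.bytesize == rdlen
    offset += 10 + rdlen # RDLENGTH bounds the rdata, so the next RR is reachable without decoding it
    begin
      decoder = DECODERS.fetch(type) { raise UnsupportedRR, "no decoder for TYPE#{type}" }
      parsed << { name: name, type: type, ttl: ttl, data: decoder.call(rdata) }
    rescue UnsupportedRR, ArgumentError => e
      skipped << { offset: start, name: name, type: type, rdlength: rdlen,
                   rdata_hex: rdata.unpack1('H*'), reason: e.message }
    end
  end
  { parsed: parsed, skipped: skipped }
end

# One warning line per skipped record, naming the record instead of only the offset.
def skip_warning(skip)
  format('Failed to parse RR at offset %<offset>d: %<name>s TYPE%<type>d rdlength=%<rdlength>d ' \
         'rdata=%<rdata_hex>s (%<reason>s)', skip)
end

def encode_name(name)
  name.split('.').map { |label| [label.bytesize, label].pack('Ca*') }.join + "\x00".b
end

def rr(owner, type, rdata)
  owner + [type, 1, 300, rdata.bytesize].pack('nnNn') + rdata
end

# Constructed AXFR-style reply: A, AFSDB (no decoder), malformed TXT, A with a compressed owner.
def sample_message
  [0x1234, 0x8400, 1, 4, 0, 0].pack('n6') +
    encode_name('example.test') + [252, 1].pack('nn') +
    rr(encode_name('www.example.test'), 1, [192, 0, 2, 10].pack('C4')) +
    rr(encode_name('afsdb.example.test'), 18, [1].pack('n') + encode_name('afs.example.test')) +
    rr(encode_name('txt.example.test'), 16, "\x0Aabc".b) +
    rr("\x03vpn\xC0\x0C".b, 1, [192, 0, 2, 20].pack('C4'))
end

parse_answers(sample_message)[:skipped].each { |s| warn skip_warning(s) } if $PROGRAM_NAME == __FILE__
```

Both undecodable records are reported with their owner name, type and raw rdata, and the two A records on either side of them are still returned.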
If I read that link right, it was merged into master already so if it were working correctly it would prevent these issues, is that right?
I'll try adding the two lines of debug and try to work out what is causing the problems. Won't be today though.
Do you want me to do the remaining two as separate tickets just in case they have different solutions?
At the time, I'm pretty sure warning messages like these were present, because of the lack of record support.
W, [2020-08-07T04:52:47.093142 #1725954] WARN -- : Failed to parse RR packet from offset: 601
W, [2020-08-07T04:52:47.093844 #1725954] WARN -- : Failed to parse RR packet from offset: 670
W, [2020-08-07T04:52:47.095402 #1725954] WARN -- : Failed to parse RR packet from offset: 962
W, [2020-08-07T04:52:47.095664 #1725954] WARN -- : Failed to parse RR packet from offset: 1017
W, [2020-08-07T04:52:47.097182 #1725954] WARN -- : Failed to parse RR packet from offset: 1533
W, [2020-08-07T04:52:47.097303 #1725954] WARN -- : Failed to parse RR packet from offset: 1598
If we do think they're different bugs with different solutions and you don't mind opening a new ticket that would be a great help for us to stay organized and on top of it.
I've already opened two new tickets for the remaining problems #13955 #13956
@bcoles thanks, just subscribed to those.
@smcintyre-r7 I'll have a play and see if I can get some better debug or warning out of it. It would be nice if it showed the record it couldn't handle in some way.
A friend has just pointed out that on his internal test system, it is now taking a long time to run a zone transfer (says 10 minutes+). For me against zonetransfer.me it is taking about 30 seconds. I doubt it is the fix that this ticket is connected to as that really shouldn't slow things down. Can someone else check and see if they are getting slow transfers now or if it is just something at our end.
This took approximately 2:45:
msf6 > use auxiliary/gather/enum_dns
msf6 auxiliary(gather/enum_dns) > set domain zonetransfer.me
domain => zonetransfer.me
msf6 auxiliary(gather/enum_dns) > run
[*] Querying DNS NS records for zonetransfer.me
[+] zonetransfer.me NS: nsztm2.digi.ninja
[+] zonetransfer.me NS: nsztm1.digi.ninja
[*] Attempting DNS AXFR for zonetransfer.me from nsztm2.digi.ninja
W, [2020-08-10T11:54:26.507265 #1964130] WARN -- : Failed to parse RR packet from offset: 657
W, [2020-08-10T11:54:26.507701 #1964130] WARN -- : Failed to parse RR packet from offset: 726
W, [2020-08-10T11:54:26.508509 #1964130] WARN -- : Failed to parse RR packet from offset: 1018
W, [2020-08-10T11:54:26.508769 #1964130] WARN -- : Failed to parse RR packet from offset: 1073
W, [2020-08-10T11:54:26.510319 #1964130] WARN -- : Failed to parse RR packet from offset: 1589
W, [2020-08-10T11:54:26.510511 #1964130] WARN -- : Failed to parse RR packet from offset: 1654
W, [2020-08-10T11:54:56.739115 #1964130] WARN -- : Failed to parse RR packet from offset: 657
W, [2020-08-10T11:54:56.739597 #1964130] WARN -- : Failed to parse RR packet from offset: 726
W, [2020-08-10T11:54:56.740576 #1964130] WARN -- : Failed to parse RR packet from offset: 1018
W, [2020-08-10T11:54:56.740893 #1964130] WARN -- : Failed to parse RR packet from offset: 1073
W, [2020-08-10T11:54:56.742733 #1964130] WARN -- : Failed to parse RR packet from offset: 1589
W, [2020-08-10T11:54:56.742891 #1964130] WARN -- : Failed to parse RR packet from offset: 1654
[+] zonetransfer.me Zone Transfer: [;; Answer received from 34.225.33.2:53 (2039 bytes)
;;
;; HEADER SECTION
;; id = 41051
;; qr = 1 opCode: QUERY aa = 1 tc = 0 rd = 0
;; ra = 0 ad = 0 cd = 0 rcode = NoError
;; qdCount = 1 anCount = 51 nsCount = 0 arCount = 0
;; QUESTION SECTION (1 record):
;; zonetransfer.me. IN AXFR
;; ANSWER SECTION (51 records):
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me. 300 IN HINFO Casio fx-700G
Windows XP�
zonetransfer.me. 301 IN TXT
zonetransfer.me. 7200 IN MX 0 ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 10 ALT1.ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 10 ALT2.ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX2.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX3.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX4.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX5.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN A 5.196.105.14
zonetransfer.me. 7200 IN NS nsztm1.digi.ninja.
zonetransfer.me. 7200 IN NS nsztm2.digi.ninja.
_acme-challenge.zonetransfer.me. 301 IN TXT
_acme-challenge.zonetransfer.me. 301 IN TXT
_sip._tcp.zonetransfer.me. 14000 IN SRV
14.105.196.5.IN-ADDR.ARPA.zonetransfer.me. 7200 IN PTR www.zonetransfer.me.
asfdbbox.zonetransfer.me. 7200 IN A 127.0.0.1
canberra-office.zonetransfer.me. 7200 IN A 202.14.81.230
cmdexec.zonetransfer.me. 300 IN TXT
contact.zonetransfer.me. 2592000 IN TXT
dc-office.zonetransfer.me. 7200 IN A 143.228.181.132
deadbeef.zonetransfer.me. 7201 IN AAAA dead:beaf::
DZC.zonetransfer.me. 7200 IN TXT
email.zonetransfer.me. 7200 IN A 74.125.206.26
Hello.zonetransfer.me. 7200 IN TXT
home.zonetransfer.me. 7200 IN A 127.0.0.1
Info.zonetransfer.me. 7200 IN TXT
internal.zonetransfer.me. 300 IN NS intns1.zonetransfer.me.
internal.zonetransfer.me. 300 IN NS intns2.zonetransfer.me.
intns1.zonetransfer.me. 300 IN A 81.4.108.41
intns2.zonetransfer.me. 300 IN A 52.91.28.78
office.zonetransfer.me. 7200 IN A 4.23.39.254
ipv6actnow.org.zonetransfer.me. 7200 IN AAAA 2001:67c:2e8:11::c100:1332
owa.zonetransfer.me. 7200 IN A 207.46.197.32
robinwood.zonetransfer.me. 302 IN TXT
sqli.zonetransfer.me. 300 IN TXT
sshock.zonetransfer.me. 7200 IN TXT
staging.zonetransfer.me. 7200 IN CNAME www.sydneyoperahouse.com.
alltcpportsopen.firewall.test.zonetransfer.me. 301 IN A 127.0.0.1
testing.zonetransfer.me. 301 IN CNAME www.zonetransfer.me.
vpn.zonetransfer.me. 4000 IN A 174.36.59.154
www.zonetransfer.me. 7200 IN A 5.196.105.14
xss.zonetransfer.me. 300 IN TXT
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
]
[*] Attempting DNS AXFR for zonetransfer.me from nsztm1.digi.ninja
W, [2020-08-10T11:54:57.679372 #1964130] WARN -- : Failed to parse RR packet from offset: 601
W, [2020-08-10T11:54:57.679737 #1964130] WARN -- : Failed to parse RR packet from offset: 670
W, [2020-08-10T11:54:57.680409 #1964130] WARN -- : Failed to parse RR packet from offset: 962
W, [2020-08-10T11:54:57.680612 #1964130] WARN -- : Failed to parse RR packet from offset: 1017
W, [2020-08-10T11:54:57.681699 #1964130] WARN -- : Failed to parse RR packet from offset: 1533
W, [2020-08-10T11:54:57.681867 #1964130] WARN -- : Failed to parse RR packet from offset: 1598
W, [2020-08-10T11:55:27.917207 #1964130] WARN -- : Failed to parse RR packet from offset: 601
W, [2020-08-10T11:55:27.917520 #1964130] WARN -- : Failed to parse RR packet from offset: 670
W, [2020-08-10T11:55:27.918485 #1964130] WARN -- : Failed to parse RR packet from offset: 962
W, [2020-08-10T11:55:27.918852 #1964130] WARN -- : Failed to parse RR packet from offset: 1017
W, [2020-08-10T11:55:27.920681 #1964130] WARN -- : Failed to parse RR packet from offset: 1533
W, [2020-08-10T11:55:27.920857 #1964130] WARN -- : Failed to parse RR packet from offset: 1598
[+] zonetransfer.me Zone Transfer: [;; Answer received from 81.4.108.41:53 (1983 bytes)
;;
;; HEADER SECTION
;; id = 53755
;; qr = 1 opCode: QUERY aa = 1 tc = 0 rd = 0
;; ra = 0 ad = 0 cd = 0 rcode = NoError
;; qdCount = 1 anCount = 50 nsCount = 0 arCount = 0
;; QUESTION SECTION (1 record):
;; zonetransfer.me. IN AXFR
;; ANSWER SECTION (50 records):
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
zonetransfer.me. 300 IN HINFO Casio fx-700G
Windows XP�
zonetransfer.me. 301 IN TXT
zonetransfer.me. 7200 IN MX 0 ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 10 ALT1.ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 10 ALT2.ASPMX.L.GOOGLE.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX2.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX3.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX4.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN MX 20 ASPMX5.GOOGLEMAIL.COM.
zonetransfer.me. 7200 IN A 5.196.105.14
zonetransfer.me. 7200 IN NS nsztm1.digi.ninja.
zonetransfer.me. 7200 IN NS nsztm2.digi.ninja.
_acme-challenge.zonetransfer.me. 301 IN TXT
_sip._tcp.zonetransfer.me. 14000 IN SRV
14.105.196.5.IN-ADDR.ARPA.zonetransfer.me. 7200 IN PTR www.zonetransfer.me.
asfdbbox.zonetransfer.me. 7200 IN A 127.0.0.1
canberra-office.zonetransfer.me. 7200 IN A 202.14.81.230
cmdexec.zonetransfer.me. 300 IN TXT
contact.zonetransfer.me. 2592000 IN TXT
dc-office.zonetransfer.me. 7200 IN A 143.228.181.132
deadbeef.zonetransfer.me. 7201 IN AAAA dead:beaf::
DZC.zonetransfer.me. 7200 IN TXT
email.zonetransfer.me. 7200 IN A 74.125.206.26
Hello.zonetransfer.me. 7200 IN TXT
home.zonetransfer.me. 7200 IN A 127.0.0.1
Info.zonetransfer.me. 7200 IN TXT
internal.zonetransfer.me. 300 IN NS intns1.zonetransfer.me.
internal.zonetransfer.me. 300 IN NS intns2.zonetransfer.me.
intns1.zonetransfer.me. 300 IN A 81.4.108.41
intns2.zonetransfer.me. 300 IN A 167.88.42.94
office.zonetransfer.me. 7200 IN A 4.23.39.254
ipv6actnow.org.zonetransfer.me. 7200 IN AAAA 2001:67c:2e8:11::c100:1332
owa.zonetransfer.me. 7200 IN A 207.46.197.32
robinwood.zonetransfer.me. 302 IN TXT
sqli.zonetransfer.me. 300 IN TXT
sshock.zonetransfer.me. 7200 IN TXT
staging.zonetransfer.me. 7200 IN CNAME www.sydneyoperahouse.com.
alltcpportsopen.firewall.test.zonetransfer.me. 301 IN A 127.0.0.1
testing.zonetransfer.me. 301 IN CNAME www.zonetransfer.me.
vpn.zonetransfer.me. 4000 IN A 174.36.59.154
www.zonetransfer.me. 7200 IN A 5.196.105.14
xss.zonetransfer.me. 300 IN TXT
zonetransfer.me. 7200 IN SOA nsztm1.digi.ninja. robin.digi.ninja. 2019100801 172800 900 1209600 3600
]
[*] Querying DNS CNAME records for zonetransfer.me
[*] Querying DNS NS records for zonetransfer.me
[+] zonetransfer.me NS: nsztm2.digi.ninja
[+] zonetransfer.me NS: nsztm1.digi.ninja
[*] Querying DNS MX records for zonetransfer.me
[+] zonetransfer.me MX: ASPMX3.GOOGLEMAIL.COM
[+] zonetransfer.me MX: ASPMX.L.GOOGLE.COM
[+] zonetransfer.me MX: ALT1.ASPMX.L.GOOGLE.COM
[+] zonetransfer.me MX: ASPMX2.GOOGLEMAIL.COM
[+] zonetransfer.me MX: ASPMX5.GOOGLEMAIL.COM
[+] zonetransfer.me MX: ALT2.ASPMX.L.GOOGLE.COM
[+] zonetransfer.me MX: ASPMX4.GOOGLEMAIL.COM
[*] Querying DNS SOA records for zonetransfer.me
[+] zonetransfer.me SOA: nsztm1.digi.ninja
[*] Querying DNS TXT records for zonetransfer.me
[+] zonetransfer.me TXT: google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA
[*] Querying DNS SRV records for zonetransfer.me
[+] _sip._tcp.zonetransfer.me SRV: {:host=>"_sip._tcp.zonetransfer.me", :port=>5060, :priority=>0}
[*] Auxiliary module execution completed
msf6 auxiliary(gather/enum_dns) >
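Added example, not part of the thread or of Metasploit: a Ruby script that reads console output like the run above and measures the idle time between repeated bursts of the "Failed to parse RR packet" warning, which is where the elapsed time visible in the log sits. The sample is a trimmed copy of that output; the helper names (parse_warnings, bursts, repeated_parses) and the 0.1 second burst threshold are assumptions made for this example.

```ruby
require 'time'

# Trimmed copy of the msfconsole output above: the first and last warning of
# each burst, plus the AXFR status lines that name the server being queried.
SAMPLE_LOG = <<~LOG
  [*] Attempting DNS AXFR for zonetransfer.me from nsztm2.digi.ninja
  W, [2020-08-10T11:54:26.507265 #1964130] WARN -- : Failed to parse RR packet from offset: 657
  W, [2020-08-10T11:54:26.510511 #1964130] WARN -- : Failed to parse RR packet from offset: 1654
  W, [2020-08-10T11:54:56.739115 #1964130] WARN -- : Failed to parse RR packet from offset: 657
  W, [2020-08-10T11:54:56.742891 #1964130] WARN -- : Failed to parse RR packet from offset: 1654
  [*] Attempting DNS AXFR for zonetransfer.me from nsztm1.digi.ninja
  W, [2020-08-10T11:54:57.679372 #1964130] WARN -- : Failed to parse RR packet from offset: 601
  W, [2020-08-10T11:54:57.681867 #1964130] WARN -- : Failed to parse RR packet from offset: 1598
  W, [2020-08-10T11:55:27.917207 #1964130] WARN -- : Failed to parse RR packet from offset: 601
  W, [2020-08-10T11:55:27.920857 #1964130] WARN -- : Failed to parse RR packet from offset: 1598
LOG

AXFR_RE = /\A\[\*\] Attempting DNS AXFR for \S+ from (?<server>\S+)\z/
WARN_RE = /\AW, \[(?<ts>\S+) #\d+\]\s+WARN -- : Failed to parse RR packet from offset: (?<offset>\d+)\z/

ParseWarning = Struct.new(:server, :time, :offset)

# Turn console text into ParseWarning records, each tagged with the name
# server that was being queried when the warning was logged.
def parse_warnings(text)
  server = nil
  text.each_line.map do |line|
    line = line.strip
    if (m = AXFR_RE.match(line))
      server = m[:server]
      next
    end
    next unless (m = WARN_RE.match(line))
    # The logger prints no zone; UTC is assumed, only differences are used.
    ParseWarning.new(server, Time.iso8601("#{m[:ts]}Z"), Integer(m[:offset]))
  end.compact
end

# Warnings for one server logged within burst_gap seconds form one burst.
def bursts(warnings, burst_gap = 0.1)
  warnings.slice_when { |a, b| a.server != b.server || b.time - a.time > burst_gap }.to_a
end

# Adjacent bursts for the same server that fail at the same offsets are two
# passes over the same data; stall_seconds is the idle time between them.
def repeated_parses(text, burst_gap = 0.1)
  bursts(parse_warnings(text), burst_gap).each_cons(2).map do |first, second|
    next unless first.first.server == second.first.server
    next unless first.map(&:offset) == second.map(&:offset)
    { server: first.first.server, offsets: first.map(&:offset),
      stall_seconds: (second.first.time - first.last.time).round(1) }
  end.compact
end

repeated_parses(SAMPLE_LOG).each do |r|
  puts "#{r[:server]}: offsets #{r[:offsets].inspect} failed twice, #{r[:stall_seconds]}s apart"
end
```

Feeding it the full console output instead of the trimmed sample gives the same two findings, with all six offsets per server listed.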
It shouldn't take that long though should it? Dig brings back the data in
seconds. Something is going wrong somewhere, just wondering if I've got
motivation to dig in to work out why.