ISC BIND DNS Version Detection
Folks,
Here is a sample script that fetches the version of a remote BIND DNS server by crafting your own DNS packets. This script is not a stable release yet: it sometimes hangs when the code does not get a response from the server. I am using the pdb module to figure out why this happens, and I will fix it very soon. It happens when the target DNS server does not respond to the version.bind query. Apart from that, I have some other (TODO) enhancements in the pipeline; once they are in, I will make a stable release. I want to make this script a foolproof DNS fingerprinting tool (even though other third-party tools are available on the web). I am doing it out of curiosity, and it is a good learning curve as well, so I hope it is not a bad attempt at all! I am going to upload this script to my Git repository once I add some more enhancements, as I am not seriously working on its development at the moment. Once I push it to my Git repo, you can check it out and keep track of it on a regular basis. If you have any cool ideas or feedback, please mail me or post them in the comments. I would also like to give credit to Mr. AB. You can download the same code from here too.
#!/usr/bin/python
from socket import *
import binascii, string, sys
#import pdb; pdb.set_trace()

print '[*]ISC BIND DNS Version Detection'
print '[*]Coded by Sujit Ghosal'
print '[*]Mail: x13.x37@gmail.com'
print '[*]Copyright: WikiSecure Blogs'
print '[*]All rights reserved\n'

host = raw_input('[*]Enter Target Host IP Address/Hostname: ')
port = 53
buffer = 1024
loc = (host, port)

# Creating UDP socket object
sockUDPObj = socket(AF_INET, SOCK_DGRAM)
# A receive timeout keeps the script from hanging when the server ignores version.bind
sockUDPObj.settimeout(5)

# DNS Protocol Version Query Request
verPayload = '\x02\xec'  # Transaction ID
verPayload += '\x01\x00' # Standard query flag
verPayload += '\x00\x01' # Questions
verPayload += '\x00\x00' # Number of Answers
verPayload += '\x00\x00' # Number of Authoritative Records
verPayload += '\x00\x00' # Number of Additional Records
verPayload += '\x07\x76\x65\x72\x73\x69\x6f\x6e\x04\x62\x69\x6e\x64\x00\x00\x10\x00\x03' # version.bind, type TXT (0x0010), class CHAOS (0x0003)

response = None
try:
    if sockUDPObj.sendto(verPayload, loc):
        response = sockUDPObj.recv(buffer)
except timeout:
    print '[*]No DNS Response within 5 seconds (target may not answer version.bind).'
except Exception, msg:
    print 'Something went wrong:', msg
sockUDPObj.close()

if not response:
    print '[*]Error receiving DNS Response. Quitting.'
    sys.exit(0)
print '[*]DNS Response Received.'

# Find the answer's name compression pointer (\xc0 \x0c), then skip TYPE, CLASS
# and TTL to reach RDLENGTH; RDATA holds a one-byte TXT length followed by the text
array_bytes = ''
x = 0
for i in response:
    if i == '\xc0':
        x = x + 9
        length1 = binascii.hexlify(response[x+1:x+3]) # RDLENGTH as hex
        length = string.atoi(length1, 16)
        array_bytes = response[x+4:x+3+length]         # skip the TXT length byte
        break
    x = x + 1
print '[*]Target Host DNS Version: ' + array_bytes
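As an added example (not the post's script), here is a Python 3 version of the same version.bind CHAOS TXT query: it builds the packet with struct, parses the reply by walking the DNS message structure instead of scanning for a \xc0 byte, and uses a socket timeout so an unresponsive server cannot hang the caller. SAMPLE_RESPONSE is a constructed reply, not a real capture; fetch_bind_version is the only part that touches the network.

```python
import socket
import struct

QNAME = b"\x07version\x04bind\x00"   # version.bind in wire format (TXT=16, CHAOS=3)

def build_version_query(txid=0x02EC):
    # Header: id, flags 0x0100 (standard query, RD), 1 question, 0 answers/auth/additional
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + QNAME + struct.pack(">HH", 16, 3)

def skip_name(msg, off):
    # Return the offset just past a wire-format name; a 0xC0 compression pointer is 2 bytes
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:
            return off + 2
        if n == 0:
            return off + 1
        off += 1 + n

def parse_version_response(msg, txid=0x02EC):
    # Return the TXT strings of the first answer, or None if the reply is not a usable answer
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000 or an == 0:
        return None
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    off = skip_name(msg, off)                  # answer name (usually a pointer to offset 12)
    rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
    off += 10
    if rtype != 16 or rclass != 3:
        return None
    rdata, texts, i = msg[off:off + rdlen], [], 0
    while i < len(rdata):                      # TXT RDATA is a sequence of <len><chars>
        n = rdata[i]
        texts.append(rdata[i + 1:i + 1 + n].decode("latin-1"))
        i += 1 + n
    return " ".join(texts)

def fetch_bind_version(host, timeout=3.0):
    # The timeout is what prevents the hang the post describes when a server ignores version.bind
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (host, 53))
        try:
            return parse_version_response(s.recvfrom(1024)[0])
        except socket.timeout:
            return None

# Constructed sample reply (not a real capture): answer name is the pointer 0xC00C, TXT "9.8.1"
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x02EC, 0x8400, 1, 1, 0, 0) + QNAME + struct.pack(">HH", 16, 3)
                   + b"\xc0\x0c" + struct.pack(">HHIH", 16, 3, 0, 6) + b"\x059.8.1")
```

Many resolvers answer version.bind with a refusal or an operator-chosen string, so a None or an unexpected value from parse_version_response is an expected outcome rather than a parser failure.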
Enjoy!
XyluX