Entries from May 1, 2013 - May 31, 2013

Wednesday, May 29, 2013

DNSRecon 0.8.6 is Out!

Just updated DNSRecon so that it checks whether it can pull the BIND version by querying for the TXT record version.bind, and it now also checks whether the RA (Recursion Available) flag is set in the responses from each of the NS servers it detects. If a name server has recursion enabled it could be abused for DDoS attacks and for cache snooping.
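What those two checks look like on the wire, as an added example that is not DNSRecon's own code: a query for version.bind (TXT, CHAOS class) built and parsed with only the Python standard library, plus a look at the RA bit in the response header. The function and constant names and the SAMPLE_RESPONSE packet are constructed for this example.

```python
# Added example, not DNSRecon's code: version.bind + RA checks, stdlib only.
import socket
import struct

TXT, CHAOS = 16, 3    # RR type TXT, class CH (where version.bind lives)
RA_FLAG = 0x0080      # "Recursion Available" bit in the DNS header flags

def build_version_bind_query(txid=0x1234):
    """DNS query for version.bind/TXT/CH with the RD bit clear."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + b"\x07version\x04bind\x00" + struct.pack("!HH", TXT, CHAOS)

def skip_name(data, pos):             # advance past a (possibly compressed) name
    while data[pos] != 0:
        if data[pos] & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + data[pos]
    return pos + 1

def parse_response(data):
    """Return (recursion_available, [TXT strings]) from a raw DNS response."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    pos = 12
    for _ in range(qd):               # question: name + type(2) + class(2)
        pos = skip_name(data, pos) + 4
    txts = []
    for _ in range(an):               # answer: name, type, class, ttl, rdlen, rdata
        pos = skip_name(data, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        rdata, pos = data[pos:pos + rdlen], pos + rdlen
        if rtype == TXT:              # rdata is <len><chars> repeated
            i = 0
            while i < len(rdata):
                txts.append(rdata[i + 1:i + 1 + rdata[i]].decode("latin-1"))
                i += 1 + rdata[i]
    return bool(flags & RA_FLAG), txts

def check_nameserver(server, timeout=3.0):   # live check over UDP/53 (needs network)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_bind_query(), (server, 53))
        return parse_response(s.recvfrom(4096)[0])

# Constructed response: flags 0x8480 = QR, AA and RA set; one TXT answer "8.4.X"
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8480, 1, 1, 0, 0)
    + b"\x07version\x04bind\x00" + struct.pack("!HH", TXT, CHAOS)
    + b"\xc0\x0c" + struct.pack("!HHIH", TXT, CHAOS, 0, 6) + b"\x058.4.X"
)
```

On your own authoritative servers, an RA bit set in the answer is the finding to act on; the version string is what `version.bind` exposes unless the server is configured to hide it.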

Example of a run where it is able to pull the Bind Version:

infidel02:dnsrecon carlos$ ./dnsrecon.py -d zonetransfer.me -x zt.xml
[*] Performing General Enumeration of Domain: zonetransfer.me
[-] DNSSEC is not configured for zonetransfer.me
[*]      SOA ns16.zoneedit.com 69.64.68.41
[*]      NS ns12.zoneedit.com 209.62.64.46
[*]      Bind Version for 209.62.64.46 8.4.X
[*]      NS ns16.zoneedit.com 69.64.68.41
[*]      Bind Version for 69.64.68.41 8.4.X
[*]      MX ASPMX2.GOOGLEMAIL.COM 173.194.75.27
[*]      MX ASPMX3.GOOGLEMAIL.COM 173.194.66.27
[*]      MX ASPMX4.GOOGLEMAIL.COM 173.194.65.26
[*]      MX ASPMX5.GOOGLEMAIL.COM 173.194.70.26
[*]      MX ASPMX.L.GOOGLE.COM 74.125.140.27
[*]      MX ALT1.ASPMX.L.GOOGLE.COM 173.194.75.26
[*]      MX ALT2.ASPMX.L.GOOGLE.COM 173.194.66.27
[*]      MX ASPMX2.GOOGLEMAIL.COM 2607:f8b0:400c:c03::1a
[*]      MX ASPMX3.GOOGLEMAIL.COM 2a00:1450:400c:c03::1b
[*]      MX ASPMX4.GOOGLEMAIL.COM 2a00:1450:4013:c01::1b
[*]      MX ASPMX5.GOOGLEMAIL.COM 2a00:1450:4001:c02::1a
[*]      MX ASPMX.L.GOOGLE.COM 2607:f8b0:4002:c01::1a
[*]      MX ALT1.ASPMX.L.GOOGLE.COM 2607:f8b0:400c:c01::1b
[*]      MX ALT2.ASPMX.L.GOOGLE.COM 2a00:1450:400c:c03::1a
[*]      A zonetransfer.me 217.147.180.162
[*]      TXT zonetransfer.me Remember to call or email Pippa on +44 123 4567890 or pippa@zonetransfer.me when making DNS changes
[*]      TXT zonetransfer.me google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA
[*] Enumerating SRV Records
[*]      SRV _sip._tcp.zonetransfer.me www.zonetransfer.me 217.147.180.162 5060 0
[*] 1 Records Found
[*] Saving records to XML file: zt.xml

The information on version and recursion is also saved in the XML, as you can see:

infidel02:dnsrecon carlos$ cat zt.xml
<?xml version="1.0" ?>
<records>
  <record address="69.64.68.41" mname="ns16.zoneedit.com" type="SOA"/>
  <record Recursive="False" Version="8.4.X" address="209.62.64.46" target="ns12.zoneedit.com" type="NS"/>
  <record Recursive="False" Version="8.4.X" address="69.64.68.41" target="ns16.zoneedit.com" type="NS"/>
  <record address="173.194.75.27" exchange="ASPMX2.GOOGLEMAIL.COM" type="MX"/>
  <record address="173.194.66.27" exchange="ASPMX3.GOOGLEMAIL.COM" type="MX"/>
  <record address="173.194.65.26" exchange="ASPMX4.GOOGLEMAIL.COM" type="MX"/>
  <record address="173.194.70.26" exchange="ASPMX5.GOOGLEMAIL.COM" type="MX"/>
  <record address="74.125.140.27" exchange="ASPMX.L.GOOGLE.COM" type="MX"/>
  <record address="173.194.75.26" exchange="ALT1.ASPMX.L.GOOGLE.COM" type="MX"/>
  <record address="173.194.66.27" exchange="ALT2.ASPMX.L.GOOGLE.COM" type="MX"/>
  <record address="2607:f8b0:400c:c03::1a" exchange="ASPMX2.GOOGLEMAIL.COM" type="MX"/>
  <record address="2a00:1450:400c:c03::1b" exchange="ASPMX3.GOOGLEMAIL.COM" type="MX"/>
  <record address="2a00:1450:4013:c01::1b" exchange="ASPMX4.GOOGLEMAIL.COM" type="MX"/>
  <record address="2a00:1450:4001:c02::1a" exchange="ASPMX5.GOOGLEMAIL.COM" type="MX"/>
  <record address="2607:f8b0:4002:c01::1a" exchange="ASPMX.L.GOOGLE.COM" type="MX"/>
  <record address="2607:f8b0:400c:c01::1b" exchange="ALT1.ASPMX.L.GOOGLE.COM" type="MX"/>
  <record address="2a00:1450:400c:c03::1a" exchange="ALT2.ASPMX.L.GOOGLE.COM" type="MX"/>
  <record address="217.147.180.162" name="zonetransfer.me" type="A"/>
  <record name="zonetransfer.me" strings="Remember to call or email Pippa on +44 123 4567890 or pippa@zonetransfer.me when making DNS changes" type="TXT"/>
  <record name="zonetransfer.me" strings="google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA" type="TXT"/>
  <record address="217.147.180.162" name="_sip._tcp.zonetransfer.me" port="5060" target="www.zonetransfer.me" type="SRV"/>
  <scaninfo arguments="./dnsrecon.py -d zonetransfer.me -x zt.xml" time="2013-05-29 11:36:06.550073"/>
  <domain domain_name="zonetransfer.me"/>
</records>

Here is an example where recursion is enabled; note that the message is displayed differently, since this information is crucial during an engagement:

infidel02:dnsrecon carlos$ ./dnsrecon.py -d acmelab.com -n 192.168.1.80
[*] Performing General Enumeration of Domain: acmelab.com
[*] DNSSEC is configured for acmelab.com
[*] DNSKEYs:
[*]     NSEC KSk RSASHA256 ...
[*]     NSEC ZSK RSASHA256 ...
[*]     NSEC ZSK RSASHA256 ...
[*]     NSEC KSk RSASHA256 ...
[*]      SOA labns1.acmelab.com 192.168.1.80
[*]      NS labns1.acmelab.com 192.168.1.80
[-]      Recursion enabled on NS Server 192.168.1.80
[*]      MX mail1.acmelab.com 192.168.1.4
[*]      A acmelab.com 192.168.1.2
[*]      TXT acmelab.com v=spf1 192.168.1.0/24
[*]      TXT _domainkey.acmelab.com o=~; r=postmaster@acmelab.com
[*] Enumerating SRV Records
[*]      SRV _finger._tcp.acmelab.com web1.acmelab.com 192.168.1.2 79 0
[*]      SRV _http._tcp.acmelab.com web2.acmelab.com 192.168.1.3 80 0
[*]      SRV _http._tcp.acmelab.com web1.acmelab.com 192.168.1.2 80 0
[*]      SRV _sip._tls.acmelab.com chat.acmelab.com 192.168.1.5 443 0
[*]      SRV _sipinternaltls._tcp.acmelab.com chat.acmelab.com 192.168.1.5 5061 0
[*]      SRV _https._tcp.acmelab.com web1.acmelab.com 192.168.1.2 443 0
[*]      SRV _https._tcp.acmelab.com web2.acmelab.com 192.168.1.3 443 0
[*] 7 Records Found

Hope you guys find it as useful as I have :)

Thursday, May 23, 2013

Fixing Raspistill and Raspivid for Headless Streaming on the Raspberry Pi

Recently I got two Raspberry Pi camera modules for my Raspberry Pi boards for some projects I have in mind. I was sad to find out I could not stream unless I had a monitor connected to the Pi, and after some additional digging I found out that in the initial version of the tools raspistill and raspivid the no-preview option was broken, which caused streaming not to work. After some digging in the forums and some trial and error I found how to fix it until the tools are updated and added to the package repo. Plus it was a good exercise in compiling files for ARM.

Update your system applications and download the required software to compile userland:

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install git gcc build-essential cmake vlc

Download and configure sources

Create a folder to hold development files and clone the latest userland for Raspbian:

cd ~
mkdir Development
cd Development
git clone git://github.com/raspberrypi/userland.git
cd userland

Create the proper make files:

sed -i 's/if (DEFINED CMAKE_TOOLCHAIN_FILE)/if (NOT DEFINED CMAKE_TOOLCHAIN_FILE)/g' makefiles/cmake/arm-linux.cmake

Fix Raspistill

Open the RaspiStill source file at line 1034:

nano +1034 host_applications/linux/apps/raspicam/RaspiStill.c

Modify the line from:

MMAL_STATUS_T status = -1;

to:

MMAL_STATUS_T status = MMAL_SUCCESS;

Fix Raspivid

Open the RaspiVid source file at line 852:

nano +852 host_applications/linux/apps/raspicam/RaspiVid.c

Modify the line from:

MMAL_STATUS_T status = -1;

to:

MMAL_STATUS_T status = MMAL_SUCCESS;

Build and Install the Latest Userland

Create a build folder, then build and install the userland binaries. This should take around 30 to 45 minutes:

mkdir build
cd build
sudo cmake -DCMAKE_BUILD_TYPE=Release ..
sudo make
sudo make install

You should now be able to create a stream with VLC on a headless system and connect to it, using the -n parameter for no preview:

raspivid -o - -t -1 -w 920 -h 540  -n | cvlc -vvv --network-caching=0 stream:///dev/stdin --sout '#rtp{sdp=rtsp://:8554/}' :demux=h264