From 35eaafe2034c39ee6b63ae7520b5c753319e5d41 Mon Sep 17 00:00:00 2001 From: sandeep <8293321+ehsandeep@users.noreply.github.com> Date: Mon, 14 Jun 2021 02:59:28 +0530 Subject: [PATCH] Added NS based fingerprint template --- dns/nameserver-detection.yaml | 232 ++++++++++++++++++++++++++++++++++ 1 file changed, 232 insertions(+) create mode 100644 dns/nameserver-detection.yaml diff --git a/dns/nameserver-detection.yaml b/dns/nameserver-detection.yaml new file mode 100644 index 0000000000..8d2f5c43d3 --- /dev/null +++ b/dns/nameserver-detection.yaml @@ -0,0 +1,232 @@ +id: nameserver-detection + +info: + name: NS Detection + author: pdteam + severity: info + tags: dns,ns + reference: https://github.com/indianajson/can-i-take-over-dns + +dns: + - name: "{{FQDN}}" + type: NS + class: inet + recursion: true + retries: 3 + + matchers-condition: or + matchers: + - type: word + name: 000domains + condition: or + words: + - "ns1.000domains.com" + - "ns2.000domains.com" + - "fwns1.000domains.com" + - "fwns2.000domains.com" + + - type: word + name: azure + condition: or + words: + - ".azure-dns.com" + - ".azure-dns.net" + - ".azure-dns.org" + - ".azure-dns.info" + + - type: word + name: bizland + condition: or + words: + - "ns1.bizland.com" + - "ns2.bizland.com" + + - type: word + name: cloudflare + words: + - "ns.cloudflare.com" + + - type: word + name: digitalocean + condition: or + words: + - "ns1.digitalocean.com" + - "ns2.digitalocean.com" + - "ns2.digitalocean.com" + + - type: word + name: dnsmadeeasy + words: + - ".dnsmadeeasy.com" + + - type: word + name: dnsimple + condition: or + words: + - "ns1.dnsimple.com" + - "ns2.dnsimple.com" + - "ns3.dnsimple.com" + - "ns4.dnsimple.com" + + - type: word + name: domain + condition: or + words: + - "ns1.domain.com" + - "ns2.domain.com" + + - type: word + name: dotster + condition: or + words: + - "ns1.dotster.com" + - "ns2.dotster.com" + + - type: word + name: easydns + condition: or + words: + - "dns1.easydns.com" + - "dns2.easydns.com" + - "dns3.easydns.com" + - "dns4.easydns.com" + + - type: word + name: googledomains + words: + - ".googledomains.com" + + - type: word + name: hurricane-electric + condition: or + words: + - "ns1.he.net" + - "ns2.he.net" + - "ns3.he.net" + - "ns4.he.net" + - "ns5.he.net" + + - type: word + name: linode + condition: or + words: + - "ns1.linode.com" + - "ns1.linode.com" + + - type: word + name: mediatemple + condition: or + words: + - "ns1.mediatemple.net" + - "ns2.mediatemple.net" + + - type: word + name: mydomain + condition: or + words: + - "ns1.mydomain.com" + - "ns2.mydomain.com" + + - type: word + name: name + words: + - ".name.com" + + - type: word + name: nsone + words: + - ".nsone.net" + + - type: word + name: tierranet + condition: or + words: + - "ns1.domaindiscover.com" + - "ns2.domaindiscover.com" + + - type: word + name: yahoo + condition: or + words: + - "yns1.yahoo.com" + - "yns2.yahoo.com" + + - type: word + name: domainpeople + condition: or + words: + - "ns1.domainpeople.com" + - "ns2.domainpeople.com" + + - type: word + name: hover + condition: or + words: + - "ns1.hover.com" + - "ns2.hover.com" + + - type: word + name: networksolutions + words: + - ".worldnic.com" + + - type: word + name: activision + words: + - ".activision.com" + + - type: word + name: aws-route53 + words: + - ".awsdns-" + + - type: word + name: apple + condition: or + words: + - "a.ns.apple.com" + - "b.ns.apple.com" + - "c.ns.apple.com" + - "d.ns.apple.com" + + - type: word + name: capitalone + condition: or + words: + - "ns1.capitalone.com" + - "ns2.capitalone.com" + - "ns3.capitalone.com" + + - type: word + name: csust + condition: or + words: + - "0xd0a1.csust.netm" + - "0xd0a2.csust.net" + - "0xd0a3.csust.net" + - "0xd0a4.csust.net" + + - type: word + name: disney + condition: or + words: + - "ns1.twdcns.com" + - "ns2.twdcns.com" + - "ns3.twdcns.info" + - "ns4.twdcns.info" + - "ns5.twdcns.co.uk" + - "ns6.twdcns.co.uk" + + - type: word + name: lowes + condition: or + words: + - "authns1.lowes.com" + - "authns2.lowes.com" + + - type: word + name: tmobile + condition: or + words: + - "ns10.tmobileus.com" + - "ns10.tmobileus.net"