233 lines
4.7 KiB
YAML
233 lines
4.7 KiB
YAML
id: nameserver-detection
|
|
|
|
info:
|
|
name: NS Detection
|
|
author: pdteam
|
|
severity: info
|
|
tags: dns,ns
|
|
reference: https://github.com/indianajson/can-i-take-over-dns
|
|
|
|
dns:
|
|
- name: "{{FQDN}}"
|
|
type: NS
|
|
class: inet
|
|
recursion: true
|
|
retries: 3
|
|
|
|
matchers-condition: or
|
|
matchers:
|
|
- type: word
|
|
name: 000domains
|
|
condition: or
|
|
words:
|
|
- "ns1.000domains.com"
|
|
- "ns2.000domains.com"
|
|
- "fwns1.000domains.com"
|
|
- "fwns2.000domains.com"
|
|
|
|
- type: word
|
|
name: azure
|
|
condition: or
|
|
words:
|
|
- ".azure-dns.com"
|
|
- ".azure-dns.net"
|
|
- ".azure-dns.org"
|
|
- ".azure-dns.info"
|
|
|
|
- type: word
|
|
name: bizland
|
|
condition: or
|
|
words:
|
|
- "ns1.bizland.com"
|
|
- "ns2.bizland.com"
|
|
|
|
- type: word
|
|
name: cloudflare
|
|
words:
|
|
- "ns.cloudflare.com"
|
|
|
|
- type: word
|
|
name: digitalocean
|
|
condition: or
|
|
words:
|
|
- "ns1.digitalocean.com"
|
|
- "ns2.digitalocean.com"
|
|
- "ns2.digitalocean.com"
|
|
|
|
- type: word
|
|
name: dnsmadeeasy
|
|
words:
|
|
- ".dnsmadeeasy.com"
|
|
|
|
- type: word
|
|
name: dnsimple
|
|
condition: or
|
|
words:
|
|
- "ns1.dnsimple.com"
|
|
- "ns2.dnsimple.com"
|
|
- "ns3.dnsimple.com"
|
|
- "ns4.dnsimple.com"
|
|
|
|
- type: word
|
|
name: domain
|
|
condition: or
|
|
words:
|
|
- "ns1.domain.com"
|
|
- "ns2.domain.com"
|
|
|
|
- type: word
|
|
name: dotster
|
|
condition: or
|
|
words:
|
|
- "ns1.dotster.com"
|
|
- "ns2.dotster.com"
|
|
|
|
- type: word
|
|
name: easydns
|
|
condition: or
|
|
words:
|
|
- "dns1.easydns.com"
|
|
- "dns2.easydns.com"
|
|
- "dns3.easydns.com"
|
|
- "dns4.easydns.com"
|
|
|
|
- type: word
|
|
name: googledomains
|
|
words:
|
|
- ".googledomains.com"
|
|
|
|
- type: word
|
|
name: hurricane-electric
|
|
condition: or
|
|
words:
|
|
- "ns1.he.net"
|
|
- "ns2.he.net"
|
|
- "ns3.he.net"
|
|
- "ns4.he.net"
|
|
- "ns5.he.net"
|
|
|
|
- type: word
|
|
name: linode
|
|
condition: or
|
|
words:
|
|
- "ns1.linode.com"
|
|
- "ns1.linode.com"
|
|
|
|
- type: word
|
|
name: mediatemple
|
|
condition: or
|
|
words:
|
|
- "ns1.mediatemple.net"
|
|
- "ns2.mediatemple.net"
|
|
|
|
- type: word
|
|
name: mydomain
|
|
condition: or
|
|
words:
|
|
- "ns1.mydomain.com"
|
|
- "ns2.mydomain.com"
|
|
|
|
- type: word
|
|
name: name
|
|
words:
|
|
- ".name.com"
|
|
|
|
- type: word
|
|
name: nsone
|
|
words:
|
|
- ".nsone.net"
|
|
|
|
- type: word
|
|
name: tierranet
|
|
condition: or
|
|
words:
|
|
- "ns1.domaindiscover.com"
|
|
- "ns2.domaindiscover.com"
|
|
|
|
- type: word
|
|
name: yahoo
|
|
condition: or
|
|
words:
|
|
- "yns1.yahoo.com"
|
|
- "yns2.yahoo.com"
|
|
|
|
- type: word
|
|
name: domainpeople
|
|
condition: or
|
|
words:
|
|
- "ns1.domainpeople.com"
|
|
- "ns2.domainpeople.com"
|
|
|
|
- type: word
|
|
name: hover
|
|
condition: or
|
|
words:
|
|
- "ns1.hover.com"
|
|
- "ns2.hover.com"
|
|
|
|
- type: word
|
|
name: networksolutions
|
|
words:
|
|
- ".worldnic.com"
|
|
|
|
- type: word
|
|
name: activision
|
|
words:
|
|
- ".activision.com"
|
|
|
|
- type: word
|
|
name: aws-route53
|
|
words:
|
|
- ".awsdns-"
|
|
|
|
- type: word
|
|
name: apple
|
|
condition: or
|
|
words:
|
|
- "a.ns.apple.com"
|
|
- "b.ns.apple.com"
|
|
- "c.ns.apple.com"
|
|
- "d.ns.apple.com"
|
|
|
|
- type: word
|
|
name: capitalone
|
|
condition: or
|
|
words:
|
|
- "ns1.capitalone.com"
|
|
- "ns2.capitalone.com"
|
|
- "ns3.capitalone.com"
|
|
|
|
- type: word
|
|
name: csust
|
|
condition: or
|
|
words:
|
|
- "0xd0a1.csust.netm"
|
|
- "0xd0a2.csust.net"
|
|
- "0xd0a3.csust.net"
|
|
- "0xd0a4.csust.net"
|
|
|
|
- type: word
|
|
name: disney
|
|
condition: or
|
|
words:
|
|
- "ns1.twdcns.com"
|
|
- "ns2.twdcns.com"
|
|
- "ns3.twdcns.info"
|
|
- "ns4.twdcns.info"
|
|
- "ns5.twdcns.co.uk"
|
|
- "ns6.twdcns.co.uk"
|
|
|
|
- type: word
|
|
name: lowes
|
|
condition: or
|
|
words:
|
|
- "authns1.lowes.com"
|
|
- "authns2.lowes.com"
|
|
|
|
- type: word
|
|
name: tmobile
|
|
condition: or
|
|
words:
|
|
- "ns10.tmobileus.com"
|
|
- "ns10.tmobileus.net"
|