Appendix B. Cache_Snoop.pl

Cache_snoop.pl is a script to aid in exploiting DNS servers that are susceptible to DNS cache snooping. The script reads a list of domain names from a text file and, for each name, checks whether the remote DNS server holds a cached record for it. In addition, the script compares the TTL value returned by the target server with the TTL obtained from the authoritative name server to estimate when the record was originally requested.

#!/usr/bin/perl
# cache_snoop.pl
# Developed by: Brett Hardin
$version = "1.0";

use Getopt::Long;

my $options = GetOptions (
    "help"      => \$help,
    "save"      => \$save,
    "dns=s"     => \$dns_server,
    "ttl"       => \$ttl_option,
    "queries=s" => \$queries
);

if($help ne "") { &Help; }
if($dns_server eq "") { die "Usage: cache_snoop.pl -dns <DNS IP> -queries <QUERY FILE>\n"; }

# Query file: one domain name per line; lines starting with # are echoed as comments
open(FILE, $queries) or die "Usage: cache_snoop.pl -dns <DNS IP> -queries <QUERY FILE>\n";
@sites = <FILE>;

#FIRST RUN IS FOR FINDING OUT DEFAULT TTL
if($ttl_option ne "") {
    print "Finding Default TTL's...\n";
    &default_TTL;
}

for $site (@sites) {
    chomp($site);
    $default_TTL = $TTL_list{$site};
    if($site =~ /^\#/) { print $site . "\n"; next; }
    if($site =~ /^$/)  { print "\n"; next; }

    # Non-recursive query: the server can only answer from its own cache
    $results = `dig \@$dns_server $site A +norecurse`;

    if ($results =~ /ANSWER: 0,/) {
        print "[NO] " . $site . " not visited\n";
    } else {
        # Pull the TTL (second field) from the answer line for this name
        @edited_result = split(/\n/, $results);
        @greped_result = grep(/^$site\./, @edited_result);
        @A_Broke = split(/\s+/, $greped_result[0]);
        $TTL = $A_Broke[1];
        print "[YES] " . $site . " ($TTL";
        if($ttl_option ...
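The dig parsing and TTL arithmetic the script relies on, written out as an added Python example (not the book's code) that you can run against saved output from your own resolver to confirm it does not answer non-recursive queries from cache; the dig output, names and addresses below are constructed samples.

```python
import re
from typing import Optional

# Constructed sample of `dig @<resolver> www.example.com A +norecurse` output
# for a name already in the resolver's cache (RD cleared, so no "rd" flag).
CACHED_OUTPUT = """\
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;www.example.com.\t\tIN\tA

;; ANSWER SECTION:
www.example.com.\t3412\tIN\tA\t192.0.2.10
"""

# Constructed sample for a name that is not cached: ANSWER: 0, no answer section.
UNCACHED_OUTPUT = """\
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

ANSWER_COUNT = re.compile(r"\bANSWER: (\d+),")


def cached_ttl(dig_output: str, name: str) -> Optional[int]:
    """TTL of NAME's A record in a non-recursive dig answer, or None when
    the resolver reports ANSWER: 0 (the record is not in its cache)."""
    m = ANSWER_COUNT.search(dig_output)
    if not m or int(m.group(1)) == 0:
        return None
    owner = name.rstrip(".") + "."
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";"):
                break
            fields = line.split()  # owner TTL class type rdata
            if fields[0] == owner and fields[2] == "IN" and fields[3] == "A":
                return int(fields[1])
    return None


def seconds_since_cached(cached: int, authoritative: int) -> Optional[int]:
    """Authoritative TTL minus the TTL the resolver now reports; None when
    cached > authoritative (resolver clamps TTLs, so no age can be inferred)."""
    if cached > authoritative:
        return None
    return authoritative - cached
```

A resolver that restricts recursion and cache answers to trusted clients returns REFUSED or ANSWER: 0 for every name here, which is the result you want to see from an external vantage point.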
