--- -- Simple DNS library supporting packet creation, encoding, decoding, -- and querying. -- -- The most common interface to this module are the query and -- reverse functions. query performs a DNS query, -- and reverse prepares an ip address to have a reverse query -- performed. -- -- query takes two options - a domain name to look up and an -- optional table of options. For more information on the options table, -- see the documentation for query. -- -- Example usage: -- -- -- After this call, status is true and result is "72.14.204.104" -- local status, result = dns.query('www.google.ca') -- -- -- After this call, status is false and result is "No such name" -- local status, result = dns.query('www.google.abc') -- -- -- After this call, status is true and result is the table {"72.14.204.103", "72.14.204.104", "72.14.204.147", "72.14.204.99"} -- local status, result = dns.query('www.google.ca', {retAll=true}) -- -- -- After this call, status is true and result is the "2001:19f0:0:0:0:dead:beef:cafe" -- local status, result = dns.query('irc.ipv6.efnet.org', {dtype='AAAA'}) -- -- -- -- @copyright Same as Nmap--See http://nmap.org/book/man-legal.html module(... or "dns", package.seeall) require("bit") require("ipOps") require("stdnse") get_servers = nmap.get_dns_servers --- -- Table of DNS resource types. -- @name types -- @class table types = { A = 1, NS = 2, SOA = 6, CNAME = 5, PTR = 12, HINFO = 13, MX = 15, TXT = 16, AAAA = 28, SRV = 33, OPT = 41, SSHFP = 44, NSEC = 47, AXFR = 252, ANY = 255 } CLASS = { IN = 1, ANY = 255 } --- -- Repeatedly sends UDP packets to host, waiting for an answer. -- @param data Data to be sent. -- @param host Host to connect to. -- @param port Port to connect to. -- @param timeout Number of ms to wait for a response. -- @param cnt Number of tries. -- @param multiple If true, keep reading multiple responses until timeout. -- @return Status (true or false). -- @return Response (if status is true). local function sendPackets(data, host, port, timeout, cnt, multiple) local socket = nmap.new_socket("udp") local responses = {} socket:set_timeout(timeout) if ( not(multiple) ) then socket:connect( host, port, "udp" ) end for i = 1, cnt do local status, err if ( multiple ) then status, err = socket:sendto(host, port, data) else status, err = socket:send(data) end if (not(status)) then return false, err end local response if ( multiple ) then while(true) do status, response = socket:receive() if( not(status) ) then break end local status, _, _, ip, _ = socket:get_info() table.insert(responses, { data = response, peer = ip } ) end else status, response = socket:receive() if ( status ) then local status, _, _, ip, _ = socket:get_info() table.insert(responses, { data = response, peer = ip } ) end end if (#responses>0) then socket:close() return true, responses end end socket:close() return false end --- -- Checks if a DNS response packet contains a useful answer. -- @param rPkt Decoded DNS response packet. -- @return True if useful, false if not. local function gotAnswer(rPkt) -- have we even got answers? if #rPkt.answers > 0 then -- some MDNS implementation incorrectly return an empty question section -- if this is the case return true if rPkt.questions[1] == nil then return true end -- are those answers not just cnames? if rPkt.questions[1].dtype == types.A then for _, v in ipairs(rPkt.answers) do -- if at least one answer is an A record, it's an answer if v.dtype == types.A then return true end end -- if none was an A record, it's not really an answer return false else -- there was no A request, CNAMEs are not of interest return true end -- no such name is the answer elseif rPkt.flags.RC3 and rPkt.flags.RC4 then return true -- really no answer else return false end end --- -- Tries to find the next nameserver with authority to get a result for -- query. -- @param rPkt Decoded DNS response packet -- @return String or table of next server(s) to query, or false. local function getAuthDns(rPkt) if #rPkt.auth == 0 then if #rPkt.answers == 0 then return false else if rPkt.answers[1].dtype == types.CNAME then return {cname = rPkt.answers[1].domain} end end end if rPkt.auth[1].dtype == types.NS then if #rPkt.add > 0 then local hosts = {} for _, v in ipairs(rPkt.add) do if v.dtype == types.A then table.insert(hosts, v.ip) end end if #hosts > 0 then return hosts end end local status, next = query(rPkt.auth[1].domain, {dtype = "A" }) return next end return false end local function processResponse( response, dname, dtype, options ) local rPkt = decode(response) -- is it a real answer? if gotAnswer(rPkt) then if (options.retPkt) then return true, rPkt else return findNiceAnswer(dtype, rPkt, options.retAll) end else -- if not, ask the next server in authority local next_server = getAuthDns(rPkt) -- if we got a CNAME, ask for the CNAME if type(next_server) == 'table' and next_server.cname then options.tries = options.tries - 1 return query(next_server.cname, options) end -- only ask next server in authority, if -- we got an auth dns and -- it isn't the one we just asked if next_server and next_server ~= options.host and options.tries > 1 then options.host = next_server options.tries = options.tries - 1 return query(dname, options) end end -- nothing worked stdnse.print_debug(1, "dns.query() failed to resolve the requested query%s%s", dname and ": " or ".", dname or "") return false, "No Answers" end --- -- Query DNS servers for a DNS record. -- @param dname Desired domain name entry. -- @param options A table containing any of the following fields: -- * dtype: Desired DNS record type (default: "A"). -- * host: DNS server to be queried (default: DNS servers known to Nmap). -- * port: Port of DNS server to connect to (default: 53). -- * tries: How often should query try to contact another server (for non-recursive queries). -- * retAll: Return all answers, not just the first. -- * retPkt: Return the packet instead of using the answer-fetching mechanism. -- * norecurse: If true, do not set the recursion (RD) flag. -- * multiple: If true, expects multiple hosts to respond to multicast request -- * flags: numeric value to set flags in the DNS query to a specific value -- * id: numeric value to use for the DNS transaction id -- @return true if a dns response was received and contained an answer of the requested type, -- or the decoded dns response was requested (retPkt) and is being returned - or false otherwise. -- @return String answer of the requested type, table of answers or a String error message of one of the following: -- "No Such Name", "No Servers", "No Answers", "Unable to handle response" function query(dname, options) if not options then options = {} end local dtype, host, port = options.dtype, options.host, options.port if not options.tries then options.tries = 10 end -- don't get into an infinite loop if not options.sendCount then options.sendCount = 2 end if type( options.timeout ) ~= "number" then options.timeout = get_default_timeout() end if type(dtype) == "string" then dtype = types[dtype] end if not dtype then dtype = types.A end local srv local srvI = 1 if not port then port = 53 end if not host then srv = get_servers() if srv and srv[1] then host = srv[1] else return false, "No Servers" end elseif type(host) == "table" then srv = host host = srv[1] end local pkt = newPacket() addQuestion(pkt, dname, dtype) if options.norecurse then pkt.flags.RD = false end if options.dnssec then addOPT(pkt, {DO = true}) end if ( options.flags ) then pkt.flags.raw = options.flags end if ( options.id ) then pkt.id = options.id end local data = encode(pkt) local status, response = sendPackets(data, host, port, options.timeout, options.sendCount, options.multiple) -- if working with know nameservers, try the others while((not status) and srv and srvI < #srv) do srvI = srvI + 1 host = srv[srvI] status, response = sendPackets(data, host, port, options.timeout, options.sendCount) end -- if we got any response: if status then if ( options.multiple ) then local multiresponse = {} for _, r in ipairs( response ) do local status, presponse = processResponse( r.data, dname, dtype, options ) if( status ) then table.insert( multiresponse, { ['output']=presponse, ['peer']=r.peer } ) end end return true, multiresponse else return processResponse( response[1].data, dname, dtype, options) end else stdnse.print_debug(1, "dns.query() got zero responses attempting to resolve query%s%s", dname and ": " or ".", dname or "") return false, "No Answers" end end --- -- Formats an IP address for reverse lookup. -- @param ip IP address string. -- @return "Domain"-style representation of IP as subdomain of in-addr.arpa or -- ip6.arpa. function reverse(ip) ip = ipOps.expand_ip(ip) if type(ip) ~= "string" then return nil end local delim = "%." local arpa = ".in-addr.arpa" if ip:match(":") then delim = ":" arpa = ".ip6.arpa" end local ipParts = stdnse.strsplit(delim, ip) if #ipParts == 8 then -- padding local mask = "0000" for i, part in ipairs(ipParts) do ipParts[i] = mask:sub(1, #mask - #part) .. part end -- 32 parts from 8 local temp = {} for i, hdt in ipairs(ipParts) do for part in hdt:gmatch("%x") do temp[#temp+1] = part end end ipParts = temp end local ipReverse = {} for i = #ipParts, 1, -1 do table.insert(ipReverse, ipParts[i]) end return table.concat(ipReverse, ".") .. arpa end -- Table for answer fetching functions. local answerFetcher = {} -- Answer fetcher for TXT records. -- @param dec Decoded DNS response. -- @param retAll If true, return all entries, not just the first. -- @return True if one or more answers of the required type were found - otherwise false. -- @return String first dns TXT record or Table of TXT records or String Error message. answerFetcher[types.TXT] = function(dec, retAll) local answers = {} if not retAll and dec.answers[1].data then return string.sub(dec.answers[1].data, 2) elseif not retAll then stdnse.print_debug(1, "dns.answerFetcher found no records of the required type: TXT") return false, "No Answers" else for _, v in ipairs(dec.answers) do if v.TXT and v.TXT.text then for _, v in ipairs( v.TXT.text ) do table.insert(answers, v) end end end end if #answers == 0 then stdnse.print_debug(1, "dns.answerFetcher found no records of the required type: TXT") return false, "No Answers" end return true, answers end -- Answer fetcher for A records -- @param dec Decoded DNS response. -- @param retAll If true, return all entries, not just the first. -- @return True if one or more answers of the required type were found - otherwise false. -- @return String first dns A record or Table of A records or String Error message. answerFetcher[types.A] = function(dec, retAll) local answers = {} for _, ans in ipairs(dec.answers) do if ans.dtype == types.A then if not retAll then return true, ans.ip end table.insert(answers, ans.ip) end end if not retAll or #answers == 0 then stdnse.print_debug(1, "dns.answerFetcher found no records of the required type: A") return false, "No Answers" end return true, answers end -- Answer fetcher for CNAME records. -- @param dec Decoded DNS response. -- @param retAll If true, return all entries, not just the first. -- @return True if one or more answers of the required type were found - otherwise false. -- @return String first Domain entry or Table of domain entries or String Error message. answerFetcher[types.CNAME] = function(dec, retAll) local answers = {} if not retAll and dec.answers[1].domain then return true, dec.answers[1].domain elseif not retAll then stdnse.print_debug(1, "dns.answerFetcher found no records of the required type: NS, PTR or CNAME") return false, "No Answers" else for _, v in ipairs(dec.answers) do if v.domain then table.insert(answers, v.domain) end end end if #answers == 0 then stdnse.print_debug(1, "dns.answerFetcher found no records of the required type: NS, PTR or CNAME") return false, "No Answers" end return true, answers end -- Answer fetcher for MX records. -- @param dec Decoded DNS response. -- @param retAll If true, return all entries, not just the first. -- @return True if one or more answers of the required type were found - otherwise false. -- @return String first dns MX record or Table of MX records or String Error message. -- Note that the format of a returned MX answer is "preference:hostname:IPaddress" where zero -- or more IP addresses may be present. answerFetcher[types.MX] = function(dec, retAll) local mx, ip, answers = {}, {}, {} for _, ans in ipairs(dec.answers) do if ans.MX then mx[#mx+1] = ans.MX end if not retAll then break end end if #mx == 0 then stdnse.print_debug(1, "dns.answerFetcher found no records of the required type: MX") return false, "No Answers" end for _, add in ipairs(dec.add) do if ip[add.dname] then table.insert(ip[add.dname], add.ip) else ip[add.dname] = {add.ip} end end for _, mxrec in ipairs(mx) do if ip[mxrec.server] then table.insert( answers, ("%s:%s:%s"):format(mxrec.pref or "-", mxrec.server or "-", table.concat(ip[mxrec.server], ":")) ) if not retAll then return true, answers[1] end else -- no IP ? table.insert( answers, ("%s:%s"):format(mxrec.pref or "-", mxrec.server or "-") ) if not retAll then return true, answers[1] end end end return true, answers end -- Answer fetcher for SRV records. -- @param dec Decoded DNS response. -- @param retAll If true, return all entries, not just the first. -- @return True if one or more answers of the required type were found - otherwise false. -- @return String first dns SRV record or Table of SRV records or String Error message. -- Note that the format of a returned SRV answer is "priority:weight:port:target" where zero -- or more IP addresses may be present. answerFetcher[types.SRV] = function(dec, retAll) local srv, ip, answers = {}, {}, {} for _, ans in ipairs(dec.answers) do if ans.dtype == types.SRV then if not retAll then return true, ("%s:%s:%s:%s"):format( ans.SRV.prio, ans.SRV.weight, ans.SRV.port, ans.SRV.target ) end table.insert( answers, ("%s:%s:%s:%s"):format( ans.SRV.prio, ans.SRV.weight, ans.SRV.port, ans.SRV.target ) ) end end if #answers == 0 then stdnse.print_debug(1, "dns.answerFetcher found no records of the required type: SRV") return false, "No Answers" end return true, answers end -- Answer fetcher for NSEC records. -- @param dec Decoded DNS response. -- @param retAll If true, return all entries, not just the first. -- @return True if one or more answers of the required type were found - otherwise false. -- @return String first dns NSEC record or Table of NSEC records or String Error message. -- Note that the format of a returned NSEC answer is "name:dname:types". answerFetcher[types.NSEC] = function(dec, retAll) local nsec, answers = {}, {} for _, auth in ipairs(dec.auth) do if auth.NSEC then nsec[#nsec+1] = auth.NSEC end if not retAll then break end end if #nsec == 0 then stdnse.print_debug(1, "dns.answerFetcher found no records of the required type: NSEC") return false, "No Answers" end for _, nsecrec in ipairs(nsec) do table.insert( answers, ("%s:%s:%s"):format(nsecrec.name or "-", nsecrec.dname or "-", stdnse.strjoin(":", nsecrec.types) or "-")) end if not retAll then return true, answers[1] end return true, answers end -- Answer fetcher for NS records. -- @name answerFetcher[types.NS] -- @class function -- @param dec Decoded DNS response. -- @return True if one or more answers of the required type were found - otherwise false. -- @return String first Domain entry or Table of domain entries or String Error message. answerFetcher[types.NS] = answerFetcher[types.CNAME] -- Answer fetcher for PTR records. -- @name answerFetcher[types.PTR] -- @class function -- @param dec Decoded DNS response. -- @param retAll If true, return all entries, not just the first. -- @return True if one or more answers of the required type were found - otherwise false. -- @return String first Domain entry or Table of domain entries or String Error message. answerFetcher[types.PTR] = answerFetcher[types.CNAME] -- Answer fetcher for AAAA records. -- @param dec Decoded DNS response. -- @param retAll If true, return all entries, not just the first. -- @return True if one or more answers of the required type were found - otherwise false. -- @return String first dns AAAA record or Table of AAAA records or String Error message. answerFetcher[types.AAAA] = function(dec, retAll) local answers = {} for _, ans in ipairs(dec.answers) do if ans.dtype == types.AAAA then if not retAll then return true, ans.ipv6 end table.insert(answers, ans.ipv6) end end if not retAll or #answers == 0 then stdnse.print_debug(1, "dns.answerFetcher found no records of the required type: AAAA") return false, "No Answers" end return true, answers end ---Calls the answer fetcher for dtype or returns an error code in -- case of a "no such name" error. -- -- @param dtype DNS resource record type. -- @param dec Decoded DNS response. -- @param retAll If true, return all entries, not just the first. -- @return True if one or more answers of the required type were found - otherwise false. -- @return Answer according to the answer fetcher for dtype or an Error message. function findNiceAnswer(dtype, dec, retAll) if (#dec.answers > 0) then if answerFetcher[dtype] then return answerFetcher[dtype](dec, retAll) else stdnse.print_debug(1, "dns.findNiceAnswer() does not have an answerFetcher for dtype %s", tostring(dtype)) return false, "Unable to handle response" end elseif (dec.flags.RC3 and dec.flags.RC4) then return false, "No Such Name" else stdnse.print_debug(1, "dns.findNiceAnswer() found zero answers in a response, but got an unexpected flags.replycode") return false, "No Answers" end end -- Table for additional fetching functions. -- Some servers return their answers in the additional section. The -- findNiceAdditional function with its relevant additionalFetcher functions -- addresses this. This unfortunately involved some code duplication (because -- of current design of the dns library) from the answerFetchers to the -- additionalFetchers. local additionalFetcher = {} -- Additional fetcher for TXT records. -- @param dec Decoded DNS response. -- @param retAll If true, return all entries, not just the first. -- @return True if one or more answers of the required type were found - otherwise false. -- @return String first dns TXT record or Table of TXT records or String Error message. additionalFetcher[types.TXT] = function(dec, retAll) local answers = {} if not retAll and dec.add[1].data then return string.sub(dec.add[1].data, 2) elseif not retAll then stdnse.print_debug(1, "dns.aditionalFetcher found no records of the required type: TXT") return false, "No Answers" else for _, v in ipairs(dec.add) do if v.TXT and v.TXT.text then for _, v in ipairs( v.TXT.text ) do table.insert(answers, v) end end end end if #answers == 0 then stdnse.print_debug(1, "dns.answerFetcher found no records of the required type: TXT") return false, "No Answers" end return true, answers end -- Additional fetcher for A records -- @param dec Decoded DNS response. -- @param retAll If true, return all entries, not just the first. -- @return True if one or more answers of the required type were found - otherwise false. -- @return String first dns A record or Table of A records or String Error message. additionalFetcher[types.A] = function(dec, retAll) local answers = {} for _, ans in ipairs(dec.add) do if ans.dtype == types.A then if not retAll then return true, ans.ip end table.insert(answers, ans.ip) end end if not retAll or #answers == 0 then stdnse.print_debug(1, "dns.answerFetcher found no records of the required type: A") return false, "No Answers" end return true, answers end -- Additional fetcher for SRV records. -- @param dec Decoded DNS response. -- @param retAll If true, return all entries, not just the first. -- @return True if one or more answers of the required type were found - otherwise false. -- @return String first dns SRV record or Table of SRV records or String Error message. -- Note that the format of a returned SRV answer is "priority:weight:port:target" where zero -- or more IP addresses may be present. additionalFetcher[types.SRV] = function(dec, retAll) local srv, ip, answers = {}, {}, {} for _, ans in ipairs(dec.add) do if ans.dtype == types.SRV then if not retAll then return true, ("%s:%s:%s:%s"):format( ans.SRV.prio, ans.SRV.weight, ans.SRV.port, ans.SRV.target ) end table.insert( answers, ("%s:%s:%s:%s"):format( ans.SRV.prio, ans.SRV.weight, ans.SRV.port, ans.SRV.target ) ) end end if #answers == 0 then stdnse.print_debug(1, "dns.answerFetcher found no records of the required type: SRV") return false, "No Answers" end return true, answers end -- Additional fetcher for AAAA records. -- @param dec Decoded DNS response. -- @param retAll If true, return all entries, not just the first. -- @return True if one or more answers of the required type were found - otherwise false. -- @return String first dns AAAA record or Table of AAAA records or String Error message. additionalFetcher[types.AAAA] = function(dec, retAll) local answers = {} for _, ans in ipairs(dec.add) do if ans.dtype == types.AAAA then if not retAll then return true, ans.ipv6 end table.insert(answers, ans.ipv6) end end if not retAll or #answers == 0 then stdnse.print_debug(1, "dns.answerFetcher found no records of the required type: AAAA") return false, "No Answers" end return true, answers end --- -- Calls the answer fetcher for dtype or returns an error code in -- case of a "no such name" error. -- @param dtype DNS resource record type. -- @param dec Decoded DNS response. -- @param retAll If true, return all entries, not just the first. -- @return True if one or more answers of the required type were found - otherwise false. -- @return Answer according to the answer fetcher for dtype or an Error message. function findNiceAdditional(dtype, dec, retAll) if (#dec.add > 0) then if additionalFetcher[dtype] then return additionalFetcher[dtype](dec, retAll) else stdnse.print_debug(1, "dns.findNiceAdditional() does not have an additionalFetcher for dtype %s", (type(dtype) == 'string' and dtype) or type(dtype) or "nil") return false, "Unable to handle response" end elseif (dec.flags.RC3 and dec.flags.RC4) then return false, "No Such Name" else stdnse.print_debug(1, "dns.findNiceAdditional() found zero answers in a response, but got an unexpected flags.replycode") return false, "No Answers" end end -- -- Encodes a FQDN -- @param fqdn containing the fully qualified domain name -- @return encQ containing the encoded value local function encodeFQDN(fqdn) if ( not(fqdn) or #fqdn == 0 ) then return end local parts = stdnse.strsplit("%.", fqdn) local encQ = "" for _, part in ipairs(parts) do encQ = encQ .. bin.pack("p", part) end encQ = encQ .. string.char(0) return encQ end --- -- Encodes the question part of a DNS request. -- @param questions Table of questions. -- @return Encoded question string. local function encodeQuestions(questions) if type(questions) ~= "table" then return nil end local encQ = "" for _, v in ipairs(questions) do encQ = encQ .. encodeFQDN(v.dname) encQ = encQ .. bin.pack(">SS", v.dtype, v.class) end return encQ end --- -- Encodes the zone part of a DNS request. -- @param questions Table of questions. -- @return Encoded question string. local function encodeZones(zones) return encodeQuestions(zones) end local function encodeUpdates(updates) if type(updates) ~= "table" then return nil end local encQ = "" for _, v in ipairs(updates) do encQ = encQ .. encodeFQDN(v.dname) encQ = encQ .. bin.pack(">SSISA", v.dtype, v.class, v.ttl, #v.data, v.data) end return encQ end --- -- Encodes the additional part of a DNS request. -- @param additional Table of additional records. Each must have the keys -- type, class, ttl, rdlen, -- and rdata. -- @return Encoded additional string. local function encodeAdditional(additional) if type(additional) ~= "table" then return nil end local encA = "" for _, v in ipairs(additional) do encA = encA .. bin.pack(">xSSISA", v.type, v.class, v.ttl, v.rdlen, v.rdata) end return encA end --- -- Encodes DNS flags to a binary digit string. -- @param flags Flag table, each entry representing a flag (QR, OCx, AA, TC, RD, -- RA, RCx). -- @return Binary digit string representing flags. local function encodeFlags(flags) if type(flags) == "string" then return flags end if type(flags) ~= "table" then return nil end local fb = "" if flags.QR then fb = fb .. "1" else fb = fb .. "0" end if flags.OC1 then fb = fb .. "1" else fb = fb .. "0" end if flags.OC2 then fb = fb .. "1" else fb = fb .. "0" end if flags.OC3 then fb = fb .. "1" else fb = fb .. "0" end if flags.OC4 then fb = fb .. "1" else fb = fb .. "0" end if flags.AA then fb = fb .. "1" else fb = fb .. "0" end if flags.TC then fb = fb .. "1" else fb = fb .. "0" end if flags.RD then fb = fb .. "1" else fb = fb .. "0" end if flags.RA then fb = fb .. "1" else fb = fb .. "0" end fb = fb .. "000" if flags.RC1 then fb = fb .. "1" else fb = fb .. "0" end if flags.RC2 then fb = fb .. "1" else fb = fb .. "0" end if flags.RC3 then fb = fb .. "1" else fb = fb .. "0" end if flags.RC4 then fb = fb .. "1" else fb = fb .. "0" end return fb end --- -- Encode a DNS packet. -- -- Caution: doesn't encode answer and authority part. -- @param pkt Table representing DNS packet, initialized by -- newPacket. -- @return Encoded DNS packet. function encode(pkt) if type(pkt) ~= "table" then return nil end local encFlags = encodeFlags(pkt.flags) local additional = encodeAdditional(pkt.additional) local aorplen = #pkt.answers local data, qorzlen, aorulen if ( #pkt.questions > 0 ) then data = encodeQuestions( pkt.questions ) qorzlen = #pkt.questions aorulen = 0 else -- The packet has no questions, assume we're dealing with an update data = encodeZones( pkt.zones ) .. encodeUpdates( pkt.updates ) qorzlen = #pkt.zones aorulen = #pkt.updates end local encStr if ( pkt.flags.raw ) then encStr = bin.pack(">SSS4", pkt.id, pkt.flags.raw, qorzlen, aorplen, aorulen, #pkt.additional) .. data .. additional else encStr = bin.pack(">SBS4", pkt.id, encFlags, qorzlen, aorplen, aorulen, #pkt.additional) .. data .. additional end return encStr end --- -- Decodes a domain in a DNS packet. Handles "compressed" data too. -- @param data Complete DNS packet. -- @param pos Starting position in packet. -- @return Position after decoding. -- @return Decoded domain, or nil on error. function decStr(data, pos) local function dec(data, pos, limit) local partlen local parts = {} local part -- Avoid infinite recursion on malformed compressed messages. limit = limit or 10 if limit < 0 then return pos, nil end pos, partlen = bin.unpack(">C", data, pos) while (partlen ~= 0) do if (partlen < 64) then pos, part = bin.unpack("A" .. partlen, data, pos) if part == nil then return pos end table.insert(parts, part) pos, partlen = bin.unpack(">C", data, pos) else pos, partlen = bin.unpack(">S", data, pos - 1) local _, part = dec(data, partlen - 0xC000 + 1, limit - 1) if part == nil then return pos end table.insert(parts, part) partlen = 0 end end return pos, table.concat(parts, ".") end return dec(data, pos) end --- -- Decodes questions in a DNS packet. -- @param data Complete DNS packet. -- @param count Value of question counter in header. -- @param pos Starting position in packet. -- @return Position after decoding. -- @return Table of decoded questions. local function decodeQuestions(data, count, pos) local q = {} for i = 1, count do local currQ = {} pos, currQ.dname = decStr(data, pos) pos, currQ.dtype, currQ.class = bin.unpack(">SS", data, pos) table.insert(q, currQ) end return pos, q end --- -- Table of functions to decode resource records local decoder = {} -- Decodes IP of A record, puts it in entry.ip. -- @param entry RR in packet. decoder[types.A] = function(entry) local ip = {} local _ _, ip[1], ip[2], ip[3], ip[4] = bin.unpack(">C4", entry.data) entry.ip = table.concat(ip, ".") end -- Decodes IP of AAAA record, puts it in entry.ipv6. -- @param entry RR in packet. decoder[types.AAAA] = function(entry) local ip = {} local pos = 1 local num for i = 1, 8 do pos, num = bin.unpack(">S", entry.data, pos) table.insert(ip, string.format('%x', num)) end entry.ipv6 = table.concat(ip, ":") end -- Decodes SSH fingerprint record, puts it in entry.SSHFP as -- defined in RFC 4255. -- -- entry.SSHFP has the fields algorithm, -- fptype, and fingerprint. -- @param entry RR in packet. decoder[types.SSHFP] = function(entry) local _ entry.SSHFP = {} _, entry.SSHFP.algorithm, entry.SSHFP.fptype, entry.SSHFP.fingerprint = bin.unpack(">C2H" .. (#entry.data - 2), entry.data) end -- Decodes SOA record, puts it in entry.SOA. -- -- entry.SOA has the fields mname, rname, -- serial, refresh, retry, -- expire, and minimum. -- @param entry RR in packet. -- @param data Complete encoded DNS packet. -- @param pos Position in packet after RR. decoder[types.SOA] = function(entry, data, pos) local np = pos - #entry.data entry.SOA = {} np, entry.SOA.mname = decStr(data, np) np, entry.SOA.rname = decStr(data, np) np, entry.SOA.serial, entry.SOA.refresh, entry.SOA.retry, entry.SOA.expire, entry.SOA.minimum = bin.unpack(">I5", data, np) end -- An iterator that returns the positions of nonzero bits in the given binary -- string. local function bit_iter(bits) return coroutine.wrap(function() for i = 1, #bits do local n = string.byte(bits, i) local j = 0 local mask = 0x80 while mask > 0 do if bit.band(n, mask) ~= 0 then coroutine.yield((i - 1) * 8 + j) end j = j + 1 mask = bit.rshift(mask, 1) end end end) end -- Decodes NSEC records, puts result in entry.NSEC. See RFC 4034, -- section 4. -- -- entry.NSEC has the fields dname, -- next_dname, and types. -- @param entry RR in packet. -- @param data Complete encoded DNS packet. -- @param pos Position in packet after RR. decoder[types.NSEC] = function (entry, data, pos) local np = pos - #entry.data entry.NSEC = {} entry.NSEC.dname = entry.dname np, entry.NSEC.next_dname = decStr(data, np) while np < pos do local block_num, type_bitmap np, block_num, type_bitmap = bin.unpack(">Cp", data, np) entry.NSEC.types = {} for i in bit_iter(type_bitmap) do entry.NSEC.types[(block_num - 1) * 256 + i] = true end end end -- Decodes records that consist only of one domain, for example CNAME, NS, PTR. -- Puts result in entry.domain. -- @param entry RR in packet. -- @param data Complete encoded DNS packet. -- @param pos Position in packet after RR. local function decDomain(entry, data, pos) local np = pos - #entry.data local _ _, entry.domain = decStr(data, np) end -- Decodes CNAME records. -- Puts result in entry.domain. -- @name decoder[types.CNAME] -- @class function -- @param entry RR in packet. -- @param data Complete encoded DNS packet. -- @param pos Position in packet after RR. decoder[types.CNAME] = decDomain -- Decodes NS records. -- Puts result in entry.domain. -- @name decoder[types.NS] -- @class function -- @param entry RR in packet. -- @param data Complete encoded DNS packet. -- @param pos Position in packet after RR. decoder[types.NS] = decDomain -- Decodes PTR records. -- Puts result in entry.domain. -- @name decoder[types.PTR] -- @class function -- @param entry RR in packet. -- @param data Complete encoded DNS packet. -- @param pos Position in packet after RR. decoder[types.PTR] = decDomain -- Decodes TXT records. -- Puts result in entry.domain. -- @name decoder[types.TXT] -- @class function -- @param entry RR in packet. -- @param data Complete encoded DNS packet. -- @param pos Position in packet after RR. decoder[types.TXT] = function (entry, data, pos) local len = entry.data:len() local np = pos - #entry.data local txt_len local txt if len > 0 then entry.TXT = {} entry.TXT.text = {} end while len > 0 do np, txt_len = bin.unpack("C", data, np) np, txt = bin.unpack("A" .. txt_len, data, np ) len = len - txt_len - 1 table.insert( entry.TXT.text, txt ) end end -- Decodes MX record, puts it in entry.MX. -- -- entry.MX has the fields pref and -- server. -- @param entry RR in packet. -- @param data Complete encoded DNS packet. -- @param pos Position in packet after RR. decoder[types.MX] = function(entry, data, pos) local np = pos - #entry.data + 2 local _ entry.MX = {} _, entry.MX.pref = bin.unpack(">S", entry.data) _, entry.MX.server = decStr(data, np) end -- Decodes SRV record, puts it in entry.SRV. -- -- entry.SRV has the fields prio, -- weight, port and -- target. -- @param entry RR in packet. -- @param data Complete encoded DNS packet. -- @param pos Position in packet after RR. decoder[types.SRV] = function(entry, data, pos) local np = pos - #entry.data local _ entry.SRV = {} np, entry.SRV.prio, entry.SRV.weight, entry.SRV.port = bin.unpack(">S>S>S", data, np) np, entry.SRV.target = decStr(data, np) end --- -- Decodes returned resource records (answer, authority, or additional part). -- @param data Complete encoded DNS packet. -- @param count Value of according counter in header. -- @param pos Starting position in packet. -- @return Table of RRs. local function decodeRR(data, count, pos) local ans = {} for i = 1, count do local currRR = {} pos, currRR.dname = decStr(data, pos) pos, currRR.dtype, currRR.class, currRR.ttl = bin.unpack(">SSI", data, pos) local reslen pos, reslen = bin.unpack(">S", data, pos) pos, currRR.data = bin.unpack("A" .. reslen, data, pos) -- try to be smart: decode per type if decoder[currRR.dtype] then decoder[currRR.dtype](currRR, data, pos) end table.insert(ans, currRR) end return pos, ans end --- -- Splits a string up into a table of single characters. -- @param str String to be split up. -- @return Table of characters. local function str2tbl(str) local tbl = {} for i = 1, #str do table.insert(tbl, string.sub(str, i, i)) end return tbl end --- -- Decodes DNS flags. -- @param flgStr Flags as a binary digit string. -- @return Table representing flags. local function decodeFlags(flgStr) local flags = {} local flgTbl = str2tbl(flgStr) if flgTbl[1] == '1' then flags.QR = true end if flgTbl[2] == '1' then flags.OC1 = true end if flgTbl[3] == '1' then flags.OC2 = true end if flgTbl[4] == '1' then flags.OC3 = true end if flgTbl[5] == '1' then flags.OC4 = true end if flgTbl[6] == '1' then flags.AA = true end if flgTbl[7] == '1' then flags.TC = true end if flgTbl[8] == '1' then flags.RD = true end if flgTbl[9] == '1' then flags.RA = true end if flgTbl[13] == '1' then flags.RC1 = true end if flgTbl[14] == '1' then flags.RC2 = true end if flgTbl[15] == '1' then flags.RC3 = true end if flgTbl[16] == '1' then flags.RC4 = true end return flags end --- -- Decodes a DNS packet. -- @param data Encoded DNS packet. -- @return Table representing DNS packet. function decode(data) local pos local pkt = {} local encFlags local cnt = {} pos, pkt.id, encFlags, cnt.q, cnt.a, cnt.auth, cnt.add = bin.unpack(">SB2S4", data) -- for now, don't decode the flags pkt.flags = decodeFlags(encFlags) -- -- check whether this is an update response or not -- a quick fix to allow decoding of non updates and not break for updates -- the flags are enough for the current code to determine whether an update was successful or not -- local strflags=encodeFlags(pkt.flags) if ( strflags:sub(1,4) == "1010" ) then return pkt else pos, pkt.questions = decodeQuestions(data, cnt.q, pos) pos, pkt.answers = decodeRR(data, cnt.a, pos) pos, pkt.auth = decodeRR(data, cnt.auth, pos) pos, pkt.add = decodeRR(data, cnt.add, pos) end return pkt end --- -- Creates a new table representing a DNS packet. -- @return Table representing a DNS packet. function newPacket() local pkt = {} pkt.id = 1 pkt.flags = {} pkt.flags.RD = true pkt.questions = {} pkt.zones = {} pkt.updates = {} pkt.answers = {} pkt.auth = {} pkt.additional = {} return pkt end --- -- Adds a question to a DNS packet table. -- @param pkt Table representing DNS packet. -- @param dname Domain name to be asked. -- @param dtype RR to be asked. function addQuestion(pkt, dname, dtype) if type(pkt) ~= "table" then return nil end if type(pkt.questions) ~= "table" then return nil end local q = {} q.dname = dname q.dtype = dtype q.class = CLASS.IN table.insert(pkt.questions, q) return pkt end get_default_timeout = function() local timeout = {[0] = 10000, 7000, 5000, 4000, 4000, 4000} return timeout[nmap.timing_level()] or 4000 end --- -- Adds a zone to a DNS packet table -- @param pkt Table representing DNS packet. -- @param dname Domain name to be asked. function addZone(pkt, dname) if ( type(pkt) ~= "table" ) or (type(pkt.updates) ~= "table") then return nil end table.insert(pkt.zones, { dname=dname, dtype=types.SOA, class=CLASS.IN }) return pkt end --- -- Encodes the Z bitfield of an OPT record. -- @param flags Flag table, each entry representing a flag (only DO flag implmented). -- @return Binary digit string representing flags. local function encodeOPT_Z(flags) if type(flags) == "string" then return flags end if type(flags) ~= "table" then return nil end local bits = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} for n, k in pairs({[1] = "DO"}) do if flags[k] then bits[n] = 1 end end return table.concat(bits) end --- -- Adds an OPT RR to a DNS packet's additional section. Only the table of Z -- flags is supported (i.e., not RDATA). See RFC 2671 section 4.3. -- @param pkt Table representing DNS packet. -- @param Z Table of Z flags. Only DO is supported. function addOPT(pkt, Z) if type(pkt) ~= "table" then return nil end if type(pkt.additional) ~= "table" then return nil end local _, Z_int = bin.unpack(">S", bin.pack("B", encodeOPT_Z(Z))) local opt = { type = types.OPT, class = 4096, -- Actually the sender UDP payload size. ttl = 0 * (0x01000000) + 0 * (0x00010000) + Z_int, rdlen = 0, rdata = "", } table.insert(pkt.additional, opt) return pkt end --- -- Adds a update to a DNS packet table -- @param pkt Table representing DNS packet. -- @param dname Domain name to be asked. -- @param dtype to be updated -- @param ttl the time-to-live of the record -- @param data type specific data function addUpdate(pkt, dname, dtype, ttl, data, class) if ( type(pkt) ~= "table" ) or (type(pkt.updates) ~= "table") then return nil end table.insert(pkt.updates, { dname=dname, dtype=dtype, class=class, ttl=ttl, data=(data or "") } ) return pkt end --- Adds a record to the Zone -- @param dname containing the hostname to add -- @param options A table containing any of the following fields: -- * dtype: Desired DNS record type (default: "A"). -- * host: DNS server to be queried (default: DNS servers known to Nmap). -- * timeout: The time to wait for a response -- * sendCount: The number of send attempts to perform -- * zone: If not supplied deduced from hostname -- * data: Table or string containing update data (depending on record type): -- A - String containing the IP address -- CNAME - String containing the FQDN -- MX - Table containing pref, mx -- SRV - Table containing prio, weight, port, target -- -- @return status true on success false on failure -- @return msg containing the error message -- -- Examples -- -- Adding different types of records to a server -- * update( "www.cqure.net", { host=host, port=port, dtype="A", data="10.10.10.10" } ) -- * update( "alias.cqure.net", { host=host, port=port, dtype="CNAME", data="www.cqure.net" } ) -- * update( "cqure.net", { host=host, port=port, dtype="MX", data={ pref=10, mx="mail.cqure.net"} }) -- * update( "_ldap._tcp.cqure.net", { host=host, port=port, dtype="SRV", data={ prio=0, weight=100, port=389, target="ldap.cqure.net" } } ) -- -- Removing the above records by setting an empty data and a ttl of zero -- * update( "www.cqure.net", { host=host, port=port, dtype="A", data="", ttl=0 } ) -- * update( "alias.cqure.net", { host=host, port=port, dtype="CNAME", data="", ttl=0 } ) -- * update( "cqure.net", { host=host, port=port, dtype="MX", data="", ttl=0 } ) -- * update( "_ldap._tcp.cqure.net", { host=host, port=port, dtype="SRV", data="", ttl=0 } ) -- function update(dname, options) local options = options or {} local pkt = newPacket() local flags = pkt.flags local host, port = options.host, options.port local timeout = ( type(options.timeout) == "number" ) and options.timeout or get_default_timeout() local sendcount = options.sendCount or 2 local dtype = ( type(options.dtype) == "string" ) and types[options.dtype] or types.A local updata = options.data local ttl = options.ttl or 86400 local zone = options.zone or dname:match("^.-%.(.+)$") local class = CLASS.IN assert(host, "dns.update needs a valid host in options") assert(port, "dns.update needs a valid port in options") if ( options.zone ) then dname = dname .. "." .. options.zone end if ( not(zone) and not( dname:match("^.-%..+") ) ) then return false, "hostname needs to be supplied as FQDN" end flags.RD = false flags.OC1, flags.OC2, flags.OC3, flags.OC4 = false, true, false, true -- If ttl is zero and updata is string and zero length or nil, assume delete record if ( ttl == 0 and ( ( type(updata) == "string" and #updata == 0 ) or not(updata) ) ) then class = CLASS.ANY updata = "" if ( types.MX == dtype and not(options.zone) ) then zone=dname end if ( types.SRV == dtype and not(options.zone) ) then zone=dname:match("^_.-%._.-%.(.+)$") end -- if not, let's try to update the zone else if ( dtype == types.A ) then updata = updata and bin.pack(">I", ipOps.todword(updata)) or "" elseif( dtype == types.CNAME ) then updata = encodeFQDN(updata) elseif( dtype == types.MX ) then assert( not( type(updata) ~= "table" ), "dns.update expected options.data to be a table") if ( not(options.zone) ) then zone = dname end local data = bin.pack(">S", updata.pref) data = data .. encodeFQDN(updata.mx) updata = data elseif ( dtype == types.SRV ) then assert( not( type(updata) ~= "table" ), "dns.update expected options.data to be a table") local data = bin.pack(">SSS", updata.prio, updata.weight, updata.port ) data = data .. encodeFQDN(updata.target) updata = data zone = options.zone or dname:match("^_.-%._.-%.(.+)$") else return false, "Unsupported record type" end end pkt = addZone(pkt, zone) pkt = addUpdate(pkt, dname, dtype, ttl, updata, class) local data = encode(pkt) local status, response = sendPackets(data, host, port, timeout, sendcount, false) if ( status ) then local decoded = decode(response[1].data) local flags=encodeFlags(decoded.flags) if (flags:sub(-4) == "0000") then return true end end return false end