stack trace during nearby ip sweep about fierce HOT 9 CLOSED

Do you happen to have a public domain I could test this out on?

Alternatively, it looks like adding dns.resolver.NoAnswer to the caught exceptions here (https://github.com/mschwager/fierce/blob/master/fierce.py#L34) should fix it.

Let me know what you think and I can update the code!

from fierce.

Thanks for the info! I think I've identified the issue and a possible fix. I won't be able to work on this for a few hours though, so I'll get back to you then.

from fierce.

sadly I cant share the domain I was using as it's part of an engagement,
but if you put in the exception handler, I can tell you if that fixes
the problem! :D

On 5/3/16 5:34 PM, mschwager wrote:

Do you happen to have a public domain I could test this out on?

Alternatively, it looks like adding |dns.resolver.NoAnswer| to the
caught exceptions here
(https://github.com/mschwager/fierce/blob/master/fierce.py#L34) should
fix it.

Let me know what you think and I can update the code!

—
You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub
#1 (comment)

from fierce.

it breaks on microsoft.com!
breaks on google.com..
breaks on yahoo.com

./fierce.py --domain microsoft.com
NS: ns1.msft.net. ns3.msft.net. ns2.msft.net. ns4.msft.net.
SOA: ns1.msft.net. (208.84.0.53)
Zone: failure
Wildcard: failure
Traceback (most recent call last):
File "/usr/local/lib/python3.5/site-packages/dns/resolver.py", line 126, in init
rdclass, rdtype)
File "/usr/local/lib/python3.5/site-packages/dns/message.py", line 340, in find_rrset
raise KeyError
KeyError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/lib/python3.5/site-packages/dns/resolver.py", line 136, in init
dns.rdatatype.CNAME)
File "/usr/local/lib/python3.5/site-packages/dns/message.py", line 340, in find_rrset
raise KeyError
KeyError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "./fierce.py", line 210, in
main()
File "./fierce.py", line 207, in main
fierce(**vars(args))
File "./fierce.py", line 134, in fierce
record = query(resolver, url, record_type='A')
File "./fierce.py", line 33, in query
return resolver.query(domain, record_type)
File "/usr/local/lib/python3.5/site-packages/dns/resolver.py", line 910, in query
raise_on_no_answer)
File "/usr/local/lib/python3.5/site-packages/dns/resolver.py", line 145, in init
raise NoAnswer
dns.resolver.NoAnswer

./fierce.py --domain google.com
NS: ns2.google.com. ns3.google.com. ns4.google.com. ns1.google.com.
SOA: ns2.google.com. (216.239.34.10)
Zone: failure
Wildcard: failure
Found: academico.google.com (172.217.1.228)
Nearby:
{'172.217.1.223': 'iad23s26-in-f31.1e100.net.',
'172.217.1.224': 'lax17s02-in-f0.1e100.net.',
'172.217.1.225': 'lax17s02-in-f1.1e100.net.',
'172.217.1.226': 'lax17s02-in-f2.1e100.net.',
'172.217.1.227': 'lax17s02-in-f3.1e100.net.',
'172.217.1.228': 'lax17s02-in-f4.1e100.net.',
'172.217.1.229': 'lax17s02-in-f5.1e100.net.',
'172.217.1.230': 'lax17s02-in-f6.1e100.net.',
'172.217.1.231': 'lax17s02-in-f7.1e100.net.',
'172.217.1.232': 'lax17s02-in-f8.1e100.net.',
'172.217.1.233': 'lax17s02-in-f9.1e100.net.'}
Found: accounts.google.com (172.217.1.237)
Nearby:
{'172.217.1.234': 'lax17s02-in-f10.1e100.net.',
'172.217.1.235': 'lax17s02-in-f11.1e100.net.',
'172.217.1.236': 'lax17s02-in-f12.1e100.net.',
'172.217.1.237': 'lax17s02-in-f13.1e100.net.',
'172.217.1.238': 'lax17s02-in-f14.1e100.net.',
'172.217.1.239': 'lax17s02-in-f15.1e100.net.',
'172.217.1.240': 'lax17s02-in-f16.1e100.net.',
'172.217.1.241': 'lax17s02-in-f17.1e100.net.',
'172.217.1.242': 'lax17s02-in-f18.1e100.net.'}
Found: admin.google.com (172.217.1.238)
Nearby:
{'172.217.1.243': 'lax17s02-in-f19.1e100.net.'}
Found: ads.google.com (172.217.1.238)
Found: alerts.google.com (172.217.1.238)
Found: ap.google.com (172.217.1.228)
Found: apps.google.com (172.217.1.238)
Found: asia.google.com (172.217.1.228)
Found: billing.google.com (172.217.1.238)
Found: blog.google.com (172.217.1.233)
Found: business.google.com (172.217.1.238)
Found: calendar.google.com (172.217.1.238)
Found: catalog.google.com (172.217.1.238)
Found: classroom.google.com (172.217.1.238)
Traceback (most recent call last):
File "/usr/local/lib/python3.5/site-packages/dns/resolver.py", line 126, in init
rdclass, rdtype)
File "/usr/local/lib/python3.5/site-packages/dns/message.py", line 340, in find_rrset
raise KeyError
KeyError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/lib/python3.5/site-packages/dns/resolver.py", line 136, in init
dns.rdatatype.CNAME)
File "/usr/local/lib/python3.5/site-packages/dns/message.py", line 340, in find_rrset
raise KeyError
KeyError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "./fierce.py", line 210, in
main()
File "./fierce.py", line 207, in main
fierce(**vars(args))
File "./fierce.py", line 134, in fierce
record = query(resolver, url, record_type='A')
File "./fierce.py", line 33, in query
return resolver.query(domain, record_type)
File "/usr/local/lib/python3.5/site-packages/dns/resolver.py", line 910, in query
raise_on_no_answer)
File "/usr/local/lib/python3.5/site-packages/dns/resolver.py", line 145, in init
raise NoAnswer
dns.resolver.NoAnswer

./fierce.py --domain yahoo.com
NS: ns3.yahoo.com. ns5.yahoo.com. ns2.yahoo.com. ns6.yahoo.com. ns1.yahoo.com. ns4.yahoo.com.
SOA: ns1.yahoo.com. (68.180.131.16)
Zone: failure
Wildcard: failure
Found: about.yahoo.com (206.190.61.107)
Nearby:
{'206.190.61.102': 'sjbdlv19-fms.atlas.cdn.sjb.yimg.com.',
'206.190.61.103': 'sjbdlv20-fms.atlas.cdn.sjb.yimg.com.',
'206.190.61.104': 'sjbdlv09-fms.atlas.cdn.sjb.yimg.com.',
'206.190.61.105': 'sjbldap01.atlas.cdn.sjb.yimg.com.',
'206.190.61.106': 'r1.ycpi.vip.sjb.yahoo.net.',
'206.190.61.107': 'r2.ycpi.vip.sjb.yahoo.net.',
'206.190.61.108': 'UNKNOWN-206-190-61-X.yahoo.com.',
'206.190.61.109': 'UNKNOWN-206-190-61-X.yahoo.com.',
'206.190.61.110': 'UNKNOWN-206-190-61-X.yahoo.com.',
'206.190.61.111': 'UNKNOWN-206-190-61-X.yahoo.com.',
'206.190.61.112': 'r17.ycpi.sjb.yahoo.net.'}
Traceback (most recent call last):
File "/usr/local/lib/python3.5/site-packages/dns/resolver.py", line 126, in init
rdclass, rdtype)
File "/usr/local/lib/python3.5/site-packages/dns/message.py", line 340, in find_rrset
raise KeyError
KeyError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/lib/python3.5/site-packages/dns/resolver.py", line 136, in init
dns.rdatatype.CNAME)
File "/usr/local/lib/python3.5/site-packages/dns/message.py", line 340, in find_rrset
raise KeyError
KeyError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "./fierce.py", line 210, in
main()
File "./fierce.py", line 207, in main
fierce(**vars(args))
File "./fierce.py", line 134, in fierce
record = query(resolver, url, record_type='A')
File "./fierce.py", line 33, in query
return resolver.query(domain, record_type)
File "/usr/local/lib/python3.5/site-packages/dns/resolver.py", line 910, in query
raise_on_no_answer)
File "/usr/local/lib/python3.5/site-packages/dns/resolver.py", line 145, in init
raise NoAnswer
dns.resolver.NoAnswer

from fierce.

awesome :D

from fierce.

I've identified the issue here. The behavior we're seeing is expected, but perhaps we should be handling it better. This stackoverflow post is particularly enlightening. Basically, it looks like the DNS nameservers we're using are authoritative instead of recursive, which is yielding unexpected results.

We can reproduce the issue with the following command:

$ python3 fierce.py --domain stackoverflow.com --subdomains test --dns-servers 192.48.79.30
Traceback (most recent call last):
  File "/usr/local/lib/python3.5/dist-packages/dns/resolver.py", line 126, in __init__
    rdclass, rdtype)
  File "/usr/local/lib/python3.5/dist-packages/dns/message.py", line 340, in find_rrset
    raise KeyError
KeyError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.5/dist-packages/dns/resolver.py", line 136, in __init__
    dns.rdatatype.CNAME)
  File "/usr/local/lib/python3.5/dist-packages/dns/message.py", line 340, in find_rrset
    raise KeyError
KeyError

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "fierce.py", line 238, in <module>
    main()
  File "fierce.py", line 235, in main
    fierce(**vars(args))
  File "fierce.py", line 132, in fierce
    ns = query(resolver, domain, record_type='NS')
  File "fierce.py", line 42, in query
    return resolver.query(domain, record_type)
  File "/usr/local/lib/python3.5/dist-packages/dns/resolver.py", line 910, in query
    raise_on_no_answer)
  File "/usr/local/lib/python3.5/dist-packages/dns/resolver.py", line 145, in __init__
    raise NoAnswer
dns.resolver.NoAnswer

If we create a similar query with dig we see the following:

$ dig @192.48.79.30 test.stackoverflow.com a

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.48.79.30 test.stackoverflow.com a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53556
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.stackoverflow.com.        IN  A

;; AUTHORITY SECTION:
stackoverflow.com.  172800  IN  NS  cf-dns02.stackoverflow.com.
stackoverflow.com.  172800  IN  NS  cf-dns01.stackoverflow.com.

;; ADDITIONAL SECTION:
cf-dns02.stackoverflow.com. 172800 IN   A   173.245.59.4
cf-dns01.stackoverflow.com. 172800 IN   A   173.245.58.53

;; Query time: 256 msec
;; SERVER: 192.48.79.30#53(192.48.79.30)
;; WHEN: Wed May 04 19:39:26 EDT 2016
;; MSG SIZE  rcvd: 129

We get an authoritative answer, as opposed to an actual answered A record. Now notice what happens if we perform a known good query:

$ dig @8.8.8.8 stackoverflow.com a

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @8.8.8.8 stackoverflow.com a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21767
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;stackoverflow.com.     IN  A

;; ANSWER SECTION:
stackoverflow.com.  142 IN  A   104.16.33.249
stackoverflow.com.  142 IN  A   104.16.36.249
stackoverflow.com.  142 IN  A   104.16.35.249
stackoverflow.com.  142 IN  A   104.16.37.249
stackoverflow.com.  142 IN  A   104.16.34.249

;; Query time: 30 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed May 04 19:40:59 EDT 2016
;; MSG SIZE  rcvd: 126

We received an ANSWER SECTION. In the above query that fails we get AUTHORITY SECTION and ADDITIONAL SECTION. The missing ANSWER SECTION manifests itself as dns.resolver.NoAnswer in our program. I believe we can resolve this during our query by checking if no answer section exists, but we did receive an authority section. We can then use those nameservers to perform the query again.

I'll fix it up, then let me know if it solves your issue.

from fierce.

Should be fixed in 0677d60. Keep me posted.

from fierce.

It appears to work now!
Thanks a ton! \o/

from fierce.

Great!

from fierce.