first commit

dns/dns-zone-transfer/README.md

@@ -0,0 +1,34 @@
+# DNS Zone Transfers (AXFR)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+DNS zone transfers using the AXFR protocol are the simplest mechanism to replicate DNS records across DNS servers. To avoid the need to edit information on multiple DNS servers, you can edit information on one server and use AXFR to copy information to other servers. However, if you do not protect your servers, malicious parties may use AXFR to get information about all your hosts.
+
+References:
+
+- https://www.acunetix.com/blog/articles/dns-zone-transfers-axfr/
+- https://nmap.org/nsedoc/scripts/dns-zone-transfer.html
+
+## Vulnerable Environment
+
+Vulhub uses [Bind9](https://wiki.debian.org/Bind9) to build the dns server, but that does not mean that only Bind9 supports AXFR records.
+
+To run the DNS server.
+
+```
+docker compose up -d
+```
+
+Once the environment is running, it will listen on port 53 of TCP and UDP, and the DNS protocol supports data transfer from both ports.
+
+## POC
+
+Under Linux, we can use the **dig** command to send AXFR record requests: `dig @your-ip -t axfr vulhub.org`
+
+![](2.png)
+
+As you can see, I got all the subdomain records of `vulhub.org`, and there is a DNS zone transfers vulnerability here.
+
+We can also use the Nmap script to scan for this vulnerability: `nmap --script dns-zone-transfer.nse --script-args "dns-zone-transfer.domain=vulhub.org" -Pn -p 53 your-ip`
+
+![](3.png)

dns/dns-zone-transfer/README.zh-cn.md

@@ -0,0 +1,34 @@
+# DNS域传送漏洞
+
+DNS协议支持使用axfr类型的记录进行区域传送，用来解决主从同步的问题。如果管理员在配置DNS服务器的时候没有限制允许获取记录的来源，将会导致DNS域传送漏洞。
+
+参考链接：
+
+- https://www.acunetix.com/blog/articles/dns-zone-transfers-axfr/
+- https://nmap.org/nsedoc/scripts/dns-zone-transfer.html
+
+## 环境搭建
+
+Vulhub使用[Bind9](https://wiki.debian.org/Bind9)来搭建dns服务器，但不代表只有Bind9支持AXFR记录。运行DNS服务器：
+
+```
+docker compose up -d
+```
+
+环境运行后，将会监听TCP和UDP的53端口，DNS协议同时支持从这两个端口进行数据传输。
+
+## 漏洞复现
+
+在Linux下，我们可以使用dig命令来发送dns请求。比如，我们可以用`dig @your-ip www.vulhub.org`获取域名`www.vulhub.org`在目标dns服务器上的A记录：
+
+![](1.png)
+
+发送axfr类型的dns请求：`dig @your-ip -t axfr vulhub.org`
+
+![](2.png)
+
+可见，我获取到了`vulhub.org`的所有子域名记录，这里存在DNS域传送漏洞。
+
+我们也可以用nmap script来扫描该漏洞：`nmap --script dns-zone-transfer.nse --script-args "dns-zone-transfer.domain=vulhub.org" -Pn -p 53 your-ip`
+
+![](3.png)

dns/dns-zone-transfer/docker-compose.yml

@@ -0,0 +1,10 @@
+version: '2'
+services:
+ dns:
+   image: vulhub/bind:latest
+   ports:
+    - "53:53/tcp"
+    - "53:53/udp"
+   volumes:
+    - ./named.conf.local:/etc/bind/named.conf.local
+    - ./vulhub.db:/etc/bind/vulhub.db

dns/dns-zone-transfer/named.conf.local

@@ -0,0 +1,4 @@
+zone "vulhub.org" {
+      type master;
+      file "/etc/bind/vulhub.db";
+};

dns/dns-zone-transfer/vulhub.db

@@ -0,0 +1,19 @@
+@   IN  SOA     ns.vulhub.org.  sa.vulhub.org. ( 
+    1            ; serial number 
+    3600         ; refresh   [1h] 
+    600          ; retry     [10m] 
+    86400        ; expire    [1d] 
+    3600 )       ; min TTL   [1h]
+
+  IN  NS   ns1
+  IN  NS   ns2
+
+ns1 IN  A   10.0.0.1
+ns2 IN  A   10.0.0.2
+www IN  A   10.1.1.1
+sa  IN  A   10.1.1.2
+cdn IN  A   10.1.1.3
+admin IN  A   10.1.1.4
+wap IN CNAME   www
+static IN CNAME www
+git IN A   10.1.1.4