πŸ•΅οΈβ€β™‚οΈ A sharp DNS reconnaissance tool for uncovering SRV records with precision and flair. From LDAP servers to Kerberos guardians and certificate authorities, SRVHunter resolves hostnames, digs up IPs, and ensures no SRV is left in the shadows. Perfect for pentesters, sysadmins, and curious minds on a DNS quest. πŸŒπŸ’ΌπŸ”

austinzwile/SRVHunter

SRVHunter

A DNS reconnaissance tool for uncovering SRV records with precision. From LDAP servers to Kerberos guardians and certificate authorities, SRVHunter resolves hostnames, digs up IPs, and ensures no SRV is left in the shadows. Perfect for pentesters, sysadmins, and curious minds on a DNS quest. 🌐 💼 🔍


Features 🚀

  • Queries a comprehensive list of SRV records for various services, including:
    • LDAP, Kerberos, NTP, and PKI/CA services.
  • Resolves hostnames and retrieves corresponding IP addresses.
  • Handles DNS errors gracefully, providing actionable feedback.
  • Customizable with options for specific nameservers and site names.
  • Outputs results in a clean and structured format.

Installation 📦

  1. Clone the repository:

    git clone https://github.com/austinzwile/SRVHunter.git
    cd SRVHunter
  2. Install dependencies:

    pip install -r requirements.txt
  3. Run the script:

    python srvhunter.py -d example.com

Usage 🔧

Run the tool with the following options:

    python srvhunter.py [options] -d domain.com

Options:

Option               Description
-n, --nameservers    Comma-separated list of nameservers to query.
-d, --domain         The target domain for SRV record lookups.
-s, --sitename       Optional site name for site-specific queries.

Example:

Query SRV records for acme.local using local DNS servers:

    python srvhunter.py -n "10.0.0.1,10.0.0.2" -d acme.local

Demo 🖼️

Here's an example of SRVHunter in action:
[Image: SRVHunter demo]


SRV Records Queried 📋

SRVHunter queries the following SRV records:

SRV Records That Do NOT Require Site Names:

  1. _ldap._tcp
  2. _ldap._tcp.dc._msdcs
  3. _ldap._tcp.gc._msdcs
  4. _kerberos._tcp
  5. _kerberos._tcp.dc._msdcs
  6. _kerberos._udp
  7. _kpasswd._tcp
  8. _kpasswd._udp
  9. _ldap._tcp.pdc._msdcs
  10. _ldap._tcp.dfsr._msdcs
  11. _ntp._udp
  12. _certauth._tcp
  13. _certsrv._tcp
  14. _certenroll._tcp

SRV Records That DO Require Site Names:

  1. _ldap._tcp.<SiteName>._sites
  2. _ldap._tcp.<SiteName>._sites.gc._msdcs
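
How the prefixes above expand into full query names, and how an SRV answer is read, shown as an added example (not SRVHunter's own code). The function names, the site name `HQ` used in testing, and the sample answer lines are constructed for illustration.

```python
from __future__ import annotations
from typing import NamedTuple

# Record prefixes exactly as listed on this page.
NO_SITE = [
    "_ldap._tcp", "_ldap._tcp.dc._msdcs", "_ldap._tcp.gc._msdcs",
    "_kerberos._tcp", "_kerberos._tcp.dc._msdcs", "_kerberos._udp",
    "_kpasswd._tcp", "_kpasswd._udp", "_ldap._tcp.pdc._msdcs",
    "_ldap._tcp.dfsr._msdcs", "_ntp._udp", "_certauth._tcp",
    "_certsrv._tcp", "_certenroll._tcp",
]
SITE = ["_ldap._tcp.{site}._sites", "_ldap._tcp.{site}._sites.gc._msdcs"]

class Srv(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str

def build_queries(domain: str, site: str | None = None) -> list[str]:
    """Expand the prefixes into fully qualified SRV query names."""
    domain = domain.strip().rstrip(".").lower()
    names = [f"{p}.{domain}." for p in NO_SITE]
    if site:  # site-specific records only make sense when a site is given
        names += [f"{t.format(site=site)}.{domain}." for t in SITE]
    return names

def parse_srv(rdata: str) -> Srv:
    """Parse SRV RDATA in presentation form: 'priority weight port target'."""
    fields = rdata.split()
    if len(fields) != 4:
        raise ValueError(f"malformed SRV rdata: {rdata!r}")
    prio, weight, port = (int(x) for x in fields[:3])
    if not all(0 <= v <= 65535 for v in (prio, weight, port)):
        raise ValueError(f"SRV field out of 16-bit range: {rdata!r}")
    return Srv(prio, weight, port, fields[3].rstrip(".").lower())

def order_targets(rdatas: list[str]) -> list[Srv]:
    # Lowest priority value is tried first. RFC 2782 picks among equal
    # priorities at random, biased by weight; sorting by weight is a simplification.
    return sorted((parse_srv(r) for r in rdatas), key=lambda s: (s.priority, -s.weight))

# Constructed sample answer for _ldap._tcp.dc._msdcs.acme.local.
SAMPLE = [
    "10 50 389 dc02.acme.local.",
    "0 100 389 DC01.acme.local.",
    "0 200 389 dc03.acme.local.",
]
```

Each target returned by `order_targets(SAMPLE)` would then be resolved to its A/AAAA addresses, which is the hostname-to-IP step the feature list describes.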

Contributing 🤝

Contributions are welcome! If you'd like to improve SRVHunter, feel free to open an issue or submit a pull request.


License 📜

This project is licensed under the MIT License. See the LICENSE file for details.


Acknowledgments 🙌

  • Built with 💻 and 🧠 by azw / austinzwile.
  • Inspired by the need for effective DNS reconnaissance in pentesting.
  • The whole offensive security community which helped me get to where I am today. 💕
