metasploit-framework/modules/post/multi/gather/dns_reverse_lookup.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Post

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Multi Gather DNS Reverse Lookup Scan',
        'Description' => %q{
          Performs DNS reverse lookup using the OS included DNS query command.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>'],
        'Platform' => %w[bsd linux osx solaris win],
        'SessionTypes' => [ 'meterpreter', 'shell' ]
      )
    )
    register_options(
      [

        OptAddressRange.new('RHOSTS', [true, 'IP Range to perform reverse lookup against.'])

      ]
    )
  end

  # Run Method for when run command is issued
  def run
    iprange = datastore['RHOSTS']
    print_status("Performing DNS Reverse Lookup for IP range #{iprange}")
    iplst = []

    a = []
    ipadd = Rex::Socket::RangeWalker.new(iprange)
    numip = ipadd.num_ips
    while (iplst.length < numip)
      ipa = ipadd.next_ip
      if !ipa
        break
      end

      iplst << ipa
    end

    case session.platform
    when 'windows'
      cmd = 'nslookup'
    when 'solaris'
      cmd = '/usr/sbin/host'
    else
      cmd = '/usr/bin/host'
    end

    while !iplst.nil? && !iplst.empty?
      1.upto session.max_threads do
        a << framework.threads.spawn("Module(#{refname})", false, iplst.shift) do |ip_add|
          next if ip_add.nil?

          r = cmd_exec(cmd, " #{ip_add}")
          case session.platform
          when 'windows'
            if r =~ /(Name)/
              r.scan(/Name:\s*\S*\s/) do |n|
                hostname = n.split(':    ')
                print_good "\t #{ip_add} is #{hostname[1].chomp("\n")}"
                report_host({
                  host: ip_add,
                  name: hostname[1].strip
                })
              end
            else
              vprint_status("#{ip_add} does not have a Reverse Lookup Record")
            end
          else
            if r !~ /not found/i
              hostname = r.scan(/domain name pointer (\S*)\./).join
              print_good "\t #{ip_add} is #{hostname}"
              report_host({
                host: ip_add,
                name: hostname.strip
              })
            else
              vprint_status("#{ip_add} does not have a Reverse Lookup Record")
            end
          end
        end
        a.map(&:join)
      end
    end
  end
end