nameserver: discover nameserver within environment of this host (#741)

* nameserver: discover nameserver within environment of this host * CHANGELOG.md: Update the changelog * fixit! Add CHANGELOG.md verbiage that was removed * Update CHANGELOG.md Co-authored-by: Vincent Rose <vrose04@gmail.com> * fixit! Update author name as string Seems the author name is being interpreted as byte data using the GitHub install. --------- Co-authored-by: Vincent Rose <vrose04@gmail.com>
BC-SECURITY · Sep 4, 2024 · f33c713 · f33c713
1 parent 1aad509
commit f33c713
Show file tree

Hide file tree

Showing 3 changed files with 98 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+-   Added nameserver check for linux hosts (@0x636f646f)
+
+
 ## [5.11.2] - 2024-08-08
 
 -   Added Route4Me to sponsor page on Empire (@Cx01N)

diff --git a/empire/server/data/module_source/python/discovery/nameserver.py b/empire/server/data/module_source/python/discovery/nameserver.py
@@ -0,0 +1,72 @@
+#!/usr/bin/env python3
+"""Module for finding local nameserver
+
+Retrieve the local nameserver from resolv.conf
+Author: 0x636f646f
+"""
+
+import glob
+import re
+
+
+def check_for_resolv() -> list:
+    """Check for the resolv.conf file"""
+    resolv_conf_file = glob.glob('/etc/resolv.conf')
+    if resolv_conf_file:
+        return resolv_conf_file
+    return []
+
+
+def list_check(resolv_file) -> None:
+    """Return exception if list empty"""
+    if resolv_file:
+        return
+    if not resolv_file:
+        raise ValueError('resolv.conf not found!')
+
+
+def nameserver_regex_check(resolv_file) -> str:
+    """return the nameserver ip"""
+    pattern = re.compile(rb'^\w+\s(?P<nameserver>\d+\.\d+\.\d+\.\d+)$')
+    nameserver = None
+
+    if resolv_file:
+        with open(resolv_file[0], 'rb') as r_file:
+            for line in r_file.readlines():
+                match = pattern.match(line)
+                if match:
+                    nameserver = match.group('nameserver').decode('utf-8')
+                    break
+
+    return nameserver
+
+
+def return_nameserver_ip(nameserver_ip) -> str:
+    """Print the nameserver if found"""
+    if not nameserver_ip:
+        raise ValueError("Nameserver not found!")
+    return nameserver_ip
+
+
+def main() -> None:
+    """Execute the program"""
+    resolv_file = check_for_resolv()
+    list_check(resolv_file)
+    nameserver_ip_search = nameserver_regex_check(resolv_file)
+    nameserver_ip = return_nameserver_ip(nameserver_ip_search)
+    print(nameserver_ip)
+
+
+# Comment out the functions/variables and uncomment
+# if __name__ == '__main__' block when using as a standalone script.
+
+
+resolv_file = check_for_resolv()
+list_check(resolv_file)
+nameserver_ip_search = nameserver_regex_check(resolv_file)
+nameserver_ip = return_nameserver_ip(nameserver_ip_search)
+print(nameserver_ip)
+
+
+# if __name__ == '__main__':
+#    main()
diff --git a/empire/server/modules/python/discovery/nameserver.yaml b/empire/server/modules/python/discovery/nameserver.yaml
@@ -0,0 +1,23 @@
+name: Nameserver IP
+authors:
+  - name: '0x636f646f'
+    handle: '@BuildAndDestroy'
+    link: https://github.com/BuildAndDestroy
+description: Retrieve the nameserver IPv4 Address
+software: ''
+techniques:
+  - T1016.001
+background: false
+output_extension: ''
+needs_admin: false
+opsec_safe: false
+language: python
+min_language_version: '3.6'
+comments:
+  - https://attack.mitre.org/techniques/T1016/001/
+options:
+  - name: Agent
+    description: Agent to execute module on
+    required: true
+    value: ''
+script_path: 'python/discovery/nameserver.py'