
Backtrack 4: Information Gathering: DNS: Dnsrecon – Target enumeration

The next tool I am going to look at is a really great Ruby script written by my friend Carlos (Dark Operator) Perez. It's called Dnsrecon and is included in Backtrack 4. It is a simple tool written for target enumeration during authorized penetration test engagements, and it provides several different methods for enumerating targets through the DNS service.

Some of the features of dnsrecon are:

  • Standard Record Enumeration for a given domain (A, NS, SOA and MX).
  • Top Level Domain Expansion for a given domain.
  • Zone Transfer against all NS records of a given domain.
  • Reverse Lookup against a given IP Range given a start and end IP.
  • SRV Record enumeration, covering the following service names:

_gc._tcp.
_kerberos._tcp.
_kerberos._udp.
_ldap._tcp.
_test._tcp.
_sips._tcp.
_sip._udp.
_sip._tcp.
_aix._tcp.
_aix._tcp.
_finger._tcp.
_ftp._tcp.
_http._tcp.
_nntp._tcp.
_telnet._tcp.
_whois._tcp.
_h323cs._tcp.
_h323cs._udp.
_h323be._tcp.
_h323be._udp.
_h323ls._tcp.
_h323ls._udp.

  • Brute force hostnames and subdomains of a given target domain using a wordlist.

First, let's have a look at the options:

```bash
root@666:/pentest/enumeration/dnsrecon# ./dnsrecon.rb

Dnsrecon 1.5
By Carlos Perez
Email: carlos_perez@darkoperator.com

This is a simple tool writen for target enumeration during authorized penetration test
engaments. This tool provides diferent methods for enumerating targets thru DNS service.
USAGE:
ruby dnsrecon.rb <type> <arguments> <Optional:nameserver to use>
TYPES:

*** Reverse Lookup for Range ***
ruby dnsrecon.rb -r <start ip> <end ip> <Optional:nameserver to use>

*** Top Level Domain Expanssion ***
ruby dnsrecon.rb -tld <target domain> <Optional:nameserver to use>

*** DNS Host and Domain Bruteforce ***
ruby dnsrecon.rb -b <target domain> <file> <Optional:nameserver to use>

*** General DNS Query for NS, SOA and MX Records ***
ruby dnsrecon.rb -s <target domain> <Optional:nameserver to use>

*** Execute Zone transfer on each NS server reported ***
ruby dnsrecon.rb -axfr <target domain> <Optional:nameserver to use>

*** Enumerates most common SRV Records for a given domain ***
ruby dnsrecon.rb -srv <target domain> <Optional:nameserver to use>
```

The first option is to do a reverse DNS lookup for an entire IP range:

```bash
root@666:/pentest/enumeration/dnsrecon# ./dnsrecon.rb -r 63.251.179.1 63.251.179.255
Reverse Lookup for IP Renge from 63.251.179.1 to 63.251.179.255
border8.fe2-19.arlova-3.den.pnap.net,63.251.179.76
border9.fe2-19.arlova-3.den.pnap.net,63.251.179.77
arlova-3.den.pnap.net,63.251.179.78
border8.ge3-5.den-den003-752.den.pnap.net,63.251.179.89
edge1.ge3-1.den003.pnap.net,63.251.179.90
border9.ge3-5.den-den003-753.den.pnap.net,63.251.179.93
edge2.ge3-1.den003.pnap.net,63.251.179.94
border8.3-1-vlan3502.westin-1.den.pnap.net,63.251.179.110
border6.e4-0.clearway-2.den.pnap.net,63.251.179.187
border1.e1-0.clearway-2.den.pnap.net,63.251.179.188
res-63-251-179-190.den.pnap.net,63.251.179.190
```

The next option performs top level domain expansion: it tries the domain name under every top level domain and reports the ones that resolve:

```bash
root@666:/pentest/enumeration/dnsrecon# ./dnsrecon.rb -tld cnn.com
cnn.com.af,157.166.173.157,A
cnn.com.uk,8.15.7.123,A
cnn.com.uk,63.251.179.23,A
cnn.com.net,69.164.199.155,A
cnn.com.net,74.207.231.120,A
cnn.com.net,74.207.240.60,A
cnn.com.net,97.107.142.101,A
cnn.com.net,109.74.195.184,A
cnn.com.net,203.169.164.119,A
cnn.com.al,8.15.7.123,A
cnn.com.al,63.251.179.23,A
cnn.com.dz,8.15.7.123,A
cnn.com.dz,63.251.179.23,A
cnn.com.org,216.234.246.153,A
cnn.com.ad,8.15.7.123,A
cnn.com.ad,63.251.179.23,A
cnn.com.ao,8.15.7.123,A
cnn.com.ao,63.251.179.23,A
cnn.com.aq,8.15.7.123,A
cnn.com.aq,63.251.179.23,A
cnn.com.am,8.15.7.123,A
cnn.com.am,63.251.179.23,A
cnn.com.aw,8.15.7.123,A
cnn.com.aw,63.251.179.23,A
cnn.com.ag,157.166.173.157,A
cnn.com.ar,157.166.224.184,A
cnn.com.ar,157.166.226.184,A
cnn.com.ac,8.15.7.123,A
cnn.com.ac,63.251.179.23,A
cnn.com.au,72.34.39.135,A
```

Obviously there are many more results, but I truncated them for the sake of the article.

In the next example we use the -b option to brute force hostnames and subdomains of a domain, using a wordlist of candidate names in a text file, which in this example is hosts.txt:

```bash
root@666:/pentest/enumeration/dnsrecon# ./dnsrecon.rb -b cnn.com hosts.txt
3com.cnn.com,8.15.7.123
3com.cnn.com,63.251.179.23
a.cnn.com,8.15.7.123
a.cnn.com,63.251.179.23
a1.cnn.com,8.15.7.123
a1.cnn.com,63.251.179.23
a.auth-ns.cnn.com,8.15.7.123
a.auth-ns.cnn.com,63.251.179.23
a02.cnn.com,8.15.7.123
a02.cnn.com,63.251.179.23
a01.cnn.com,8.15.7.123
a01.cnn.com,63.251.179.23
a2.cnn.com,8.15.7.123
a2.cnn.com,63.251.179.23
about.cnn.com,8.15.7.123
about.cnn.com,63.251.179.23
ac.cnn.com,8.15.7.123
ac.cnn.com,63.251.179.23
academico.cnn.com,8.15.7.123
academico.cnn.com,63.251.179.23
acceso.cnn.com,8.15.7.123
acceso.cnn.com,63.251.179.23
accounting.cnn.com,8.15.7.123
accounting.cnn.com,63.251.179.23
access.cnn.com,64.20.247.69
activestat.cnn.com,8.15.7.123
```

Once again I truncated the output, but you should get the idea.
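Notice that almost every candidate name above resolves to the same pair of addresses, 8.15.7.123 and 63.251.179.23, which usually means the zone has a wildcard record rather than that many real hosts. As an added example (not part of dnsrecon or the original post), here is a small Ruby script that parses dnsrecon's comma-separated output format and separates the wildcard addresses from the handful of names worth reviewing; the sample lines are constructed from the output above, not a live capture.

```ruby
# Added example, not part of dnsrecon: parse the "host,ip[,type[,priority]]"
# lines dnsrecon prints and spot addresses shared by nearly every name, which
# usually indicates a wildcard DNS record rather than genuine hosts.

# Constructed sample, modelled on the -b output above (not a live capture).
SAMPLE_OUTPUT = <<~OUT
  3com.cnn.com,8.15.7.123
  3com.cnn.com,63.251.179.23
  a.cnn.com,8.15.7.123
  a.cnn.com,63.251.179.23
  about.cnn.com,8.15.7.123
  about.cnn.com,63.251.179.23
  access.cnn.com,64.20.247.69
  activestat.cnn.com,8.15.7.123
OUT

# One result line. dnsrecon omits the type for -b/-r output, so default to A;
# the priority field is only present on MX lines.
Record = Struct.new(:host, :ip, :type, :priority)

def parse_dnsrecon(text)
  text.each_line.map do |line|
    host, ip, type, prio = line.strip.split(",")
    next if host.nil? || ip.nil?            # banner / status lines have no comma
    Record.new(host, ip, type || "A", prio && prio.to_i)
  end.compact
end

# IPs that at least `threshold` (a fraction) of the distinct hostnames resolve to.
def wildcard_ips(records, threshold: 0.5)
  total = records.map(&:host).uniq.size
  counts = records.group_by(&:ip).transform_values { |rs| rs.map(&:host).uniq.size }
  counts.select { |_ip, n| n >= threshold * total }.keys.sort
end

# Hostnames that resolve somewhere other than the wildcard addresses; these
# are the brute-force hits actually worth reviewing.
def non_wildcard_hosts(records, threshold: 0.5)
  wild = wildcard_ips(records, threshold: threshold)
  records.reject { |r| wild.include?(r.ip) }.map(&:host).uniq
end

if __FILE__ == $PROGRAM_NAME
  recs = parse_dnsrecon(SAMPLE_OUTPUT)
  puts "probable wildcard IPs: #{wildcard_ips(recs).join(', ')}"
  puts "hosts to review:       #{non_wildcard_hosts(recs).join(', ')}"
end
```

The same parser handles the -s output further down, where the third field carries the record type and MX lines add a priority.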

The next example is a general DNS query for the A, NS, SOA and MX records of the domain:

```bash
root@666:/pentest/enumeration/dnsrecon# ./dnsrecon.rb -s cnn.com
cnn.com,157.166.255.19,A
cnn.com,157.166.224.25,A
cnn.com,157.166.224.26,A
cnn.com,157.166.226.25,A
cnn.com,157.166.226.26,A
cnn.com,157.166.255.18,A
ns1.timewarner.net,204.74.108.238,SOA
ns3.timewarner.net,199.7.68.238,NS
ns1.timewarner.net,204.74.108.238,NS
ns5.timewarner.net,204.74.109.238,NS
nycmail2.turner.com,157.166.157.10,MX,10
atlmail3.turner.com,157.166.174.56,MX,10
atlmail5.turner.com,157.166.165.14,MX,10
hkgmail1.turner.com,168.161.96.115,MX,10
lonmail1.turner.com,157.166.216.142,MX,10
nycmail1.turner.com,157.166.157.8,MX,10
```

The next example attempts a zone transfer against each NS server reported for the domain:

```bash
root@666:/pentest/enumeration/dnsrecon# ./dnsrecon.rb -axfr cnn.com
Zone transfer failed for ns5.timewarner.net
Zone transfer failed for ns1.timewarner.net
Zone transfer failed for ns3.timewarner.net
```

As a side note, it's now very rare to find a name server that still allows zone transfers, but it is always worth checking.

The final example enumerates the most common SRV records for a given domain.

DNS SRV records (RFC 2782) are useful for locating instances of a particular type of service when all the instances are effectively indistinguishable and provide the same service to the client; each record names the host and port where the service is reachable.

```bash
root@666:~# ./dnsrecon.rb -srv -d cnn.com
_sip._udp.cnn.com,198.152.17.234,5060
_sip._tcp.cnn.com,198.152.17.234,5060
```

Dnsrecon is a really great tool for passive network fingerprinting. It's an alternative to other discovery techniques such as whois lookups and scanning large IP ranges.
