Backtrack 4: Information Gathering: DNS: Dnsrecon – Target enumeration
Posted by purehate in Security at 8:50 AM

The next tool I am going to look at is a really great Ruby script written by my friend Carlos (Dark operator) Perez. It's called Dnsrecon and is included in Backtrack 4. This is a simple tool written for target enumeration during authorized penetration test engagements. It provides several different methods for enumerating targets via the DNS service.

Some of the features of dnsrecon are:
- Standard Record Enumeration for a given domain (A, NS, SOA and MX).
- Top Level Domain Expansion for a given domain.
- Zone Transfer against all NS records of a given domain.
- Reverse Lookup against a given IP Range given a start and end IP.
- SRV Record enumeration, enumerating:
  _gc._tcp.
  _kerberos._tcp.
  _kerberos._udp.
  _ldap._tcp.
  _test._tcp.
  _sips._tcp.
  _sip._udp.
  _sip._tcp.
  _aix._tcp.
  _aix._tcp.
  _finger._tcp.
  _ftp._tcp.
  _http._tcp.
  _nntp._tcp.
  _telnet._tcp.
  _whois._tcp.
  _h323cs._tcp.
  _h323cs._udp.
  _h323be._tcp.
  _h323be._udp.
  _h323ls._tcp.
  _h323ls._udp.
- Brute force hostnames and subdomains of a given target domain using a wordlist.
First let's have a look at the options:

root@666:/pentest/enumeration/dnsrecon# ./dnsrecon.rb
Dnsrecon 1.5
By Carlos Perez
Email: carlos_perez@darkoperator.com

This is a simple tool writen for target enumeration during authorized penetration test engaments. This tool provides diferent methods for enumerating targets thru DNS service.

USAGE: ruby dnsrecon.rb <type> <arguments> <Optional:nameserver to use>

TYPES:
*** Reverse Lookup for Range ***
ruby dnsrecon.rb -r <start ip> <end ip> <Optional:nameserver to use>
*** Top Level Domain Expanssion ***
ruby dnsrecon.rb -tld <target domain> <Optional:nameserver to use>
*** DNS Host and Domain Bruteforce ***
ruby dnsrecon.rb -b <target domain> <file> <Optional:nameserver to use>
*** General DNS Query for NS, SOA and MX Records ***
ruby dnsrecon.rb -s <target domain> <Optional:nameserver to use>
*** Execute Zone transfer on each NS server reported ***
ruby dnsrecon.rb -axfr <target domain> <Optional:nameserver to use>
*** Enumerates most common SRV Records for a given domain ***
ruby dnsrecon.rb -srv <target domain> <Optional:nameserver to use>
The first option is to do a reverse DNS lookup for an entire IP range:

root@666:/pentest/enumeration/dnsrecon# ./dnsrecon.rb -r 63.251.179.1 63.251.179.255
Reverse Lookup for IP Renge from 63.251.179.1 to 63.251.179.255
border8.fe2-19.arlova-3.den.pnap.net,63.251.179.76
border9.fe2-19.arlova-3.den.pnap.net,63.251.179.77
arlova-3.den.pnap.net,63.251.179.78
border8.ge3-5.den-den003-752.den.pnap.net,63.251.179.89
edge1.ge3-1.den003.pnap.net,63.251.179.90
border9.ge3-5.den-den003-753.den.pnap.net,63.251.179.93
edge2.ge3-1.den003.pnap.net,63.251.179.94
border8.3-1-vlan3502.westin-1.den.pnap.net,63.251.179.110
border6.e4-0.clearway-2.den.pnap.net,63.251.179.187
border1.e1-0.clearway-2.den.pnap.net,63.251.179.188
res-63-251-179-190.den.pnap.net,63.251.179.190
The next option finds all the top level domains for a domain name:

root@666:/pentest/enumeration/dnsrecon# ./dnsrecon.rb -tld cnn.com
cnn.com.af,157.166.173.157,A
cnn.com.uk,8.15.7.123,A
cnn.com.uk,63.251.179.23,A
cnn.com.net,69.164.199.155,A
cnn.com.net,74.207.231.120,A
cnn.com.net,74.207.240.60,A
cnn.com.net,97.107.142.101,A
cnn.com.net,109.74.195.184,A
cnn.com.net,203.169.164.119,A
cnn.com.al,8.15.7.123,A
cnn.com.al,63.251.179.23,A
cnn.com.dz,8.15.7.123,A
cnn.com.dz,63.251.179.23,A
cnn.com.org,216.234.246.153,A
cnn.com.ad,8.15.7.123,A
cnn.com.ad,63.251.179.23,A
cnn.com.ao,8.15.7.123,A
cnn.com.ao,63.251.179.23,A
cnn.com.aq,8.15.7.123,A
cnn.com.aq,63.251.179.23,A
cnn.com.am,8.15.7.123,A
cnn.com.am,63.251.179.23,A
cnn.com.aw,8.15.7.123,A
cnn.com.aw,63.251.179.23,A
cnn.com.ag,157.166.173.157,A
cnn.com.ar,157.166.224.184,A
cnn.com.ar,157.166.226.184,A
cnn.com.ac,8.15.7.123,A
cnn.com.ac,63.251.179.23,A
cnn.com.au,72.34.39.135,A

Obviously there are many more results, but I truncated them for the sake of the article.
In the next example we specify the -b option to brute force a domain with a list of candidate hostnames kept in a text file, which in this example is hosts.txt:

root@666:/pentest/enumeration/dnsrecon# ./dnsrecon.rb -b cnn.com hosts.txt
3com.cnn.com,8.15.7.123
3com.cnn.com,63.251.179.23
a.cnn.com,8.15.7.123
a.cnn.com,63.251.179.23
a1.cnn.com,8.15.7.123
a1.cnn.com,63.251.179.23
a.auth-ns.cnn.com,8.15.7.123
a.auth-ns.cnn.com,63.251.179.23
a02.cnn.com,8.15.7.123
a02.cnn.com,63.251.179.23
a01.cnn.com,8.15.7.123
a01.cnn.com,63.251.179.23
a2.cnn.com,8.15.7.123
a2.cnn.com,63.251.179.23
about.cnn.com,8.15.7.123
about.cnn.com,63.251.179.23
ac.cnn.com,8.15.7.123
ac.cnn.com,63.251.179.23
academico.cnn.com,8.15.7.123
academico.cnn.com,63.251.179.23
acceso.cnn.com,8.15.7.123
acceso.cnn.com,63.251.179.23
accounting.cnn.com,8.15.7.123
accounting.cnn.com,63.251.179.23
access.cnn.com,64.20.247.69
activestat.cnn.com,8.15.7.123
Once again I truncated the output but you should be able to get the idea.
The next example is just a general DNS query for NS, SOA and MX records:

root@666:/pentest/enumeration/dnsrecon# ./dnsrecon.rb -s cnn.com
cnn.com,157.166.255.19,A
cnn.com,157.166.224.25,A
cnn.com,157.166.224.26,A
cnn.com,157.166.226.25,A
cnn.com,157.166.226.26,A
cnn.com,157.166.255.18,A
ns1.timewarner.net,204.74.108.238,SOA
ns3.timewarner.net,199.7.68.238,NS
ns1.timewarner.net,204.74.108.238,NS
ns5.timewarner.net,204.74.109.238,NS
nycmail2.turner.com,157.166.157.10,MX,10
atlmail3.turner.com,157.166.174.56,MX,10
atlmail5.turner.com,157.166.165.14,MX,10
hkgmail1.turner.com,168.161.96.115,MX,10
lonmail1.turner.com,157.166.216.142,MX,10
nycmail1.turner.com,157.166.157.8,MX,10
The next example will attempt a zone transfer against each NS server reported:

root@666:/pentest/enumeration/dnsrecon# ./dnsrecon.rb -axfr cnn.com
Zone transfer failed for ns5.timewarner.net
Zone transfer failed for ns1.timewarner.net
Zone transfer failed for ns3.timewarner.net

Just as a side note, it's very rare to find a name server which still allows zone transfers; however, it's always good to try.
The final example enumerates the most common SRV records for a given domain.

DNS SRV records [RFC 2782] are useful for locating instances of a particular type of service when all the instances are effectively indistinguishable and provide the same service to the client.

root@666:~# ./dnsrecon.rb -srv -d cnn.com
_sip._udp.cnn.com,198.152.17.234,5060
_sip._tcp.cnn.com,198.152.17.234,5060
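As an added example (my own code, not part of the original post or of the dnsrecon script), here is what the -srv mode above does, written in plain Ruby with the standard Resolv library so you can inventory which service records your own domain publishes. It assumes only Ruby's Resolv; the resolver is injectable so the logic can be exercised offline with a stub, and example.test is a placeholder domain.

```ruby
require 'resolv'

# SRV prefixes that dnsrecon's -srv mode checks (list taken from the post).
SRV_PREFIXES = %w[
  _gc._tcp _kerberos._tcp _kerberos._udp _ldap._tcp _test._tcp _sips._tcp
  _sip._udp _sip._tcp _aix._tcp _finger._tcp _ftp._tcp _http._tcp _nntp._tcp
  _telnet._tcp _whois._tcp _h323cs._tcp _h323cs._udp _h323be._tcp _h323be._udp
  _h323ls._tcp _h323ls._udp
].freeze

# Fully qualified SRV names to query for a domain, e.g. _sip._udp.example.test.
def srv_names(domain)
  SRV_PREFIXES.map { |prefix| "#{prefix}.#{domain}" }
end

# Query every SRV name and resolve each target to its addresses.
# Returns rows of [name, ip, port, priority]. `resolver` only has to respond to
# getresources and getaddresses, so Resolv::DNS or an offline stub both work.
def enumerate_srv(domain, resolver: Resolv::DNS.new)
  rows = []
  srv_names(domain).each do |name|
    begin
      srvs = resolver.getresources(name, Resolv::DNS::Resource::IN::SRV)
    rescue Resolv::ResolvError
      next # a lookup error is treated like "no record"
    end
    srvs.each do |srv|
      target = srv.target.to_s
      ips = resolver.getaddresses(target).map(&:to_s)
      ips = [target] if ips.empty? # keep the hostname when it does not resolve
      ips.each { |ip| rows << [name, ip, srv.port, srv.priority] }
    end
  end
  rows.sort_by { |name, _ip, _port, prio| [prio, name] }
end

# Same "name,ip,port" shape as the dnsrecon -srv output shown above.
def format_rows(rows)
  rows.map { |name, ip, port, _prio| "#{name},#{ip},#{port}" }
end

# Usage: ruby srv_inventory.rb <domain> [nameserver]
if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  resolver = ARGV[1] ? Resolv::DNS.new(nameserver: [ARGV[1]]) : Resolv::DNS.new
  puts format_rows(enumerate_srv(ARGV[0], resolver: resolver))
end
```

Run it against a domain you are responsible for and compare the rows with what you expect to be published; a record you did not know about is worth a look.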
Dnsrecon is a really great tool for passive network fingerprinting. It’s an alternative to other discovery techniques such as whois lookups, scanning large IP ranges, etc.