
Backtrack 4: Information Gathering: DNS: Dnsmap – Subdomain brute-forcing

Today I will be reviewing Dnsmap from the Backtrack 4 Distribution. Dnsmap was originally released back in 2006 and has become a standard tool included in every Backtrack release. There are other tools which perform the same tasks, but I am a firm believer that a pentester/hacker should have the choice of as many tools as possible. My only small issue with this tool is speed, meaning it is not multi-threaded; however, the author says in the readme.txt that he is addressing that issue. Dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target company’s IP netblocks, domain names, phone numbers, etc.

Subdomain brute-forcing is another technique that should be used in the enumeration stage, as it’s especially useful when other domain enumeration techniques such as zone transfers don’t work.

Here are some things that Dnsmap can be used for:

1. Finding interesting remote access servers (e.g.: https://extranet.example.com)

2. Finding badly configured and/or unpatched servers (e.g.: test.example.com)

3. Finding new domain names which will allow you to map non-obvious/hard-to-find netblocks

4. Sometimes you find that some bruteforced subdomains resolve to internal IP addresses (RFC 1918). This is great as sometimes they are real up-to-date “A” records, which means that it *is* possible to enumerate internal servers of a target organization from the Internet by only using standard DNS resolving (as opposed to zone transfers, for instance).

5. Discover embedded devices configured using Dynamic DNS services (e.g.: linksys-cam.com). This method is an alternative to finding devices via Google hacking techniques.

Bruteforcing can be done either with dnsmap’s built-in wordlist or a user-supplied wordlist. Results can be saved in CSV and human-readable format for further processing. dnsmap does NOT require root privileges to be run.

Most of the preceding information came from the README.txt that the author supplied with the tool, I didn’t think there was any reason to rewrite it all and reinvent the wheel. I will just be showing you a sample session of how I would use Dnsmap in a penetration test.

First, let's check out the usage:

```bash
root@666:/pentest/enumeration/dns/dnsmap# ./dnsmap
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)

usage: dnsmap <target-domain> [options]
options:
-w <wordlist-file>
-r <regular-results-file>
-c <csv-results-file>
-d <delay-millisecs>
-i <ips-to-ignore> (useful if you're obtaining false positives)

e.g.:
dnsmap target-domain.foo
dnsmap target-domain.foo -w yourwordlist.txt -r /tmp/domainbf_results.txt
dnsmap target-fomain.foo -r /tmp/ -d 3000
dnsmap target-fomain.foo -r ./domainbf_results.txt
```

Pretty simple tool, so let's show an example session:

```bash
root@666:/pentest/enumeration/dns/dnsmap# ./dnsmap cnn.com -r results.txt
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)

[+] searching (sub)domains for cnn.com using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests

a.cnn.com
IP address #1: 8.15.7.123
IP address #2: 63.251.179.23

aa.cnn.com
IP address #1: 8.15.7.123
IP address #2: 63.251.179.23

ab.cnn.com
IP address #1: 8.15.7.123
IP address #2: 63.251.179.23

ac.cnn.com
IP address #1: 8.15.7.123
IP address #2: 63.251.179.23

access.cnn.com
IP address #1: 64.20.247.69

accounting.cnn.com
IP address #1: 8.15.7.123
IP address #2: 63.251.179.23

accounts.cnn.com
IP address #1: 8.15.7.123
IP address #2: 63.251.179.23
```

What we are doing here is attempting to bruteforce all of the subdomains of cnn.com and saving them to a file called results.txt. I have truncated the output since it's very long.

If you have a custom wordlist of subdomains you can use that as well simply by specifying the -w argument and then the path to the wordlist.

Once Dnsmap has completed its run we can look in the file and see all the subdomains and IPs in the list:

```bash
root@666:/pentest/enumeration/dns/dnsmap# head results.txt
a.cnn.com
IP address #1: 8.15.7.123
IP address #2: 63.251.179.23

aa.cnn.com
IP address #1: 8.15.7.123
IP address #2: 63.251.179.23

ab.cnn.com
IP address #1: 8.15.7.123
```

Now, for you this may be a good format, but what I want is a list of IPs to add to my list of possible targets when I move on to a more active scanning phase of the pentest.

So let's apply a little bashfoo to clean up this list:

```bash
root@666:/pentest/enumeration/dns/dnsmap# cat results.txt | sed '/^$/d' | sed '/cnn.com/d' | cut -d ':' -f 2 | sort -u | sed '$d' > ips.txt
```

And now we have a nice tidy list of IP addresses for the next phase of our attack:

```bash
root@666:/pentest/enumeration/dns/dnsmap# cat ips.txt
 1.1.1.1
 127.0.0.1
 157.166.173.183
 157.166.217.28
 157.166.224.104
 157.166.224.105
 157.166.224.111
 157.166.224.164
 157.166.224.172
 157.166.224.184
 157.166.224.186
 157.166.224.25
 157.166.224.26
 157.166.226.104
 157.166.226.105
 157.166.226.111
 157.166.226.164
 157.166.226.184
 157.166.226.186
 157.166.226.25
 157.166.226.26
 157.166.236.106
 157.166.255.172
 157.166.255.18
 157.166.255.19
 157.166.255.22
 157.166.255.23
 205.188.146.88
 207.25.71.114
 207.25.71.230
 207.25.71.91
 207.25.71.97
 207.25.79.134
 207.25.79.135
 6.9.6.9
 63.251.179.23
 64.20.247.69
 64.236.16.20
 64.236.17.108
 64.236.18.7
 64.236.22.11
 64.236.22.12
 64.236.24.12
 64.236.24.4
 64.236.26.21
 64.236.29.11
 64.236.29.12
 66.9.53.137
 8.15.7.123
```
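As an added example (not from this post or the dnsmap project), here is a small Python parser for the results file layout shown above. It produces the same de-duplicated IP list as the sed pipeline, and additionally separates RFC 1918/loopback answers (the internal-server exposure described in point 4 above) from public ones, and flags IPs that come back for many different names, which is the usual sign of a wildcard record and the kind of false positive the -i option exists for. The sample results text is constructed, and the wildcard threshold of three names is an assumption.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of dnsmap 0.30's -r results file (not a real capture).
SAMPLE_RESULTS = """a.cnn.com
IP address #1: 8.15.7.123
IP address #2: 63.251.179.23

aa.cnn.com
IP address #1: 8.15.7.123
IP address #2: 63.251.179.23

ab.cnn.com
IP address #1: 8.15.7.123
IP address #2: 63.251.179.23

access.cnn.com
IP address #1: 64.20.247.69

intranet.cnn.com
IP address #1: 10.1.2.3
"""
IP_LINE = re.compile(r"^IP address #\d+:\s*(\S+)$")

def parse_dnsmap(text):
    """Map each reported (sub)domain to the IPs dnsmap listed under it."""
    hosts, current = defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("[+]"):   # skip blanks and status banners
            continue
        m = IP_LINE.match(line)
        if m and current:
            hosts[current].append(m.group(1))
        elif not m:
            current = line                       # a hostname line opens a new record
    return dict(hosts)

def triage(hosts, wildcard_threshold=3):
    """Split IPs into public, internal (RFC 1918, loopback) and likely wildcard answers."""
    seen = Counter(ip for ips in hosts.values() for ip in set(ips))
    public, internal, ignore = [], [], []
    for ip in sorted(seen, key=ipaddress.ip_address):
        if seen[ip] >= wildcard_threshold:       # one answer for many names: -i candidate
            ignore.append(ip)
        elif ipaddress.ip_address(ip).is_private:  # RFC 1918, loopback, link-local, ...
            internal.append(ip)
        else:
            public.append(ip)
    return {"public": public, "internal": internal, "ignore": ignore}
```

On a real run, call `triage(parse_dnsmap(open("results.txt").read()))`; the "ignore" list is what you would pass back to dnsmap's -i option on a second pass, and "internal" is the list worth raising with the target as a DNS hygiene finding.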

There is also a script to bruteforce a list of domains if you are looking at a very large attack surface:

```bash
usage: dnsmap-bulk.sh <domains-file> [results-path]
e.g.:
dnsmap-bulk.sh domains.txt
dnsmap-bulk.sh domains.txt /tmp/
```

I hope this review of dnsmap is helpful, and I would like to give a big thanks to GNUCitizen for Dnsmap and all the rest of the stuff they do for the open-source community.
