Backtrack 5: Information Gathering: Network Analysis: DNS Analysis: reverseraider
Posted by alex in Security at 6:43 AM

Many of the DNS enumeration scripts available in Backtrack focus on typical DNS, but reverseraider does what its name suggests: it enumerates reverse DNS names. Enumerating reverse DNS on an IP or set of IPs can sometimes reveal information you did not previously have. You may be targeting a web server that hosts a number of virtual hosts and want to track down the primary web site on that server. This is where reverseraider may provide the necessary results, since the most important site on a virtual web server is the one most likely to have reverse DNS configured on the host itself. Below I show the three primary methods of using reverseraider.
Use reverseraider To Enumerate Reverse DNS On A File Of IPs:
root@bt:/pentest/enumeration/reverseraider# ./reverseraider -f iplist-test.txt
resolver3.opendns.com 208.67.222.220
resolver3.opendns.com 208.67.222.220
resolver1.opendns.com 208.67.222.222
resolver1.opendns.com 208.67.222.222
google-public-dns-a.google.com 8.8.8.8
google-public-dns-a.google.com 8.8.8.8
resolver2.opendns.com 208.67.220.220
resolver2.opendns.com 208.67.220.220
resolver2.opendns.com 208.67.220.220
resolver2.opendns.com 208.67.220.220
root@bt:/pentest/enumeration/reverseraider#
The above list of IPs is provided with reverseraider as a test list and resolves the reverse DNS of various Google IPs. The primary thing to take away from the above example is that the -f switch lets you specify a file containing a list of IPs, a list of IP ranges, or a combination of the two. The next example runs a wordlist against a specific domain, looking for reverse DNS by trying each entry in the wordlist.
Use reverseraider To Enumerate Reverse DNS Based On A Wordlist:
root@bt:/pentest/enumeration/reverseraider# ./reverseraider -w wordlists/fast.list -d louisville.edu
smtp.louisville.edu 136.165.233.235
smtp.louisville.edu 136.165.233.231
smtp.louisville.edu 136.165.233.227
hermes.louisville.edu 136.165.253.10
dns.louisville.edu 136.165.253.10
smtp.louisville.edu 136.165.233.227
mail.louisville.edu 136.165.233.227
smtp.louisville.edu 136.165.233.235
mail.louisville.edu 136.165.233.235
smtp.louisville.edu 136.165.233.231
mail.louisville.edu 136.165.233.231
www.louisville.edu 136.165.238.157
web.louisville.edu 136.165.238.183
ldaplb.louisville.edu 136.165.229.2
ldap.louisville.edu 136.165.229.2
www.louisville.edu 136.165.238.157
smtp.louisville.edu 136.165.233.231
smtp.louisville.edu 136.165.233.227
smtp.louisville.edu 136.165.233.235
hermes.louisville.edu 136.165.253.10
dns.louisville.edu 136.165.253.10
smtp.louisville.edu 136.165.233.235
mail.louisville.edu 136.165.233.235
smtp.louisville.edu 136.165.233.231
mail.louisville.edu 136.165.233.231
smtp.louisville.edu 136.165.233.227
mail.louisville.edu 136.165.233.227
web.louisville.edu 136.165.238.183
ldaplb.louisville.edu 136.165.229.2
ldap.louisville.edu 136.165.229.2
vpn.louisville.edu 216.249.140.85
vpn.louisville.edu 216.249.140.85
root@bt:/pentest/enumeration/reverseraider#
In the above example the smallest wordlist was used, and it still turned up a ton of results. The -d switch specifies the domain you want to enumerate reverse DNS names for; keep in mind that you must also use the -w switch to specify a wordlist. There are three wordlists located in /pentest/enumeration/reverseraider/wordlists/. You can also see that numerous reverse DNS names have multiple IPs, which is another thing to consider when weighing the value of reverse DNS. If you knew of the IP address 136.165.233.235 above, which allowed you to obtain mail.louisville.edu, you could then investigate with reverseraider and other tools to see whether there are other mail servers in the same IP range. The last example below shows reverseraider using the -r switch, which lets you specify a single IP or a range of IPs on the command line.
Use reverseraider To Enumerate Reverse DNS Entries By IP Address:
root@bt:/pentest/enumeration/reverseraider# ./reverseraider -r 2.1.1.1-10
ANantes-551-1-154-1.w2-1.abo.wanadoo.fr 2.1.1.1
ANantes-551-1-154-1.w2-1.abo.wanadoo.fr 2.1.1.1
ANantes-551-1-154-2.w2-1.abo.wanadoo.fr 2.1.1.2
ANantes-551-1-154-2.w2-1.abo.wanadoo.fr 2.1.1.2
ANantes-551-1-154-3.w2-1.abo.wanadoo.fr 2.1.1.3
ANantes-551-1-154-3.w2-1.abo.wanadoo.fr 2.1.1.3
ANantes-551-1-154-4.w2-1.abo.wanadoo.fr 2.1.1.4
ANantes-551-1-154-4.w2-1.abo.wanadoo.fr 2.1.1.4
ANantes-551-1-154-5.w2-1.abo.wanadoo.fr 2.1.1.5
ANantes-551-1-154-5.w2-1.abo.wanadoo.fr 2.1.1.5
ANantes-551-1-154-6.w2-1.abo.wanadoo.fr 2.1.1.6
ANantes-551-1-154-6.w2-1.abo.wanadoo.fr 2.1.1.6
ANantes-551-1-154-7.w2-1.abo.wanadoo.fr 2.1.1.7
ANantes-551-1-154-7.w2-1.abo.wanadoo.fr 2.1.1.7
ANantes-551-1-154-8.w2-1.abo.wanadoo.fr 2.1.1.8
ANantes-551-1-154-8.w2-1.abo.wanadoo.fr 2.1.1.8
ANantes-551-1-154-9.w2-1.abo.wanadoo.fr 2.1.1.9
ANantes-551-1-154-9.w2-1.abo.wanadoo.fr 2.1.1.9
ANantes-551-1-154-10.w2-1.abo.wanadoo.fr 2.1.1.10
ANantes-551-1-154-10.w2-1.abo.wanadoo.fr 2.1.1.10
root@bt:/pentest/enumeration/reverseraider#
That is pretty much it. There is not a lot to reverseraider, though I believe it to be a valuable tool specifically for reverse DNS enumeration.
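
The wordlist run above prints many duplicate lines, and several names share addresses. The following is an added example, not part of the original post or of reverseraider: it parses that "name IP" output, removes duplicates, and groups the results by name, by IP and by /24, which is handy when reviewing what your own zone exposes. The sample input is a subset of the output shown above, and the function names parse_pairs and summarize are made up for this illustration.

```python
import ipaddress
from collections import defaultdict

# Subset of the wordlist run's output shown above, including a repeat and the prompt.
SAMPLE_OUTPUT = """\
smtp.louisville.edu 136.165.233.235
smtp.louisville.edu 136.165.233.231
smtp.louisville.edu 136.165.233.227
hermes.louisville.edu 136.165.253.10
dns.louisville.edu 136.165.253.10
mail.louisville.edu 136.165.233.227
mail.louisville.edu 136.165.233.235
mail.louisville.edu 136.165.233.231
ldaplb.louisville.edu 136.165.229.2
ldap.louisville.edu 136.165.229.2
smtp.louisville.edu 136.165.233.235
vpn.louisville.edu 216.249.140.85
root@bt:/pentest/enumeration/reverseraider#
"""

def parse_pairs(text):
    """Return the unique (hostname, IPv4Address) pairs, skipping prompts and junk."""
    pairs = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue  # prompt lines, command lines, blank lines
        try:
            pairs.add((fields[0].lower().rstrip("."), ipaddress.IPv4Address(fields[1])))
        except ipaddress.AddressValueError:
            continue  # second field is not an IPv4 address
    return pairs

def summarize(pairs):
    """Group pairs three ways: IPs per name, names per IP, names per /24."""
    by_name, by_ip, by_net = defaultdict(set), defaultdict(set), defaultdict(set)
    for name, ip in pairs:
        by_name[name].add(ip)
        by_ip[ip].add(name)
        by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].add(name)
    return by_name, by_ip, by_net

if __name__ == "__main__":
    names, ips, nets = summarize(parse_pairs(SAMPLE_OUTPUT))
    for ip in sorted(ips):
        if len(ips[ip]) > 1:
            print(ip, "shared by", sorted(ips[ip]))
    for net in sorted(nets):
        print(net, sorted(nets[net]))
```
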