The dnsenum.pl Perl script, as described in its own Perl documentation, is a multithreaded script to enumerate information on a domain and to discover non-contiguous IP blocks. In short, dnsenum gathers information about a specific domain from several sources. The information gathered includes subdomains, associated IP ranges, name servers, MX records, reverse DNS records, hostname IP addresses, and whether any of the domain's name servers allow zone transfers (AXFR), which is a misconfiguration that exposes the whole zone. Below we go into detail on the switches available with dnsenum as well as what the command returns by default when run without any CLI switches.

dnsenum – DNS & IP Block Enumeration On Backtrack Linux


dnsenum Perl Documentation


DNSENUM(1) User Contributed Perl Documentation DNSENUM(1)

NAME
dnsenum.pl: multithread script to enumerate information on a domain and to discover non-contiguous IP blocks.

VERSION
dnsenum.pl version 1.2.2

SYNOPSIS
dnsenum.pl [options]

DESCRIPTION
Supported operations: nslookup, zonetransfer, google scraping, domain brute force (support also recursion), whois ip and reverse lookups.

Operations:

· 1) Get the host's address (A record).

· 2) Get the nameservers (threaded).

· 3) Get the MX record (threaded).

· 4) Perform AXFR queries on nameservers (threaded).

· 5) Get extra names and subdomains via google scraping (google query = "allinurl: -www site:domain").

· 6) Brute force subdomains from file, can also perform recursion on subdomain that have NS records (all threaded).

· 7) Calculate Class C IP network ranges from the results and perform whois queries on them (threaded).

· 8) Perform reverse lookups on netranges (class C or/and whois netranges)(threaded).

· 9) Write to domain_ips.txt file non-contiguous ip-blocks results.

OPTIONS
The brute force -f switch is obligatory.

GENERAL OPTIONS:
--dnsserver Use this DNS server to perform all A, NS and MX queries,
the AXFR and PTR queries are sent to the domain's NS servers.

--enum Shortcut option equivalent to --threads 5 -s 20 -w.

-h, --help Print the help message.

--noreverse Skip the reverse lookup operations.
Reverse lookups can take long time on big netranges.

--private Show and save private ips at the end of the file domain_ips.txt.

--subfile Write all valid subdomains to this file.
Subdomains are taken from NS and MX records, zonetransfer,
google scraping, brute force and reverse lookup hostnames.

-t, --timeout The tcp and udp timeout values in seconds (default: 10s).

--threads The number of threads that will perform different queries.

-v, --verbose Be verbose (show all the progress and all the error messages).

Notes: neither the default domain nor the resolver search list are appended to domains that don’t contain any dots.

GOOGLE SCRAPING OPTIONS:
This function will scrape subdomains from google search, using query: allinurl: -www site:domain.

-p, --pages The number of google search pages to process when scraping names,
the -s switch must be specified, (default: 20 pages).

-s, --scrap The maximum number of subdomains that will be scraped from google.

NOTES: Google can block our queries with the malware detection. Http proxy options for google scraping are automatically loaded from the environment if the vars http_proxy or HTTP_PROXY are present, e.g. "http_proxy=http://127.0.0.1:8118/" or "HTTP_PROXY=http://127.0.0.1:8118/". On IO errors the mechanize browser object will automatically call die.

BRUTE FORCE OPTIONS:
-f, --file Read subdomains from this file to perform brute force.

-u, --update <a|g|r|z> Update the file specified with the -f switch with valid subdomains.

-u a Update using all results.

-u g Update using only google scraping results.

-u r Update using only reverse lookup results.

-u z Update using only zonetransfer results.

-r, --recursion Recursion on subdomains, brute force all discovered subdomains
that have an NS record.

NOTES: To perform recursion first we must check previous subdomains results (zonetransfer, google scraping and brute force) for NS records, after that we perform brute force on valid subdomains that have NS records and so on. NS, MX and reverse lookup results are not concerned.

WHOIS IP OPTIONS:
Perform whois ip queries on class C netranges discovered from previous operations.

-d, --delay The maximum value of seconds to wait between whois queries,
the value is defined randomly, (default: 3s).

NOTES: whois servers will limit the number of connections.

-w, --whois Perform the whois queries on class C network ranges.
Warning: this can generate very large netranges and it
will take lot of time to perform reverse lookups.

NOTES: The whois query should recursively query the various whois providers until it gets the more detailed information including either TechPhone or OrgTechPhone by default. See: perldoc Net::Whois::IP. On errors the netrange will be a default class C /24.

REVERSE LOOKUP OPTIONS:
-e, --exclude Exclude PTR records that match the regexp expression from reverse
lookup results, useful on invalid hostnames.

NOTES: PTR records that do not match the domain are also excluded. Verbose mode will show all results.

OUTPUT FILES
Final non-contiguous ip blocks are written to domain_ips.txt file.

NOTES: Final non-contiguous ip blocks are calculated :

· 1) From reverse lookups that were performed on netranges ( c class network ranges or whois netranges ).

· 2) If the noreverse switch is used then they are calculated from previous operations results (nslookups, zonetransfers, google scraping and brute forcing).

README
dnsenum.pl: multithread script to enumerate information on a domain and to discover non-contiguous ip blocks.

PREREQUISITES
Modules that are included in perl 5.10.0:
Getopt::Long, IO::File, Thread::Queue.

Other Necessary modules:
Must have: Net::DNS, Net::IP, Net::Netmask.
Optional: Net::Whois::IP, HTML::Parser, WWW::Mechanize.

Perl ithreads modules (perl must be compiled with ithreads support):
threads, threads::shared.

AUTHORS
Filip Waeytens <filip.waeytens[at]gmail.com>

tix tixxDZ <tixxdz[at]gmail.com>

COPYRIGHT
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.

SCRIPT CATEGORIES
Networking DNS

perl v5.10.1 2011-06-16 DNSENUM(1)

dnsenum Perl Script: Default Output Against cnn.com

root@bt:/pentest/enumeration/dns/dnsenum# perl dnsenum.pl cnn.com
dnsenum.pl VERSION:1.2.2

-----   cnn.com   -----

Host's addresses:
__________________

cnn.com                                  198      IN    A        157.166.255.19
cnn.com                                  198      IN    A        157.166.226.25
cnn.com                                  198      IN    A        157.166.226.26
cnn.com                                  198      IN    A        157.166.255.18

Name Servers:
______________

ns1.p42.dynect.net                       159347   IN    A        208.78.70.42
ns1.timewarner.net                       169183   IN    A        204.74.108.238
ns3.timewarner.net                       169183   IN    A        199.7.68.238
ns2.p42.dynect.net                       169183   IN    A        204.13.250.42

Mail (MX) Servers:
___________________

atlmail3.turner.com                      40       IN    A        157.166.174.56
atlmail5.turner.com                      40       IN    A        157.166.165.14
hkgmail1.turner.com                      40       IN    A        168.161.96.115
lonmail1.turner.com                      107      IN    A        157.166.216.142
nycmail1.turner.com                      107      IN    A        157.166.157.8
nycmail2.turner.com                      107      IN    A        157.166.157.10

Trying Zone Transfers and getting Bind Versions:
_________________________________________________

Trying Zone Transfer for cnn.com on ns1.p42.dynect.net ...
AXFR record query failed: NOERROR

9.6-ESV-R7-P3t.net Bind Version:

Trying Zone Transfer for cnn.com on ns1.timewarner.net ...
AXFR record query failed: NOERROR

ns1.timewarner.net Bind Version: UltraDNS Resolver

Trying Zone Transfer for cnn.com on ns3.timewarner.net ...
AXFR record query failed: NOERROR

ns3.timewarner.net Bind Version: UltraDNS Resolver

Trying Zone Transfer for cnn.com on ns2.p42.dynect.net ...
AXFR record query failed: NOERROR

9.6-ESV-R7-P3t.net Bind Version:
 Wildcards detected, all subdomains will point to the same IP address, bye.
root@bt:/pentest/enumeration/dns/dnsenum#

I think the output of dnsenum is pretty slick! You can quickly grab a bunch of information about a specific domain that provides a great starting point for information gathering. You will rarely succeed with the AXFR (zone transfer) queries, since a properly configured name server only allows transfers to its own secondaries, but attempting them costs nothing unless you are trying to be stealthy: an AXFR request is a TCP query sent straight to the authoritative server and will show up in its query logs. If you do come across a name server that answers an AXFR, it is a major finding: a successful zone transfer hands you every DNS record in the zone, including internal hostnames and addresses that were never meant to be public.
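To see what is actually on the wire when dnsenum prints "AXFR record query failed: NOERROR", here is a small zone-transfer probe. It is an added example written for this article, not code from dnsenum: it uses only the Python standard library, follows the RFC 1035 wire format, and the replies it is checked against are constructed samples rather than captures from the cnn.com servers above. The live axfr() function takes the name server address and domain from the caller; those, and the fixed transaction ID, are assumptions of the example.

```python
"""AXFR probe: build the query, read the TCP reply stream, classify the result.
Added example for this article (not dnsenum's code); wire format per RFC 1035."""
import socket
import struct

QTYPE_A, QTYPE_SOA, QTYPE_AXFR, QCLASS_IN = 1, 6, 252, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def encode_name(name):
    """RFC 1035 label encoding: 'cnn.com' -> 3 'cnn' 3 'com' 0."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_axfr_query(domain, txid=0x1234):
    """Header (QR=0, RD=0, QDCOUNT=1) followed by the question <domain> AXFR IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(domain) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)

def build_reply(domain, rcode, answers, txid=0x1234):
    """Encode a server reply (used to construct offline samples); answers are (owner, rtype, rdata)."""
    msg = struct.pack("!HHHHHH", txid, 0x8000 | rcode, 1, len(answers), 0, 0)
    msg += encode_name(domain) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)
    for owner, rtype, rdata in answers:
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, QCLASS_IN, 3600, len(rdata)) + rdata
    return msg

def read_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end, jumped = off + 2, True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_response(msg):
    """Return (rcode name, [(owner, rtype, rdata), ...]) for one DNS message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the echoed question(s)
        off = read_name(msg, off)[1] + 4
    records = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        records.append((owner, rtype, msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), records

def classify_axfr(messages):
    """A real transfer is a NOERROR stream whose answers open and close with the
    zone SOA. NOERROR without that (usually an empty answer section) is what
    dnsenum prints as "failed: NOERROR"; REFUSED is what a locked-down server says."""
    rrs = []
    for msg in messages:
        rcode, records = parse_response(msg)
        if rcode != "NOERROR":
            return "failed: " + rcode, rrs
        rrs.extend(records)
    if len(rrs) >= 2 and rrs[0][1] == QTYPE_SOA and rrs[-1][1] == QTYPE_SOA:
        return "transferred", rrs
    return "failed: NOERROR", rrs

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf

def axfr(nameserver, domain, timeout=10):
    """Live probe. AXFR is TCP with a 2-byte length prefix per message; read
    until the closing SOA arrives or the server stops sending."""
    query = build_axfr_query(domain)
    messages, soa_seen = [], 0
    with socket.create_connection((nameserver, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        while soa_seen < 2:
            try:
                (length,) = struct.unpack("!H", recv_exact(s, 2))
                msg = recv_exact(s, length)
            except (ConnectionError, socket.timeout):
                break
            messages.append(msg)
            rcode, records = parse_response(msg)
            if rcode != "NOERROR" or not records:
                break
            soa_seen += sum(1 for rr in records if rr[1] == QTYPE_SOA)
    return classify_axfr(messages)

if __name__ == "__main__":
    import sys
    verdict, rrs = axfr(sys.argv[1], sys.argv[2])   # e.g. a.iana-servers.net example.com
    print(verdict, "-", len(rrs), "records")
```

A correctly configured authoritative server answers REFUSED or simply closes the connection; NOERROR with an empty answer section is the other common refusal and is what dnsenum reported for every cnn.com server above. Only a stream that opens and closes with the zone's SOA is a real transfer. The manual equivalent on Backtrack is dig @nameserver domain AXFR.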

Notice that the documentation lists nine items that dnsenum will provide. Unfortunately this is not entirely true on Backtrack Linux 5, as a couple of the outputs do not appear to be working correctly. I hope to look at this in more detail in the future, but for now we will note each of the nine items and provide examples where possible. For each item I have trimmed the output to the part relevant to that item; the default command (domain only, no switches) still prints a good deal more to the screen.

dnsenum Functionality And Output On Backtrack Linux 5 R3:

Output Data: Output Hostname – ONE

Status: Functional

Command Example/Necessary Switches: perl dnsenum.pl example.com

Hostname Example Output:

Host's addresses:
__________________

example.com                              103059   IN    A        192.0.43.10

Output Data: Output Name Servers – TWO

Status: Functional

Command Example/Necessary Switches: perl dnsenum.pl example.com

Name Servers Example Output:

Name Servers:
______________

a.iana-servers.net                       1143     IN    A        199.43.132.53
b.iana-servers.net                       1143     IN    A        199.43.133.53

Output Data: Output MX Records – THREE

Status: Functional

Command Example/Necessary Switches: perl dnsenum.pl SomeDomain.com

MX Records Example Output:

Mail (MX) Servers:
___________________

ASPMX.L.GOOGLE.com                       9        IN    A        74.125.142.27
ALT1.ASPMX.L.GOOGLE.com                  84       IN    A        173.194.74.26
ALT2.ASPMX.L.GOOGLE.com                  147      IN    A        74.125.131.27
ASPMX2.GOOGLEMAIL.com                    282      IN    A        173.194.74.26
ASPMX3.GOOGLEMAIL.com                    286      IN    A        74.125.131.26

Output Data: Zone/AXFR Queries To Name Servers – FOUR

Status: Functional

Command Example/Necessary Switches: perl dnsenum.pl SomeDomain.com

Zone Transfer/AXFR Query Example Output:

Trying Zone Transfer for example.com on a.iana-servers.net ...
AXFR record query failed: NOERROR

a.iana-servers.net Bind Version: )You shouldn't ask a lady about her age :)

Trying Zone Transfer for example.com on b.iana-servers.net ...
AXFR record query failed: NOERROR

b.iana-servers.net Bind Version: 9.8.3-vjs197.16-P3

Output Data: Scrape Sub Domains From Google – FIVE

Status: Not Functional

Command Example/Necessary Switches: perl dnsenum.pl -s 5 -p 5 SomeDomain.com

Google Sub Domain Scrape Example Output:

 ----   Google search page: 1   ----

 ----   Google search page: 2   ----

 ----   Google search page: 3   ----

 ----   Google search page: 4   ----

 ----   Google search page: 5   ----

Google Results:
________________

  perhaps Google is blocking our queries.
 Check manually.

Notes: Since this is not functional you can run the same query manually in a Google search: allinurl: -www site:DOMAIN-NAME-HERE

Output Data: Bruteforce Sub Domains From File – SIX

Status: Functional

Command Example/Necessary Switches: perl dnsenum.pl -f somefile.txt --dnsserver 8.8.8.8 example.com

Bruteforced Sub Domains Example Output:

Brute forcing with subdomains.txt:
___________________________________

access.cnn.com                           2066     IN    A        64.20.247.69
ads.cnn.com                              96       IN    A        157.166.255.216
asia.cnn.com                             300      IN    CNAME
edition.cnn.com                          3600     IN    CNAME
www.edition.cnn.com                      3600     IN    CNAME
www.edition.cnn.com.vgtf.net             28       IN    CNAME
cnnintl-56m.gslb.vgtf.net                156      IN    A        157.166.249.13
cnnintl-56m.gslb.vgtf.net                156      IN    A        157.166.248.13
avatar.cnn.com                           3300     IN    CNAME
ireport.com                              3300     IN    A        157.166.224.6
ireport.com                              3300     IN    A        157.166.255.213
ireport.com                              3300     IN    A        157.166.224.4
channel.cnn.com                          2075     IN    A        207.25.71.117
election.cnn.com                         2675     IN    CNAME
reflector2.turner.com                    2675     IN    A        157.166.246.219

Notes: We are using the Google public DNS server 8.8.8.8 here, but you can replace it with any DNS server you like. It can be beneficial to point --dnsserver at one of the target company's own authoritative name servers, which answers from the zone itself rather than from a cache (at the cost of sending the whole brute-force run directly to the target), or at a resolver you have set up yourself. Note also that CNAME rows are printed with an empty target column; the rows immediately below them are the chain the alias resolves through until an A record is reached, as with asia.cnn.com above.
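The first cnn.com run above ended with "Wildcards detected, all subdomains will point to the same IP address, bye." because dnsenum checks for a wildcard record before brute forcing and gives up when it finds one. The following is an added example for this article (not dnsenum's code) of a brute forcer that measures the wildcard answer and filters it out instead of quitting. The resolver is injected so the example runs offline against a constructed zone table (FAKE_ZONE, a made-up example.com); live_resolve uses the system resolver for real runs, and the thread and probe counts are arbitrary choices.

```python
"""Wildcard-aware subdomain brute force. Added example for this article, not
dnsenum's code; FAKE_ZONE is a constructed stand-in for a real zone."""
import random
import socket
import string
from concurrent.futures import ThreadPoolExecutor

# Constructed answer table. The "*.example.com" entry is a wildcard, which is
# the situation behind dnsenum's "Wildcards detected ... bye." message.
FAKE_ZONE = {
    "www.example.com": ["192.0.43.10"],
    "mail.example.com": ["192.0.43.20"],
    "dev.example.com": ["10.1.1.5"],
    "*.example.com": ["192.0.43.99"],
}

def fake_resolve(name):
    """Behave like a resolver in front of FAKE_ZONE, including wildcard synthesis."""
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    parent = name.partition(".")[2]
    return FAKE_ZONE.get("*." + parent, [])

def live_resolve(name):
    """Real lookup through the system resolver; [] on NXDOMAIN or failure."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def wildcard_addresses(domain, resolve, probes=3):
    """Resolve a few random labels nobody would register; any address they all
    share is the wildcard answer and must be discounted during brute force."""
    answers = []
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=12))
        answers.append(set(resolve(f"{label}.{domain}")))
    return set.intersection(*answers) if answers else set()

def brute_force(domain, wordlist, resolve, threads=10):
    """Return {fqdn: [addresses]} for words that resolve to something other than
    the wildcard address(es). Filtering replaces dnsenum's abort, so real hosts
    that sit beside a wildcard are still found."""
    wild = wildcard_addresses(domain, resolve)
    names = [f"{w.strip()}.{domain}" for w in wordlist if w.strip()]
    found = {}
    with ThreadPoolExecutor(max_workers=threads) as pool:
        for name, addrs in zip(names, pool.map(resolve, names)):
            real = [a for a in addrs if a not in wild]
            if real:
                found[name] = real
    return found

if __name__ == "__main__":
    words = ["www", "mail", "dev", "ftp", "vpn"]
    print("wildcard:", wildcard_addresses("example.com", fake_resolve))
    for name, addrs in brute_force("example.com", words, fake_resolve).items():
        print(f"{name:40} {', '.join(addrs)}")
```

The limitation is the obvious one: a real host whose address happens to equal the wildcard address is filtered along with the noise; comparing CNAME targets or TTLs would separate them, which this example does not attempt. To brute force from a file, pass open("somefile.txt") as the wordlist.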

Output Data: Calculate Network Blocks – SEVEN

Status: Functional

Command Example/Necessary Switches: perl dnsenum.pl -f somefile.txt --dnsserver 8.8.8.8 example.com

Network Blocks Example Output:

question-defense.com class C netranges:
________________________________________

 192.168.54.0/24
 10.11.54.0/24

Notes: The example above shows RFC 1918 (private) address space, but in real output you would only see public ranges unless you specify the --private switch, in which case the private networks are listed at the bottom of the output file.

Output Data: Perform Reverse Lookups On IP Ranges – EIGHT

Status: Not Functional

Command Example/Necessary Switches: Default Command, No Switches Required

IP Range Reverse Lookup Results Example Output:

Performing reverse lookup on 512 ip addresses:
_______________________________________________

0 results out of 512 IP addresses.

Notes: If you want to run reverse lookups manually against the subnets you could use something like the following command. It was adapted from a broken command found elsewhere online; the awk filter is restricted to nmap's "Nmap scan report" lines so that the banner and summary lines are not mangled into the output. It is not perfect, but it provides a quick and dirty way to run reverse lookups on large IP subnets.

root@bt:/pentest/enumeration/dns/dnsenum# nmap -R -sL 64.20.247.69/30 | awk '/^Nmap scan report/ {if($6=="")print"("$5") no PTR";else print$6" is "$5}'
(64.20.247.68) is mail7.access.cnn.com
(64.20.247.69) is mail8.access.cnn.com
(64.20.247.70) is mail9.access.cnn.com
(64.20.247.71) is mail10.access.cnn.com
root@bt:/pentest/enumeration/dns/dnsenum#

Output Data: Output Non-Contiguous IP-Blocks Results To File – NINE

Status: Functional

Command Example/Necessary Switches: perl dnsenum.pl -f dns.txt --dnsserver 8.8.8.8 --noreverse cnn.com

Non-Contiguous IP-Block Example Output:

root@bt:/pentest/enumeration/dns/dnsenum# cat cnn.com_ips.txt
64.20.247.69/32
64.236.16.20/32
64.236.26.21/32
157.166.224.185/32
157.166.224.186/32
157.166.226.25/32
157.166.226.26/32
157.166.226.185/32
157.166.226.186/32
157.166.236.65/32
157.166.236.135/32
157.166.246.208/32
157.166.255.18/31
157.166.255.216/32
207.25.71.114/32
207.25.71.117/32
root@bt:/pentest/enumeration/dns/dnsenum#

Notes: Notice that most of the entries above are single /32 hosts rather than real subnets; I also cut the results short to save space in the article. You will definitely run across larger networks when using dnsenum.
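Items EIGHT and NINE are the reverse sweep and the non-contiguous block calculation, and since the reverse sweep is not working on this Backtrack build, here is an added example for this article (not dnsenum's code) that does both: sweep a netrange for PTR records, keep only names inside the target domain (optionally dropping names that match a regexp, like dnsenum's -e switch), and collapse the resulting addresses into minimal CIDR blocks, which is the format of domain_ips.txt. The PTR lookup is injected so the demo runs offline on a constructed table (FAKE_PTR: the first four names copy what the nmap sweep above returned, the remaining two are made up); live_ptr goes through the system resolver.

```python
"""Reverse sweep plus non-contiguous block calculation. Added example for this
article, not dnsenum's code; FAKE_PTR is a constructed table for offline use."""
import ipaddress
import re
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed PTR table: .68-.71 echo the nmap sweep in the article, the last
# two entries are invented to exercise the domain filter and the -e style exclude.
FAKE_PTR = {
    "64.20.247.68": "mail7.access.cnn.com",
    "64.20.247.69": "mail8.access.cnn.com",
    "64.20.247.70": "mail9.access.cnn.com",
    "64.20.247.71": "mail10.access.cnn.com",
    "64.20.247.72": "unassigned.hosting-provider.net",
    "64.20.247.73": "bogus-ptr.cnn.com",
}

def fake_ptr(ip):
    return FAKE_PTR.get(str(ip))

def live_ptr(ip):
    """Real PTR lookup; None when there is no record or the query fails."""
    try:
        return socket.gethostbyaddr(str(ip))[0]
    except (socket.herror, socket.gaierror, OSError):
        return None

def reverse_sweep(netrange, domain, ptr=live_ptr, exclude=None, threads=20):
    """Map address -> PTR name for every address in netrange, keeping only names
    inside `domain` (as dnsenum does) and dropping anything matching the
    `exclude` regexp (dnsenum's -e switch)."""
    net = ipaddress.ip_network(netrange, strict=False)
    suffix = "." + domain.lower().rstrip(".")
    pattern = re.compile(exclude) if exclude else None
    addresses = list(net)
    found = {}
    with ThreadPoolExecutor(max_workers=threads) as pool:
        for ip, name in zip(addresses, pool.map(ptr, addresses)):
            if not name:
                continue
            name = name.lower().rstrip(".")
            if not name.endswith(suffix) or (pattern and pattern.search(name)):
                continue
            found[str(ip)] = name
    return found

def noncontiguous_blocks(addresses):
    """Collapse addresses into the smallest covering CIDRs, the form domain_ips.txt
    takes (157.166.255.18 and .19 become 157.166.255.18/31)."""
    nets = [ipaddress.ip_network(a) for a in addresses]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def split_private(blocks):
    """dnsenum only lists RFC 1918 space with --private, after the public blocks."""
    public = [b for b in blocks if not ipaddress.ip_network(b).is_private]
    private = [b for b in blocks if ipaddress.ip_network(b).is_private]
    return public, private

if __name__ == "__main__":
    hits = reverse_sweep("64.20.247.64/28", "cnn.com", ptr=fake_ptr, exclude=r"^bogus")
    for ip, name in sorted(hits.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        print(f"{ip:18} {name}")
    for block in noncontiguous_blocks(hits):
        print(block)
```

The collapse step is what turns 157.166.255.18 and .19 into the 157.166.255.18/31 line in cnn.com_ips.txt above. A /16 such as the 157.166.0.0/16 whois result is 65,536 PTR queries, which is why dnsenum warns that reverse lookups on whois netranges take a long time; keep the thread count modest against name servers you do not own.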

Out of all nine of the functions dnsenum describes in its man page, only two are not functional at this time. It appears that dnsenum has held up fairly well over time, which is impressive considering it hasn't been updated in so long. One more switch that appears not to be functional at all times, but does work some of the time, is the --subfile switch, which writes the located subdomains to the file named after the switch. I believe it either has something to do with the number of subdomains located or with the switch combinations used, so you might try a couple of different switch combinations if you need the --subfile functionality. Below we show our final example, which combines many of the above examples into one large domain recon command that could be useful when information gathering on a specific domain!

dnsenum – Multi Switch Use Example On Backtrack Linux:

root@bt:/pentest/enumeration/dns/dnsenum# perl dnsenum.pl -f dns2.txt --dnsserver 8.8.8.8 --enum --private --subfile cnn-sub-domains.txt --noreverse cnn.com
dnsenum.pl VERSION:1.2.2

-----   cnn.com   -----

Host's addresses:
__________________

cnn.com                                  18       IN    A        157.166.226.26
cnn.com                                  18       IN    A        157.166.255.18
cnn.com                                  18       IN    A        157.166.255.19
cnn.com                                  18       IN    A        157.166.226.25

Name Servers:
______________

ns1.p42.dynect.net                       21359    IN    A        208.78.70.42
ns3.timewarner.net                       8        IN    A        199.7.68.238
ns1.timewarner.net                       238      IN    A        204.74.108.238
ns2.p42.dynect.net                       6727     IN    A        204.13.250.42

Mail (MX) Servers:
___________________

atlmail3.turner.com                      257      IN    A        157.166.174.56
atlmail5.turner.com                      257      IN    A        157.166.165.14
hkgmail1.turner.com                      77       IN    A        168.161.96.115
lonmail1.turner.com                      253      IN    A        157.166.216.142
nycmail1.turner.com                      257      IN    A        157.166.157.8
nycmail2.turner.com                      257      IN    A        157.166.157.10

Trying Zone Transfers and getting Bind Versions:
_________________________________________________

Trying Zone Transfer for cnn.com on ns1.timewarner.net ...
AXFR record query failed: NOERROR

ns1.timewarner.net Bind Version: UltraDNS Resolver

Trying Zone Transfer for cnn.com on ns1.p42.dynect.net ...
AXFR record query failed: NOERROR

9.6-ESV-R7-P3t.net Bind Version:

Trying Zone Transfer for cnn.com on ns2.p42.dynect.net ...
AXFR record query failed: NOERROR

9.6-ESV-R7-P3t.net Bind Version:

Trying Zone Transfer for cnn.com on ns3.timewarner.net ...
AXFR record query failed: no nameservers
Unable to obtain Server Version for ns3.timewarner.net : no nameservers

Scraping cnn.com subdomains from Google:
_________________________________________

 ----   Google search page: 1   ----

 ----   Google search page: 2   ----

 ----   Google search page: 3   ----

....Results Cut To Shorten Output....

 ----   Google search page: 17   ----

 ----   Google search page: 18   ----

 ----   Google search page: 19   ----

 ----   Google search page: 20   ----

Google Results:
________________

  perhaps Google is blocking our queries.
 Check manually.

Brute forcing with dns2.txt:
_____________________________

access.cnn.com                           1177     IN    A        64.20.247.69
ads.cnn.com                              249      IN    A        157.166.255.218
www.cnn.com                              3122     IN    CNAME
www.cnn.com.vgtf.net                     14       IN    CNAME
cnn-56m.gslb.vgtf.net                    164      IN    A        157.166.248.10
cnn-56m.gslb.vgtf.net                    164      IN    A        157.166.249.10
cnn-56m.gslb.vgtf.net                    164      IN    A        157.166.248.11
cnn-56m.gslb.vgtf.net                    164      IN    A        157.166.249.11
search.cnn.com                           1858     IN    CNAME
search3.turner.com                       1858     IN    A        157.166.253.205
search3.turner.com                       1858     IN    A        157.166.246.202
phone.cnn.com                            1227     IN    CNAME
rss.cnn.com                              2048     IN    CNAME
cnn.feedproxy.ghs.google.com             300      IN    CNAME
ghs.l.google.com                         300      IN    A        74.125.142.121
www.cnn.com                              1227     IN    CNAME
www.cnn.com.vgtf.net                     150      IN    CNAME
cnn-lax-tmp.gslb.vgtf.net                30       IN    A        157.166.240.13
election.cnn.com                         1789     IN    CNAME
reflector2.turner.com                    1789     IN    A        157.166.246.219
channel.cnn.com                          1187     IN    A        207.25.71.117
trends.cnn.com                           3588     IN    CNAME
trends.cnn.com.vgtf.net                  18       IN    A        157.166.246.141
trends.cnn.com.vgtf.net                  18       IN    A        157.166.246.145
xml.cnn.com                              1249     IN    CNAME
robots.cnn.com                           1249     IN    A        157.166.226.185
robots.cnn.com                           1249     IN    A        157.166.224.185
robots.cnn.com                           3600     IN    A        157.166.224.185
robots.cnn.com                           3600     IN    A        157.166.226.185

Launching Whois Queries:
_________________________

 whois ip result:   157.166.224.0      ->      157.166.0.0/16
 whois ip result:   64.20.247.0        ->      64.20.224.0/19
 whois ip result:   207.25.71.0        ->      207.25.71.0/24

cnn.com_______

 157.166.0.0/16
 207.25.71.0/24
 64.20.224.0/19

cnn.com ip blocks:
___________________

 64.20.247.69/32
 157.166.224.185/32
 157.166.226.25/32
 157.166.226.26/32
 157.166.226.185/32
 157.166.255.18/31
 157.166.255.218/32
 207.25.71.117/32

done.
root@bt:/pentest/enumeration/dns/dnsenum#

There you have it… dnsenum examples and information regarding its current status in Backtrack Linux version 5 release 3. If anyone has any additions in terms of functionality either email me or note in the comments below!

