Dnsenum is a very robust script which was actually written by one of the Backtrack developers when Backtrack was still a Remote-Exploit Project. The author, Filip (barbsie) Waeytens is a Web Application penetration tester and has extensive experience on the topic of DNS and information gathering. Today we will look at some examples of using Dnsenum to passively gather information on a target.
The purpose of Dnsenum is to gather as much information as possible about a domain. The program currently performs the following operations:
1) Get the host's address (A record).
2) Get the nameservers (threaded).
3) Get the MX record (threaded).
4) Perform AXFR queries on nameservers (threaded).
5) Get extra names and subdomains via Google scraping (Google query = "allinurl: -www site:domain").
6) Brute force subdomains from a file; can also recurse on subdomains that have NS records (all threaded).
7) Calculate C class domain network ranges and perform whois queries on them (threaded).
8) Perform reverse lookups on netranges (C class and/or whois netranges) (threaded).
9) Write the IP blocks to the domain_ips.txt file.
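To make the list above concrete, here is an added example in plain Python (my own code, not dnsenum's, and standard library only) that reimplements three of those steps offline: parsing a zone transfer answer into records, collapsing the A record addresses into C class (/24) ranges as step 7 does, and the wildcard check that produces the "Wildcards detected" line later in this post. The input is a constructed AXFR answer built from the remote-exploit.org records shown further down, and `make_fake_resolver` is an assumed stand-in for a real DNS resolver so the wildcard check can run without network access.

```python
"""Added example, not part of dnsenum: record parsing, C class netrange
calculation and wildcard detection, run on records embedded inline."""
import ipaddress
import random
import string
from collections import defaultdict

# Constructed input: a zone transfer answer in the format dnsenum prints,
# using the remote-exploit.org records shown later in this post.
AXFR_OUTPUT = """\
remote-exploit.org. 14400 IN SOA ns1.icehosting.com. root.remote-exploit.org. (
2010030203 ; Serial
86400 ) ; Minimum TTL
remote-exploit.org. 14400 IN MX 10 mail2.remote-exploit.org.
remote-exploit.org. 14400 IN A 97.74.188.5
remote-exploit.org. 14400 IN NS ns1.icehosting.com.
balkan.remote-exploit.org. 14400 IN A 208.68.234.113
beta.remote-exploit.org. 14400 IN A 78.159.102.208
forum.remote-exploit.org. 14400 IN CNAME forums.remote-exploit.org.
forums.remote-exploit.org. 14400 IN A 208.68.234.113
localhost.remote-exploit.org. 14400 IN A 127.0.0.1
mail.remote-exploit.org. 14400 IN A 147.87.98.225
www.remote-exploit.org. 14400 IN A 97.74.188.5
"""


def parse_records(text):
    """Return (owner, type, rdata) triples from zone-file style lines.
    SOA continuation lines ("2010030203 ; Serial") have no IN class field
    and are skipped; owners are lower-cased with the trailing dot removed."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN":
            owner = parts[0].rstrip(".").lower()
            records.append((owner, parts[3], " ".join(parts[4:])))
    return records


def subdomains(records, domain):
    """Every name under the domain the zone exposes, whether it appears as
    a record owner or as an NS, MX or CNAME target."""
    suffix = "." + domain.lower()
    names = set()
    for owner, rtype, rdata in records:
        candidates = [owner]
        if rtype in ("NS", "MX", "CNAME"):
            candidates.append(rdata.split()[-1].rstrip(".").lower())
        names.update(c for c in candidates if c.endswith(suffix))
    return sorted(names)


def class_c_ranges(records, private=False):
    """Step 7: collapse A record addresses into /24 ("C class") networks.
    As with dnsenum without --private, loopback and private addresses such
    as the localhost.remote-exploit.org entry are dropped unless asked for."""
    nets = set()
    for _owner, rtype, rdata in records:
        if rtype != "A":
            continue
        ip = ipaddress.ip_address(rdata)
        if not private and (ip.is_private or ip.is_loopback):
            continue
        nets.add(ipaddress.ip_network(f"{ip}/24", strict=False))
    return sorted(nets)


def make_fake_resolver(records, wildcard_ip=None):
    """Assumed offline stand-in for DNS: answers A records from the parsed
    zone and, if wildcard_ip is given, answers every other name with it."""
    table = defaultdict(set)
    for owner, rtype, rdata in records:
        if rtype == "A":
            table[owner].add(rdata)

    def resolve(name):
        name = name.rstrip(".").lower()
        if name in table:
            return set(table[name])
        return {wildcard_ip} if wildcard_ip else set()

    return resolve


def detect_wildcard(resolve, domain, attempts=3):
    """The check behind "Wildcards detected": resolve random labels that
    cannot exist. If all of them answer with the same address the zone has a
    wildcard, and brute-force hits must be filtered against that address or
    they mean nothing. Returns the wildcard address set, or None."""
    answers = []
    for _ in range(attempts):
        label = "".join(random.choices(string.ascii_lowercase, k=12))
        answers.append(frozenset(resolve(f"{label}.{domain}")))
    if all(answers) and len(set(answers)) == 1:
        return set(answers[0])
    return None


if __name__ == "__main__":
    recs = parse_records(AXFR_OUTPUT)
    print("names:", subdomains(recs, "remote-exploit.org"))
    print("C class ranges:", [str(n) for n in class_c_ranges(recs)])
    wild = make_fake_resolver(recs, wildcard_ip="208.68.234.113")
    print("wildcard:", detect_wildcard(wild, "remote-exploit.org"))
```

The wildcard check is the part worth copying into your own tooling: dnsenum refuses to continue brute forcing once it sees one, because every guessed name would "resolve" and the results would be noise rather than a real list of hosts.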
First, let's have a look at the help menu:
```
root@bt:/pentest/enumeration/dnsenum# ./dnsenum.pl
dnsenum.pl VERSION:1.2
Usage: dnsenum.pl [Options] <domain>
[Options]:
Note: the brute force -f switch must be specified to be able to continue
the process execution.
GENERAL OPTIONS:
  --dnsserver <server>
                        Use this DNS server for A, NS and MX queries.
  --enum                Shortcut option equivalent to --threads 5 -s 20 -w.
  -h, --help            Print this help message.
  --noreverse           Skip the reverse lookup operations.
  --private             Show and save private ips at the end of the file
                        domain_ips.txt.
  --subfile <file>      Write all valid subdomains to this file.
  -t, --timeout <value> The tcp and udp timeout values in seconds
                        (default: 10s).
  --threads <value>     The number of threads that will perform different
                        queries.
  -v, --verbose         Be verbose: show all the progress and all the error
                        messages.
GOOGLE SCRAPING OPTIONS:
  -p, --pages <value>   The number of google search pages to process when
                        scraping names, the default is 20 pages,
                        the -s switch must be specified.
  -s, --scrap <value>   The maximum number of subdomains that will be scraped
                        from google.
BRUTE FORCE OPTIONS:
  -f, --file <file>     Read subdomains from this file to perform brute force.
  -u, --update <a|g|r|z>
                        Update the file specified with the -f switch with
                        vaild subdomains.
        a (all)         Update using all results.
        g               Update using only google scraping results.
        r               Update using only reverse lookup results.
        z               Update using only zonetransfer results.
  -r, --recursion       Recursion on subdomains, brute force all discovred
                        subdomains that have an NS record.
WHOIS NETRANGE OPTIONS:
  -d, --delay <value>   The maximum value of seconds to wait between whois
                        queries, the value is defined randomly, default: 3s.
  -w, --whois           Perform the whois queries on c class network ranges.
                        **Warning**: this can generate very large netranges
                        and it will take lot of time to performe reverse
                        lookups.
REVERSE LOOKUP OPTIONS:
  -e, --exclude <regexp>
                        Exclude PTR records that match the regexp expression
                        from reverse lookup results, useful on invalid
                        hostnames.
```
As you can see, this is an extremely robust script with a lot of options. I will try to give some useful real-world examples.
The easiest way to use dnsenum is to run it with no options, just the target domain:
```
root@bt:/pentest/enumeration/dnsenum# ./dnsenum.pl cnn.com
dnsenum.pl VERSION:1.2
----- cnn.com -----
-----------------
Host's addresses:
-----------------
cnn.com. 5 IN A 157.166.224.26
cnn.com. 5 IN A 157.166.226.25
cnn.com. 5 IN A 157.166.226.26
cnn.com. 5 IN A 157.166.255.18
cnn.com. 5 IN A 157.166.255.19
cnn.com. 5 IN A 157.166.224.25
-------------
Name servers:
-------------
ns1.timewarner.net. 5 IN A 204.74.108.238
ns3.timewarner.net. 5 IN A 199.7.68.238
ns5.timewarner.net. 5 IN A 204.74.109.238
-----------
MX record:
-----------
hkgmail1.turner.com. 5 IN A 168.161.96.115
lonmail1.turner.com. 5 IN A 157.166.216.142
nycmail1.turner.com. 5 IN A 157.166.157.8
nycmail2.turner.com. 5 IN A 157.166.157.10
atlmail3.turner.com. 5 IN A 157.166.174.56
atlmail5.turner.com. 5 IN A 157.166.165.14
---------------------
Trying Zonetransfers:
---------------------
trying zonetransfer for cnn.com on ns1.timewarner.net ...
trying zonetransfer for cnn.com on ns3.timewarner.net ...
trying zonetransfer for cnn.com on ns5.timewarner.net ...
Wildcards detected, all subdomains will point to the same ip address, bay.
```
This gives us some interesting info, including the host IPs, nameservers and MX records. Note that all three zone transfer attempts came back empty, and the final line tells us the zone has a wildcard record, so any subdomain brute force against it would need the wildcard address filtered out to be meaningful.
Now let's try a slightly more advanced query on a site I know has lots of subdomains:
```
root@666:/pentest/enumeration/dnsenum# ./dnsenum.pl --enum -f dns.txt --update a -r remote-exploit.org
dnsenum.pl VERSION:1.2
----- remote-exploit.org -----
-----------------
Host's addresses:
-----------------
remote-exploit.org. 14400 IN A 97.74.188.5
-------------
Name servers:
-------------
ns1.icehosting.com. 26006 IN A 78.159.102.208
ns2.icehosting.com. 26006 IN A 78.159.105.254
-----------
MX record:
-----------
mail2.remote-exploit.org. 14400 IN A 147.87.98.225
mail.remote-exploit.org. 14400 IN A 147.87.98.225
---------------------
Trying Zonetransfers:
---------------------
trying zonetransfer for remote-exploit.org on ns1.icehosting.com ...
remote-exploit.org. 14400 IN SOA ns1.icehosting.com. root.remote-exploit.org. (
2010030203 ; Serial
14400 ; Refresh
3600 ; Retry
1209600 ; Expire
86400 ) ; Minimum TTL
remote-exploit.org. 14400 IN MX 10 mail2.remote-exploit.org.
remote-exploit.org. 14400 IN MX 20 mail.remote-exploit.org.
remote-exploit.org. 14400 IN A 97.74.188.5
remote-exploit.org. 14400 IN NS ns1.icehosting.com.
remote-exploit.org. 14400 IN NS ns2.icehosting.com.
balkan.remote-exploit.org. 14400 IN A 208.68.234.113
beta.remote-exploit.org. 14400 IN A 78.159.102.208
de.remote-exploit.org. 14400 IN A 208.68.234.113
es.remote-exploit.org. 14400 IN A 208.68.234.113
foo.remote-exploit.org. 14400 IN A 208.68.234.113
forum.remote-exploit.org. 14400 IN CNAME forums.remote-exploit.org.
forums.remote-exploit.org. 14400 IN A 208.68.234.113
fr.remote-exploit.org. 14400 IN A 208.68.234.113
ftp.remote-exploit.org. 14400 IN A 78.159.102.208
it.remote-exploit.org. 14400 IN A 208.68.234.113
localhost.remote-exploit.org. 14400 IN A 127.0.0.1
mail.remote-exploit.org. 14400 IN A 147.87.98.225
mail2.remote-exploit.org. 14400 IN A 147.87.98.225
new.remote-exploit.org. 14400 IN A 78.159.102.208
oldwiki.remote-exploit.org. 14400 IN A 78.159.102.208
pop.remote-exploit.org. 14400 IN A 78.159.102.208
smtp.remote-exploit.org. 14400 IN A 78.159.102.208
www.remote-exploit.org. 14400 IN A 97.74.188.5
trying zonetransfer for remote-exploit.org on ns2.icehosting.com ...
remote-exploit.org. 14400 IN SOA ns1.icehosting.com. root.remote-exploit.org. (
2010030203 ; Serial
14400 ; Refresh
3600 ; Retry
1209600 ; Expire
86400 ) ; Minimum TTL
remote-exploit.org. 14400 IN MX 10 mail2.remote-exploit.org.
remote-exploit.org. 14400 IN MX 20 mail.remote-exploit.org.
remote-exploit.org. 14400 IN A 97.74.188.5
remote-exploit.org. 14400 IN NS ns1.icehosting.com.
remote-exploit.org. 14400 IN NS ns2.icehosting.com.
balkan.remote-exploit.org. 14400 IN A 208.68.234.113
beta.remote-exploit.org. 14400 IN A 78.159.102.208
de.remote-exploit.org. 14400 IN A 208.68.234.113
es.remote-exploit.org. 14400 IN A 208.68.234.113
foo.remote-exploit.org. 14400 IN A 208.68.234.113
forum.remote-exploit.org. 14400 IN CNAME forums.remote-exploit.org.
forums.remote-exploit.org. 14400 IN A 208.68.234.113
fr.remote-exploit.org. 14400 IN A 208.68.234.113
ftp.remote-exploit.org. 14400 IN A 78.159.102.208
it.remote-exploit.org. 14400 IN A 208.68.234.113
localhost.remote-exploit.org. 14400 IN A 127.0.0.1
mail.remote-exploit.org. 14400 IN A 147.87.98.225
mail2.remote-exploit.org. 14400 IN A 147.87.98.225
new.remote-exploit.org. 14400 IN A 78.159.102.208
oldwiki.remote-exploit.org. 14400 IN A 78.159.102.208
pop.remote-exploit.org. 14400 IN A 78.159.102.208
smtp.remote-exploit.org. 14400 IN A 78.159.102.208
www.remote-exploit.org. 14400 IN A 97.74.188.5
Wildcards detected, all subdomains will point to the same ip address, bay.
```
At this point, if we were attacking the company remote-exploit.org, we would have increased our attack surface by about 10 with all the new subdomains we have discovered. Note what made this possible: both nameservers answered the AXFR request and handed over the whole zone, so the brute-force wordlist was never even needed. On the defending side, restricting zone transfers to your own secondary nameservers is what closes this off.
Dnsenum is a great tool and should be in any hacker's toolkit.