The next tool I am going to look at is a really great Ruby script written by my friend Carlos (Dark Operator) Perez. It's called Dnsrecon and is included in BackTrack 4. This is a simple tool written for target enumeration during authorized penetration test engagements. It provides several different methods for enumerating targets via the DNS service.
Some of the features of dnsrecon are:
- Standard Record Enumeration for a given domain (A, NS, SOA and MX).
- Top Level Domain Expansion for a given domain.
- Zone Transfer against all NS records of a given domain.
- Reverse Lookup against a given IP range given a start and end IP.
- SRV Record enumeration, enumerating:
  - _gc._tcp.
  - _kerberos._tcp.
  - _kerberos._udp.
  - _ldap._tcp.
  - _test._tcp.
  - _sips._tcp.
  - _sip._udp.
  - _sip._tcp.
  - _aix._tcp.
  - _finger._tcp.
  - _ftp._tcp.
  - _http._tcp.
  - _nntp._tcp.
  - _telnet._tcp.
  - _whois._tcp.
  - _h323cs._tcp.
  - _h323cs._udp.
  - _h323be._tcp.
  - _h323be._udp.
  - _h323ls._tcp.
  - _h323ls._udp.
- Brute force hostnames and subdomains of a given target domain using a wordlist.
First let's have a look at the options:

```text
root@666:/pentest/enumeration/dnsrecon# ./dnsrecon.rb
Dnsrecon 1.5
By Carlos Perez
Email: carlos_perez@darkoperator.com
This is a simple tool writen for target enumeration during authorized penetration test
engaments. This tool provides diferent methods for enumerating targets thru DNS service.
USAGE:
ruby dnsrecon.rb <type> <arguments> <Optional:nameserver to use>
TYPES:
*** Reverse Lookup for Range ***
ruby dnsrecon.rb -r <start ip> <end ip> <Optional:nameserver to use>
*** Top Level Domain Expanssion ***
ruby dnsrecon.rb -tld <target domain> <Optional:nameserver to use>
*** DNS Host and Domain Bruteforce ***
ruby dnsrecon.rb -b <target domain> <file> <Optional:nameserver to use>
*** General DNS Query for NS, SOA and MX Records ***
ruby dnsrecon.rb -s <target domain> <Optional:nameserver to use>
*** Execute Zone transfer on each NS server reported ***
ruby dnsrecon.rb -axfr <target domain> <Optional:nameserver to use>
*** Enumerates most common SRV Records for a given domain ***
ruby dnsrecon.rb -srv <target domain> <Optional:nameserver to use>
```
The first option is to do a reverse DNS lookup for an entire IP range:

```text
root@666:/pentest/enumeration/dnsrecon# ./dnsrecon.rb -r 63.251.179.1 63.251.179.255
Reverse Lookup for IP Renge from 63.251.179.1 to 63.251.179.255
border8.fe2-19.arlova-3.den.pnap.net,63.251.179.76
border9.fe2-19.arlova-3.den.pnap.net,63.251.179.77
arlova-3.den.pnap.net,63.251.179.78
border8.ge3-5.den-den003-752.den.pnap.net,63.251.179.89
edge1.ge3-1.den003.pnap.net,63.251.179.90
border9.ge3-5.den-den003-753.den.pnap.net,63.251.179.93
edge2.ge3-1.den003.pnap.net,63.251.179.94
border8.3-1-vlan3502.westin-1.den.pnap.net,63.251.179.110
border6.e4-0.clearway-2.den.pnap.net,63.251.179.187
border1.e1-0.clearway-2.den.pnap.net,63.251.179.188
res-63-251-179-190.den.pnap.net,63.251.179.190
```
The next option finds all the top level domains for a domain name:

```text
root@666:/pentest/enumeration/dnsrecon# ./dnsrecon.rb -tld cnn.com
cnn.com.af,157.166.173.157,A
cnn.com.uk,8.15.7.123,A
cnn.com.uk,63.251.179.23,A
cnn.com.net,69.164.199.155,A
cnn.com.net,74.207.231.120,A
cnn.com.net,74.207.240.60,A
cnn.com.net,97.107.142.101,A
cnn.com.net,109.74.195.184,A
cnn.com.net,203.169.164.119,A
cnn.com.al,8.15.7.123,A
cnn.com.al,63.251.179.23,A
cnn.com.dz,8.15.7.123,A
cnn.com.dz,63.251.179.23,A
cnn.com.org,216.234.246.153,A
cnn.com.ad,8.15.7.123,A
cnn.com.ad,63.251.179.23,A
cnn.com.ao,8.15.7.123,A
cnn.com.ao,63.251.179.23,A
cnn.com.aq,8.15.7.123,A
cnn.com.aq,63.251.179.23,A
cnn.com.am,8.15.7.123,A
cnn.com.am,63.251.179.23,A
cnn.com.aw,8.15.7.123,A
cnn.com.aw,63.251.179.23,A
cnn.com.ag,157.166.173.157,A
cnn.com.ar,157.166.224.184,A
cnn.com.ar,157.166.226.184,A
cnn.com.ac,8.15.7.123,A
cnn.com.ac,63.251.179.23,A
cnn.com.au,72.34.39.135,A
```
Obviously there are many more results but I truncated them for the sake of the article.
In the next example we specify the -b option to brute force a domain using a text file of candidate hostnames, which in this example is hosts.txt:

```text
root@666:/pentest/enumeration/dnsrecon# ./dnsrecon.rb -b cnn.com hosts.txt
3com.cnn.com,8.15.7.123
3com.cnn.com,63.251.179.23
a.cnn.com,8.15.7.123
a.cnn.com,63.251.179.23
a1.cnn.com,8.15.7.123
a1.cnn.com,63.251.179.23
a.auth-ns.cnn.com,8.15.7.123
a.auth-ns.cnn.com,63.251.179.23
a02.cnn.com,8.15.7.123
a02.cnn.com,63.251.179.23
a01.cnn.com,8.15.7.123
a01.cnn.com,63.251.179.23
a2.cnn.com,8.15.7.123
a2.cnn.com,63.251.179.23
about.cnn.com,8.15.7.123
about.cnn.com,63.251.179.23
ac.cnn.com,8.15.7.123
ac.cnn.com,63.251.179.23
academico.cnn.com,8.15.7.123
academico.cnn.com,63.251.179.23
acceso.cnn.com,8.15.7.123
acceso.cnn.com,63.251.179.23
accounting.cnn.com,8.15.7.123
accounting.cnn.com,63.251.179.23
access.cnn.com,64.20.247.69
activestat.cnn.com,8.15.7.123
```
Once again I truncated the output but you should be able to get the idea.
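One thing worth noticing in that output is that almost every guessed name resolves to the same two addresses, which is the pattern a wildcard DNS record produces: a brute force run against such a zone returns a "hit" for every word in the list. The following Ruby script is an added example (not part of dnsrecon or the original post) that parses the tool's `hostname,ip` output, flags addresses shared by nearly all of the discovered names as wildcard answers, and keeps only the hosts that also map to something else. The sample input is copied from the run above; the 80% threshold is an assumption you can tune.

```ruby
require 'set'

# Sample input: the hostname,ip lines from the dnsrecon -b run above.
BRUTE_OUTPUT = <<~OUT
  3com.cnn.com,8.15.7.123
  3com.cnn.com,63.251.179.23
  a.cnn.com,8.15.7.123
  a.cnn.com,63.251.179.23
  a1.cnn.com,8.15.7.123
  a1.cnn.com,63.251.179.23
  a.auth-ns.cnn.com,8.15.7.123
  a.auth-ns.cnn.com,63.251.179.23
  a02.cnn.com,8.15.7.123
  a02.cnn.com,63.251.179.23
  a01.cnn.com,8.15.7.123
  a01.cnn.com,63.251.179.23
  a2.cnn.com,8.15.7.123
  a2.cnn.com,63.251.179.23
  about.cnn.com,8.15.7.123
  about.cnn.com,63.251.179.23
  ac.cnn.com,8.15.7.123
  ac.cnn.com,63.251.179.23
  academico.cnn.com,8.15.7.123
  academico.cnn.com,63.251.179.23
  acceso.cnn.com,8.15.7.123
  acceso.cnn.com,63.251.179.23
  accounting.cnn.com,8.15.7.123
  accounting.cnn.com,63.251.179.23
  access.cnn.com,64.20.247.69
  activestat.cnn.com,8.15.7.123
OUT

# Parse "hostname,ip" lines into [host, ip] pairs, skipping malformed lines
# (banners, blank lines, anything without a dotted-quad address).
def parse_brute_output(text)
  text.each_line.map(&:strip).reject(&:empty?).filter_map do |line|
    host, ip = line.split(',', 2)
    next unless host && ip && ip =~ /\A\d{1,3}(\.\d{1,3}){3}\z/
    [host.downcase, ip]
  end
end

# An address returned for at least `ratio` of all distinct hostnames is treated
# as a wildcard answer (assumed threshold). Hosts that only ever map to such
# addresses are probably not real hosts; the rest deserve a closer look.
def triage_brute_results(text, ratio: 0.8)
  hosts_by_ip = Hash.new { |h, k| h[k] = Set.new }
  ips_by_host = Hash.new { |h, k| h[k] = Set.new }
  parse_brute_output(text).each do |host, ip|
    hosts_by_ip[ip] << host
    ips_by_host[host] << ip
  end
  total_hosts = ips_by_host.size
  wildcard_ips = hosts_by_ip.select { |_ip, hosts| hosts.size >= ratio * total_hosts }.keys.sort
  likely_real = ips_by_host.select { |_host, ips| (ips - wildcard_ips).any? }.keys.sort
  { hosts: total_hosts, wildcard_ips: wildcard_ips, likely_real: likely_real }
end

if __FILE__ == $0
  r = triage_brute_results(BRUTE_OUTPUT)
  puts "#{r[:hosts]} hostnames, wildcard-looking addresses: #{r[:wildcard_ips].join(', ')}"
  puts "worth a closer look: #{r[:likely_real].join(', ')}"
end
```

Run it as `ruby triage.rb` to see the constructed sample reduced to the one name (access.cnn.com) that maps to an address outside the wildcard pair; to use it on a real run, pipe the tool's output into `triage_brute_results` instead of the embedded sample. A quicker sanity check that needs no script at all is to query a name you are sure does not exist under the target domain: if it resolves, the zone has a wildcard and every brute force hit needs to be checked against that answer.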
The next example is just a general DNS query for NS, SOA and MX records:

```text
root@666:/pentest/enumeration/dnsrecon# ./dnsrecon.rb -s cnn.com
cnn.com,157.166.255.19,A
cnn.com,157.166.224.25,A
cnn.com,157.166.224.26,A
cnn.com,157.166.226.25,A
cnn.com,157.166.226.26,A
cnn.com,157.166.255.18,A
ns1.timewarner.net,204.74.108.238,SOA
ns3.timewarner.net,199.7.68.238,NS
ns1.timewarner.net,204.74.108.238,NS
ns5.timewarner.net,204.74.109.238,NS
nycmail2.turner.com,157.166.157.10,MX,10
atlmail3.turner.com,157.166.174.56,MX,10
atlmail5.turner.com,157.166.165.14,MX,10
hkgmail1.turner.com,168.161.96.115,MX,10
lonmail1.turner.com,157.166.216.142,MX,10
nycmail1.turner.com,157.166.157.8,MX,10
```
The next example will attempt a zone transfer against each NS server reported:

```text
root@666:/pentest/enumeration/dnsrecon# ./dnsrecon.rb -axfr cnn.com
Zone transfer failed for ns5.timewarner.net
Zone transfer failed for ns1.timewarner.net
Zone transfer failed for ns3.timewarner.net
```

Just as a side note, it's very rare to find a name server which still allows zone transfers; however, it's always good to try.
The final example is enumerating the most common SRV records for a given domain:
DNS SRV records [RFC 2782] are useful for locating instances of a particular type of service when all the instances are effectively indistinguishable and provide the same service to the client.

```text
root@666:~# ./dnsrecon.rb -srv -d cnn.com
_sip._udp.cnn.com,198.152.17.234,5060
_sip._tcp.cnn.com,198.152.17.234,5060
```
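To show what the SRV enumeration is doing under the hood, here is an added Ruby example (my own code, not dnsrecon's) that walks the same list of service labels from the feature summary above, queries each `_service._proto.domain` name for SRV records with the standard library's `Resolv::DNS`, resolves each target to its addresses, and prints lines in the tool's `name,ip,port` format. The `resolver:` parameter is an assumption of this example so that the lookup can be pointed at a chosen name server or replaced with a stub; everything else is the standard `resolv` API.

```ruby
require 'resolv'

# The SRV service labels dnsrecon checks, taken from the feature list above
# (the duplicated _aix._tcp entry is listed once).
SRV_LABELS = %w[
  _gc._tcp _kerberos._tcp _kerberos._udp _ldap._tcp _test._tcp _sips._tcp
  _sip._udp _sip._tcp _aix._tcp _finger._tcp _ftp._tcp _http._tcp _nntp._tcp
  _telnet._tcp _whois._tcp _h323cs._tcp _h323cs._udp _h323be._tcp _h323be._udp
  _h323ls._tcp _h323ls._udp
].freeze

# Build the fully qualified SRV names for a domain, e.g. _ldap._tcp.example.com
def srv_names(domain)
  SRV_LABELS.map { |label| "#{label}.#{domain}" }
end

# `resolver` is any object offering the two Resolv::DNS methods used here
# (getresources and getaddresses), so a specific name server can be supplied
# or the network replaced by a stub. Returns one hash per (record, address).
def enumerate_srv(domain, resolver: Resolv::DNS.new)
  srv_names(domain).flat_map do |name|
    resolver.getresources(name, Resolv::DNS::Resource::IN::SRV).flat_map do |rr|
      target = rr.target.to_s.chomp('.')
      addrs = resolver.getaddresses(target).map(&:to_s)
      addrs = [nil] if addrs.empty? # keep the record even if its target has no A record
      addrs.map do |addr|
        { name: name, target: target, address: addr, port: rr.port,
          priority: rr.priority, weight: rr.weight }
      end
    end
  end
end

# Same comma-separated shape as the tool's output: name,ip,port
# (falls back to the target hostname when it did not resolve).
def format_srv(results)
  results.map { |r| [r[:name], r[:address] || r[:target], r[:port]].join(',') }
end

# Usage: ruby srv_enum.rb <domain> [nameserver]
if __FILE__ == $0 && ARGV[0]
  resolver = ARGV[1] ? Resolv::DNS.new(nameserver: [ARGV[1]]) : Resolv::DNS.new
  puts format_srv(enumerate_srv(ARGV[0], resolver: resolver))
end
```

Passing a name server as the second argument mirrors the tool's optional nameserver parameter and is useful when you want to see what an internal resolver answers versus a public one; records such as `_ldap._tcp` and `_kerberos._tcp` are normally only meaningful from inside the network that publishes them, which is exactly why their appearance in external DNS is worth flagging to the zone's owner.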
Dnsrecon is a really great tool for passive network fingerprinting. It’s an alternative to other discovery techniques such as whois lookups, scanning large IP ranges, etc.