Many of the DNS enumeration scripts available in BackTrack focus on typical DNS, but reverseraider does what its name suggests: it enumerates reverse DNS names. Enumerating reverse DNS on an IP or set of IPs can sometimes reveal information you did not previously have. For example, you may be targeting a web server that has a bunch of virtual hosts and prefer to track down the primary web site on that server. This is where reverseraider may provide the results you need, as the most important site on a virtual web server is the one most likely to have reverse DNS configured on the host itself. Below I display the three primary methods of using reverseraider.
Use reverseraider To Enumerate Reverse DNS On A File Of IP’s:
- root@bt:/pentest/enumeration/reverseraider# ./reverseraider -f iplist-test.txt
- resolver3.opendns.com 208.67.222.220
- resolver3.opendns.com 208.67.222.220
- resolver1.opendns.com 208.67.222.222
- resolver1.opendns.com 208.67.222.222
- google-public-dns-a.google.com 8.8.8.8
- google-public-dns-a.google.com 8.8.8.8
- resolver2.opendns.com 208.67.220.220
- resolver2.opendns.com 208.67.220.220
- resolver2.opendns.com 208.67.220.220
- resolver2.opendns.com 208.67.220.220
- root@bt:/pentest/enumeration/reverseraider#
The above list of IPs is provided with reverseraider as a test list and resolves various Google IPs' reverse DNS. The primary thing to take away from the above example is that the -f switch allows you to specify a file that has a list of IPs, a list of IP ranges, or a combination of the two. The next example below uses a wordlist against a specific domain, looking for reverse DNS by trying each entry in the wordlist.
Use reverseraider To Enumerate Reverse DNS Based On A Wordlist:
- root@bt:/pentest/enumeration/reverseraider# ./reverseraider -w wordlists/fast.list -d louisville.edu
- smtp.louisville.edu 136.165.233.235
- smtp.louisville.edu 136.165.233.231
- smtp.louisville.edu 136.165.233.227
- hermes.louisville.edu 136.165.253.10
- dns.louisville.edu 136.165.253.10
- smtp.louisville.edu 136.165.233.227
- mail.louisville.edu 136.165.233.227
- smtp.louisville.edu 136.165.233.235
- mail.louisville.edu 136.165.233.235
- smtp.louisville.edu 136.165.233.231
- mail.louisville.edu 136.165.233.231
- www.louisville.edu 136.165.238.157
- web.louisville.edu 136.165.238.183
- ldaplb.louisville.edu 136.165.229.2
- ldap.louisville.edu 136.165.229.2
- www.louisville.edu 136.165.238.157
- smtp.louisville.edu 136.165.233.231
- smtp.louisville.edu 136.165.233.227
- smtp.louisville.edu 136.165.233.235
- hermes.louisville.edu 136.165.253.10
- dns.louisville.edu 136.165.253.10
- smtp.louisville.edu 136.165.233.235
- mail.louisville.edu 136.165.233.235
- smtp.louisville.edu 136.165.233.231
- mail.louisville.edu 136.165.233.231
- smtp.louisville.edu 136.165.233.227
- mail.louisville.edu 136.165.233.227
- web.louisville.edu 136.165.238.183
- ldaplb.louisville.edu 136.165.229.2
- ldap.louisville.edu 136.165.229.2
- vpn.louisville.edu 216.249.140.85
- vpn.louisville.edu 216.249.140.85
- root@bt:/pentest/enumeration/reverseraider#
In the above example the smallest wordlist was used, and it still turned up a ton of results. The -d switch specifies the domain you want to enumerate reverse DNS names for; keep in mind that you must also use the -w switch to specify a wordlist. There are three wordlists located in /pentest/enumeration/reverseraider/wordlists/. You can also see that numerous reverse DNS names have multiple IPs, which is another thing to consider when thinking about the value of reverse DNS. If you knew of the IP address 136.165.233.235 above, which allowed you to obtain mail.louisville.edu, you could then investigate using reverseraider and other tools to see if there are other mail servers in the same IP range. The last example below displays reverseraider using the -r switch, which allows you to specify a single IP or a range of IPs on the command line.
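The grouping described above, as an added example (not part of the original post and not reverseraider code): it de-duplicates the tool's output and groups names by IP, IPs by name, and names by /24, which is also a quick way to review what your own records disclose. The sample lines are constructed from the output shown above, and all function names are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: a subset of the wordlist-run lines above, with the
# duplicates and the trailing shell prompt left in.
SAMPLE = """\
- smtp.louisville.edu 136.165.233.235
- smtp.louisville.edu 136.165.233.231
- smtp.louisville.edu 136.165.233.227
- hermes.louisville.edu 136.165.253.10
- dns.louisville.edu 136.165.253.10
- mail.louisville.edu 136.165.233.227
- mail.louisville.edu 136.165.233.235
- smtp.louisville.edu 136.165.233.235
- www.louisville.edu 136.165.238.157
- vpn.louisville.edu 216.249.140.85
- vpn.louisville.edu 216.249.140.85
- root@bt:/pentest/enumeration/reverseraider#
"""

def parse_pairs(text):
    """Unique (hostname, IPv4Address) pairs; prompts and malformed lines are skipped."""
    pairs = set()
    for line in text.splitlines():
        fields = line.lstrip("- ").split()
        if len(fields) != 2:
            continue
        try:
            ip = ipaddress.IPv4Address(fields[1])
        except ValueError:
            continue
        pairs.add((fields[0].lower().rstrip("."), ip))
    return pairs

def group(pairs, key, value):
    """Map key(pair) to the sorted list of distinct value(pair)."""
    out = defaultdict(set)
    for pair in pairs:
        out[key(pair)].add(value(pair))
    return {k: sorted(v) for k, v in out.items()}

def names_by_ip(pairs):
    return group(pairs, lambda p: str(p[1]), lambda p: p[0])

def ips_by_name(pairs):
    # IPv4Address objects sort numerically; convert to text afterwards.
    grouped = group(pairs, lambda p: p[0], lambda p: p[1])
    return {name: [str(ip) for ip in ips] for name, ips in grouped.items()}

def names_by_slash24(pairs):
    net = lambda p: str(ipaddress.ip_network(f"{p[1]}/24", strict=False))
    return group(pairs, net, lambda p: p[0])
```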
Use reverseraider To Enumerate Reverse DNS Entries By IP Address:
- root@bt:/pentest/enumeration/reverseraider# ./reverseraider -r 2.1.1.1-10
- ANantes-551-1-154-1.w2-1.abo.wanadoo.fr 2.1.1.1
- ANantes-551-1-154-1.w2-1.abo.wanadoo.fr 2.1.1.1
- ANantes-551-1-154-2.w2-1.abo.wanadoo.fr 2.1.1.2
- ANantes-551-1-154-2.w2-1.abo.wanadoo.fr 2.1.1.2
- ANantes-551-1-154-3.w2-1.abo.wanadoo.fr 2.1.1.3
- ANantes-551-1-154-3.w2-1.abo.wanadoo.fr 2.1.1.3
- ANantes-551-1-154-4.w2-1.abo.wanadoo.fr 2.1.1.4
- ANantes-551-1-154-4.w2-1.abo.wanadoo.fr 2.1.1.4
- ANantes-551-1-154-5.w2-1.abo.wanadoo.fr 2.1.1.5
- ANantes-551-1-154-5.w2-1.abo.wanadoo.fr 2.1.1.5
- ANantes-551-1-154-6.w2-1.abo.wanadoo.fr 2.1.1.6
- ANantes-551-1-154-6.w2-1.abo.wanadoo.fr 2.1.1.6
- ANantes-551-1-154-7.w2-1.abo.wanadoo.fr 2.1.1.7
- ANantes-551-1-154-7.w2-1.abo.wanadoo.fr 2.1.1.7
- ANantes-551-1-154-8.w2-1.abo.wanadoo.fr 2.1.1.8
- ANantes-551-1-154-8.w2-1.abo.wanadoo.fr 2.1.1.8
- ANantes-551-1-154-9.w2-1.abo.wanadoo.fr 2.1.1.9
- ANantes-551-1-154-9.w2-1.abo.wanadoo.fr 2.1.1.9
- ANantes-551-1-154-10.w2-1.abo.wanadoo.fr 2.1.1.10
- ANantes-551-1-154-10.w2-1.abo.wanadoo.fr 2.1.1.10
- root@bt:/pentest/enumeration/reverseraider#
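What a range sweep like the one above amounts to, as an added example (not reverseraider's own code): each address becomes a PTR query name under in-addr.arpa, and the returned name is then checked with a forward lookup, because a PTR record is published by whoever controls the reverse zone and need not match the forward records. Reading `2.1.1.1-10` as a last-octet range is an assumption taken from the output above; the function names and the pluggable `ptr`/`forward` resolvers are assumptions too.

```python
import ipaddress
import socket

def expand_range(spec):
    """Expand '2.1.1.1-10' (assumed last-octet range) or a single IPv4 address."""
    base, _, end = spec.partition("-")
    first = ipaddress.IPv4Address(base.strip())
    if not end:
        return [first]
    start_octet, last_octet = int(first) & 0xFF, int(end)
    if not start_octet <= last_octet <= 255:
        raise ValueError(f"bad range end in {spec!r}")
    return [first + i for i in range(last_octet - start_octet + 1)]

def system_ptr(ip):
    """PTR lookup through the system resolver; None when no name is returned."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    """IPv4 addresses the name resolves to; empty set on failure."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()

def reverse_sweep(spec, ptr=system_ptr, forward=system_forward):
    """Rows of (ip, PTR query name, returned name, forward-confirmed?)."""
    rows = []
    for addr in expand_range(spec):
        ip = str(addr)
        name = ptr(ip)
        # Forward-confirm: the returned name must resolve back to the same IP.
        confirmed = bool(name) and ip in forward(name)
        rows.append((ip, addr.reverse_pointer, name, confirmed))
    return rows

if __name__ == "__main__":
    # Constructed stub resolvers so the demonstration runs offline.
    fake_ptr = {"192.0.2.1": "host1.example"}.get
    fake_fwd = lambda n: {"192.0.2.1"} if n == "host1.example" else set()
    for row in reverse_sweep("192.0.2.1-3", fake_ptr, fake_fwd):
        print(row)
```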
That is pretty much it. There is not a lot to reverseraider, though I believe it to be a valuable tool specifically for reverse DNS enumeration.