The dnsenum.pl Perl script as described in its Perl documentation is a multithreaded script to enumerate information on a domain and to discover non-contiguous IP blocks. So the gist of dnsenum is to gather information about a specific domain using various sources. Information gathered about a domain includes sub domains, associated IP ranges, name servers, mx records, reverse DNS records, hostname IP addresses, and potential vulnerabilities via zone transfers. Below we go into detail regarding the switches available with dnsenum as well as what the command returns by default without and CLI switches.

dnsenum – DNS & IP Block Enumeration On Backtrack Linux

Click on the dnsenum Perl Documentation link below to expand out the dnsenum docs.

[expand title=”dnsenum Perl Documentation”]
DNSENUM(1) User Contributed Perl Documentation DNSENUM(1)

NAME
dnsenum.pl: multithread script to enumerate information on a domain and to discover non-contiguous IP blocks.

VERSION
dnsenum.pl version 1.2.2

SYNOPSIS
dnsenum.pl [options]

DESCRIPTION
Supported operations: nslookup, zonetransfer, google scraping, domain brute force (support also recursion), whois ip and reverse lookups.

Operations:

¬∑ 1) Get the host’s addresse (A record).

· 2) Get the nameservers (threaded).

· 3) Get the MX record (threaded).

· 4) Perform AXFR queries on nameservers (threaded).

¬∑ 5) Get extra names and subdomains via google scraping (google query = “allinurl: -www site:domain”).

· 6) Brute force subdomains from file, can also perform recursion on subdomain that have NS records (all threaded).

· 7) Calculate Class C IP network ranges from the results and perform whois queries on them (threaded).

· 8) Perform reverse lookups on netranges (class C or/and whois netranges)(threaded).

· 9) Write to domain_ips.txt file non-contiguous ip-blocks results.

OPTIONS
The brute force -f switch is obligatory.

GENERAL OPTIONS:
–dnsserver Use this DNS server to perform all A, NS and MX queries,
the AXFR and PTR queries are sent to the domain’s NS servers.

–enum Shortcut option equivalent to –threads 5 -s 20 -w.

-h, –help Print the help message.

–noreverse Skip the reverse lookup operations.
Reverse lookups can take long time on big netranges.

–private Show and save private ips at the end of the file domain_ips.txt.

–subfile Write all valid subdomains to this file.
Subdomains are taken from NS and MX records, zonetransfer,
google scraping, brute force and reverse lookup hostnames.

-t, –timeout The tcp and udp timeout values in seconds (default: 10s).

–threads The number of threads that will perform different queries.

-v, –verbose Be verbose (show all the progress and all the error messages).

Notes: neither the default domain nor the resolver search list are appended to domains that don’t contain any dots.

GOOGLE SCRAPING OPTIONS:
This function will scrap subdomains from google search, using query: allinurl: -www site:domain.

-p, –pages The number of google search pages to process when scraping names,
the -s switch must be specified, (default: 20 pages).

-s, –scrap The maximum number of subdomains that will be scraped from google.

NOTES: Google can block our queries with the malware detection. Http proxy options for google scraping are automatically loaded from the environment if the vars http_proxy or
HTTP_PROXY are present. “http_proxy=http://127.0.0.1:8118/” or “HTTP_PROXY=http://127.0.0.1:8118/”. On IO errors the mechanize browser object will automatically call die.

BRUTE FORCE OPTIONS:
-f, –file Read subdomains from this file to perform brute force.

-u, –update <a|g|r|z> Update the file specified with the -f switch with vaild subdomains.

-u a Update using all results.

-u g Update using only google scraping results.

-u r Update using only reverse lookup results.

-u z Update using only zonetransfer results.

-r, –recursion Recursion on subdomains, brute force all discovred subdomains
that have an NS record.

NOTES: To perform recursion first we must check previous subdomains results (zonetransfer, google scraping and brute force) for NS records after that we perform brute force on
valid subdomains that have NS records and so on. NS, MX and reverse lookup results are not concerned.

WHOIS IP OPTIONS:
Perform whois ip queries on c class netanges discovred from previous operations.

-d, –delay The maximum value of seconds to wait between whois queries,
the value is defined randomly, (default: 3s).

NOTES: whois servers will limit the number of connections.

-w, –whois Perform the whois queries on c class network ranges.
Warning: this can generate very large netranges and it
will take lot of time to performe reverse lookups.

NOTES: The whois query should recursively query the various whois providers untile it gets the more detailed information including either TechPhone or OrgTechPhone by default.
See: perldoc Net::Whois::IP. On errors the netrange will be a default c class /24.

REVERSE LOOKUP OPTIONS:
-e, –exclude Exclude PTR records that match the regexp expression from reverse
lookup results, useful on invalid hostnames.

NOTES: PTR records that not match the domain are also excluded. Verbose mode will show all results.

OUTPUT FILES
Final non-contiguous ip blocks are writen to domain_ips.txt file.

NOTES: Final non-contiguous ip blocks are calculated :

· 1) From reverse lookups that were performed on netranges ( c class network ranges or whois netranges ).

· 2) If the noreverse switch is used then they are calculated from previous operations results (nslookups, zonetransfers, google scraping and brute forcing).

README
dnsenum.pl: multithread script to enumerate information on a domain and to discover non-contiguous ip blocks.

PREREQUISITES
Modules that are included in perl 5.10.0:
Getopt::Long, IO::File, Thread::Queue.

Other Necessary modules:
Must have: Net::DNS, Net::IP, Net::Netmask.
Optional: Net::Whois::IP, HTML::Parser, WWW::Mechanize.

Perl ithreads modules (perl must be compiled with ithreads support):
threads, threads::shared.

AUTHORS
Filip Waeytens <filip.waeytens[at]gmail.com>

tix tixxDZ <tixxdz[at]gmail.com>

COPYRIGHT
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.

SCRIPT CATEGORIES
Networking DNS

perl v5.10.1 2011-06-16 DNSENUM(1)
[/expand]

dnsenum Perl Script: Default Output Against cnn.com

I think the output of dnsenum is pretty slick! You can quickly grab a bunch of info about a specific domain that provide a great starting point to begin for information gathering. It will be highly unlikely that you will have any success with AXFR record queries or zone transfers but it definitely doesn’t hurt anything to attempt these unless you are trying to be stealth. If you do come across a successful AXFR record query it will be a major finding as you could potentially obtain details about a domain that should not be public. With a successful zone transfer you will also potentially gain access to every DNS record associated to the domain.

Notice how in the documentation there are nine items that dnsenum notes it will provide. Unfortunately this is not entirely true on Backtrack Linux 5 as a couple of the outputs seems to be not working correctly. I hope to look at this in more detail in the future but for now we will note each of the nine items and provide examples where possible. I have cut only the output pertaining to the piece of data noted so for example when the default command is used by only specifying a domain and without any switches there is still a bunch of information output to the screen.

dnsenum Functionality And Output On Backtrack Linux 5 R3:

Output Data: Output Hostname – ONE

Status: Functional

Command Example/Necessary Switches: perl dnsenum.pl example.com

Hostname Example Output:

Output Data: Output Name Servers – TWO

Status: Functional

Command Example/Necessary Switches: perl dnsenum.pl example.com

Name Servers Example Output:

Output Data: Output MX Records – THREE

Status: Functional

Command Example/Necessary Switches: perl dnsenum.pl SomeDomain.com

MX Records Example Output:

Output Data: Zone/AXFR Queries To Name Servers – FOUR

Status: Functional

Command Example/Necessary Switches: perl dnsenum.pl SomeDomain.com

Zone Transfer/AFXR Query Example Output:

Output Data: Scrape Sub Domains From Google – FIVE

Status: Not Functional

Command Example/Necessary Switches: perl dnsenum.pl -s 5 -p 5 SomeDomain.com

Google Sub Domain Scrape Example Output:

Notes: Since this is not functional you can manually run the command in a Google search: “allinurl: -www site:DOMAIN-NAME-HERE”

Output Data: Bruteforce Sub Domains From File – SIX

Status: Functional

Command Example/Necessary Switches: perl dnsenum.pl -f somefile.txt –dnsserver 8.8.8.8 example.com

Bruteforced Sub Domains Example Output:

Notes: We are using the Google public DNS server of 8.8.8.8 however you can replace this with any DNS server that you like. It may be beneficial to use the companies DNS server or a DNS server you have setup a specific way.

Output Data: Calculate Network Blocks – SEVEN

Status: Functional

Command Example/Necessary Switches: perl dnsenum.pl -f somefile.txt –dnsserver 8.8.8.8 example.com

Network Blocks Example Output:

Notes: In the example we show RFC 1918 IP space or private IP’s however in real output you would only see public IP ranges unless you specified the –private switch and then the private networks would display at the bottom of the output file.

Output Data: Perform Reverse Lookups On IP Ranges – EIGHT

Status: Not Functional

Command Example/Necessary Switches: Default Command, No Switches Required

IP Range Reverse Lookup Results Example Output:

Notes: If you want to run reverse lookups manually against the subnets you could use something like the following command.The below command was modified from a broken command found here. It is not perfect but provides a quick and dirty way to run reverse lookups on large IP subnets quickly.

Output Data: Output Non-Contiguous IP-Blocks Results To File – NINE

Status: Functional

Command Example/Necessary Switches: perl dnsenum.pl -f dns.txt –dnsserver 8.8.8.8 –noreverse cnn.com

Non-Contiguous IP-Block Example Output:

Notes: Notice most of the above IP’s are not really subnets at all however I cut the results short to save output in the article. You will definitely run across larger networks when using dnsenum.

Out of all nine of the functions dnsenum describes in its man page there are only two that are not functional at this time. It appears that dnsenum has help up fairly well over time which is impressive considering it hasn’t been updated in so long. One more switch that appears to not be functional at all times but does work some of the time is the –subfile switch which writes located sub domains to a file by the name specified after the –subfile switch. I believe it either has something to do with the number od sub domains located or with the switch combinations used so you might try a couple different switch combinations if you need the –subfile switch functionality. Below we show our final example which combines a ton of the above examples into one large domain recon command that could be useful when information gathering on a specific domain!

dnsenum – Multi Switch Use Example On Backtrack Linux:

There you have it… dnsenum examples and information regarding its current status in Backtrack Linux version 5 release 3. If anyone has any additions in terms of functionality either email me or note in the comments below!