The dnsenum.pl Perl script, as described in its Perl documentation, is a multithreaded script to enumerate information on a domain and to discover non-contiguous IP blocks. So the gist of dnsenum is to gather information about a specific domain using various sources. Information gathered about a domain includes subdomains, associated IP ranges, name servers, MX records, reverse DNS records, hostname IP addresses, and potential vulnerabilities via zone transfers. Below we go into detail regarding the switches available with dnsenum as well as what the command returns by default without any CLI switches.
dnsenum – DNS & IP Block Enumeration On Backtrack Linux
- DNSENUM(1) User Contributed Perl Documentation DNSENUM(1)
- NAME
- dnsenum.pl: multithread script to enumerate information on a domain and to discover non-contiguous IP blocks.
- VERSION
- dnsenum.pl version 1.2.2
- SYNOPSIS
- dnsenum.pl [options]
- DESCRIPTION
- Supported operations: nslookup, zonetransfer, google scraping, domain brute force (support also recursion), whois ip and reverse lookups.
- Operations:
- · 1) Get the host's address (A record).
- · 2) Get the nameservers (threaded).
- · 3) Get the MX record (threaded).
- · 4) Perform AXFR queries on nameservers (threaded).
- · 5) Get extra names and subdomains via google scraping (google query = "allinurl: -www site:domain").
- · 6) Brute force subdomains from file, can also perform recursion on subdomain that have NS records (all threaded).
- · 7) Calculate Class C IP network ranges from the results and perform whois queries on them (threaded).
- · 8) Perform reverse lookups on netranges (class C or/and whois netranges)(threaded).
- · 9) Write to domain_ips.txt file non-contiguous ip-blocks results.
- OPTIONS
- The brute force -f switch is obligatory.
- GENERAL OPTIONS:
- --dnsserver Use this DNS server to perform all A, NS and MX queries,
- the AXFR and PTR queries are sent to the domain's NS servers.
- --enum Shortcut option equivalent to --threads 5 -s 20 -w.
- -h, --help Print the help message.
- --noreverse Skip the reverse lookup operations.
- Reverse lookups can take long time on big netranges.
- --private Show and save private ips at the end of the file domain_ips.txt.
- --subfile Write all valid subdomains to this file.
- Subdomains are taken from NS and MX records, zonetransfer,
- google scraping, brute force and reverse lookup hostnames.
- -t, --timeout The tcp and udp timeout values in seconds (default: 10s).
- --threads The number of threads that will perform different queries.
- -v, --verbose Be verbose (show all the progress and all the error messages).
- Notes: neither the default domain nor the resolver search list are appended to domains that don't contain any dots.
- GOOGLE SCRAPING OPTIONS:
- This function will scrape subdomains from google search, using query: allinurl: -www site:domain.
- -p, --pages The number of google search pages to process when scraping names,
- the -s switch must be specified, (default: 20 pages).
- -s, --scrap The maximum number of subdomains that will be scraped from google.
- NOTES: Google can block our queries with the malware detection. Http proxy options for google scraping are automatically loaded from the environment if the vars http_proxy or
- HTTP_PROXY are present. "http_proxy=http://127.0.0.1:8118/" or "HTTP_PROXY=http://127.0.0.1:8118/". On IO errors the mechanize browser object will automatically call die.
- BRUTE FORCE OPTIONS:
- -f, --file Read subdomains from this file to perform brute force.
- -u, --update <a|g|r|z> Update the file specified with the -f switch with valid subdomains.
- -u a Update using all results.
- -u g Update using only google scraping results.
- -u r Update using only reverse lookup results.
- -u z Update using only zonetransfer results.
- -r, --recursion Recursion on subdomains, brute force all discovered subdomains
- that have an NS record.
- NOTES: To perform recursion first we must check previous subdomains results (zonetransfer, google scraping and brute force) for NS records after that we perform brute force on
- valid subdomains that have NS records and so on. NS, MX and reverse lookup results are not concerned.
- WHOIS IP OPTIONS:
- Perform whois ip queries on c class netranges discovered from previous operations.
- -d, --delay The maximum value of seconds to wait between whois queries,
- the value is defined randomly, (default: 3s).
- NOTES: whois servers will limit the number of connections.
- -w, --whois Perform the whois queries on c class network ranges.
- Warning: this can generate very large netranges and it
- will take a lot of time to perform reverse lookups.
- NOTES: The whois query should recursively query the various whois providers until it gets the most detailed information, including either TechPhone or OrgTechPhone by default.
- See: perldoc Net::Whois::IP. On errors the netrange will be a default c class /24.
- REVERSE LOOKUP OPTIONS:
- -e, --exclude Exclude PTR records that match the regexp expression from reverse
- lookup results, useful on invalid hostnames.
- NOTES: PTR records that do not match the domain are also excluded. Verbose mode will show all results.
- OUTPUT FILES
- Final non-contiguous ip blocks are written to domain_ips.txt file.
- NOTES: Final non-contiguous ip blocks are calculated:
- · 1) From reverse lookups that were performed on netranges ( c class network ranges or whois netranges ).
- · 2) If the noreverse switch is used then they are calculated from previous operations results (nslookups, zonetransfers, google scraping and brute forcing).
- README
- dnsenum.pl: multithread script to enumerate information on a domain and to discover non-contiguous ip blocks.
- PREREQUISITES
- Modules that are included in perl 5.10.0:
- Getopt::Long, IO::File, Thread::Queue.
- Other Necessary modules:
- Must have: Net::DNS, Net::IP, Net::Netmask.
- Optional: Net::Whois::IP, HTML::Parser, WWW::Mechanize.
- Perl ithreads modules (perl must be compiled with ithreads support):
- threads, threads::shared.
- AUTHORS
- Filip Waeytens <filip.waeytens[at]gmail.com>
- tix tixxDZ <tixxdz[at]gmail.com>
- COPYRIGHT
- This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either
- version 2 of the License, or (at your option) any later version.
- SCRIPT CATEGORIES
- Networking DNS
- perl v5.10.1 2011-06-16 DNSENUM(1)
dnsenum Perl Script: Default Output Against cnn.com
- root@bt:/pentest/enumeration/dns/dnsenum# perl dnsenum.pl cnn.com
- dnsenum.pl VERSION:1.2.2
- ----- cnn.com -----
- Host's addresses:
- __________________
- cnn.com 198 IN A 157.166.255.19
- cnn.com 198 IN A 157.166.226.25
- cnn.com 198 IN A 157.166.226.26
- cnn.com 198 IN A 157.166.255.18
- Name Servers:
- ______________
- ns1.p42.dynect.net 159347 IN A 208.78.70.42
- ns1.timewarner.net 169183 IN A 204.74.108.238
- ns3.timewarner.net 169183 IN A 199.7.68.238
- ns2.p42.dynect.net 169183 IN A 204.13.250.42
- Mail (MX) Servers:
- ___________________
- atlmail3.turner.com 40 IN A 157.166.174.56
- atlmail5.turner.com 40 IN A 157.166.165.14
- hkgmail1.turner.com 40 IN A 168.161.96.115
- lonmail1.turner.com 107 IN A 157.166.216.142
- nycmail1.turner.com 107 IN A 157.166.157.8
- nycmail2.turner.com 107 IN A 157.166.157.10
- Trying Zone Transfers and getting Bind Versions:
- _________________________________________________
- Trying Zone Transfer for cnn.com on ns1.p42.dynect.net ...
- AXFR record query failed: NOERROR
- 9.6-ESV-R7-P3t.net Bind Version:
- Trying Zone Transfer for cnn.com on ns1.timewarner.net ...
- AXFR record query failed: NOERROR
- ns1.timewarner.net Bind Version: UltraDNS Resolver
- Trying Zone Transfer for cnn.com on ns3.timewarner.net ...
- AXFR record query failed: NOERROR
- ns3.timewarner.net Bind Version: UltraDNS Resolver
- Trying Zone Transfer for cnn.com on ns2.p42.dynect.net ...
- AXFR record query failed: NOERROR
- 9.6-ESV-R7-P3t.net Bind Version:
- Wildcards detected, all subdomains will point to the same IP address, bye.
- root@bt:/pentest/enumeration/dns/dnsenum#
I think the output of dnsenum is pretty slick! You can quickly grab a bunch of info about a specific domain that provides a great starting point for information gathering. It is highly unlikely that you will have any success with AXFR record queries (zone transfers), but it doesn't hurt anything to attempt them unless you are trying to be stealthy. If you do come across a successful AXFR record query it will be a major finding, as you could potentially obtain details about a domain that should not be public. With a successful zone transfer you will also potentially gain access to every DNS record associated with the domain.
Notice that the documentation lists nine items dnsenum says it will provide. Unfortunately this is not entirely true on Backtrack Linux 5, as a couple of the outputs do not seem to work correctly. I hope to look at this in more detail in the future, but for now we will note each of the nine items and provide examples where possible. I have cut the output down to only the piece of data being discussed; for example, when the default command is used by specifying only a domain and no switches, a lot more information is still printed to the screen.
dnsenum Functionality And Output On Backtrack Linux 5 R3:
Output Data: Output Hostname – ONE
Status: Functional
Command Example/Necessary Switches: perl dnsenum.pl example.com
Hostname Example Output:
- Host's addresses:
- __________________
- example.com 103059 IN A 192.0.43.10
Output Data: Output Name Servers – TWO
Status: Functional
Command Example/Necessary Switches: perl dnsenum.pl example.com
Name Servers Example Output:
- Name Servers:
- ______________
- a.iana-servers.net 1143 IN A 199.43.132.53
- b.iana-servers.net 1143 IN A 199.43.133.53
Output Data: Output MX Records – THREE
Status: Functional
Command Example/Necessary Switches: perl dnsenum.pl SomeDomain.com
MX Records Example Output:
- Mail (MX) Servers:
- ___________________
- ASPMX.L.GOOGLE.com 9 IN A 74.125.142.27
- ALT1.ASPMX.L.GOOGLE.com 84 IN A 173.194.74.26
- ALT2.ASPMX.L.GOOGLE.com 147 IN A 74.125.131.27
- ASPMX2.GOOGLEMAIL.com 282 IN A 173.194.74.26
- ASPMX3.GOOGLEMAIL.com 286 IN A 74.125.131.26
Output Data: Zone/AXFR Queries To Name Servers – FOUR
Status: Functional
Command Example/Necessary Switches: perl dnsenum.pl SomeDomain.com
Zone Transfer/AFXR Query Example Output:
- Trying Zone Transfer for example.com on a.iana-servers.net ...
- AXFR record query failed: NOERROR
- a.iana-servers.net Bind Version: )You shouldn't ask a lady about her age :)
- Trying Zone Transfer for example.com on b.iana-servers.net ...
- AXFR record query failed: NOERROR
- b.iana-servers.net Bind Version: 9.8.3-vjs197.16-P3
Output Data: Scrape Sub Domains From Google – FIVE
Status: Not Functional
Command Example/Necessary Switches: perl dnsenum.pl -s 5 -p 5 SomeDomain.com
Google Sub Domain Scrape Example Output:
- ---- Google search page: 1 ----
- ---- Google search page: 2 ----
- ---- Google search page: 3 ----
- ---- Google search page: 4 ----
- ---- Google search page: 5 ----
- Google Results:
- ________________
- perhaps Google is blocking our queries.
- Check manually.
Notes: Since this is not functional you can manually run the command in a Google search: “allinurl: -www site:DOMAIN-NAME-HERE”
Output Data: Bruteforce Sub Domains From File – SIX
Status: Functional
Command Example/Necessary Switches: perl dnsenum.pl -f somefile.txt --dnsserver 8.8.8.8 example.com
Bruteforced Sub Domains Example Output:
- Brute forcing with subdomains.txt:
- ___________________________________
- access.cnn.com 2066 IN A 64.20.247.69
- ads.cnn.com 96 IN A 157.166.255.216
- asia.cnn.com 300 IN CNAME
- edition.cnn.com 3600 IN CNAME
- www.edition.cnn.com 3600 IN CNAME
- www.edition.cnn.com.vgtf.net 28 IN CNAME
- cnnintl-56m.gslb.vgtf.net 156 IN A 157.166.249.13
- cnnintl-56m.gslb.vgtf.net 156 IN A 157.166.248.13
- avatar.cnn.com 3300 IN CNAME
- ireport.com 3300 IN A 157.166.224.6
- ireport.com 3300 IN A 157.166.255.213
- ireport.com 3300 IN A 157.166.224.4
- channel.cnn.com 2075 IN A 207.25.71.117
- election.cnn.com 2675 IN CNAME
- reflector2.turner.com 2675 IN A 157.166.246.219
Notes: We are using the Google public DNS server 8.8.8.8, however you can replace this with any DNS server that you like. It may be beneficial to use the company's own DNS server or a DNS server you have set up a specific way.
Output Data: Calculate Network Blocks – SEVEN
Status: Functional
Command Example/Necessary Switches: perl dnsenum.pl -f somefile.txt --dnsserver 8.8.8.8 example.com
Network Blocks Example Output:
- question-defense.com class C netranges:
- ________________________________________
- 192.168.54.0/24
- 10.11.54.0/24
Notes: In the example we show RFC 1918 (private) IP space; in real output you would only see public IP ranges unless you specified the --private switch, in which case the private networks would display at the bottom of the output file.
Output Data: Perform Reverse Lookups On IP Ranges – EIGHT
Status: Not Functional
Command Example/Necessary Switches: Default Command, No Switches Required
IP Range Reverse Lookup Results Example Output:
- Performing reverse lookup on 512 ip addresses:
- _______________________________________________
- 0 results out of 512 IP addresses.
Notes: If you want to run reverse lookups manually against the subnets you could use something like the following command. The command below was modified from a broken command found here. It is not perfect, but it provides a quick and dirty way to run reverse lookups on large IP subnets. The awk filter only looks at nmap's "Nmap scan report" lines, so the banner and summary lines are not misreported as hosts.
- root@bt:/pentest/enumeration/dns/dnsenum# nmap -R -sL 64.20.247.69/30 | awk '/^Nmap scan report/ { if ($6 == "") print "(" $5 ") no PTR"; else print $6 " is " $5 }'
- (64.20.247.68) is mail7.access.cnn.com
- (64.20.247.69) is mail8.access.cnn.com
- (64.20.247.70) is mail9.access.cnn.com
- (64.20.247.71) is mail10.access.cnn.com
- root@bt:/pentest/enumeration/dns/dnsenum#
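The filtering that the man page describes for operation eight (keep only PTR names under the target domain, drop anything matching the -e/--exclude regexp, run the lookups threaded), written in Python as an added example that is not dnsenum's own code. The resolver is injectable: system_ptr uses socket.gethostbyaddr for real lookups, while FAKE_PTR and fake_resolver are a constructed stand-in (TEST-NET-1 addresses, example.com names) so the function can be exercised offline.

```python
import ipaddress
import re
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Optional

def system_ptr(ip: str) -> Optional[str]:
    """Real PTR lookup through the system resolver; None when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None

def reverse_lookup_range(network: str, domain: str, exclude: Optional[str] = None,
                         resolver: Callable[[str], Optional[str]] = system_ptr,
                         threads: int = 5) -> Dict[str, str]:
    """Operation 8 as dnsenum describes it: PTR-scan every address in the range
    with a pool of threads, keep only hostnames under `domain`, and drop any
    that match the -e/--exclude regexp (handy for junk or invalid PTR names)."""
    net = ipaddress.ip_network(network, strict=False)
    dom = domain.lower().strip(".")
    exclude_re = re.compile(exclude) if exclude else None
    ips = [str(ip) for ip in net]               # whole range, like nmap -sL
    with ThreadPoolExecutor(max_workers=threads) as pool:
        names = list(pool.map(resolver, ips))
    results: Dict[str, str] = {}
    for ip, name in zip(ips, names):
        if not name:
            continue                             # no PTR record
        host = name.lower().rstrip(".")
        if host != dom and not host.endswith("." + dom):
            continue                             # PTR outside the target domain
        if exclude_re and exclude_re.search(host):
            continue                             # matched --exclude
        results[ip] = host
    return results

# Constructed PTR table standing in for a live DNS server (hypothetical names
# in TEST-NET-1 space, not results from any real scan).
FAKE_PTR = {
    "192.0.2.68": "mail7.example.com",
    "192.0.2.69": "mail8.example.com",
    "192.0.2.70": "host-192-0-2-70.isp.example.net",   # outside example.com
    "192.0.2.71": "bogus.example.com",                  # removable with -e '^bogus'
}

def fake_resolver(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)

if __name__ == "__main__":
    found = reverse_lookup_range("192.0.2.68/30", "example.com",
                                 exclude="^bogus", resolver=fake_resolver)
    for ip, host in found.items():
        print(f"({ip}) is {host}")
```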
Output Data: Output Non-Contiguous IP-Blocks Results To File – NINE
Status: Functional
Command Example/Necessary Switches: perl dnsenum.pl -f dns.txt --dnsserver 8.8.8.8 --noreverse cnn.com
Non-Contiguous IP-Block Example Output:
- root@bt:/pentest/enumeration/dns/dnsenum# cat cnn.com_ips.txt
- 64.20.247.69/32
- 64.236.16.20/32
- 64.236.26.21/32
- 157.166.224.185/32
- 157.166.224.186/32
- 157.166.226.25/32
- 157.166.226.26/32
- 157.166.226.185/32
- 157.166.226.186/32
- 157.166.236.65/32
- 157.166.236.135/32
- 157.166.246.208/32
- 157.166.255.18/31
- 157.166.255.216/32
- 207.25.71.114/32
- 207.25.71.117/32
- root@bt:/pentest/enumeration/dns/dnsenum#
Notes: Notice that most of the above IPs are not really subnets at all; I cut the results short to save space in the article. You will definitely run across larger networks when using dnsenum.
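Operations seven and nine (the class C netranges, then the non-contiguous IP blocks written to domain_ips.txt, with private addresses held back unless --private is given) as an added Python example, not dnsenum's own code. SAMPLE_IPS is a constructed list; the merge of 157.166.255.18 and .19 into a single /31 while .25 and .26 stay separate /32s reproduces what the cnn.com_ips.txt output above shows.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample of addresses a dnsenum run might collect from A, NS, MX
# and brute-force results (illustrative values, not a real scan).
SAMPLE_IPS = [
    "157.166.255.18", "157.166.255.19",   # aligned pair -> merges into a /31
    "157.166.226.25", "157.166.226.26",   # adjacent but not aligned -> two /32s
    "64.20.247.69", "207.25.71.117",
    "192.168.54.3", "10.11.54.7",         # RFC 1918, written only with --private
]

def split_private(ips: Iterable[str]) -> Tuple[List[ipaddress.IPv4Address],
                                               List[ipaddress.IPv4Address]]:
    """Separate public from private addresses (the --private switch decides
    whether the second list is written at all)."""
    public, private = [], []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        (private if addr.is_private else public).append(addr)
    return public, private

def class_c_netranges(ips: Iterable[ipaddress.IPv4Address]) -> List[str]:
    """Operation 7: the distinct /24 networks that contain the discovered
    hosts; these are the ranges dnsenum hands to whois and reverse lookups."""
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
    return [str(n) for n in sorted(nets)]

def noncontiguous_blocks(ips: Iterable[ipaddress.IPv4Address]) -> List[str]:
    """Operation 9: the smallest set of CIDR blocks covering the hosts.
    collapse_addresses merges neighbours that align on a CIDR boundary, so
    .18 and .19 become a /31 while .25 and .26 remain separate /32s."""
    hosts = (ipaddress.ip_network(str(ip)) for ip in ips)
    return [str(n) for n in ipaddress.collapse_addresses(hosts)]

def domain_ips_file(ips: Iterable[str], show_private: bool = False) -> List[str]:
    """Lines for domain_ips.txt: public blocks first, private blocks appended
    at the end only when --private is in effect."""
    public, private = split_private(ips)
    lines = noncontiguous_blocks(public)
    if show_private:
        lines += noncontiguous_blocks(private)
    return lines

if __name__ == "__main__":
    public, _ = split_private(SAMPLE_IPS)
    print("class C netranges:", *class_c_netranges(public), sep="\n  ")
    print("ip blocks:", *domain_ips_file(SAMPLE_IPS, show_private=True), sep="\n  ")
```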
Out of all nine of the functions dnsenum describes in its man page, only two are not functional at this time. It appears that dnsenum has held up fairly well over time, which is impressive considering it hasn't been updated in so long. One more switch that does not work at all times, but does work some of the time, is the --subfile switch, which writes located subdomains to the file named after the switch. I believe it either has something to do with the number of subdomains located or with the switch combinations used, so you might try a couple of different switch combinations if you need the --subfile functionality. Below we show our final example, which combines many of the above examples into one large domain recon command that could be useful when information gathering on a specific domain!
dnsenum – Multi Switch Use Example On Backtrack Linux:
- root@bt:/pentest/enumeration/dns/dnsenum# perl dnsenum.pl -f dns2.txt --dnsserver 8.8.8.8 --enum --private --subfile cnn-sub-domains.txt --noreverse cnn.com
- dnsenum.pl VERSION:1.2.2
- ----- cnn.com -----
- Host's addresses:
- __________________
- cnn.com 18 IN A 157.166.226.26
- cnn.com 18 IN A 157.166.255.18
- cnn.com 18 IN A 157.166.255.19
- cnn.com 18 IN A 157.166.226.25
- Name Servers:
- ______________
- ns1.p42.dynect.net 21359 IN A 208.78.70.42
- ns3.timewarner.net 8 IN A 199.7.68.238
- ns1.timewarner.net 238 IN A 204.74.108.238
- ns2.p42.dynect.net 6727 IN A 204.13.250.42
- Mail (MX) Servers:
- ___________________
- atlmail3.turner.com 257 IN A 157.166.174.56
- atlmail5.turner.com 257 IN A 157.166.165.14
- hkgmail1.turner.com 77 IN A 168.161.96.115
- lonmail1.turner.com 253 IN A 157.166.216.142
- nycmail1.turner.com 257 IN A 157.166.157.8
- nycmail2.turner.com 257 IN A 157.166.157.10
- Trying Zone Transfers and getting Bind Versions:
- _________________________________________________
- Trying Zone Transfer for cnn.com on ns1.timewarner.net ...
- AXFR record query failed: NOERROR
- ns1.timewarner.net Bind Version: UltraDNS Resolver
- Trying Zone Transfer for cnn.com on ns1.p42.dynect.net ...
- AXFR record query failed: NOERROR
- 9.6-ESV-R7-P3t.net Bind Version:
- Trying Zone Transfer for cnn.com on ns2.p42.dynect.net ...
- AXFR record query failed: NOERROR
- 9.6-ESV-R7-P3t.net Bind Version:
- Trying Zone Transfer for cnn.com on ns3.timewarner.net ...
- AXFR record query failed: no nameservers
- Unable to obtain Server Version for ns3.timewarner.net : no nameservers
- Scraping cnn.com subdomains from Google:
- _________________________________________
- ---- Google search page: 1 ----
- ---- Google search page: 2 ----
- ---- Google search page: 3 ----
- ....Results Cut To Shorten Output....
- ---- Google search page: 17 ----
- ---- Google search page: 18 ----
- ---- Google search page: 19 ----
- ---- Google search page: 20 ----
- Google Results:
- ________________
- perhaps Google is blocking our queries.
- Check manually.
- Brute forcing with dns2.txt:
- _____________________________
- access.cnn.com 1177 IN A 64.20.247.69
- ads.cnn.com 249 IN A 157.166.255.218
- www.cnn.com 3122 IN CNAME
- www.cnn.com.vgtf.net 14 IN CNAME
- cnn-56m.gslb.vgtf.net 164 IN A 157.166.248.10
- cnn-56m.gslb.vgtf.net 164 IN A 157.166.249.10
- cnn-56m.gslb.vgtf.net 164 IN A 157.166.248.11
- cnn-56m.gslb.vgtf.net 164 IN A 157.166.249.11
- search.cnn.com 1858 IN CNAME
- search3.turner.com 1858 IN A 157.166.253.205
- search3.turner.com 1858 IN A 157.166.246.202
- phone.cnn.com 1227 IN CNAME
- rss.cnn.com 2048 IN CNAME
- cnn.feedproxy.ghs.google.com 300 IN CNAME
- ghs.l.google.com 300 IN A 74.125.142.121
- www.cnn.com 1227 IN CNAME
- www.cnn.com.vgtf.net 150 IN CNAME
- cnn-lax-tmp.gslb.vgtf.net 30 IN A 157.166.240.13
- election.cnn.com 1789 IN CNAME
- reflector2.turner.com 1789 IN A 157.166.246.219
- channel.cnn.com 1187 IN A 207.25.71.117
- trends.cnn.com 3588 IN CNAME
- trends.cnn.com.vgtf.net 18 IN A 157.166.246.141
- trends.cnn.com.vgtf.net 18 IN A 157.166.246.145
- xml.cnn.com 1249 IN CNAME
- robots.cnn.com 1249 IN A 157.166.226.185
- robots.cnn.com 1249 IN A 157.166.224.185
- robots.cnn.com 3600 IN A 157.166.224.185
- robots.cnn.com 3600 IN A 157.166.226.185
- Launching Whois Queries:
- _________________________
- whois ip result: 157.166.224.0 -> 157.166.0.0/16
- whois ip result: 64.20.247.0 -> 64.20.224.0/19
- whois ip result: 207.25.71.0 -> 207.25.71.0/24
- cnn.com_______
- 157.166.0.0/16
- 207.25.71.0/24
- 64.20.224.0/19
- cnn.com ip blocks:
- ___________________
- 64.20.247.69/32
- 157.166.224.185/32
- 157.166.226.25/32
- 157.166.226.26/32
- 157.166.226.185/32
- 157.166.255.18/31
- 157.166.255.218/32
- 207.25.71.117/32
- done.
- root@bt:/pentest/enumeration/dns/dnsenum#
There you have it… dnsenum examples and information regarding its current status in Backtrack Linux version 5 release 3. If anyone has any additions in terms of functionality either email me or note in the comments below!