dnsenum - Backtrack 5 - Information Gathering - Network Analysis - DNS Analysis - dnsenum

The dnsenum.pl Perl script as described in its Perl documentation is a multithreaded script to enumerate information on a domain and to discover non-contiguous IP blocks. So the gist of dnsenum is to gather information about a specific domain using various sources. Information gathered about a domain includes sub domains, associated IP ranges, name servers, mx records, reverse DNS records, hostname IP addresses, and potential vulnerabilities via zone transfers. Below we go into detail regarding the switches available with dnsenum as well as what the command returns by default without and CLI switches.

dnsenum – DNS & IP Block Enumeration On Backtrack Linux

Click on the dnsenum Perl Documentation link below to expand out the dnsenum docs.

dnsenum Perl Documentation

DNSENUM(1) User Contributed Perl Documentation DNSENUM(1)
NAME
dnsenum.pl: multithread script to enumerate information on a domain and to discover non-contiguous IP blocks.
VERSION
dnsenum.pl version 1.2.2
SYNOPSIS
dnsenum.pl [options]
DESCRIPTION
Supported operations: nslookup, zonetransfer, google scraping, domain brute force (support also recursion), whois ip and reverse lookups.
Operations:
¬∑ 1) Get the host's addresse (A record).
¬∑ 2) Get the nameservers (threaded).
¬∑ 3) Get the MX record (threaded).
¬∑ 4) Perform AXFR queries on nameservers (threaded).
¬∑ 5) Get extra names and subdomains via google scraping (google query = "allinurl: -www site:domain").
¬∑ 6) Brute force subdomains from file, can also perform recursion on subdomain that have NS records (all threaded).
¬∑ 7) Calculate Class C IP network ranges from the results and perform whois queries on them (threaded).
¬∑ 8) Perform reverse lookups on netranges (class C or/and whois netranges)(threaded).
¬∑ 9) Write to domain_ips.txt file non-contiguous ip-blocks results.
OPTIONS
The brute force -f switch is obligatory.
GENERAL OPTIONS:
--dnsserver Use this DNS server to perform all A, NS and MX queries,
the AXFR and PTR queries are sent to the domain's NS servers.
--enum Shortcut option equivalent to --threads 5 -s 20 -w.
-h, --help Print the help message.
--noreverse Skip the reverse lookup operations.
Reverse lookups can take long time on big netranges.
--private Show and save private ips at the end of the file domain_ips.txt.
--subfile Write all valid subdomains to this file.
Subdomains are taken from NS and MX records, zonetransfer,
google scraping, brute force and reverse lookup hostnames.
-t, --timeout The tcp and udp timeout values in seconds (default: 10s).
--threads The number of threads that will perform different queries.
-v, --verbose Be verbose (show all the progress and all the error messages).
Notes: neither the default domain nor the resolver search list are appended to domains that don't contain any dots.
GOOGLE SCRAPING OPTIONS:
This function will scrap subdomains from google search, using query: allinurl: -www site:domain.
-p, --pages The number of google search pages to process when scraping names,
the -s switch must be specified, (default: 20 pages).
-s, --scrap The maximum number of subdomains that will be scraped from google.
NOTES: Google can block our queries with the malware detection. Http proxy options for google scraping are automatically loaded from the environment if the vars http_proxy or
HTTP_PROXY are present. "http_proxy=http://127.0.0.1:8118/" or "HTTP_PROXY=http://127.0.0.1:8118/". On IO errors the mechanize browser object will automatically call die.
BRUTE FORCE OPTIONS:
-f, --file Read subdomains from this file to perform brute force.
-u, --update <a|g|r|z> Update the file specified with the -f switch with vaild subdomains.
-u a Update using all results.
-u g Update using only google scraping results.
-u r Update using only reverse lookup results.
-u z Update using only zonetransfer results.
-r, --recursion Recursion on subdomains, brute force all discovred subdomains
that have an NS record.
NOTES: To perform recursion first we must check previous subdomains results (zonetransfer, google scraping and brute force) for NS records after that we perform brute force on
valid subdomains that have NS records and so on. NS, MX and reverse lookup results are not concerned.
WHOIS IP OPTIONS:
Perform whois ip queries on c class netanges discovred from previous operations.
-d, --delay The maximum value of seconds to wait between whois queries,
the value is defined randomly, (default: 3s).
NOTES: whois servers will limit the number of connections.
-w, --whois Perform the whois queries on c class network ranges.
Warning: this can generate very large netranges and it
will take lot of time to performe reverse lookups.
NOTES: The whois query should recursively query the various whois providers untile it gets the more detailed information including either TechPhone or OrgTechPhone by default.
See: perldoc Net::Whois::IP. On errors the netrange will be a default c class /24.
REVERSE LOOKUP OPTIONS:
-e, --exclude Exclude PTR records that match the regexp expression from reverse
lookup results, useful on invalid hostnames.
NOTES: PTR records that not match the domain are also excluded. Verbose mode will show all results.
OUTPUT FILES
Final non-contiguous ip blocks are writen to domain_ips.txt file.
NOTES: Final non-contiguous ip blocks are calculated :
¬∑ 1) From reverse lookups that were performed on netranges ( c class network ranges or whois netranges ).
¬∑ 2) If the noreverse switch is used then they are calculated from previous operations results (nslookups, zonetransfers, google scraping and brute forcing).
README
dnsenum.pl: multithread script to enumerate information on a domain and to discover non-contiguous ip blocks.
PREREQUISITES
Modules that are included in perl 5.10.0:
Getopt::Long, IO::File, Thread::Queue.
Other Necessary modules:
Must have: Net::DNS, Net::IP, Net::Netmask.
Optional: Net::Whois::IP, HTML::Parser, WWW::Mechanize.
Perl ithreads modules (perl must be compiled with ithreads support):
threads, threads::shared.
AUTHORS
Filip Waeytens <filip.waeytens[at]gmail.com>
tix tixxDZ <tixxdz[at]gmail.com>
COPYRIGHT
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
SCRIPT CATEGORIES
Networking DNS
perl v5.10.1 2011-06-16 DNSENUM(1)

dnsenum Perl Script: Default Output Against cnn.com

root@bt:/pentest/enumeration/dns/dnsenum# perl dnsenum.pl cnn.com
dnsenum.pl VERSION:1.2.2
----- cnn.com -----
Host's addresses:
__________________
cnn.com 198 IN A 157.166.255.19
cnn.com 198 IN A 157.166.226.25
cnn.com 198 IN A 157.166.226.26
cnn.com 198 IN A 157.166.255.18
Name Servers:
______________
ns1.p42.dynect.net 159347 IN A 208.78.70.42
ns1.timewarner.net 169183 IN A 204.74.108.238
ns3.timewarner.net 169183 IN A 199.7.68.238
ns2.p42.dynect.net 169183 IN A 204.13.250.42
Mail (MX) Servers:
___________________
atlmail3.turner.com 40 IN A 157.166.174.56
atlmail5.turner.com 40 IN A 157.166.165.14
hkgmail1.turner.com 40 IN A 168.161.96.115
lonmail1.turner.com 107 IN A 157.166.216.142
nycmail1.turner.com 107 IN A 157.166.157.8
nycmail2.turner.com 107 IN A 157.166.157.10
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
Trying Zone Transfer for cnn.com on ns1.p42.dynect.net ...
AXFR record query failed: NOERROR
9.6-ESV-R7-P3t.net Bind Version:
Trying Zone Transfer for cnn.com on ns1.timewarner.net ...
AXFR record query failed: NOERROR
ns1.timewarner.net Bind Version: UltraDNS Resolver
Trying Zone Transfer for cnn.com on ns3.timewarner.net ...
AXFR record query failed: NOERROR
ns3.timewarner.net Bind Version: UltraDNS Resolver
Trying Zone Transfer for cnn.com on ns2.p42.dynect.net ...
AXFR record query failed: NOERROR
9.6-ESV-R7-P3t.net Bind Version:
Wildcards detected, all subdomains will point to the same IP address, bye.
root@bt:/pentest/enumeration/dns/dnsenum#

I think the output of dnsenum is pretty slick! You can quickly grab a bunch of info about a specific domain that provide a great starting point to begin for information gathering. It will be highly unlikely that you will have any success with AXFR record queries or zone transfers but it definitely doesn’t hurt anything to attempt these unless you are trying to be stealth. If you do come across a successful AXFR record query it will be a major finding as you could potentially obtain details about a domain that should not be public. With a successful zone transfer you will also potentially gain access to every DNS record associated to the domain.

Notice how in the documentation there are nine items that dnsenum notes it will provide. Unfortunately this is not entirely true on Backtrack Linux 5 as a couple of the outputs seems to be not working correctly. I hope to look at this in more detail in the future but for now we will note each of the nine items and provide examples where possible. I have cut only the output pertaining to the piece of data noted so for example when the default command is used by only specifying a domain and without any switches there is still a bunch of information output to the screen.

dnsenum Functionality And Output On Backtrack Linux 5 R3:

Output Data: Output Hostname – ONE

Status: Functional

Command Example/Necessary Switches: perl dnsenum.pl example.com

Hostname Example Output:

Host's addresses:
__________________
example.com 103059 IN A 192.0.43.10

Output Data: Output Name Servers – TWO

Status: Functional

Command Example/Necessary Switches: perl dnsenum.pl example.com

Name Servers Example Output:

Name Servers:
______________
a.iana-servers.net 1143 IN A 199.43.132.53
b.iana-servers.net 1143 IN A 199.43.133.53

Output Data: Output MX Records – THREE

Status: Functional

Command Example/Necessary Switches: perl dnsenum.pl SomeDomain.com

MX Records Example Output:

Mail (MX) Servers:
___________________
ASPMX.L.GOOGLE.com 9 IN A 74.125.142.27
ALT1.ASPMX.L.GOOGLE.com 84 IN A 173.194.74.26
ALT2.ASPMX.L.GOOGLE.com 147 IN A 74.125.131.27
ASPMX2.GOOGLEMAIL.com 282 IN A 173.194.74.26
ASPMX3.GOOGLEMAIL.com 286 IN A 74.125.131.26

Output Data: Zone/AXFR Queries To Name Servers – FOUR

Status: Functional

Command Example/Necessary Switches: perl dnsenum.pl SomeDomain.com

Zone Transfer/AFXR Query Example Output:

Trying Zone Transfer for example.com on a.iana-servers.net ...
AXFR record query failed: NOERROR
a.iana-servers.net Bind Version: )You shouldn't ask a lady about her age :)
Trying Zone Transfer for example.com on b.iana-servers.net ...
AXFR record query failed: NOERROR
b.iana-servers.net Bind Version: 9.8.3-vjs197.16-P3

Output Data: Scrape Sub Domains From Google – FIVE

Status: Not Functional

Command Example/Necessary Switches: perl dnsenum.pl -s 5 -p 5 SomeDomain.com

Google Sub Domain Scrape Example Output:

---- Google search page: 1 ----
---- Google search page: 2 ----
---- Google search page: 3 ----
---- Google search page: 4 ----
---- Google search page: 5 ----
Google Results:
________________
perhaps Google is blocking our queries.
Check manually.

Notes: Since this is not functional you can manually run the command in a Google search: “allinurl: -www site:DOMAIN-NAME-HERE”

Output Data: Bruteforce Sub Domains From File – SIX

Status: Functional

Command Example/Necessary Switches: perl dnsenum.pl -f somefile.txt –dnsserver 8.8.8.8 example.com

Bruteforced Sub Domains Example Output:

Brute forcing with subdomains.txt:
___________________________________
access.cnn.com 2066 IN A 64.20.247.69
ads.cnn.com 96 IN A 157.166.255.216
asia.cnn.com 300 IN CNAME
edition.cnn.com 3600 IN CNAME
www.edition.cnn.com 3600 IN CNAME
www.edition.cnn.com.vgtf.net 28 IN CNAME
cnnintl-56m.gslb.vgtf.net 156 IN A 157.166.249.13
cnnintl-56m.gslb.vgtf.net 156 IN A 157.166.248.13
avatar.cnn.com 3300 IN CNAME
ireport.com 3300 IN A 157.166.224.6
ireport.com 3300 IN A 157.166.255.213
ireport.com 3300 IN A 157.166.224.4
channel.cnn.com 2075 IN A 207.25.71.117
election.cnn.com 2675 IN CNAME
reflector2.turner.com 2675 IN A 157.166.246.219

Notes: We are using the Google public DNS server of 8.8.8.8 however you can replace this with any DNS server that you like. It may be beneficial to use the companies DNS server or a DNS server you have setup a specific way.

Output Data: Calculate Network Blocks – SEVEN

Status: Functional

Command Example/Necessary Switches: perl dnsenum.pl -f somefile.txt –dnsserver 8.8.8.8 example.com

Network Blocks Example Output:

question-defense.com class C netranges:
________________________________________
192.168.54.0/24
10.11.54.0/24

Notes: In the example we show RFC 1918 IP space or private IP’s however in real output you would only see public IP ranges unless you specified the –private switch and then the private networks would display at the bottom of the output file.

Output Data: Perform Reverse Lookups On IP Ranges – EIGHT

Status: Not Functional

Command Example/Necessary Switches: Default Command, No Switches Required

IP Range Reverse Lookup Results Example Output:

Performing reverse lookup on 512 ip addresses:
_______________________________________________
0 results out of 512 IP addresses.

Notes: If you want to run reverse lookups manually against the subnets you could use something like the following command.The below command was modified from a broken command found here. It is not perfect but provides a quick and dirty way to run reverse lookups on large IP subnets quickly.

root@bt:/pentest/enumeration/dns/dnsenum# nmap -R -sL 64.20.247.69/30 | awk '{if($6=="")print"("$5") no PTR";else print$6" is "$5}'
() no PTR
) is http://nmap.org
(64.20.247.68) is mail7.access.cnn.com
(64.20.247.69) is mail8.access.cnn.com
(64.20.247.70) is mail9.access.cnn.com
(64.20.247.71) is mail10.access.cnn.com
(0 is addresses
root@bt:/pentest/enumeration/dns/dnsenum#

Output Data: Output Non-Contiguous IP-Blocks Results To File – NINE

Status: Functional

Command Example/Necessary Switches: perl dnsenum.pl -f dns.txt –dnsserver 8.8.8.8 –noreverse cnn.com

Non-Contiguous IP-Block Example Output:

root@bt:/pentest/enumeration/dns/dnsenum# cat cnn.com_ips.txt
64.20.247.69/32
64.236.16.20/32
64.236.26.21/32
157.166.224.185/32
157.166.224.186/32
157.166.226.25/32
157.166.226.26/32
157.166.226.185/32
157.166.226.186/32
157.166.236.65/32
157.166.236.135/32
157.166.246.208/32
157.166.255.18/31
157.166.255.216/32
207.25.71.114/32
207.25.71.117/32
root@bt:/pentest/enumeration/dns/dnsenum#

Notes: Notice most of the above IP’s are not really subnets at all however I cut the results short to save output in the article. You will definitely run across larger networks when using dnsenum.

Out of all nine of the functions dnsenum describes in its man page there are only two that are not functional at this time. It appears that dnsenum has help up fairly well over time which is impressive considering it hasn’t been updated in so long. One more switch that appears to not be functional at all times but does work some of the time is the –subfile switch which writes located sub domains to a file by the name specified after the –subfile switch. I believe it either has something to do with the number od sub domains located or with the switch combinations used so you might try a couple different switch combinations if you need the –subfile switch functionality. Below we show our final example which combines a ton of the above examples into one large domain recon command that could be useful when information gathering on a specific domain!

dnsenum – Multi Switch Use Example On Backtrack Linux:

root@bt:/pentest/enumeration/dns/dnsenum# perl dnsenum.pl -f dns2.txt --dnsserver 8.8.8.8 --enum --private --subfile cnn-sub-domains.txt --noreverse cnn.com
dnsenum.pl VERSION:1.2.2
----- cnn.com -----
Host's addresses:
__________________
cnn.com 18 IN A 157.166.226.26
cnn.com 18 IN A 157.166.255.18
cnn.com 18 IN A 157.166.255.19
cnn.com 18 IN A 157.166.226.25
Name Servers:
______________
ns1.p42.dynect.net 21359 IN A 208.78.70.42
ns3.timewarner.net 8 IN A 199.7.68.238
ns1.timewarner.net 238 IN A 204.74.108.238
ns2.p42.dynect.net 6727 IN A 204.13.250.42
Mail (MX) Servers:
___________________
atlmail3.turner.com 257 IN A 157.166.174.56
atlmail5.turner.com 257 IN A 157.166.165.14
hkgmail1.turner.com 77 IN A 168.161.96.115
lonmail1.turner.com 253 IN A 157.166.216.142
nycmail1.turner.com 257 IN A 157.166.157.8
nycmail2.turner.com 257 IN A 157.166.157.10
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
Trying Zone Transfer for cnn.com on ns1.timewarner.net ...
AXFR record query failed: NOERROR
ns1.timewarner.net Bind Version: UltraDNS Resolver
Trying Zone Transfer for cnn.com on ns1.p42.dynect.net ...
AXFR record query failed: NOERROR
9.6-ESV-R7-P3t.net Bind Version:
Trying Zone Transfer for cnn.com on ns2.p42.dynect.net ...
AXFR record query failed: NOERROR
9.6-ESV-R7-P3t.net Bind Version:
Trying Zone Transfer for cnn.com on ns3.timewarner.net ...
AXFR record query failed: no nameservers
Unable to obtain Server Version for ns3.timewarner.net : no nameservers
Scraping cnn.com subdomains from Google:
_________________________________________
---- Google search page: 1 ----
---- Google search page: 2 ----
---- Google search page: 3 ----
....Results Cut To Shorten Output....
---- Google search page: 17 ----
---- Google search page: 18 ----
---- Google search page: 19 ----
---- Google search page: 20 ----
Google Results:
________________
perhaps Google is blocking our queries.
Check manually.
Brute forcing with dns2.txt:
_____________________________
access.cnn.com 1177 IN A 64.20.247.69
ads.cnn.com 249 IN A 157.166.255.218
www.cnn.com 3122 IN CNAME
www.cnn.com.vgtf.net 14 IN CNAME
cnn-56m.gslb.vgtf.net 164 IN A 157.166.248.10
cnn-56m.gslb.vgtf.net 164 IN A 157.166.249.10
cnn-56m.gslb.vgtf.net 164 IN A 157.166.248.11
cnn-56m.gslb.vgtf.net 164 IN A 157.166.249.11
search.cnn.com 1858 IN CNAME
search3.turner.com 1858 IN A 157.166.253.205
search3.turner.com 1858 IN A 157.166.246.202
phone.cnn.com 1227 IN CNAME
rss.cnn.com 2048 IN CNAME
cnn.feedproxy.ghs.google.com 300 IN CNAME
ghs.l.google.com 300 IN A 74.125.142.121
www.cnn.com 1227 IN CNAME
www.cnn.com.vgtf.net 150 IN CNAME
cnn-lax-tmp.gslb.vgtf.net 30 IN A 157.166.240.13
election.cnn.com 1789 IN CNAME
reflector2.turner.com 1789 IN A 157.166.246.219
channel.cnn.com 1187 IN A 207.25.71.117
trends.cnn.com 3588 IN CNAME
trends.cnn.com.vgtf.net 18 IN A 157.166.246.141
trends.cnn.com.vgtf.net 18 IN A 157.166.246.145
xml.cnn.com 1249 IN CNAME
robots.cnn.com 1249 IN A 157.166.226.185
robots.cnn.com 1249 IN A 157.166.224.185
robots.cnn.com 3600 IN A 157.166.224.185
robots.cnn.com 3600 IN A 157.166.226.185
Launching Whois Queries:
_________________________
whois ip result: 157.166.224.0 -> 157.166.0.0/16
whois ip result: 64.20.247.0 -> 64.20.224.0/19
whois ip result: 207.25.71.0 -> 207.25.71.0/24
cnn.com_______
157.166.0.0/16
207.25.71.0/24
64.20.224.0/19
cnn.com ip blocks:
___________________
64.20.247.69/32
157.166.224.185/32
157.166.226.25/32
157.166.226.26/32
157.166.226.185/32
157.166.255.18/31
157.166.255.218/32
207.25.71.117/32
done.
root@bt:/pentest/enumeration/dns/dnsenum#

There you have it… dnsenum examples and information regarding its current status in Backtrack Linux version 5 release 3. If anyone has any additions in terms of functionality either email me or note in the comments below!

Click here for more Backtrack Linux articles.

dnsenum – DNS & IP Block Enumeration On Backtrack Linux

dnsenum Perl Script: Default Output Against cnn.com