Using Backtrack 4: Information Gathering: Route: DMitry



DMitry, the Deep Magic Information Gathering Tool (with the mysterious acronym), performs a whole stack of tests that you could do yourself, but might prefer to automate. Given an IP address it can do an Internet Number whois; given a hostname or domain name it can do a whois. Add a query, a search-engine powered subdomain search, an email address search and a basic port scan, and you can perform deep research with a one-line command.

Note that this comes at a cost in processor time. DMitry can provoke a segmentation fault, among other issues. Thus it might be handy to run on someone else’s machine, somewhere, somehow, out in cyberspace.

Output can be saved to a file, which makes this a handy tool to fire off and come back to later.


Information Gathering

Man Page:

There is a very nice man page with examples at


Using Backtrack 4: Information Gathering: Route: 0trace

Information Gathering: Route: 0trace

Opening Instructions:

Usage: /usr/local/sbin/ iface target_ip [ target_port ]


This tool is designed to circumvent routers that block regular ICMP packets (pings and traceroutes, among others) by enumerating hosts (servers and routers). When you can’t use traceroute because ICMP is blocked, you can get similar functionality with 0trace, with the one “gotcha” that you’ve got to establish a TCP session with your target. In practice this isn’t that hard, depending on the type of target: just visit the site, or try to login to the server, or use your imagination.


Information Gathering

Home Page:
If you’re interested in this website, you definitely want to visit

More Information:

Stuxnet infects Iranian power system; FBI wants keys to everyone’s encryption

Ron T. writes me:

You probably caught this little tidbit, but it was interesting.

and this one as well…

Yes, I saw the Stuxnet news, and my surprise is (surprise!) microscopic. The topic I find really interesting: Hmm, just exactly who would have the expertise and resources to worm into the Iranian power grid?

On a completely different topic, the FBI wants to implement encryption key hostage, um, I mean key escrow – on everybody:

Sure is surprising how deep the tentacles reach, isn’t it? Maybe it’s not such a different topic after all.

Using Backtrack 4: Information Gathering: DNS: lbd


Opening Instructions:

lbd – load balancing detector 0.1 – Checks if a given domain uses load-balancing.
Written by Stefan Behte (
Proof-of-concept! Might give false positives.
usage: ./ [domain]


Determining if a domain uses a load-balancing scheme. Knowing this might suggest an exploit against, for instance, Apache’s load-balancing and sticky-session operations, or a head machine’s OS vulnerabilities.
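The three signals a load-balancing detector of this kind relies on (several A records for one name, differing Server banners, and Date headers that run backwards between successive responses), as an added example that is not lbd’s own code. The DNS answers and HTTP headers are constructed samples, and the Date check carries a tolerance because clock skew is the check most prone to the false positives the banner warns about.

```python
from email.utils import parsedate_to_datetime

def dns_balanced(a_records):
    """Several distinct A records for one name suggest DNS round-robin."""
    return len(set(a_records)) > 1

def server_header_balanced(responses):
    """Different Server banners from one hostname point to different back ends."""
    return len({r.get("Server") for r in responses}) > 1

def date_header_balanced(responses, tolerance_s=2):
    """A Date header that moves backwards (by more than the tolerance) between
    successive responses means the answers come from machines with different
    clocks, i.e. more than one back end. Small jitter is ignored."""
    dates = [parsedate_to_datetime(r["Date"]) for r in responses if "Date" in r]
    return any((prev - cur).total_seconds() > tolerance_s
               for prev, cur in zip(dates, dates[1:]))

def load_balancing_report(a_records, responses):
    """Combine the three checks into one report; each key is an indicator, not proof."""
    return {
        "dns": dns_balanced(a_records),
        "http_server": server_header_balanced(responses),
        "http_date": date_header_balanced(responses),
    }

# Constructed sample (not real data): one name resolving to two addresses, and
# three responses in receipt order, the last from a back end with a lagging clock.
SAMPLE_A_RECORDS = ["198.51.100.10", "198.51.100.11", "198.51.100.10"]
SAMPLE_RESPONSES = [
    {"Server": "Apache/2.2.14", "Date": "Sun, 26 Sep 2010 10:00:00 GMT"},
    {"Server": "Apache/2.2.14", "Date": "Sun, 26 Sep 2010 10:00:01 GMT"},
    {"Server": "Apache/2.2.9",  "Date": "Sun, 26 Sep 2010 09:59:30 GMT"},
]

if __name__ == "__main__":
    print(load_balancing_report(SAMPLE_A_RECORDS, SAMPLE_RESPONSES))
```

Run against your own site’s answers and headers, the report shows exactly which of these signals a scanner would pick up, so a differing Server banner or an unsynchronised back-end clock can be fixed before it is noticed from outside.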


Information Gathering

Using BackTrack 4: Information Gathering: DNS: Fierce


Opening Instructions:

Usage: perl [-dns] [OPTIONS]

Fierce is a semi-lightweight scanner that helps locate non-contiguous
IP space and hostnames against specified domains.  It’s really meant
as a pre-cursor to nmap, unicornscan, nessus, nikto, etc, since all
of those require that you already know what IP space you are looking
for.  This does not perform exploitation and does not scan the whole
internet indiscriminately.  It is meant specifically to locate likely
targets both inside and outside a corporate network.  Because it uses
DNS primarily you will often find mis-configured networks that leak
internal address space. That’s especially useful in targeted malware.

-connect        Attempt to make http connections to any non RFC1918
(public) addresses.  This will output the return headers but
be warned, this could take a long time against a company with
many targets, depending on network/machine lag.  I wouldn’t
recommend doing this unless it’s a small company or you have a
lot of free time on your hands (could take hours-days).
Inside the file specified the text “Host:\n” will be replaced
by the host specified. Usage:

perl -dns -connect headers.txt

-delay          The number of seconds to wait between lookups.
-dns            The domain you would like scanned.
-dnsfile        Use DNS servers provided by a file (one per line) for
reverse lookups (brute force).
-dnsserver      Use a particular DNS server for reverse lookups
(probably should be the DNS server of the target).  Fierce
uses your DNS server for the initial SOA query and then uses
the target’s DNS server for all additional queries by default.
-file           A file you would like to output to be logged to.
-fulloutput     When combined with -connect this will output everything
the webserver sends back, not just the HTTP headers.
-help           This screen.
-nopattern      Don’t use a search pattern when looking for nearby
hosts.  Instead dump everything.  This is really noisy but
is useful for finding other domains that spammers might be
using.  It will also give you lots of false positives,
especially on large domains.
-range          Scan an internal IP range (must be combined with
-dnsserver).  Note, that this does not support a pattern
and will simply output anything it finds.  Usage:

perl -range 111.222.333.0-255 -dnsserver

-search         Search list.  When fierce attempts to traverse up and
down ipspace it may encounter other servers within other
domains that may belong to the same company.  If you supply a
comma delimited list to fierce it will report anything found.
This is especially useful if the corporate servers are named
different from the public facing website.  Usage:

perl -dns -search corpcompany,blahcompany

Note that using search could also greatly expand the number of
hosts found, as it will continue to traverse once it locates
servers that you specified in your search list.  The more the
-stop           Stop scan if Zone Transfer works.
-suppress       Suppress all TTY output (when combined with -file).
-tcptimeout     Specify a different timeout (default 10 seconds).  You
may want to increase this if the DNS server you are querying
is slow or has a lot of network lag.
-threads  Specify how many threads to use while scanning (default
is single threaded).
-traverse       Specify a number of IPs above and below whatever IP you
have found to look for nearby IPs.  Default is 5 above and
below.  Traverse will not move into other C blocks.
-version        Output the version number.
-wide           Scan the entire class C after finding any matching
hostnames in that class C.  This generates a lot more traffic
but can uncover a lot more information.
-wordlist       Use a seperate wordlist (one word per line).  Usage:

perl -dns -wordlist dictionary.txt


Finding IP ranges preliminary to using mapping tools like Nessus, which need to know an IP target. Fierce is particularly effective at discovering non-contiguous IP ranges, which are common in internal networks.


Information Gathering

Home Page and Tutorial:

Using BackTrack 4: Information Gathering: DNS: dnsrecon


Opening Instructions:

This is a simple tool written for target enumeration during authorized penetration test
engagements. This tool provides different methods for enumerating targets through DNS service.
ruby dnsrecon.rb <type> <arguments> <Optional:nameserver to use>

*** Reverse Lookup for Range ***
ruby dnsrecon.rb -r <start ip> <end ip> <Optional:nameserver to use>

*** Top Level Domain Expansion ***
ruby dnsrecon.rb -tld <target domain> <Optional:nameserver to use>

*** DNS Host and Domain Bruteforce ***
ruby dnsrecon.rb -b <target domain> <file> <Optional:nameserver to use>

*** General DNS Query for NS, SOA and MX Records ***
ruby dnsrecon.rb -s <target domain> <Optional:nameserver to use>

*** Execute Zone transfer on each NS server reported ***
ruby dnsrecon.rb -axfr <target domain> <Optional:nameserver to use>

*** Enumerates most common SRV Records for a given domain ***
ruby dnsrecon.rb -srv <target domain> <Optional:nameserver to use>



Requesting zone transfers; finding undocumented subdomains; doing reverse lookup using IP ranges to find any domain or particular domains.


Information Gathering


Using BackTrack 4: Information Gathering: DNS

Information Gathering: The DNS Menu

Why do I want DNS information?

  1. Denial of Service: find your target’s DNS server and bring it down, or corrupt DNS records to make a site unavailable.
  2. Service Enumeration: find your target’s web, database, email etc. servers so you can target *them*.
  3. Find Internal DNS Information: explore organizations’ internal network using non-public DNS records.
  4. Document Subdomains: discover useful or hidden subdomains of your target domain.
  5. Explore Internal IP Ranges: enumerate Class B or C non-routable IP subnets for interesting hosts and services.
  6. Find Embedded Devices: for instance, ferret out any available IP cameras. Useful, no?

How can I get it?

The classic method is requesting a zone transfer. Research this term if you’re not familiar with it.

Most DNS servers will not give you a zone transfer any more. But you should check as part of due diligence.
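The due-diligence check itself, as an added example that is not part of the original post: it builds an AXFR request in DNS wire format, sends it over TCP (zone transfers are TCP-only) to one of your own zone’s nameservers, and reads the first reply message, which is enough to tell a refusal from a server that hands the zone out. Standard library only; the nameserver address and domain in the main block are placeholders.

```python
import socket
import struct

AXFR_QTYPE = 252                       # QTYPE for a full zone transfer
RCODE_NAMES = {0: "NOERROR", 5: "REFUSED", 9: "NOTAUTH"}

def build_axfr_query(domain, txid=0x1234):
    """Build an AXFR query: 12-byte header, QNAME as length-prefixed labels,
    then QTYPE=AXFR and QCLASS=IN (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags 0: plain query
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in domain.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", AXFR_QTYPE, 1)

def classify_response(msg):
    """Interpret the first DNS message of the reply. A server that permits
    transfers answers NOERROR with records (starting with the SOA) in the
    answer section; a properly restricted one answers REFUSED or NOTAUTH."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0xF
    if rcode != 0:
        return "transfer denied (%s)" % RCODE_NAMES.get(rcode, "rcode %d" % rcode)
    if an > 0:
        return "TRANSFER ALLOWED: %d records in first message" % an
    return "no records returned"

def recv_exact(sock, n):
    """Read exactly n bytes; TCP may deliver the message in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def check_axfr(nameserver, domain, timeout=5.0):
    """Send the query over TCP with the 2-byte length prefix and classify the reply."""
    query = build_axfr_query(domain)
    with socket.create_connection((nameserver, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        length = struct.unpack("!H", recv_exact(sock, 2))[0]
        return classify_response(recv_exact(sock, length))

if __name__ == "__main__":
    # Placeholders: use an address of your own zone's NS records and your domain.
    print(check_axfr("192.0.2.53", "example.com"))
```

Run it against each NS listed for the zone, since a secondary is often the one left open after the primary has been locked down.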

What information can I get from DNS records?

Those A and PTR and MX records are indeed quite informative. One might corrupt an address record, penetrate a mail server, or exploit a malformed pointer, for instance.

(In)Security in Practice: What the New School Is Likely to Look Like

In my last post I discussed what I called an “old school” security tool, WinArpAttacker. It’s a nifty MAC-layer tool for enumerating hosts, performing man-in-the-middle attacks, spoofing MAC or IP addresses – or detecting these exploits. But this is network security at the level of the oil-change mechanic. This kind of tool is still necessary, the way a ruler is still a useful tool.

What is “New School” security likely to look like? Consider what you know about security already: What single thing gives you the biggest boost in security? User education. What single element is the biggest barrier to effective security practices? Reluctant users. So what’s wrong with this model? Everyone’s motivations are pointing in different directions, leaving organizations vulnerable to simple manipulation of human nature.

Yes, you read that right. Human nature. Follow me out of the woods here.

You need to become (highly) aware of an organization called ISECOM ( It manages, among other things, the ongoing development of the Open Source Security Testing Methodology Manual. Essentially this is the brainchild of Pete Herzog, who is an internationally famous security researcher and teacher. What’s fascinating is that his education is in psychology. It seems like every psychology student, teacher or researcher I’ve met has been an exceptional infosec practitioner, and Pete’s the shiniest example.

There is a very nicely written Introduction to the OSSTMM Version 3 (recently released) at (with kudos to Michael Menefee). Sit down and spend some time studying this article. Consider some of these concepts: Trust Analysis. Defense in Width. Critical Security Thinking.

This is a whole different world, mates. This is a model that accounts for the charmer who suckers the front desk clerk out of a telephone list, for instance, as well as the botnet worm. Give it some thought, and if it strikes some sparks, drop me a line.

(In)Security Tool: WinArpAttacker

My security students often are a little mystified about the true nature of security as a practice. Here’s a good example of “old school” security: what I’ll label a “LAN tool,” WinArpAttacker. There’s a review at (, with points for completeness but marked with some language problems.

I call this a LAN tool because it works in an Ethernet environment. It’s MAC-address-centric, which is to say this isn’t an Internet tool per se. (Remember, Network students, that Layer 2 can just as easily be ATM over SONET, Frame Relay over T1, DOCSIS over cable, or heck, PPP over dial-up.)

But if you want to enumerate hosts on a LAN, this thing is a ninja sword. And remember all that discussion of man-in-the-middle attacks? This is the tool for the job. Want to knock a host off the net? ARP spoofing or a deliberate IP address conflict will keep your target wailing for tech support.

So why do we care? We’re the good guys, right?

Because WinArpAttacker also serves to detect its own attacks, and similar attacks from other vectors. It provides the detection that lets you log, or launch appropriate countermeasures. Which will be discussed elsewhere….

Using Backtrack 4: Information Gathering: DNS: dnsmap-bulk



This script lets you do “bulk” mapping of multiple domains using dnsmap.


Mapping domains and subdomains, finding remote access or unpatched servers, and finding embedded devices like IP cameras.


Information Gathering

Opening Instructions:

usage: <domains-file> [results-path]
e.g.: domains.txt domains.txt /tmp/