Posted on by Glenn

Using Backtrack 4: Information Gathering: DNS: dnsenum

dnsenum

Description:

The purpose of Dnsenum is to gather information about a domain. The program currently performs the following operations:

1) Get the host’s address (A record).
2) Get the domain’s nameservers.
3) Get MX (mail) records.
4) Perform axfr queries on nameservers.
5) Get extra names and subdomains via google scraping (google query = “allinurl: -www site:domain”).
6) Brute force subdomains, and perform recursion on subdomains that have NS records.
7) Calculate C class domain network ranges and perform whois queries on them.
8) Perform reverse lookups on netranges ( C class or/and whois netranges).
9) Record used and unused IP blocks to file.

(from http://www.question-defense.com/2010/05/22/backtrack-4-information-gathering-dns-dnsenum-enumerate-information-on-a-domain-and-discover-non-contiguous-ip-blocks)

Purpose:

To get DNS information about a domain, find any subdomains and map them, then map any connected Class C network for used and unused IP addresses.

Stage:

Information Gathering

Tutorial:

http://www.question-defense.com/2010/05/22/backtrack-4-information-gathering-dns-dnsenum-enumerate-information-on-a-domain-and-discover-non-contiguous-ip-blocks

Example:

./dnsenum.pl cnn.co

Opening Instructions:

Usage: dnsenum.pl [Options] <domain>
[Options]:
Note: the brute force -f switch must be specified to be able to continue
the process execution.
GENERAL OPTIONS:
–dnsserver   <server>
Use this DNS server for A, NS and MX queries.
–enum                Shortcut option equivalent to –threads 5 -s 20 -w.
-h, –help            Print this help message.
–noreverse           Skip the reverse lookup operations.
–private             Show and save private ips at the end of the file
domain_ips.txt.
–subfile <file>      Write all valid subdomains to this file.
-t, –timeout <value> The tcp and udp timeout values in seconds
(default: 10s).
–threads <value>     The number of threads that will perform different
queries.
-v, –verbose         Be verbose: show all the progress and all the error
messages.
GOOGLE SCRAPING OPTIONS:
-p, –pages <value>   The number of google search pages to process when
scraping names, the default is 20 pages,
the -s switch must be specified.
-s, –scrap <value>   The maximum number of subdomains that will be scraped
from google.
BRUTE FORCE OPTIONS:
-f, –file <file>     Read subdomains from this file to perform brute force.
-u, –update  <a|g|r|z>
Update the file specified with the -f switch with
vaild subdomains.
a (all)         Update using all results.
g               Update using only google scraping results.
r               Update using only reverse lookup results.
z               Update using only zonetransfer results.
-r, –recursion       Recursion on subdomains, brute force all discovred
subdomains that have an NS record.
WHOIS NETRANGE OPTIONS:
-d, –delay <value>   The maximum value of seconds to wait between whois
queries, the value is defined randomly, default: 3s.
-w, –whois           Perform the whois queries on c class network ranges.
**Warning**: this can generate very large netranges
and it will take lot of time to performe reverse
lookups.
REVERSE LOOKUP OPTIONS:
-e, –exclude <regexp>
Exclude PTR records that match the regexp expression
from reverse lookup results, useful on invalid
hostnames.