dnsmap
Description (from the README):
“FUN THINGS THAT CAN HAPPEN
1. Finding interesting remote access servers (i.e.: https://extranet.targetdomain.com)
2. Finding badly configured and/or unpatched servers (i.e.: test.targetdomain.com)
3. Finding new domain names which will allow you to map non-obvious/hard-to-find netblocks
of your target organization (registry lookups – aka whois is your friend)
4. Sometimes you find that some bruteforced subdomains resolve to internal IP addresses
(RFC 1918). This is great as sometimes they are real up-to-date “A” records which means that
it *is* possible to enumerate internal servers of a target organization from the Internet
by only using standard DNS resolving (as opposed to zone transfers for instance).”
(and from QuestionDefense.com:)
“5. Discover embedded devices configured using Dynamic DNS services (e.g.: linksys-cam.com).
This method is an alternative to finding devices via Google hacking techniques.
Bruteforcing can be done either with dnsmap’s built-in wordlist or a user-supplied wordlist. Results can be saved in CSV and human-readable format for further processing. dnsmap does NOT require root privileges to be run.”
Purpose:
Finding remote access servers, unpatched servers, and embedded devices such as IP cameras; and mapping subdomains, especially those that are not advertised on public DNS and only turn up by resolving guessed names.
Stage:
Information Gathering
Tutorial:
Example (from the README):
Example of subdomain bruteforcing using dnsmap’s built-in word-list:
$ ./dnsmap targetdomain.foo
Example of subdomain bruteforcing using a user-supplied wordlist:
$ ./dnsmap targetdomain.foo -w wordlist.txt
Example of subdomain bruteforcing using the built-in wordlist and saving the results to /tmp/ :
$ ./dnsmap targetdomain.foo -r /tmp/
Since no filename was provided in the previous example, but rather only a path, dnsmap would create a unique filename which includes the current timestamp. E.g.: /tmp/dnsmap_targetdomain_foo_2009_12_15_234953.txt
Example of subdomain bruteforcing using the built-in wordlist, saving the results to /tmp/, and waiting a random maximum of 3 milliseconds between each request:
$ ./dnsmap targetdomain.foo -r /tmp/ -d 3
It is recommended to use the -d (delay in milliseconds) option in cases where dnsmap is interfering with your online experience. i.e.: killing your bandwidth
For bruteforcing a list of target domains in a bulk fashion use the bash script provided. e.g.:
$ ./dnsmap-bulk.sh domains.txt /tmp/results/
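A defender-side companion to the enumeration above, added here as an example and not taken from dnsmap or its README: it flags resolved names that point into RFC 1918 space (point 4 of the description, internal hosts reachable through public DNS) and counts NXDOMAIN answers per client in an authoritative-server log, which is what a wordlist run looks like from the zone owner's side. The record list, the log layout and all hostnames are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample of (hostname, address) answers, as a subdomain
# bruteforce run would collect them; the names are hypothetical.
SAMPLE_RECORDS = [
    ("www.example.test", "203.0.113.10"),
    ("extranet.example.test", "203.0.113.20"),
    ("test.example.test", "10.20.30.40"),       # internal address leaked publicly
    ("build.example.test", "192.168.1.5"),      # internal address leaked publicly
    ("vpn.example.test", "198.51.100.7"),
]

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def rfc1918_leaks(records):
    """Return the (hostname, address) pairs whose A record points into
    RFC 1918 space, i.e. internal hosts enumerable from the Internet."""
    leaks = []
    for host, addr in records:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in PRIVATE_NETS):
            leaks.append((host, addr))
    return leaks


# Constructed authoritative-server log excerpt in a simplified
# "<client> <qname> <rcode>" layout (not any real server's format).
SAMPLE_LOG = """\
198.51.100.9 www.example.test NOERROR
198.51.100.9 admin.example.test NXDOMAIN
198.51.100.9 backup.example.test NXDOMAIN
198.51.100.9 dev.example.test NXDOMAIN
198.51.100.9 ftp.example.test NXDOMAIN
198.51.100.9 test.example.test NOERROR
203.0.113.77 www.example.test NOERROR
203.0.113.77 mail.example.test NXDOMAIN
"""


def nxdomain_bursts(log_text, threshold):
    """Count NXDOMAIN answers per client; a wordlist run against a zone
    produces mostly misses, so clients at or above threshold stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        client, _qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            counts[client] += 1
    return {c: n for c, n in counts.items() if n >= threshold}
```

Run the leak check against your own zone's resolved names before an assessor does, and tune the NXDOMAIN threshold to your zone's normal miss rate.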