Using Backtrack 4: Information Gathering: DNS: dnsmap

dnsmap

Description (from the README):

“FUN THINGS THAT CAN HAPPEN

1. Finding interesting remote access servers (i.e.: https://extranet.targetdomain.com)

2. Finding badly configured and/or unpatched servers (i.e.: test.targetdomain.com)

3. Finding new domain names which will allow you to map non-obvious/hard-to-find netblocks
of your target organization (registry lookups – aka whois is your friend)

4. Sometimes you find that some bruteforced subdomains resolve to internal IP addresses
(RFC 1918). This is great as sometimes they are real up-to-date “A” records which means that
it *is* possible to enumerate internal servers of a target organization from the Internet
by only using standard DNS resolving (as opposed to zone transfers for instance).”

(and from QuestionDefense.com:)

“5. Discover embedded devices configured using Dynamic DNS services (e.g.: linksys-cam.com).
This method is an alternative to finding devices via Google hacking techniques.

Bruteforcing can be done either with dnsmap’s built-in wordlist or a user-supplied wordlist. Results can be saved in CSV and human-readable format for further processing. dnsmap does NOT require root privileges to be run.”

Purpose:

Finding remote access servers, unpatched servers, and embedded devices like IP cameras; and mapping subdomains, especially those not shown on public DNS.

Stage:

Information Gathering

Tutorial:

http://www.question-defense.com/2010/05/24/backtrack-4-information-gathering-dns-dnsmap-subdomain-brute-forcing

Example (from the README):

Example of subdomain bruteforcing using dnsmap’s built-in word-list:

$ ./dnsmap targetdomain.foo

Example of subdomain bruteforcing using a user-supplied wordlist:

$ ./dnsmap targetdomain.foo -w wordlist.txt

Example of subdomain bruteforcing using the built-in wordlist and saving the results to /tmp/ :

$ ./dnsmap targetdomain.foo -r /tmp/

Since no filename was provided in the previous example, but rather only a path, dnsmap would create a unique filename which includes the current timestamp. E.g.: /tmp/dnsmap_targetdomain_foo_2009_12_15_234953.txt

Example of subdomain bruteforcing using the built-in wordlist, saving the results to /tmp/, and waiting a random maximum of 3 milliseconds between each request:

$ ./dnsmap targetdomain.foo -r /tmp/ -d 3

It is recommended to use the -d (delay in milliseconds) option in cases where dnsmap is interfering with your online experience. i.e.: killing your bandwidth

For bruteforcing a list of target domains in a bulk fashion use the bash script provided. e.g.:

$ ./dnsmap-bulk.sh domains.txt /tmp/results/
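Added defender-side example (not from the dnsmap README or the QuestionDefense tutorial): the wordlist brute forcing shown above leaves a burst of NXDOMAIN answers for one client in the authoritative server's query log, and item 4 of the README describes public “A” records that resolve into RFC 1918 space. The code below detects both over a constructed log sample; the log format, field order, thresholds and hostnames are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample of authoritative DNS query-log lines (not real data).
# Assumed format: "<client> <qname> <qtype> <rcode> <answer-or-dash>"
SAMPLE_LOG = """\
198.51.100.7 www.example.com A NOERROR 203.0.113.10
198.51.100.7 mail.example.com A NOERROR 203.0.113.25
198.51.100.7 extranet.example.com A NOERROR 203.0.113.40
198.51.100.7 test.example.com A NOERROR 10.0.5.12
198.51.100.7 dev.example.com A NXDOMAIN -
198.51.100.7 vpn.example.com A NXDOMAIN -
198.51.100.7 ftp.example.com A NXDOMAIN -
198.51.100.7 intranet.example.com A NXDOMAIN -
198.51.100.7 admin.example.com A NXDOMAIN -
192.0.2.33 www.example.com A NOERROR 203.0.113.10
192.0.2.33 shop.example.com A NXDOMAIN -
"""

# RFC 1918 private ranges, checked explicitly rather than via is_private,
# which in Python also covers documentation/TEST-NET ranges.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_log(text):
    rows = []
    for line in text.splitlines():
        client, qname, qtype, rcode, answer = line.split()
        rows.append({"client": client, "qname": qname, "qtype": qtype,
                     "rcode": rcode, "answer": None if answer == "-" else answer})
    return rows

def enumeration_suspects(rows, min_nxdomain=5, min_ratio=0.5):
    """Clients whose queries are mostly NXDOMAIN: the wordlist brute-force pattern.
    Thresholds are assumed; tune them to the zone's normal NXDOMAIN rate."""
    total, nx = Counter(), Counter()
    for r in rows:
        total[r["client"]] += 1
        if r["rcode"] == "NXDOMAIN":
            nx[r["client"]] += 1
    return sorted(c for c in total
                  if nx[c] >= min_nxdomain and nx[c] / total[c] >= min_ratio)

def leaked_internal_records(rows):
    """Public-zone A records answering with RFC 1918 addresses (README item 4)."""
    return sorted({(r["qname"], r["answer"]) for r in rows
                   if r["qtype"] == "A" and r["answer"]
                   and any(ipaddress.ip_address(r["answer"]) in n for n in RFC1918)})
```

Records returned by leaked_internal_records are candidates to move into an internal-only view of the zone, while a client flagged by enumeration_suspects can be rate-limited at the resolver or authoritative server.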