Thursday, 4 September 2014

Episode 5: DNSMAP & DNSRECON





Back|Track OS Tools Tutorials, Episode 5: DNSMAP & DNSRECON




I thought it would be tedious and a bit counterproductive if I made a post for every single tool here in this section, so I made two separate posts for the biggest ones, and if I encounter a bigger tool in this post I'll make sure I cover it all.
Now let's get down to business.




DNSMAP



dnsmap is a small tool for finding the subdomains associated with the domain you're enumerating by trying to "guess" their names (and by guess I mean brute-forcing them from a wordlist). It's small and simple and doesn't have many options.

Running the tool without arguments gives you the help page, which contains info about the options and what they do.



Let's do a quick review of the options and their functions and try a couple.


  • -w <wordlist> : Specifies the path to a custom wordlist of your choice (a great time saver if you already have some prospective subdomain names in mind that you want to check).
  • -r <resultsfile> : Exports the results to a plain .txt file at the path you give as <resultsfile>.
  • -c <csvresults> : Exports the results to a .csv file (Comma-Separated Values), which can later be passed to other programs.
  • -d <milliseconds> : Specifies the delay between requests in milliseconds (1000 ms = 1 second).
  • -i : Specifies one or more IP addresses to ignore during the process.


Now let's try to make it discover some of Marvel's subdomains (hope it's not illegal)* with a delay of 20 ms, outputting the results to a CSV file called Stark.csv.

As you can see, it did quite a good job there, disclosing some subdomains and even some internal private IP addresses (RFC1918).

It's a small tool for quick use, or for when you have a couple of subdomains in mind that you want to test for; beyond that you'd have to use a bigger, more capable tool.
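The internal addresses that showed up in the results above are the kind of thing worth pulling out of the results file automatically rather than by eye. The following Python example is added here (it is not part of dnsmap or of the original post): it reads a dnsmap -c results file, assumed for this example to contain one hostname,ip row per resolved name, separates RFC1918 addresses from public ones, and groups names that resolve to the same IP; the rows are constructed sample data.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample of a dnsmap -c results file. The "hostname,ip" row layout
# is an assumption for this example; compare it with a real file before use.
SAMPLE_CSV = """\
www.example.com,203.0.113.10
mail.example.com,203.0.113.25
intranet.example.com,10.1.4.20
vpn.example.com,192.168.50.3
dev.example.com,203.0.113.10
"""

# The RFC1918 private ranges the post refers to.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    """True if the address falls inside one of the RFC1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)

def parse_dnsmap_csv(text):
    """Return (hostname, ip) tuples, skipping blank or malformed rows."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2:
            continue
        host, ip = row[0].strip(), row[1].strip()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # second column is not an address; skip the row
        rows.append((host, ip))
    return rows

def triage(rows):
    """Separate internal from public results and group names sharing an IP."""
    private, public, by_ip = [], [], defaultdict(list)
    for host, ip in rows:
        (private if is_rfc1918(ip) else public).append((host, ip))
        by_ip[ip].append(host)
    shared = {ip: hosts for ip, hosts in by_ip.items() if len(hosts) > 1}
    return {"private": private, "public": public, "shared": shared}

if __name__ == "__main__":
    report = triage(parse_dnsmap_csv(SAMPLE_CSV))
    for host, ip in report["private"]:
        print(f"internal address exposed in public DNS: {host} -> {ip}")
```

Names under "private" are the ones to raise with whoever owns the zone, since an internal address in a public zone tells an outsider about the inside of the network.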






DNSRECON



Another tool for DNS enumeration is DNSRECON. DNSRECON is a Python script made for getting DNS data about a domain name, plus some other tricks like AXFR (zone transfers) and NS cache snooping, which is basically probing the DNS server to see whether it has any DNS entries in its cache, revealing where the DNS server's users have been going and the sites they've been visiting.
It's sort of like running the Windows command ipconfig /flushdns except it's on somebody else's computer, which in my opinion is a pretty cool trick that I haven't seen in any other tool till now.

Running the tool without arguments will (you guessed it!) give us the help page.
Here's a quick review of the most used options and their uses:


  • -d / --domain : The domain that you want to enumerate.
  • -c / --cidr : Takes an IP range in CIDR format*, which is reverse-resolved before the process continues normally.
  • -r / --range : Takes a range of IP addresses to perform reverse resolving and enumeration on.
  • -n / --nameserver : Sets the nameserver (NS) to use in the enumeration process. Better left alone, because if no value is given the tool refers to the domain's SOA*, unless of course it can't find any SOA records for the target.
  • -f / --output-file : Specifies a file to which the tool will write its findings.
  • -t / --type : Let's stop here for a second, because this option is (in my opinion) what makes this tool stand out.
    The --type option lets you specify which type of enumeration you want the tool to do for you; it's an option that has options.

    mdns: Starts enumeration of the local network addresses using MDNS*.

    std: Starts a standard enumeration process, which involves enumerating the general DNS record types (A, AAAA, MX, NS, SOA, etc.).

    rvl: Does a reverse lookup (IP to domain name) on a given IP address range in CIDR format.

    brt: Brute-forces the target for domain names and host names using a given wordlist (sort of like what dnsmap does).

    srv: Enumerates the target's SRV records* and checks whether they're available.

    axfr: Scans the nameservers for an AXFR (zone transfer) vulnerability.

    goo: Uses Google in the enumeration process by searching it for any of the subdomain names and hosts in the target's network.

    tld: Strips the domain name of its TLD (.com, .net, .org, etc.) and tests it against all the TLDs registered with IANA.

    snoop: Performs the cache snooping attack mentioned above on the selected domain(s); note that the domains must be supplied with the -D option.

  • -x / --axfr : Performs a zone transfer attack along with the normal enumeration.
  • -s / --do_spf : Does a reverse lookup on the IP addresses specified in the domain's SPF record, which is another nice trick. The SPF record lets domain owners list a set of IP addresses that are the ONLY ones authorized to send email on the organization's behalf. This is done in an attempt to minimize fraud in the name of the company/organization, so you can imagine what someone can do by having even the addresses of these authorized hosts.
  • -g / --google : Incorporates Google in the enumeration process.
  • -w / --do_whois : Does a "deep" WHOIS query on the target (and when the tool's developer said "deep" he meant really deep; trust me, I tried it).
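To see what the --do_spf option has to work with, here is an added Python example (my own, not dnsrecon's code) that parses an SPF TXT record into its ip4/ip6 networks, its include, a and mx mechanisms and the qualifier on the final all term, and checks whether a given sending address is covered by the explicitly listed networks. The record is a constructed sample and no DNS lookups are performed, so mechanisms that need resolution are only reported, not expanded.

```python
import ipaddress

# Constructed SPF TXT record for illustration; not any real organisation's record.
SAMPLE_SPF = ("v=spf1 ip4:203.0.113.0/28 ip4:198.51.100.7 ip6:2001:db8:10::/48 "
              "include:_spf.mailvendor.example mx a:relay.example.com -all")

def parse_spf(record):
    """Split an SPF v1 record into its mechanisms.

    Returns a dict with the explicit ip4/ip6 networks, the include targets,
    the a/mx mechanisms (which would need DNS to resolve) and the qualifier
    on the final 'all' term. Modifiers such as redirect= and exp= are ignored.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    out = {"networks": [], "includes": [], "lookups": [], "all": None}
    for term in terms[1:]:
        qualifier = "+"  # SPF default when no qualifier prefix is given
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # strict=False accepts host bits set, e.g. ip4:198.51.100.7 -> /32
            out["networks"].append(ipaddress.ip_network(value, strict=False))
        elif name == "include":
            out["includes"].append(value)
        elif name in ("a", "mx"):
            out["lookups"].append((name, value or None))
        elif name == "all":
            out["all"] = qualifier
    return out

def is_authorized(parsed, ip):
    """True if ip lies inside one of the record's explicit ip4/ip6 networks.

    Hosts reachable only through include/a/mx are not resolved here.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net
               for net in parsed["networks"])

if __name__ == "__main__":
    spf = parse_spf(SAMPLE_SPF)
    for net in spf["networks"]:
        print(f"authorized sender range: {net}")
    print("includes needing their own lookup:", spf["includes"])
```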



Whew! That's one hell of an options list! It's a big tool, but to be honest it's worth every second I spent learning all about it!


Now for the fun part: let's go try it on something.
Let's run it on some random website (which I hope isn't an illegal act) with these options set:
  --type std --do_whois --axfr


This is by far the best DNS reconnaissance tool I've used until now; the tool is very smart and interactive and will get you what you want to know, nothing more, nothing less.

As you can see, it first checked for AXFR on all the nameservers, succeeded, and printed the data it found. Then it tried to look for SRV records but couldn't find any, so it took it like a man and moved on. Then it ran the WHOIS query against the found records, but it encountered 3 ranges of IPs, so it actually stops in the middle, gives you a numbered list of the ranges it found and the organizations they belong to, and asks which range you would like to run the WHOIS on. I chose the 2nd one
and it started its journey (which resulted in the records at the bottom) after giving the estimated time till the end of the querying.

Again, until now I haven't seen such a powerful tool when it comes to DNS enumeration; DNSRECON is one of the tools worthy of the title "the DNS Swiss army knife".



___________________________________

*If it's illegal, you'll know by me not posting anymore, unless my cellmate is kind enough to lend me his laptop every once in a while.

*CIDR format: a way of representing an IP address together with its network mask, e.g. 192.168.0.1/24 corresponds to 192.168.0.1 with a netmask of 255.255.255.0.

*SOA (start of authority) records identify the servers that can provide an authoritative answer to DNS queries, unlike non-authoritative or cached answers, which in some cases can't be trusted.

*MDNS: a variant of the original DNS protocol that is used to resolve IP addresses to host names in small, local networks.

*SRV record: a DNS record that lists the services running on your servers and the servers running them. I'll leave how useful this can be if it's compromised to your imagination.





Next Episode: DNSTRACER 
