[index][raw][main]

[[email protected]put]$ man DNS_bruteforce

DNS_bruteforce(1)                           User Manuals                           DNS_bruteforce(1)

NAME
       DNS bruteforce
                                                                        Sun Apr 26 12:41:41 BST 2015

DESCRIPTION
       Just  a  few tools to run a dns brute force enumeration. Some tools like Fierece or Dnsmap do
       handle wildcard DNS correctly.

       Fierce

       $ fierce -dns test.com -wordlist /usr/share/fierce/hosts.txt
       DNS Servers for test.com:
         ns66.worldnic.com
         ns65.worldnic.com

       Trying zone transfer first...
         Testing ns66.worldnic.com
           Request timed out or transfer not allowed.
         Testing ns65.worldnic.com
           Request timed out or transfer not allowed.

       Unsuccessful in zone transfer (it was worth a shot)
       Okay, trying the good old fashioned way... brute force

       Checking for wildcard DNS...
         ** Found 94496356619.test.com at 192.99.166.230.
         ** High probability of wildcard DNS.
       Now performing 2280 test(s)...
       208.112.2.147 mail.test.com
       76.12.20.251  secure.test.com
       66.241.194.12 ws10.test.com
       66.241.194.13 ws11.test.com

       Subnets found (may want to probe here using nmap or unicornscan):
         208.112.2.0-255 : 1 hostnames found.
         66.241.194.0-255 : 2 hostnames found.
         76.12.20.0-255 : 1 hostnames found.

       Done with Fierce scan: http://ha.ckers.org/fierce/
       Found 4 entries.

       Have a nice day.

       Recon-ng

       $ recon-ng -w example.com

       [recon-ng][example.com] > add domains example.com
       [recon-ng][example.com] > use recon/domains-hosts/brute_hosts
       [recon-ng][example.com][brute_hosts] > run
       -----------
       EXAMPLE.COM
       -----------
       [*] No Wildcard DNS entry found.
       [*] 0.example.com => No record found.
       [*] 01.example.com => No record found.
       -------
       SUMMARY
       -------
       [*] 1 total (1 new) hosts found.
       [recon-ng][test.com][brute_hosts] > show hosts

         +----------------------------------------------------------------------------------------------+
         | rowid |       host      | ip_address | region | country | latitude | longitude |    module   |
         +----------------------------------------------------------------------------------------------+
         | 1     | www.example.com |            |        |         |          |           | brute_hosts |
         +----------------------------------------------------------------------------------------------+

       [*] 1 rows returned

       Metasploit

       $ msfconsole
       msf> use auxiliary/gather/enum_dns
       msf auxiliary(enum_dns) > set domain test.org
       domain => test.org

       msf auxiliary(enum_dns) > run

       [*] This domain has wildcards enabled!!
       [*] Wildcard IP for 2565.test.org is: 217.145.99.169
       [*] Setting DNS Server to test.org NS: 217.145.97.43
       [*] Retrieving general DNS records
       [*] Domain: test.org IP address: 217.145.96.131 Record: A
       [*] Start of Authority: ns0.tmt.de. IP address: 217.145.97.43 Record: SOA
       [*] Name Server: ns1.tmt.de. IP address: 217.145.96.133 Record: NS
       [*] Name Server: ns3.tmt.de. IP address: 217.145.98.42 Record: NS
       [*] Name Server: ns0.tmt.de. IP address: 217.145.97.43 Record: NS
       [*] Name Server: ns4.tmt.de. IP address: 217.145.99.3 Record: NS
       [*] Name Server: ns2.tmt.de. IP address: 217.145.98.52 Record: NS
       [*] Name: git.tmt.de. Preference: 5 Record: MX
       [*] Name: ubique.maisel.de. Preference: 10 Record: MX
       [*] Running bruteforce against domain test.org
       [*] Hostname: 01.test.org IP address: 217.145.99.169
       [*] Hostname: 02.test.org IP address: 217.145.99.169
       [*] Hostname: 03.test.org IP address: 217.145.99.169

       Dnsmap

       $ dnsmap test.com
       dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)

       [+] warning: domain might use wildcards. 192.99.166.230 will be ignored from results
       [+] searching (sub)domains for test.com using built-in wordlist
       [+] using maximum random delay of 10 millisecond(s) between requests

       mail.test.com
       IP address #1: 208.112.2.147

Linux                                        April 2015                            DNS_bruteforce(1)


[[email protected]]$ ∎