[noise@unvalidatedinput]$ man DNS_bruteforce
DNS_bruteforce(1) User Manuals DNS_bruteforce(1)
NAME
DNS bruteforce
Sun Apr 26 12:41:41 BST 2015
DESCRIPTION
Just a few tools to run a DNS brute force enumeration. Some tools, like Fierce or Dnsmap, handle wildcard DNS
correctly: they resolve a random label first and drop hits that only return the wildcard address. Others only
warn about it; the Metasploit enum_dns run below flags the wildcard and then still lists 01, 02, 03 ... all
pointing at the same wildcard IP.
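The following is an added example (not code from this page or from any of the tools listed here) of the wildcard handling described above: probe a few random labels, treat whatever they resolve to as the wildcard address set, then brute-force a wordlist and keep only hosts that return at least one non-wildcard IP. The resolver is injected so the logic runs offline against a constructed fake zone; the zone contents, the wildcard IP and the word list are assumptions built from the outputs shown on this page, and `system_resolver` is the drop-in for a real run.

```python
"""Wildcard-aware DNS brute force. Added example, not part of the original page."""
import random
import socket
import string
from typing import Callable, Dict, Iterable, List, Set

# A resolver maps a hostname to its A records; an empty list means NXDOMAIN / no answer.
Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Real resolver via the OS stub resolver (needs network; not used by the demo)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def random_label(length: int = 12) -> str:
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve several random labels under the domain. Whatever they return is a
    wildcard address; several probes catch round-robin wildcards with more than one IP."""
    wildcard: Set[str] = set()
    for _ in range(probes):
        wildcard.update(resolve(f"{random_label()}.{domain}"))
    return wildcard


def brute_force(domain: str, words: Iterable[str], resolve: Resolver,
                wildcard_ips: Set[str]) -> Dict[str, List[str]]:
    """Try each word as a label; keep hosts with at least one non-wildcard address.
    Caveat: a real host that legitimately shares the wildcard IP is hidden by this filter."""
    found: Dict[str, List[str]] = {}
    for word in words:
        host = f"{word.strip()}.{domain}"
        ips = [ip for ip in resolve(host) if ip not in wildcard_ips]
        if ips:
            found[host] = ips
    return found


# Constructed fake zone for the offline demo (assumption; values borrowed from the outputs on this page).
FAKE_ZONE = {
    "mail.test.com": ["208.112.2.147"],
    "secure.test.com": ["76.12.20.251"],
    "ws10.test.com": ["66.241.194.12"],
    "ws11.test.com": ["66.241.194.13"],
    "www.test.com": ["192.99.166.230"],  # sits on the wildcard address, so the filter hides it
}
FAKE_WILDCARD_IP = "192.99.166.230"


def fake_resolver(name: str) -> List[str]:
    """Constructed resolver: explicit records first, then *.test.com catches every other label."""
    if name in FAKE_ZONE:
        return list(FAKE_ZONE[name])
    if name.endswith(".test.com"):
        return [FAKE_WILDCARD_IP]
    return []


def run_demo(resolve: Resolver = fake_resolver) -> Dict[str, List[str]]:
    words = ["mail", "secure", "ws10", "ws11", "www", "01", "02", "03"]  # constructed word list
    wildcard = detect_wildcard("test.com", resolve)
    return brute_force("test.com", words, resolve, wildcard)


if __name__ == "__main__":
    for host, ips in run_demo().items():
        print(host, ", ".join(ips))
```

Without the wildcard set the same word list would report 01, 02 and 03 as live hosts, which is exactly what the unfiltered enum_dns output further down shows. Filtering per address rather than per host keeps a record that has both a real and a wildcard IP, but, as the www.test.com entry in the fake zone shows, anything that only has the wildcard address is lost; Dnsmap's "will be ignored from results" warning is the same trade-off.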
Fierce
$ fierce -dns test.com -wordlist /usr/share/fierce/hosts.txt
DNS Servers for test.com:
ns66.worldnic.com
ns65.worldnic.com
Trying zone transfer first...
Testing ns66.worldnic.com
Request timed out or transfer not allowed.
Testing ns65.worldnic.com
Request timed out or transfer not allowed.
Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force
Checking for wildcard DNS...
** Found 94496356619.test.com at 192.99.166.230.
** High probability of wildcard DNS.
Now performing 2280 test(s)...
208.112.2.147 mail.test.com
76.12.20.251 secure.test.com
66.241.194.12 ws10.test.com
66.241.194.13 ws11.test.com
Subnets found (may want to probe here using nmap or unicornscan):
208.112.2.0-255 : 1 hostnames found.
66.241.194.0-255 : 2 hostnames found.
76.12.20.0-255 : 1 hostnames found.
Done with Fierce scan: http://ha.ckers.org/fierce/
Found 4 entries.
Have a nice day.
Recon-ng
$ recon-ng -w example.com
[recon-ng][example.com] > add domains example.com
[recon-ng][example.com] > use recon/domains-hosts/brute_hosts
[recon-ng][example.com][brute_hosts] > run
-----------
EXAMPLE.COM
-----------
[*] No Wildcard DNS entry found.
[*] 0.example.com => No record found.
[*] 01.example.com => No record found.
-------
SUMMARY
-------
[*] 1 total (1 new) hosts found.
[recon-ng][example.com][brute_hosts] > show hosts
+----------------------------------------------------------------------------------------------+
| rowid | host | ip_address | region | country | latitude | longitude | module |
+----------------------------------------------------------------------------------------------+
| 1 | www.example.com | | | | | | brute_hosts |
+----------------------------------------------------------------------------------------------+
[*] 1 rows returned
Metasploit
$ msfconsole
msf> use auxiliary/gather/enum_dns
msf auxiliary(enum_dns) > set domain test.org
domain => test.org
msf auxiliary(enum_dns) > run
[*] This domain has wildcards enabled!!
[*] Wildcard IP for 2565.test.org is: 217.145.99.169
[*] Setting DNS Server to test.org NS: 217.145.97.43
[*] Retrieving general DNS records
[*] Domain: test.org IP address: 217.145.96.131 Record: A
[*] Start of Authority: ns0.tmt.de. IP address: 217.145.97.43 Record: SOA
[*] Name Server: ns1.tmt.de. IP address: 217.145.96.133 Record: NS
[*] Name Server: ns3.tmt.de. IP address: 217.145.98.42 Record: NS
[*] Name Server: ns0.tmt.de. IP address: 217.145.97.43 Record: NS
[*] Name Server: ns4.tmt.de. IP address: 217.145.99.3 Record: NS
[*] Name Server: ns2.tmt.de. IP address: 217.145.98.52 Record: NS
[*] Name: git.tmt.de. Preference: 5 Record: MX
[*] Name: ubique.maisel.de. Preference: 10 Record: MX
[*] Running bruteforce against domain test.org
[*] Hostname: 01.test.org IP address: 217.145.99.169
[*] Hostname: 02.test.org IP address: 217.145.99.169
[*] Hostname: 03.test.org IP address: 217.145.99.169
Dnsmap
$ dnsmap test.com
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)
[+] warning: domain might use wildcards. 192.99.166.230 will be ignored from results
[+] searching (sub)domains for test.com using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests
mail.test.com
IP address #1: 208.112.2.147
Linux April 2015 DNS_bruteforce(1)
[noise@unvalidatedinput]$ ∎