.SH NAME
DNS bruteforce
.rj
Sun Apr 26 12:41:41 BST 2015
.SH DESCRIPTION
A few tools for running a DNS brute-force enumeration.
Tools such as Fierce and Dnsmap handle wildcard DNS correctly: they first
resolve a random label under the target domain, and if it answers they
treat that address as the wildcard and drop any guessed name that only
resolves to it. In the output below, Metasploit's enum_dns detects the
wildcard but still lists every guessed name that resolves to the wildcard
IP, so its results need filtering by hand.
.SS Fierce
'nf
$ fierce -dns test.com -wordlist /usr/share/fierce/hosts.txt
DNS Servers for test.com:
        ns66.worldnic.com
        ns65.worldnic.com

Trying zone transfer first...
        Testing ns66.worldnic.com
                Request timed out or transfer not allowed.
        Testing ns65.worldnic.com
                Request timed out or transfer not allowed.

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
        ** Found 94496356619.test.com at 192.99.166.230.
        ** High probability of wildcard DNS.
Now performing 2280 test(s)...
208.112.2.147   mail.test.com
76.12.20.251    secure.test.com
66.241.194.12   ws10.test.com
66.241.194.13   ws11.test.com

Subnets found (may want to probe here using nmap or unicornscan):
        208.112.2.0-255 : 1 hostnames found.
        66.241.194.0-255 : 2 hostnames found.
        76.12.20.0-255 : 1 hostnames found.

Done with Fierce scan: http://ha.ckers.org/fierce/
Found 4 entries.

Have a nice day.
'fi
.SS Recon-ng
'nf
$ recon-ng -w example.com
[recon-ng][example.com] > add domains example.com
[recon-ng][example.com] > use recon/domains-hosts/brute_hosts
[recon-ng][example.com][brute_hosts] > run

-----------
EXAMPLE.COM
-----------
[*] No Wildcard DNS entry found.
[*] 0.example.com => No record found.
[*] 01.example.com => No record found.
....

-------
SUMMARY
-------
[*] 1 total (1 new) hosts found.
[recon-ng][example.com][brute_hosts] > show hosts

  +----------------------------------------------------------------------------------------------+
  | rowid |      host       | ip_address | region | country | latitude | longitude |   module    |
  +----------------------------------------------------------------------------------------------+
  | 1     | www.example.com |            |        |         |          |           | brute_hosts |
  +----------------------------------------------------------------------------------------------+

[*] 1 rows returned
'fi
.SS Metasploit
'nf
$ msfconsole
msf > use auxiliary/gather/enum_dns
msf auxiliary(enum_dns) > set domain test.org
domain => test.org
msf auxiliary(enum_dns) > run

[*] This domain has wildcards enabled!!
[*] Wildcard IP for 2565.test.org is: 217.145.99.169
[*] Setting DNS Server to test.org NS: 217.145.97.43
[*] Retrieving general DNS records
[*] Domain: test.org IP address: 217.145.96.131 Record: A
[*] Start of Authority: ns0.tmt.de. IP address: 217.145.97.43 Record: SOA
[*] Name Server: ns1.tmt.de. IP address: 217.145.96.133 Record: NS
[*] Name Server: ns3.tmt.de. IP address: 217.145.98.42 Record: NS
[*] Name Server: ns0.tmt.de. IP address: 217.145.97.43 Record: NS
[*] Name Server: ns4.tmt.de. IP address: 217.145.99.3 Record: NS
[*] Name Server: ns2.tmt.de. IP address: 217.145.98.52 Record: NS
[*] Name: git.tmt.de. Preference: 5 Record: MX
[*] Name: ubique.maisel.de. Preference: 10 Record: MX
[*] Running bruteforce against domain test.org
[*] Hostname: 01.test.org IP address: 217.145.99.169
[*] Hostname: 02.test.org IP address: 217.145.99.169
[*] Hostname: 03.test.org IP address: 217.145.99.169
'fi
.SS Dnsmap
'nf
$ dnsmap test.com
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)

[+] warning: domain might use wildcards. 192.99.166.230 will be ignored from results
[+] searching (sub)domains for test.com using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests

mail.test.com
IP address #1: 208.112.2.147
'fi
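The wildcard check that Fierce and Dnsmap perform, and the filtering step that the Metasploit output above lacks, written out as an added example (this is not code from the page or from any of the tools shown). It resolves a few random labels to learn the wildcard address set, then brute-forces a wordlist and keeps only names whose answers are not just the wildcard, and finally groups the hits by /24 the way Fierce's "Subnets found" summary does. The `FAKE_ZONE` table and its addresses are constructed for an offline run; swap `fake_resolver` for `system_resolver` to query real DNS. Note the known blind spot, visible in the constructed data as `www.test.com`: a real host that happens to share the wildcard address is dropped along with the noise.

```python
"""Wildcard-aware DNS brute force (added example, not from the page)."""
import random
import socket
import string
from typing import Callable, Dict, List, Set

# A resolver maps a hostname to its set of IPv4 addresses; empty set = no record.
Resolver = Callable[[str], Set[str]]


def system_resolver(name: str) -> Set[str]:
    """Resolve with the OS resolver; NXDOMAIN or any lookup failure yields an empty set."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except socket.gaierror:
        return set()


def random_label(length: int = 12) -> str:
    """A label that is vanishingly unlikely to exist, e.g. 94496356619.test.com in Fierce."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve several random labels; any address they return is a wildcard answer.

    Fierce and dnsmap probe a single random name; asking a few times also
    catches zones whose wildcard round-robins over more than one address.
    """
    wildcard_ips: Set[str] = set()
    for _ in range(probes):
        wildcard_ips |= resolve(f"{random_label()}.{domain}")
    return wildcard_ips


def brute_force(domain: str, wordlist: List[str], resolve: Resolver) -> Dict[str, Set[str]]:
    """Return {hostname: ips} for wordlist entries that resolve to non-wildcard addresses."""
    wildcard_ips = detect_wildcard(domain, resolve)
    found: Dict[str, Set[str]] = {}
    for word in wordlist:
        host = f"{word}.{domain}"
        # Strip the catch-all address(es); what remains is a genuine record.
        real_ips = resolve(host) - wildcard_ips
        if real_ips:
            found[host] = real_ips
    return found


def subnets(found: Dict[str, Set[str]]) -> Dict[str, int]:
    """Count discovered hostnames per /24, like Fierce's "Subnets found" block."""
    counts: Dict[str, int] = {}
    for ips in found.values():
        for ip in ips:
            net = ".".join(ip.split(".")[:3]) + ".0/24"
            counts[net] = counts.get(net, 0) + 1
    return counts


# Constructed zone for an offline demonstration (documentation-range addresses,
# not the real test.com data shown on the page). Every name not listed here
# resolves to the wildcard address 192.0.2.99; www.test.com is a real record
# that deliberately shares the wildcard address to show the blind spot.
WILDCARD_IP = "192.0.2.99"
FAKE_ZONE: Dict[str, Set[str]] = {
    "mail.test.com": {"203.0.113.147"},
    "secure.test.com": {"192.0.2.251"},
    "ws10.test.com": {"198.51.100.12"},
    "ws11.test.com": {"198.51.100.13"},
    "www.test.com": {WILDCARD_IP},
}


def fake_resolver(name: str) -> Set[str]:
    """Offline stand-in for system_resolver backed by FAKE_ZONE."""
    return set(FAKE_ZONE.get(name, {WILDCARD_IP}))


if __name__ == "__main__":
    words = ["mail", "secure", "ws10", "ws11", "www", "ftp", "01", "02"]
    hits = brute_force("test.com", words, fake_resolver)
    for host, ips in sorted(hits.items()):
        print(f"{', '.join(sorted(ips)):16} {host}")
    for net, n in sorted(subnets(hits).items()):
        print(f"{net} : {n} hostnames found.")
```

Running the block as a script prints the four genuine hosts and their /24 counts; `www`, `ftp`, `01` and `02` all answer with the wildcard address and are suppressed, which is exactly the filtering the Metasploit output above leaves to the operator.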