02 March 2012

BackTrack tool review: dnsenum

Note: This is part of a series on BackTrack 5 tool reviews. It is not meant to be an exhaustive analysis of any tool, just a demonstration of the tool using real-world targets.

root@bt:/pentest/enumeration/dns/dnsenum# ./dnsenum.pl
dnsenum.pl VERSION:1.2.2
Usage: dnsenum.pl [Options] <domain>
Note: the brute force -f switch is obligatory.
  --dnsserver <server>
Use this DNS server for A, NS and MX queries.
  --enum Shortcut option equivalent to --threads 5 -s 20 -w.
  -h, --help Print this help message.
  --noreverse Skip the reverse lookup operations.
  --private Show and save private ips at the end of the file domain_ips.txt.
  --subfile <file> Write all valid subdomains to this file.
  -t, --timeout <value> The tcp and udp timeout values in seconds (default: 10s).
  --threads <value> The number of threads that will perform different queries.
  -v, --verbose Be verbose: show all the progress and all the error messages.
  -p, --pages <value> The number of google search pages to process when scraping names,
the default is 20 pages, the -s switch must be specified.
  -s, --scrap <value> The maximum number of subdomains that will be scraped from Google.
  -f, --file <file> Read subdomains from this file to perform brute force.
  -u, --update <a|g|r|z>
Update the file specified with the -f switch with valid subdomains.
a (all) Update using all results.
g Update using only google scraping results.
r Update using only reverse lookup results.
z Update using only zonetransfer results.
  -r, --recursion Recursion on subdomains, brute force all discovred subdomains that have an NS record.
  -d, --delay <value> The maximum value of seconds to wait between whois queries, the value is defined randomly, default: 3s.
  -w, --whois Perform the whois queries on c class network ranges.
**Warning**: this can generate very large netranges and it will take lot of time to performe reverse lookups.
  -e, --exclude <regexp>
Exclude PTR records that match the regexp expression from reverse lookup results, useful on invalid hostnames.
  -o --output <file> Output in XML format. Can be imported in MagicTree (www.gremwell.com)
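The netrange, --private and -e/--exclude steps described in the help above, worked through offline as an added Python example. This is my own code, not part of the post and not dnsenum's source; the hostnames, addresses (documentation ranges plus one RFC 1918 address) and PTR answers are constructed, and the function names are my own.

```python
import ipaddress
import re

# Constructed sample A records, standing in for what dnsenum has collected
# before its netrange phase (documentation-range and RFC 1918 addresses,
# not the page's real targets).
SAMPLE_A_RECORDS = {
    "example.test": "198.51.100.10",
    "ns0.example.test": "198.51.100.1",
    "www.example.test": "198.51.100.20",
    "vpn.example.test": "10.20.30.40",   # an internal address exposed in public DNS
}

# RFC 1918 ranges; dnsenum's --private switch decides whether these are kept.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def class_c_netranges(a_records, show_private=False):
    """Group discovered addresses into /24 ("class C") networks, the ranges
    dnsenum reverse-looks-up (and, with -w, runs whois on). Returns the
    networks with the hosts that put them there, plus the private addresses
    found; those only enter the ranges when show_private is True."""
    nets = {}
    private = []
    for host, addr in a_records.items():
        if is_rfc1918(addr):
            private.append((host, addr))
            if not show_private:
                continue
        net = ipaddress.ip_network(f"{addr}/24", strict=False)
        nets.setdefault(net, []).append(host)
    return nets, private


def reverse_lookup_targets(nets):
    """Expand each /24 into the 256 addresses that get a PTR query, which is
    why two hosts in one /24 still produce '256 ip addresses' in the output."""
    return [str(ip) for net in nets for ip in net]


def filter_ptr_results(ptr_results, exclude_regexp=None):
    """Drop PTR answers matching the -e/--exclude regexp, e.g. generic
    provider names that say nothing about the target."""
    pattern = re.compile(exclude_regexp) if exclude_regexp else None
    return {ip: name for ip, name in ptr_results.items()
            if not (pattern and pattern.search(name))}


# Constructed PTR answers for the sample range.
SAMPLE_PTR_RESULTS = {
    "198.51.100.1": "ns0.example.test",
    "198.51.100.5": "unassigned-5.hosting.example",
    "198.51.100.20": "www.example.test",
}

if __name__ == "__main__":
    nets, private = class_c_netranges(SAMPLE_A_RECORDS)
    for net, hosts in nets.items():
        print(f"{net}: {', '.join(hosts)}")
    print(f"Performing reverse lookup on {len(reverse_lookup_targets(nets))} ip addresses")
    print("private addresses (shown only with --private):", private)
    print("PTR results after --exclude '^unassigned':",
          filter_ptr_results(SAMPLE_PTR_RESULTS, r"^unassigned"))
```

The point for a defender is the private-address branch: a host like vpn.example.test resolving to 10.20.30.40 in public DNS is exactly what --private surfaces, and it is worth auditing your own zones for such records before anyone else does.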

root@bt:/pentest/enumeration/dns/dnsenum# ./dnsenum.pl --dnsserver ns0.interpol.int --private --threads 16 -p 5 -s 20 -f dns.txt interpol.int
dnsenum.pl VERSION:1.2.2

-----   interpol.int   -----

Host's addresses:

interpol.int                             10       IN    A

Name Servers:

ns0.interpol.int                         10       IN    A
ns1.interpol.int                         10       IN    A

Mail (MX) Servers:

mail11.interpol.int                      10       IN    A
mail12.interpol.int                      10       IN    A

Trying Zone Transfers and getting Bind Versions:

Trying Zone Transfer for interpol.int on ns0.interpol.int ... 
AXFR record query failed: NXDOMAIN
Unable to obtain Server Version for ns0.interpol.int : NXDOMAIN

Trying Zone Transfer for interpol.int on ns1.interpol.int ... 
AXFR record query failed: NXDOMAIN
Unable to obtain Server Version for ns1.interpol.int : NXDOMAIN

Scraping interpol.int subdomains from Google:

 ----   Google search page: 1   ---- 

 ----   Google search page: 2   ---- 

 ----   Google search page: 3   ---- 

 ----   Google search page: 4   ---- 

 ----   Google search page: 5   ---- 

Google Results:

  perhaps Google is blocking our queries.
 Check manually.

Brute forcing with dns.txt:

ns1.interpol.int                         10       IN    A
www.interpol.int                         10       IN    A

interpol.int class C netranges:

Performing reverse lookup on 256 ip addresses:
_______________________________________________
                                         10       IN    PTR
                                         10       IN    PTR
                                         10       IN    PTR
                                         10       IN    PTR
                                         10       IN    PTR
                                         10       IN    PTR
                                         10       IN    PTR
                                         10       IN    PTR
                                         10       IN    PTR
                                         10       IN    PTR
                                         10       IN    PTR
                                         10       IN    PTR
                                         10       IN    PTR

13 results out of 256 IP addresses.

interpol.int ip blocks:
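Seen from the authoritative server's side, the run above leaves a distinctive trace: an AXFR request followed by a burst of A queries for many different names under one zone from a single client. The detection below is an added Python example of my own, not part of the post or of dnsenum; the log lines are constructed in the style of a BIND 9 query log (client address, queried name, type), the addresses and names are made up, and the window and threshold values are assumptions to tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches constructed lines in BIND 9 query-log style, e.g.
# 02-Mar-2012 10:15:00.000 client 203.0.113.7#41234 (www.example.test): query: www.example.test IN A + (198.51.100.1)
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d+) client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[\d.]+)#\d+ \(\S+\): query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def detect_enumeration(log_text, zone, window=timedelta(seconds=60), threshold=8):
    """Return findings for (a) any zone-transfer request and (b) any client that
    queries at least `threshold` distinct names under `zone` within `window`,
    which is the footprint of a wordlist brute force like dnsenum's -f pass."""
    per_client = defaultdict(list)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        name = m["name"].rstrip(".").lower()
        if name != zone and not name.endswith("." + zone):
            continue
        if m["qtype"] in ("AXFR", "IXFR"):
            findings.append(("zone_transfer_attempt", m["ip"], name))
        per_client[m["ip"]].append((ts, name))
    for ip, events in per_client.items():
        events.sort()
        start = 0
        peak = 0
        for end, (ts, _) in enumerate(events):
            while events[start][0] < ts - window:   # slide the window forward
                start += 1
            peak = max(peak, len({n for _, n in events[start:end + 1]}))
        if peak >= threshold:
            findings.append(("subdomain_bruteforce", ip, peak))
    return findings


def _line(ms_offset, ip, name, qtype="A"):
    """Build one constructed log line at a fixed base time plus an offset."""
    ts = datetime(2012, 3, 2, 10, 15, 0) + timedelta(milliseconds=ms_offset)
    stamp = ts.strftime("%d-%b-%Y %H:%M:%S.%f")[:-3]
    return f"{stamp} client {ip}#41234 ({name}): query: {name} IN {qtype} + (198.51.100.1)"


# Constructed sample: one client tries AXFR and then walks a small wordlist;
# a second client just resolves www twice and one name outside the zone.
WORDLIST = ["ns1", "www", "mail", "ftp", "vpn", "dev", "test", "admin", "portal", "intranet"]
SAMPLE_LOG = "\n".join(
    [_line(0, "203.0.113.7", "example.test", "AXFR")]
    + [_line(100 * (i + 1), "203.0.113.7", f"{w}.example.test") for i, w in enumerate(WORDLIST)]
    + [_line(5000, "198.51.100.77", "www.example.test"),
       _line(9000, "198.51.100.77", "www.example.test"),
       _line(9500, "198.51.100.77", "other.example")]
)

if __name__ == "__main__":
    for finding in detect_enumeration(SAMPLE_LOG, "example.test"):
        print(finding)
```

The brute-force rule counts distinct names rather than raw query volume, so a busy but legitimate resolver that asks for the same few names repeatedly stays below the threshold; the AXFR rule is worth keeping even where transfers are already restricted, because the attempt itself is the useful signal.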
