02 March 2012

BackTrack tool review: dnsenum

Note: This is part of a series on BackTrack 5 tool reviews. It is not meant to be an exhaustive analysis of any tool, just a demonstration of the tool using real-world targets.

root@bt:/pentest/enumeration/dns/dnsenum# ./dnsenum.pl
dnsenum.pl VERSION:1.2.2
Usage: dnsenum.pl [Options]  
[Options]:
Note: the brute force -f switch is obligatory.
GENERAL OPTIONS:
  --dnsserver
Use this DNS server for A, NS and MX queries.
  --enum Shortcut option equivalent to --threads 5 -s 20 -w.
  -h, --help Print this help message.
  --noreverse Skip the reverse lookup operations.
  --private Show and save private ips at the end of the file domain_ips.txt.
  --subfile Write all valid subdomains to this file.
  -t, --timeout The tcp and udp timeout values in seconds (default: 10s).
  --threads The number of threads that will perform different queries.
  -v, --verbose Be verbose: show all the progress and all the error messages.
GOOGLE SCRAPING OPTIONS:
  -p, --pages The number of google search pages to process when scraping names, 
the default is 20 pages, the -s switch must be specified.
  -s, --scrap The maximum number of subdomains that will be scraped from Google.
BRUTE FORCE OPTIONS:
  -f, --file Read subdomains from this file to perform brute force.
  -u, --update
Update the file specified with the -f switch with valid subdomains.
a (all) Update using all results.
g Update using only google scraping results.
r Update using only reverse lookup results.
z Update using only zonetransfer results.
  -r, --recursion Recursion on subdomains, brute force all discovred subdomains that have an NS record.
WHOIS NETRANGE OPTIONS:
  -d, --delay The maximum value of seconds to wait between whois queries, the value is defined randomly, default: 3s.
  -w, --whois Perform the whois queries on c class network ranges.
**Warning**: this can generate very large netranges and it will take lot of time to performe reverse lookups.
REVERSE LOOKUP OPTIONS:
  -e, --exclude
Exclude PTR records that match the regexp expression from reverse lookup results, useful on invalid hostnames.
OUTPUT OPTIONS:
  -o --output Output in XML format. Can be imported in MagicTree (www.gremwell.com)


root@bt:/pentest/enumeration/dns/dnsenum# ./dnsenum.pl --dnsserver ns0.interpol.int --private --threads 16 -p 5 -s 20 -f dns.txt interpol.int
dnsenum.pl VERSION:1.2.2


-----   interpol.int   -----


Host's addresses:
__________________


interpol.int                             10       IN    A        193.22.7.1


Name Servers:
______________


ns0.interpol.int                         10       IN    A        193.22.7.80
ns1.interpol.int                         10       IN    A        193.22.7.122


Mail (MX) Servers:
___________________


mail11.interpol.int                      10       IN    A        193.22.7.4
mail12.interpol.int                      10       IN    A        193.22.7.5


Trying Zone Transfers and getting Bind Versions:
_________________________________________________


Trying Zone Transfer for interpol.int on ns0.interpol.int ... 
AXFR record query failed: NXDOMAIN
Unable to obtain Server Version for ns0.interpol.int : NXDOMAIN


Trying Zone Transfer for interpol.int on ns1.interpol.int ... 
AXFR record query failed: NXDOMAIN
Unable to obtain Server Version for ns1.interpol.int : NXDOMAIN


Scraping interpol.int subdomains from Google:
______________________________________________


 ----   Google search page: 1   ---- 


 ----   Google search page: 2   ---- 


 ----   Google search page: 3   ---- 


 ----   Google search page: 4   ---- 


 ----   Google search page: 5   ---- 




Google Results:
________________


  perhaps Google is blocking our queries.
 Check manually.


Brute forcing with dns.txt:
____________________________


ns1.interpol.int                         10       IN    A        193.22.7.122
www.interpol.int                         10       IN    A        193.22.7.1


interpol.int class C netranges:
________________________________


 193.22.7.0/24


Performing reverse lookup on 256 ip addresses:
_______________________________________________


1.7.22.193.in-addr.arpa                  10       IN    PTR                
4.7.22.193.in-addr.arpa                  10       IN    PTR                
5.7.22.193.in-addr.arpa                  10       IN    PTR                
62.7.22.193.in-addr.arpa                 10       IN    PTR                
66.7.22.193.in-addr.arpa                 10       IN    PTR                
80.7.22.193.in-addr.arpa                 10       IN    PTR                
82.7.22.193.in-addr.arpa                 10       IN    PTR                
84.7.22.193.in-addr.arpa                 10       IN    PTR                
83.7.22.193.in-addr.arpa                 10       IN    PTR                
81.7.22.193.in-addr.arpa                 10       IN    PTR                
101.7.22.193.in-addr.arpa                10       IN    PTR                
102.7.22.193.in-addr.arpa                10       IN    PTR                
122.7.22.193.in-addr.arpa                10       IN    PTR                


13 results out of 256 IP addresses.


interpol.int ip blocks:
________________________


 193.22.7.1/32
 193.22.7.4/31
 193.22.7.62/32
 193.22.7.66/32
 193.22.7.80/30
 193.22.7.84/32
 193.22.7.101/32
 193.22.7.102/32
 193.22.7.122/32


done.
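As an added example (not part of the original post and not dnsenum's own code), the Python below parses reverse-lookup result lines in the format printed above, turns each in-addr.arpa owner name back into an IPv4 address, and collapses the addresses into CIDR blocks the way the closing "ip blocks" section does; the sample lines are constructed from the output above, and the same view lets an administrator see which hosts in a range publish PTR records.

```python
import ipaddress
import re

# Constructed sample: reverse-lookup result lines in the layout dnsenum prints
# (owner name, TTL, class, type; the PTR target is empty in the page's copy).
SAMPLE_PTR_OUTPUT = """\
1.7.22.193.in-addr.arpa                  10       IN    PTR
4.7.22.193.in-addr.arpa                  10       IN    PTR
5.7.22.193.in-addr.arpa                  10       IN    PTR
62.7.22.193.in-addr.arpa                 10       IN    PTR
66.7.22.193.in-addr.arpa                 10       IN    PTR
80.7.22.193.in-addr.arpa                 10       IN    PTR
82.7.22.193.in-addr.arpa                 10       IN    PTR
84.7.22.193.in-addr.arpa                 10       IN    PTR
83.7.22.193.in-addr.arpa                 10       IN    PTR
81.7.22.193.in-addr.arpa                 10       IN    PTR
101.7.22.193.in-addr.arpa                10       IN    PTR
102.7.22.193.in-addr.arpa                10       IN    PTR
122.7.22.193.in-addr.arpa                10       IN    PTR
"""

# Matches the four reversed octets before "in-addr.arpa" and the TTL/IN/PTR columns.
PTR_LINE = re.compile(r"^\s*((?:\d{1,3}\.){4})in-addr\.arpa\s+\d+\s+IN\s+PTR", re.I)


def arpa_to_ipv4(owner):
    """Turn the owner prefix '1.7.22.193.' back into the address 193.22.7.1."""
    octets = owner.rstrip(".").split(".")
    return ipaddress.IPv4Address(".".join(reversed(octets)))


def parse_ptr_results(text):
    """Return the IPv4 addresses that answered with a PTR record, in output order."""
    hits = []
    for line in text.splitlines():
        m = PTR_LINE.match(line)
        if m:
            hits.append(arpa_to_ipv4(m.group(1)))
    return hits


def ip_blocks(addresses):
    """Collapse single hosts into the fewest CIDR blocks (dnsenum's 'ip blocks' list)."""
    hosts = (ipaddress.IPv4Network(f"{a}/32") for a in addresses)
    return [str(n) for n in ipaddress.collapse_addresses(hosts)]


if __name__ == "__main__":
    found = parse_ptr_results(SAMPLE_PTR_OUTPUT)
    print(f"{len(found)} results")
    for block in ip_blocks(found):
        print(block)
```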