04 March 2012

BackTrack tool review: dnsrecon

Note: This is part of a series on BackTrack 5 tool reviews. It is not meant to be an exhaustive analysis of any tool, just a demonstration of the tool using real-world targets.


root@bt:/pentest/enumeration/dns/dnsrecon# ./dnsrecon.py
Version: 0.6.9
Usage: dnsrecon.py

Options:
   -h, --help                  Show this help message and exit
   -d, --domain        Domain to Target for enumeration.
   -c, --cidr           CIDR for reverse look-up brute force (range/bitmask).
   -r, --range         IP Range for reverse look-up brute force in formats (first-last)
                               or in (range/bitmask).
   -n, --name_server    Domain server to use, if none is given the SOA of the
                               target will be used
   -D, --dictionary      Dictionary file of sub-domain and hostnames to use for
                               brute force.
   -f                          Filter out of Brute Force Domain lookup records that resolve to
                               the wildcard defined IP Address when saving records.
   -t, --type           Specify the type of enumeration to perform:
                               std      To Enumerate general record types, enumerates.
                                        SOA, NS, A, AAAA, MX and SRV if AXRF on the
                                        NS Servers fail.
                               rvl      To Reverse Look Up a given CIDR IP range.
                               brt      To Brute force Domains and Hosts using a given
                                        dictionary.
                               srv      To Enumerate common SRV Records for a given
                                        domain.
                               axfr     Test all NS Servers in a domain for misconfigured
                                        zone transfers.
                               goo      Perform Google search for sub-domains and hosts.
                               snoop    To Perform a Cache Snooping against all NS
                                        servers for a given domain, testing all with
                                        file containing the domains, file given with -D
                                        option.
                               tld      Will remove the TLD of given domain and test against
                                        all TLD's registered in IANA
                               zonewalk Will perform a DNSSEC Zone Walk using NSEC Records.
   -a                          Perform AXFR with the standard enumeration.
   -s                          Perform Reverse Look-up of ipv4 ranges in the SPF Record of the
                               targeted domain with the standard enumeration.
   -g                          Perform Google enumeration with the standard enumeration.
   -w                          Do deep whois record analysis and reverse look-up of IP
                               ranges found thru whois when doing standard query.
   -z                          Performs a DNSSEC Zone Walk with the standard enumeration.
   --threads           Number of threads to use in Range Reverse Look-up, Forward
                               Look-up Brute force and SRV Record Enumeration
   --lifetime         Time to wait for a server to response to a query.
   --db                 SQLite 3 file to save found records.
   --xml                 XML File to save found records.
   --csv                 Comma separated value file.
   -v                          Show attempts in the bruteforce modes.

Check out the results from un.org:

root@bt:/pentest/enumeration/dns/dnsrecon# ./dnsrecon.py -d un.org -D namelist.txt -t std -a
[*] Performing General Enumeration of Domain:
[*] Checking for Zone Transfer for un.org name servers
[*] Resolving SOA Record
[*] SOA ns1.un.org 157.150.185.28
[*] Resolving NS Records
[*] NS Servers found:
[*] NS ns3.un.org 85.159.200.204
[*] NS ns2.un.org 157.150.34.57
[*] NS ns1.un.org 157.150.185.28
[*] Removing any duplicate NS server IP Addresses...
[*] Trying NS server 85.159.200.204
[-] Zone Transfer Failed for 85.159.200.204!
[-] Port 53 TCP is being filtered
[*] Trying NS server 157.150.185.28
[-] Zone Transfer Failed for 157.150.185.28!
[-] Port 53 TCP is being filtered
[*] Trying NS server 157.150.34.57
[-] Zone Transfer Failed for 157.150.34.57!
[-] Port 53 TCP is being filtered
[-] DNSSEC is not configured for
[*] SOA ns1.un.org 157.150.185.28
[*] NS ns3.un.org 85.159.200.204
[*] NS ns2.un.org 157.150.34.57
[*] NS ns1.un.org 157.150.185.28
[*] MX unasav4.un.org 157.150.34.66
[*] MX unasav1.un.org 157.150.185.201
[*] MX unasav2.un.org 157.150.185.202
[*] MX unasav3.un.org 157.150.34.65
[*] A un.org 157.150.34.32
[*] A un.org 157.150.185.49
[*] TXT un.org v=spf1 ip4:157.150.185.0/27 ip4:157.150.34.0/26 a:mx3901.un.org a:mx3902.un.org -all
[*] Enumerating SRV Records
[*] SRV _sip._udp.un.org vcs.un.org. 157.150.195.203 5060 0
[*] SRV _sips._tcp.un.org vcs.un.org. 157.150.195.203 5061 0
[*] SRV _sip._tcp.un.org vcs.un.org. 157.150.195.203 5060 0
[*] SRV _h323cs._tcp.un.org vcs.un.org. 157.150.195.203 1720 0
[*] SRV _h323ls._udp.un.org vcs.un.org. 157.150.195.203 1719 0
[*] 5 Records Found

Now see the results from zonetransfer.me, a domain set up with zone transfers enabled:

root@bt:/pentest/enumeration/dns/dnsrecon# ./dnsrecon.py -d zonetransfer.me -t axfr
[*] Testing NS Servers for Zone Transfer
[*] Checking for Zone Transfer for zonetransfer.me name servers
[*] Resolving SOA Record
[*] SOA ns16.zoneedit.com 69.64.68.41
[*] Resolving NS Records
[*] NS Servers found:
[*] NS ns16.zoneedit.com 69.64.68.41
[*] NS ns12.zoneedit.com 209.62.64.46
[*] Removing any duplicate NS server IP Addresses...
[*] Trying NS server 69.64.68.41
[*] 69.64.68.41 Has port 53 TCP Open
[*] Zone Transfer was successful!!
[*] SOA ns16.zoneedit.com. 69.64.68.41
[*] NS ns16.zoneedit.com. 69.64.68.41
[*] NS ns12.zoneedit.com. 209.62.64.46
[*] TXT Remember to call or email Pippa on +44 123 4567890 or pippa@zonetransfer.me when making DNS changes
[*] TXT google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA
[*] TXT AbCdEfG
[*] TXT ZoneTransfer.me service provided by Robin Wood - robin@digininja.org. See www.digininja.org/projects/zonetransferme.php for more information.
[*] PTR www.zonetransfer.me 217.147.180.162
[*] MX @.zonetransfer.me ASPMX.L.GOOGLE.COM. 74.125.115.26
[*] MX @.zonetransfer.me ALT1.ASPMX.L.GOOGLE.COM. 74.125.79.26
[*] MX @.zonetransfer.me ALT2.ASPMX.L.GOOGLE.COM. 173.194.69.26
[*] MX @.zonetransfer.me ASPMX2.GOOGLEMAIL.COM. 74.125.43.27
[*] MX @.zonetransfer.me ASPMX3.GOOGLEMAIL.COM. 74.125.127.27
[*] MX @.zonetransfer.me ASPMX4.GOOGLEMAIL.COM. 209.85.229.27
[*] MX @.zonetransfer.me ASPMX5.GOOGLEMAIL.COM. 74.125.157.27
[*] A @.zonetransfer.me 217.147.180.162
[*] A canberra_office.zonetransfer.me 202.14.81.230
[*] A dc_office.zonetransfer.me 143.228.181.132
[*] A www.zonetransfer.me 217.147.180.162
[*] A owa.zonetransfer.me 207.46.197.32
[*] A alltcpportsopen.firewall.test.zonetransfer.me 127.0.0.1
[*] A vpn.zonetransfer.me 174.36.59.154
[*] A office.zonetransfer.me 4.23.39.254
[*] CNAME staging.zonetransfer.me www.sydneyoperahouse.com. 203.32.178.10
[*] SRV _sip._tcp.zonetransfer.me www 5060 0 no_ip
[*] Trying NS server 209.62.64.46
[*] 209.62.64.46 Has port 53 TCP Open
[*] Zone Transfer was successful!!
[*] SOA ns16.zoneedit.com. 69.64.68.41
[*] NS ns16.zoneedit.com. 69.64.68.41
[*] NS ns12.zoneedit.com. 209.62.64.46
[*] TXT Remember to call or email Pippa on +44 123 4567890 or pippa@zonetransfer.me when making DNS changes
[*] TXT google-site-verification=tyP28J7JAUHA9fw2sHXMgcCC0I6XBmmoVi04VlMewxA
[*] TXT AbCdEfG
[*] TXT ZoneTransfer.me service provided by Robin Wood - robin@digininja.org. See www.digininja.org/projects/zonetransferme.php for more information.
[*] PTR www.zonetransfer.me 217.147.180.162
[*] MX @.zonetransfer.me ASPMX.L.GOOGLE.COM. 74.125.115.26
[*] MX @.zonetransfer.me ALT1.ASPMX.L.GOOGLE.COM. 74.125.79.26
[*] MX @.zonetransfer.me ALT2.ASPMX.L.GOOGLE.COM. 173.194.69.26
[*] MX @.zonetransfer.me ASPMX2.GOOGLEMAIL.COM. 74.125.43.27
[*] MX @.zonetransfer.me ASPMX3.GOOGLEMAIL.COM. 74.125.127.27
[*] MX @.zonetransfer.me ASPMX4.GOOGLEMAIL.COM. 209.85.229.27
[*] MX @.zonetransfer.me ASPMX5.GOOGLEMAIL.COM. 74.125.157.27
[*] A @.zonetransfer.me 217.147.180.162
[*] A canberra_office.zonetransfer.me 202.14.81.230
[*] A dc_office.zonetransfer.me 143.228.181.132
[*] A www.zonetransfer.me 217.147.180.162
[*] A owa.zonetransfer.me 207.46.197.32
[*] A alltcpportsopen.firewall.test.zonetransfer.me 127.0.0.1
[*] A vpn.zonetransfer.me 174.36.59.154
[*] A office.zonetransfer.me 4.23.39.254
[*] CNAME staging.zonetransfer.me www.sydneyoperahouse.com. 203.32.178.10
[*] SRV _sip._tcp.zonetransfer.me www 5060 0 no_ip
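As an added example (my own code, not part of the original post or of dnsrecon), a small Python parser for the output format shown in both sessions above: it records which name servers answered the AXFR, pulls the ip4 ranges out of the SPF TXT record (the ranges the -s option would reverse-resolve), and flags A records that point at non-routable addresses, such as the 127.0.0.1 host exposed in the zonetransfer.me zone. The sample input is constructed from lines taken from the two runs above.

```python
import ipaddress

# Constructed sample: dnsrecon 0.6.9 lines taken from the two sessions above.
SAMPLE_OUTPUT = """\
[*] Trying NS server 85.159.200.204
[-] Zone Transfer Failed for 85.159.200.204!
[*] NS Servers found:
[*] TXT un.org v=spf1 ip4:157.150.185.0/27 ip4:157.150.34.0/26 a:mx3901.un.org -all
[*] Trying NS server 69.64.68.41
[*] Zone Transfer was successful!!
[*] A vpn.zonetransfer.me 174.36.59.154
[*] A alltcpportsopen.firewall.test.zonetransfer.me 127.0.0.1
"""
RECORD_TYPES = {"SOA", "NS", "MX", "A", "AAAA", "TXT", "PTR", "CNAME", "SRV"}

def parse_dnsrecon(text):
    """Records as (type, owner, value) plus the AXFR outcome per NS server tried."""
    findings = {"records": [], "axfr": {}}
    ns = None
    for line in text.splitlines():
        if not line.startswith(("[*] ", "[-] ")):
            continue
        body = line[4:]
        if body.startswith("Trying NS server "):
            ns = body.split()[-1]
        elif body.startswith("Zone Transfer was successful") and ns:
            findings["axfr"][ns] = "open"
        elif body.startswith("Zone Transfer Failed") and ns:
            findings["axfr"][ns] = "refused"
        else:
            parts = body.split(" ", 2)
            # Status lines ("NS Servers found:") have no dotted owner name; skip them.
            if len(parts) == 3 and parts[0] in RECORD_TYPES and "." in parts[1]:
                findings["records"].append(tuple(parts))
    return findings

def spf_ip4_networks(findings):
    """ip4: networks in the SPF TXT record (the ranges dnsrecon -s reverse-resolves)."""
    return [ipaddress.ip_network(t[4:], strict=False)
            for rtype, _, v in findings["records"] if rtype == "TXT" and v.startswith("v=spf1")
            for t in v.split() if t.startswith("ip4:")]

def summarize(text):
    """Points a zone owner should act on: open AXFR, SPF span, non-global A records."""
    f = parse_dnsrecon(text)
    return {
        "open_axfr": sorted(s for s, state in f["axfr"].items() if state == "open"),
        "spf_addresses": sum(n.num_addresses for n in spf_ip4_networks(f)),
        "non_global_a": sorted(o for t, o, v in f["records"]
                               if t == "A" and not ipaddress.ip_address(v).is_global),
    }
```

Feed it the saved output of a run against your own domain (for example via `--csv` or a redirected terminal session) to get the same three findings without reading the raw listing.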