Description

DNSenum is a pentesting tool that enumerates as much DNS information about domains as possible.

The program currently performs the following operations:

• Get the host's addresse (A record)
• Get the namservers (threaded)
• Get the MX record (threaded)
• Perform axfr queries on nameservers (threaded)
• Get extra names and subdomains via google scraping (google query = "allinurl: -www site:domain")
• Brute force subdomains from file, can also perform recursion on subdomain that have NS records (all threaded)
• Calculate C class domain network ranges and perform whois queries on them (threaded)
• Perform reverse lookups on netranges ( C class or/and whois netranges) (threaded)
• Write to domain_ips.txt file ip-blocks.

Installation

Prerequistes

Install Perl

$ sudo apt-get install perl

Then install dependencies via CPAN:

$ sudo cpan
cpan[1]> install Getopt::Long
cpan[2]> install IO::File
cpan[3]> install Thread::Queue
cpan[4]> install Net::IP
cpan[5]> install Net::DNS
cpan[6]> install Net::Netmask
cpan[7]> install Net::Whois::IP
cpan[8]> install HTML::Parser
cpan[9]> install WWW::Mechanize

Dnsenum

$ cd /data/src/
$ wget http://dnsenum.googlecode.com/files/dnsenum1.2.tar.gz
$ mkdir -p /pentest/enumeration/
$ tar xzvf dnsenum1.2.tar.gz -C /pentest/enumeration/
$ mv /pentest/enumeration/dnsenum1.2/ /pentest/enumeration/dnsenum/

Usage

Syntax

dnsenum.pl [Options] <domain>

Options

General options

--dnsserver <server>

Use this DNS server for A, NS and MX queries.

--enum

Shortcut option equivalent to --threads 5 -s 20 -w.

-h, --help

Print this help message.

--noreverse

Skip the reverse lookup operations.

--private

Show and save private ips at the end of the file domain_ips.txt.

--subfile <file>

Write all valid subdomains to this file.

-t, --timeout <value>

The tcp and udp timeout values in seconds

(default: 10s).

--threads <value>

The number of threads that will perform different queries.

-v, --verbose

Be verbose: show all the progress and all the error messages.

Google scraping options

-p, --pages <value>

The number of google search pages to process when scraping names, the default is 20 pages, the -s switch must be specified.

-s, --scrap <value>

The maximum number of subdomains that will be scraped from google.

Brute force options

-f, --file <file>

Read subdomains from this file to perform brute force.

-u, --update <a|g|r|z>

Update the file specified with the -f switch with valid subdomains.

• a: Update using all results.
• g: Update using only google scraping results.
• r: Update using only reverse lookup results.
• z: Update using only zonetransfer results.

-r, --recursion

Recursion on subdomains, brute force all discovred subdomains that have an NS record.

Whois netrange options

-d, --delay <value>

The maximum value of seconds to wait between whois queries, the value is defined randomly

(default: 3s)

-w, --whois

Perform the whois queries on c class network ranges.

Warning: this can generate very large netranges and it will take lot of time to performe reverse lookups.

Reverse lookup options

-e, --exclude <regexp>

Exclude PTR records that match the regexp expression from reverse lookup results, useful on invalid hostnames.

Example

INCOMPLETE SECTION OR ARTICLE

This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Comments