Category: Enumeration tools

Posted on by

Complete guide to DNSrecon

Hello, aspiring ethical hackers. This is a complete guide to dnsrecon tool. In our previous blogpost on DNS enumeration, you read what DNS is, what are the various types of DNS records, what is the information about the network can DNS enumeration reveal to a pen tester or a Black Hat Hacker. DNSrecon is one such tool used for enumerating DNS.

DNSrecon is written by Carlos Perez. He wrote it initially in Ruby to learn about that programming language and about DNS way back in 2007. As time passed by, he wanted to learn python and he posted dnsrecon tool to python.

The features of DNSrecon tool are,

  1. Checks all NS Records for Zone Transfers.
  2. Enumerates general DNS Records for a given domain (MX, SOA, NS, A, AAAA, SPF and TXT).
  3. Performs common SRV Record enumeration.
  4. Top Level Domain (TLD) expansion.
  5. Checks for Wildcard resolution.
  6. Brute forces subdomains and host A and AAAA records given in a domain and a wordlist.
  7. Performs PTR record lookup for a given IP Range or CIDR.
  8. Checks a DNS server’s cached records for A, AAAA and CNAME.
  9. Records provided a list of host records in a text file to check.

Let’s see how to enumerate DNS with DNSrecon. DNSrecon is installed by default in Kali Linux. To use DNSrecon, all we have to do is use the command below.

dnsenum -d <domain>

DNSrecon 12

–name_server (-n)

By default, DNSrecon will use SOA of the target server to enumerate DNS. You can use a different server, you can use it using this option.

DNSrecon 3

-a

This option is used to do a zone transfer along with standard enumeration performed above.

DNSrecon 4

As expected it failed.

DNSrecon 5

-y, -b, -k

Similarly, you can perform yandex (-y), bing(-b), crt.sh (-k) enumeration along with standard enumeration.

DNSrecon 7
DNSrecon 8
DNSrecon 9
DNSrecon 10

-w

This option is used to perform deep whois record analysis and reverse lookup of IP ranges found when doing standard enumeration.

DNSrecon 11

-z

This option is used to perform a DNSSEC zone walk along with standard enumeration.

DNSrecon 12 1
DNSrecon 13

–dictionary (-d)

This option is used to use a dictionary file containing subdomains and hostnames to use for brute force.

DNSrecon 14

–range (-r)

Specify a IP range to perform reverse lookup.

DNSrecon 15

–type (-t)

This option is used to perform a specific type of enumeration only. The various possible types of enumeration that can be performed using dnsrecon are,

  • Std: all SOA, NS, A, AAAA, MX and SRV.
  • rvl: reverse lookup
  • brt: brute force using a given dictionary
  • srv: SRV records.
  • axfr: zone transfer from NS server.
  • bing: Bing search for hosts and subdomains.
  • Yand: Yandex search for hosts and subdomains.
  • Crt: crt.sh enumeration for subdomains and hosts.
  • Snoop: cache snooping argument at NS server.
  • tld: test against all TLD’s registered with IANA.
  • Zonewalk: perform DNS sec Zone using NSEC records.
DNSrecon 16
DNSrecon 17
DNSrecon 18
DNSrecon 19
DNSrecon 20

Saving results

You can save the results of the found records to a database (-db), XML (-X), CSV (-c) and Json(-j) files.

DNSrecon 21
DNSrecon 22 1
DNSrecon 23

–lifetime

This option is used to set the time the tool has to wait until the target server responds. The default time is 3 seconds.

DNSrecon 24

–threads

This option is useful to specify the number of threads to be used while performing reverse lookup, forward lookup, brute force and SRV record enumeration.

DNSrecon 25

That’s all about DNSrecon.

Posted on by

Complete guide to DNSenum

Hello, aspiring ethical hackers. In the previous blogpost on DNS enumeration, you learnt what DNS service is used for, different types of records it has, what information can DNS enumeration reveal to hackers or pentesters. In this blogpost you will learn about a tool named DNSenum that can be used to enumerate DNS. DNSenum is a multithreaded perl script that is used to gather information from target DNS servers.

The features of DNSenum are,

  1. Get the host’s address (A record).
  2. Get the nameservers (NS).
  3. Get the MX record (MX).
  4. Perform axfr queries on nameservers and get BIND VERSION.
  5. Get extra names and subdomains via google scraping (google query = “-www site:domain”).
  6. Brute force subdomains from file, can also perform recursion on subdomain that have NS records.
  7. Calculate C class domain network ranges and perform whois queries on them.
  8. Perform reverse lookups on netranges (C class or/and whois netranges).

Let’s see how to perform DNS enumeration with DNSenum. DNSenum is included by default in Kali Linux. If you want to enumerate a domain with DNSenum. all you have to do is supply a domain name as shown below.

dnsenum <domain>

When run in default mode, DNSnum first enumerates the host address, then the name servers, then MX records, ACFR queries, extra names and subdomains via google scraping, brute forces subdomains from them, calculates the class C IP network ranges from the results and performs whois queries on them and performs reverse lookup on these IP addresses.

DNSenum 1
DNSenum 2
DNSenum 3
DNSenum 4
DNSenum 5
DNSenum 67

–dnsserver

In some cases, the result from the enumeration can vary depending on the server that is queried. Using DNSenum, we can perform a query by using another DNS server as shown below.

DNSenum 8

When you first use dnsenum on a domain to perform enumeration, you will notice that there will be a considerable delay at some stages. The delay occurs while dnsenum is brute forcing the subdomain names and then while performing reverse lookup on the IP address range.

While brute forcing the subdomain names, there is a delay because the file used by DNSenum (“/usr/share/dnsenum/dns.txt”) has over 1506 entries. So, until the tool checks all the entries, there will definitely be a delay. Can we reduce this data? Yes, by using another file instead of the default one. For example, we can create our own “dns.txt” file with entries of subdomains gathered from other type of enumeration.

DNSenum 11

–file(f)

We can specify this custom file with the (-f) option as shown below.

DNSenum 12

–subfile

We can also save the output of subdomain brute forcing in a file using the subfile option as shown below.

DNSenum 17
DNSenum 18

–noreverse

Coming to reverse lookup, while performing reverse lookup on 512 IP addresses (in this case) definitely takes time. But don’t worry. We can skip the reverse lookup by using the normal option.

DNSenum 13

–private

This option enumerates and saves the private IP addresses of a domain in the file named <domain_name>_ips.txt.

DNSenum 14
DNSenum 15

–timeout (-t)

The default timeout option of TCP queries and UDP queries for dnsenum is 10 seconds. The timeout option allows us to change it.

DNSenum 16

–threads (va)

This option is used to specify the number of threads to perform different queries.

DNSenum 19

–verbose (-v)

You already know what this option does. It reveals more information. See the differences.

DNSenum 20
DNSenum 21

–scrape (-s)

Used to specify the number of subdomains to be scraped from Google.

DNSenum 23
DNSenum 24

Here’s the result.

DNSenum 25

–page (-p)

While scraping the subdomain with dnsenum above, you should have noticed that it queries Google search pages for subdomains related to the domain. By default, it is 20 pages. Using this option, it can be changed. For example, lets set it to 10.

DNSenum 26
DNSenum 2728

–recursion (-r)

This option can be used to perform recursion on subdomain gathering.

DNSenum 29

–whois (-w)

As you might have expected, this option is used to perform whois queries on class C network ranges. It can be time consuming. Use wisely. Learn what is whois footpriting.

DNSenum 30
DNSenum 31

–delay (-d)

This option is used to specify the maximum delay between each whois query. The default delay is 3 seconds.

DNSenum 32

That’s all about DNSenum.