
Backtrack 2 : Information Gathering –> All –> Dnsmap


A tool written in Perl to enumerate information on a domain. It uses the Net::DNS module.

Things you can do with this program:

1. Finding interesting remote access servers (i.e.: https://extranet.targetdomain.com)

2. Finding badly configured and/or unpatched servers (i.e.: test.targetdomain.com)

3. Finding new domain names which will allow you to map non-obvious/hard-to-find netblocks
of your target organization (registry lookups – aka whois is your friend)

4. Sometimes you find that some bruteforced subdomains resolve to internal IP addresses
(RFC 1918). This is great as sometimes they are real up-to-date A records which means that
it *is* possible to enumerate internal servers of a target organization from the Internet
by only using standard DNS resolving (as opposed to zone transfers for instance).

Bruteforcing can be done either with dnsmap’s built-in wordlist or a user-supplied wordlist.

Example of subdomain bruteforcing using dnsmap’s built-in word-list:

dnsmap targetdomain.com

Example of subdomain bruteforcing using a user-supplied wordlist:

dnsmap targetdomain.com wordlist.txt

* LIMITATIONS *

This tool won’t work with target domains which use wildcards. When a domain
uses wildcards, all bruteforced subdomains will resolve to the same IP address,
which makes enumerating target servers unfeasible.

dnsmap *does* however inform the user when wildcards have been detected and suggests
choosing a different target domain.

(source : README file that comes with the program)
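The wildcard limitation and the RFC 1918 observation from the README above, as an added example that is not dnsmap's own code: it runs a wordlist against an injected resolver so the logic can be exercised offline, and it is the same check a zone owner would run to confirm no internal addresses are published in their own domain. The domain example.test, the zone contents, both resolver functions and the probe labels are constructed for the example; swapping in a real lookup is left to the reader.

```python
import ipaddress
from typing import Callable, Dict, List, Optional
# A resolver maps a hostname to its A record (IPv4 string), or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]
# RFC 1918 ranges, checked explicitly: ipaddress's is_private also matches TEST-NET and
# other IANA special-purpose blocks, which is not what the README means by "internal".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Labels no real zone should contain; dnsmap picks such names at random.
WILDCARD_PROBES = ("zqxjkvwpmbtn", "hgfdsapoiuyt", "lkjhgfdsazxc")
# Constructed zone for the hypothetical domain example.test (not real DNS data).
SAMPLE_ZONE = {
    "www.example.test": "203.0.113.10",
    "extranet.example.test": "203.0.113.20",
    "test.example.test": "10.1.2.3",         # leaks an internal address
    "intranet.example.test": "192.168.5.9",  # likewise
}

def sample_resolver(name: str) -> Optional[str]:
    """Offline stand-in for an A-record lookup against SAMPLE_ZONE."""
    return SAMPLE_ZONE.get(name.lower())

def wildcard_resolver(name: str) -> Optional[str]:
    """Constructed zone with *.example.test: every label gets the same answer."""
    return "203.0.113.99" if name.lower().endswith(".example.test") else None

def is_rfc1918(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def detect_wildcard(domain: str, resolve: Resolver) -> Optional[str]:
    """Resolve labels that should not exist; if they all map to one address the
    zone has a wildcard and that address is returned, otherwise None."""
    answers = set()
    for label in WILDCARD_PROBES:
        ip = resolve(f"{label}.{domain}")
        if ip is None:
            return None
        answers.add(ip)
    return answers.pop() if len(answers) == 1 else None

def enumerate_subdomains(domain: str, words: List[str], resolve: Resolver) -> Dict[str, dict]:
    """Try each word as a label, recording the address and whether it is RFC 1918; refuses a wildcard zone."""
    wildcard = detect_wildcard(domain, resolve)
    if wildcard is not None:
        raise ValueError(f"{domain} has a wildcard record ({wildcard}); bruteforcing is pointless")
    found: Dict[str, dict] = {}
    for word in words:
        ip = resolve(f"{word}.{domain}")
        if ip is not None:
            found[f"{word}.{domain}"] = {"ip": ip, "internal": is_rfc1918(ip)}
    return found
```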

Time for some hands-on:


That’s it!!

pavs

