A tool written in Perl to enumerate information on a domain. It uses the Net::DNS module.
Things you can do with this program:
1. Finding interesting remote access servers (i.e.: https://extranet.targetdomain.com)
2. Finding badly configured and/or unpatched servers (i.e.: test.targetdomain.com)
3. Finding new domain names which will allow you to map non-obvious/hard-to-find netblocks
of your target organization (registry lookups – aka whois is your friend)
4. Sometimes you find that some bruteforced subdomains resolve to internal IP addresses
(RFC 1918). This is great as sometimes they are real up-to-date A records which means that
it *is* possible to enumerate internal servers of a target organization from the Internet
by only using standard DNS resolving (as oppossed to zone transfers for instance).
Bruteforcing can be done either with dnsmap’s built-in wordlist or a user-supplied wordlist.
Example of subdomain bruteforcing using dnsmap’s built-in word-list:
Example of subdomain bruteforcing using a user-supplied wordlist:
dnsmap targetdomain.com wordlist.txt
* LIMITATIONS *
This tool won’t work with target domains which use wildcards. When a domain
uses wildcards, all bruteforced subdomains will resolve to the same IP address,
which makes enumerating target servers unfeasible.
dnsmap *does* however inform the user when wildcards have been detected and suggests
choosing a different target domain.
(source : README file that comes with the program)
Time for some handson: