Backtrack 2 : Information Gathering –> All –> Dig


dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned from the name server(s) that were queried. Most DNS administrators use dig to troubleshoot DNS problems because of its flexibility, ease of use and clarity of output. Other lookup tools tend to have less functionality than dig.
(Source: http://linux.die.net/man/1/dig)

Dig has a huge list of options and by itself would make a large howto, which I will go through at a later date. For the sake of sanity I will just give you a demonstration of the main intention of dig. There is, however, quite a large list of custom options.


That’s it!

pavs




Backtrack 2 : Information Gathering –> All –> Dnspredict


This PERL script, by Jimmy Neutron, is great for determining DNS names with Google. This tool, which is essential for network mapping, accepts two somewhat related words, and a domain name as arguments. The two words are sent through Google sets which expands the words into a list of related words. For example, “earth” and “mars” would expand to Venus, Mercury, Jupiter, Saturn, Neptune, Uranus, Pluto. If fed domain foo.com, dnspredict would then attempt to DNS resolve venus.foo.com, mercury.foo.com, etc. This Windows version is standalone, and requires nothing other than this executable.

(Source)

We will try to predict DNS names for the domain google.com with these arguments:

dnspredict.pl --domain google.com -item1 1 -item2 2


That’s all!!!

pavs




Backtrack 2 : Information Gathering –> All –> Dnsmap


A tool written in Perl to enumerate information on a domain. It uses the Net::DNS module.

Things you can do with this program:

1. Finding interesting remote access servers (i.e.: https://extranet.targetdomain.com)

2. Finding badly configured and/or unpatched servers (i.e.: test.targetdomain.com)

3. Finding new domain names which will allow you to map non-obvious/hard-to-find netblocks of your target organization (registry lookups - aka whois is your friend)

4. Sometimes you find that some bruteforced subdomains resolve to internal IP addresses (RFC 1918). This is great as sometimes they are real up-to-date A records which means that it *is* possible to enumerate internal servers of a target organization from the Internet by only using standard DNS resolving (as opposed to zone transfers for instance).

Bruteforcing can be done either with dnsmap’s built-in wordlist or a user-supplied wordlist.

Example of subdomain bruteforcing using dnsmap’s built-in word-list:

dnsmap targetdomain.com

Example of subdomain bruteforcing using a user-supplied wordlist:

dnsmap targetdomain.com wordlist.txt

* LIMITATIONS *

This tool won’t work with target domains which use wildcards. When a domain uses wildcards, all bruteforced subdomains will resolve to the same IP address, which makes enumerating target servers unfeasible.

dnsmap *does* however inform the user when wildcards have been detected and suggests choosing a different target domain.

(source : README file that comes with the program)
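The wildcard limitation and the RFC 1918 point from the README above are worth checking from the zone owner's side, so here is an added example (not code from dnsmap or any other Backtrack 2 tool): it probes a random label first, discards answers that merely repeat the wildcard address, and flags any remaining record that points into RFC 1918 space. The resolver is injected so the constructed zone data below runs offline; system_resolver is an assumed default that uses the host's stub resolver.

```python
import ipaddress
import secrets
import socket
from typing import Callable, Dict, List, Optional

# A resolver maps a hostname to an IPv4 address string, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def system_resolver(name: str) -> Optional[str]:
    """Assumed default resolver: the host's stub resolver, used when no fake is injected."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def detect_wildcard(domain: str, resolve: Resolver) -> Optional[str]:
    """Query a random label no wordlist would contain; an answer means the zone has a
    wildcard record (the case the dnsmap README warns about) and gives its target IP."""
    return resolve(f"{secrets.token_hex(8)}.{domain}")

def audit_subdomains(domain: str, words: List[str],
                     resolve: Resolver = system_resolver) -> Dict[str, dict]:
    """Resolve word.domain for every word, drop answers that only repeat the wildcard
    address, and flag records pointing into RFC 1918 space (internal hosts in public DNS)."""
    wildcard_ip = detect_wildcard(domain, resolve)
    found: Dict[str, dict] = {}
    for word in words:
        host = f"{word}.{domain}"
        ip = resolve(host)
        if ip is None or ip == wildcard_ip:
            continue
        found[host] = {"ip": ip, "rfc1918": is_rfc1918(ip)}
    return found

# Constructed zone data standing in for a real name server so the example runs offline.
FAKE_ZONE = {"www.example.test": "203.0.113.10", "mail.example.test": "203.0.113.25",
             "intranet.example.test": "10.0.5.12"}  # the last record leaks an internal address
WILDCARD_ZONE_IP = "198.51.100.7"

def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ZONE.get(name)

def fake_wildcard_resolver(name: str) -> Optional[str]:
    # Every label under wild.test answers with one address, as a wildcard record would.
    return WILDCARD_ZONE_IP if name.endswith(".wild.test") else None
```

Calling audit_subdomains("yourzone.example", words) without the third argument runs the same check through the host's real resolver against a zone you administer.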

Time for some hands-on:


That’s it!!

pavs



Backtrack 2 : Information Gathering –> All –> Dns-bruteforce


This tool is used to make a brute force on name resolution. The idea of that tool is to resolve all words dot domain name. To be more useful the tool uses multi-threading; one thread for each name server. Classical brute forcers are sequential. With this method we cut the dictionary in n blocks (n is the number of DNS servers) and distribute these blocks to name servers. The tool is now in the project revhosts; new updates are only available in revhosts.

(Source: http://www.revhosts.org/DNSBruteforce)

Ok this one’s kinda tricky.

You need a list of DNS servers saved as server.lst, then you need a list of hosts you want to bruteforce saved as hosts-txt. They have to be saved in the same directory as the dns-bruteforce.py script, which is the “/pentest/enumeration/dns-bruteforce” directory in Backtrack 2. Well, they don’t have to be saved in the same directory, but it makes life, and the example I will show, easier.

I used this DNS server, 208.67.222.222; you can make a list and put it in the server.lst file, one server per line.

Then I need a hosts-txt file with a list of hosts I want to bruteforce. Dns-bruteforce comes with a host-txt file; I made my own and cut it short to these, one per line: www, pop, mail, dns, apache, gateway.

We used this command: ./DNSBruteforce.py yahoo server.lst hosts-txt

Here is the screen shot:

That’s all!!

pavs



