
Backtrack 2 : Information Gathering –> All –> Dnsmap


A tool written in Perl to enumerate information on a domain. It uses the Net::DNS module.

Things you can do with this program:

1. Finding interesting remote access servers (i.e.: https://extranet.targetdomain.com)

2. Finding badly configured and/or unpatched servers (i.e.: test.targetdomain.com)

3. Finding new domain names which will allow you to map non-obvious/hard-to-find netblocks
of your target organization (registry lookups – aka whois is your friend)

4. Sometimes you find that some bruteforced subdomains resolve to internal IP addresses
(RFC 1918). This is great as sometimes they are real up-to-date A records which means that
it *is* possible to enumerate internal servers of a target organization from the Internet
by only using standard DNS resolving (as opposed to zone transfers for instance).

Bruteforcing can be done either with dnsmap’s built-in wordlist or a user-supplied wordlist.

Example of subdomain bruteforcing using dnsmap’s built-in word-list:

dnsmap targetdomain.com

Example of subdomain bruteforcing using a user-supplied wordlist:

dnsmap targetdomain.com wordlist.txt

* LIMITATIONS *

This tool won’t work with target domains which use wildcards. When a domain
uses wildcards, all bruteforced subdomains will resolve to the same IP address,
which makes enumerating target servers unfeasible.

dnsmap *does* however inform the user when wildcards have been detected and suggests
choosing a different target domain.

(Source: README file that comes with the program)

Time for some hands-on:

[screenshot not reproduced]

That’s it!!

pavs



Backtrack 2 : Information Gathering –> All –> Dns-bruteforce


This tool is used to make a brute force on name resolution. The idea of the tool is to resolve all words dot domain name. To be more useful the tool uses multi-threading: one thread for each name server. Classical brute forcers are sequential. With this method we cut the dictionary in n blocks (n is the number of DNS servers) and distribute these blocks to name servers. The tool is now in the project revhosts; new updates are only available in revhosts.

(Source: http://www.revhosts.org/DNSBruteforce)

Ok this one’s kinda tricky.

You need a list of DNS servers and save it as server.lst, then you need a list of hosts you want to bruteforce and save it as hosts-txt. They have to be saved in the same directory as the dns-bruteforce.py script, which is the “/pentest/enumeration/dns-bruteforce” directory in Backtrack 2. Well, they don’t have to be saved in the same directory, but it makes life, and the example I will show, easier.

I used this DNS server 208.67.222.222; you can make a list and put it in the server.lst file on separate lines.

Then I need a hosts-txt file with a list of hosts I want to bruteforce. Dns-bruteforce comes with a host-txt file; I made my own and cut it short to these, on separate lines: www, pop, mail, dns, apache, gateway.

We used this command: ./DNSBruteforce.py yahoo server.lst hosts-txt
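The two behaviours described above, dnsmap's wildcard check (every guessed name resolves to the same address, so the results are meaningless) and DNSBruteforce's split of the wordlist into one block per name server with a thread each, combined in one added example. This is not code from either tool: the `Resolver` callable, `dict_resolver` fake, and the example.com records are constructed so the script runs offline without making any real DNS queries; a real run would plug in a socket or dnspython lookup as the resolver.

```python
"""Wordlist-based subdomain resolution with a wildcard check and one
resolver thread per name server. Resolution is injected so the example
runs offline against constructed data (no real lookups are made)."""
import random
import string
import threading
from typing import Callable, Dict, List, Optional

# A resolver maps a hostname to a list of IPs, or None when the name does
# not exist. Real code would wrap socket.gethostbyname or dnspython; the
# fakes built by dict_resolver below stand in for that here.
Resolver = Callable[[str], Optional[List[str]]]


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Optional[List[str]]:
    """Resolve a few random labels under the domain. If they all answer with
    the same addresses, the zone has a wildcard record and every guessed
    name would 'resolve', so enumeration results would be meaningless."""
    answers = []
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase, k=12))
        answers.append(resolve(f"{label}.{domain}"))
    if all(a is not None for a in answers) and all(a == answers[0] for a in answers):
        return answers[0]
    return None


def split_blocks(words: List[str], n: int) -> List[List[str]]:
    """Cut the wordlist into n blocks, one per name server."""
    n = max(1, min(n, len(words)))
    size, extra = divmod(len(words), n)
    blocks, start = [], 0
    for i in range(n):
        end = start + size + (1 if i < extra else 0)
        blocks.append(words[start:end])
        start = end
    return blocks


def enumerate_subdomains(domain: str, words: List[str], resolvers: List[Resolver]) -> Dict[str, List[str]]:
    """Resolve '<word>.<domain>' for every word, with each resolver handling
    its own block in its own thread. Returns the names that resolved."""
    wildcard = detect_wildcard(domain, resolvers[0])
    if wildcard is not None:
        raise ValueError(f"{domain} has a wildcard record ({wildcard}); results would be meaningless")

    found: Dict[str, List[str]] = {}
    lock = threading.Lock()

    def worker(block: List[str], resolve: Resolver) -> None:
        for word in block:
            name = f"{word}.{domain}"
            ips = resolve(name)
            if ips:
                with lock:
                    found[name] = ips

    threads = [threading.Thread(target=worker, args=(block, resolvers[i]))
               for i, block in enumerate(split_blocks(words, len(resolvers)))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return found


def dict_resolver(records: Dict[str, List[str]], wildcard: Optional[List[str]] = None) -> Resolver:
    """Fake resolver over constructed records; an optional wildcard answer
    mimics a zone with a '*' record, which is what dnsmap warns about."""
    def resolve(name: str) -> Optional[List[str]]:
        return records.get(name, wildcard)
    return resolve


# Constructed sample zone for example.com (documentation addresses, not real hosts).
SAMPLE_RECORDS = {
    "www.example.com": ["192.0.2.10"],
    "mail.example.com": ["192.0.2.25"],
    "gateway.example.com": ["10.0.0.1"],   # an RFC 1918 address visible through public DNS
}
SAMPLE_WORDS = ["www", "pop", "mail", "dns", "apache", "gateway"]

if __name__ == "__main__":
    # Two fake name servers, as if server.lst listed two addresses.
    servers = [dict_resolver(SAMPLE_RECORDS), dict_resolver(SAMPLE_RECORDS)]
    for name, ips in sorted(enumerate_subdomains("example.com", SAMPLE_WORDS, servers).items()):
        print(name, ips)
```

The wildcard probe runs before any work is spread across the threads, which is the cheap check worth doing on your own zones too: if a catch-all record exists, anything you see in a brute-force result is noise, and the internal address for `gateway` is the kind of leak the dnsmap README's point 4 describes.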

Here is the screenshot:

[screenshot not reproduced]

That’s all!!

pavs




Backtrack 2 : Information Gathering –> All –> DnsWalk


Dnswalk is a DNS debugger. It performs zone transfers of specified
domains, and checks the database in numerous ways for internal
consistency, as well as accuracy.

dnswalk is not for the faint of heart. It should NOT be
used without a firm knowledge of the DNS RFC’s. If you use this
tool for cracking or otherwise evil purposes, the author hereby
considers you a slime-ball. See the end of this README file for
a list of good reading material.

dnswalk [-fradm] domain [> logfile]

dnswalk tends to produce lots of output, so I’d suggest
redirecting this into a file of your choice. I debated using doc’s
strategy of automatically putting it in a logfile, but decided not
to. (The author reserves the right to change his mind) For small,
mostly-correct domains it is pretty manageable, however. For larger
domains, use the included ‘do-dnswalk’ script as a guide.

Options:
-f Force a zone transfer from an authoritative nameserver.
dnswalk normally will look in its saved ‘axfr’ file
for each domain and use that. (if it exists)
-r Recursively descend sub-domains of the specified
domain. Use with caution and care.
-a Turn on warning of duplicate A records. (see below)
-d Some debugging. (Use only if redirecting stdout)
-m Perform checks only if the zone has been modified since
the previous run.
-F perform “fascist” checking. When checking an A record,
compare the PTR name for each IP address with the forward
name and report mismatches. (see below) I recommend
you try this option at least once to see what sorts of
errors pop up – you might be surprised!
-l Perform “lame delegation” checking. For every NS record,
check to see that the listed host is indeed returning
authoritative answers for this domain. Inspiration for
this comes from the great guys at U-M.

The domain name specified on the command line MUST end with a ‘.’.
You can specify a forward domain, such as “dnswalk pop.psu.edu.”
or a reverse domain, such as “dnswalk 155.118.128.in-addr.arpa.”

(Source: http://www.cpan.org/scripts/netstuff/dnswalk)
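The -F check the README describes (compare each A record's address against its PTR and report mismatches) together with the -a duplicate A warning, as an added example rather than dnswalk's own code. The forward and reverse zones are constructed dictionaries so the check runs offline; `Finding` and the zone layout are this example's own, and names carry the trailing dot dnswalk insists on.

```python
"""Forward/reverse consistency check over constructed zone data: for each
A record, does the PTR at the in-addr.arpa name point back at the same
host, and is any address shared by several A records?"""
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    kind: str      # "MISMATCH", "NO_PTR" or "DUP_A"
    name: str
    ip: str
    detail: str


def ptr_name(ip: str) -> str:
    """Reverse the octets of an IPv4 address into its in-addr.arpa name,
    the owner name a PTR lookup queries."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def check_zone(forward: Dict[str, List[str]], reverse: Dict[str, str]) -> List[Finding]:
    """forward maps a fully qualified name (trailing dot) to its A records;
    reverse maps an in-addr.arpa name to its PTR target. Returns one
    finding per problem, in a stable (name-sorted) order."""
    findings: List[Finding] = []
    owners: Dict[str, List[str]] = defaultdict(list)

    for name in sorted(forward):
        for ip in forward[name]:
            owners[ip].append(name)
            rname = ptr_name(ip)
            target = reverse.get(rname)
            if target is None:
                findings.append(Finding("NO_PTR", name, ip, f"no PTR at {rname}"))
            elif target.lower() != name.lower():
                findings.append(Finding("MISMATCH", name, ip, f"PTR says {target}"))

    # The -a style warning: the same address behind more than one A record.
    for ip in sorted(owners):
        if len(owners[ip]) > 1:
            findings.append(Finding("DUP_A", ",".join(owners[ip]), ip,
                                    "address shared by several A records"))
    return findings


# Constructed zones (documentation addresses, not real hosts).
FORWARD_ZONE = {
    "www.example.com.": ["192.0.2.10"],
    "mail.example.com.": ["192.0.2.25"],
    "old.example.com.": ["192.0.2.10"],     # stale record still pointing at www's address
    "ftp.example.com.": ["192.0.2.30"],
}
REVERSE_ZONE = {
    "10.2.0.192.in-addr.arpa.": "www.example.com.",
    "25.2.0.192.in-addr.arpa.": "smtp.example.com.",   # PTR disagrees with the forward name
    # 192.0.2.30 has no PTR at all
}

if __name__ == "__main__":
    for f in check_zone(FORWARD_ZONE, REVERSE_ZONE):
        print(f"{f.kind:9} {f.name:36} {f.ip:15} {f.detail}")
```

On the constructed data this reports the missing PTR for ftp, the forward/reverse disagreement for mail, the stale old record that still shares www's address, and the duplicate-address warning for that pair; a real run would fill the two dictionaries from an AXFR of the forward and reverse zones, which is what dnswalk's -f does.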

[screenshot not reproduced]

That’s all!!

pavs




Backtrack 2 : Information Gathering –> All –> dns-ptr


It is a tool that allows you to make a query over IP ranges to obtain the DNS names of these IPs, with simplicity and speed.

(Source: http://backtrack.offensive-security.com/index.php?title=Tools#DNS-Ptr)

We used this command: dns-ptr 69.41.185.195 20

[screenshot not reproduced]

That’s all!

pavs



