
DNSRecon

References
URL: http://darkoperator.squarespace.com/tools-and-scripts/dnsrecon.rb
Sources: 
http://darkoperator.squarespace.com/tools-and-scripts/dnsrecon.rb
http://www.darkoperator.com/blog/2009/4/3/dns-recon-tool-written-in-ruby.html

Introduction

Ever needed to find out more about a particular domain? Ever needed to do a reverse lookup on a range of IP addresses? Ever needed to find out where else a similarly named domain is hosted, or whether a domain has other subdomains? Look no further, because we've written up a tutorial on using DNSRecon to enumerate information about any domain you choose.

DNSRecon is a Ruby based tool written by Carlos Perez of the DarkOperator.com website. Carlos has this to say about himself:

"I’m an IT Consultant working for a large IT Integrator in the areas of Security, Networking and Virtualization. I cover the region of Central America, Caribbean and Puerto Rico. I used to be a tactical instructor, and still train in that area of interest. Above all, I’m a father, a husband, and proud to be an American. I currently contribute to Open Source Projects like Metasploit and Backtrack, and I love to write code in Python, Ruby, Powershell, T-SQL and Bash.

My main area of interest is post exploitation - an area that I consider to be lacking in instruction, and one that is not practiced by many Penetration Testers and Security Professionals. I'm a strong believer that with the shell, the fun starts. That is the main reason for my website title."

http://www.darkoperator.com/about-me/ - Wednesday June 30th 2010, edited for grammatical and spelling accuracy

This tool provides a number of different enumeration options, including:

std - SOA, NS and MX records (plus the A record) of a target domain
tld - expansion of a name across the tool's list of top-level domains
axf - a zone transfer attempt against every NS record of the target domain
rvs - reverse (PTR) lookups across a range of IP addresses
srv - SRV record enumeration for VoIP, Active Directory and network services
brt - brute forcing of host names and subdomains from a wordlist

Now let's take a look at its usage in a little more depth.


Usage

Usage of this tool is relatively simple. If you're not running BackTrack Linux (which ships with the tool under /pentest/enumeration/dnsrecon), you will need to download dnsrecon.rb from the URL listed under References above.

At this point, I'm going to assume you have Ruby installed. If not, Google it. Once Ruby is installed, you may need to run the following commands to install the gems this script depends on:

gem install pNet-DNS

gem install ip

At this point, the fun begins. Simply run ./dnsrecon.rb (or ruby dnsrecon.rb) with no arguments to see the following list of options:

root@bt:/pentest/enumeration/dnsrecon# ./dnsrecon.rb

Dnsrecon 1.6
By Carlos Perez
Email: carlos_perez[at]darkoperator.com

This is a simple tool writen for target enumeration during authorized penetration test
engaments. This tool provides diferent methods for enumerating targets thru DNS service.

-t, --type 
                Select the type of enumeration to be done.
                std     Query for SOA, NS and MX Record of a target domain.
                tld     Top Level Domain enumeration of a target domain.
                axf     Perform a Zone transfer against all NS server Records
                        of a target domain.
                rvs     Reverse Record Lookup enumeration against a targeted
                        IP range.
                srv     Service Record Enumeration of VOIP, Active Directory and
                        Network Services service records.
                brt     Bruteforce subdomain and host records using a wordlist.

-d, --target
                Domain to be targeted for enumeration.

-i, --ip
                Starting IP and end IP for a range to be used for reverse lookup
                enumeration of a targeted domain. Exmpl. 192.168.1.1,192.168.1.253

-w, --wordlist
                Wordlist to be use for brutforce enumeration of host names and subdomains.

-s, --dns
                Alternate DNS server to use.
-h, --help
                This help message.

This list gives an overall view of what the various options/switches do, and explains them relatively well. I'll give you a few real-world examples now.

Retrieve the standard set of DNS records (SOA, NS and MX, plus the domain's A record; example.com had no MX record at the time):

root@bt:/pentest/enumeration/dnsrecon# ./dnsrecon.rb -t std -d example.com
example.com,192.0.32.10,A
dns1.icann.org,192.0.34.17,SOA
b.iana-servers.net,193.0.0.236,NS
a.iana-servers.net,192.0.34.43,NS

Retrieve an expansion of the name "example" across all TLDs in the tool's list:

root@bt:/pentest/enumeration/dnsrecon# ./dnsrecon.rb -t tld -d example
example.com,192.0.32.10,A
example.org,192.0.32.10,A
example.net,192.0.32.10,A
example.be,80.169.63.221,A
example.bz,202.222.31.77,A
example.cm,74.54.82.187,A
example.cn,76.73.91.84,A
example.cc,74.53.37.146,A
example.cz,93.185.104.29,A
example.fr,64.77.49.164,A
example.fi,127.0.0.1,A
example.de,82.165.68.194,A
example.gd,173.15.30.209,A
example.gy,190.80.34.18,A
example.hu,212.92.23.43,A
example.it,94.23.233.45,A
example.ie,79.140.142.22,A
example.im,64.74.223.33,A
example.lv,69.163.151.106,A
example.kr,218.38.54.50,A
example.lt,79.98.26.181,A
example.lu,85.93.218.194,A
example.ms,208.113.176.224,A
example.nl,213.136.0.188,A
example.pw,70.87.29.150,A
example.pw,70.87.29.179,A
example.nu,81.171.111.87,A
example.mp,75.101.130.205,A
example.no,213.184.199.28,A
example.ph,74.220.207.104,A
example.pl,87.98.236.150,A
example.st,195.178.160.40,A
example.ws,64.95.64.197,A
example.ru,82.98.86.174,A
example.es,80.92.66.130,A
example.sk,81.31.47.101,A
example.ch,217.26.52.36,A
example.tw,69.72.142.98,A
example.tw,216.98.141.250,A
example.tk,94.103.151.195,A
example.tk,193.33.61.2,A
example.tk,209.172.59.196,A
example.tk,217.119.57.22,A
example.tv,74.117.116.94,A
example.vn,216.98.154.103,A

As you can see, it walks its built-in list of TLDs, reports which of them resolve, and prints the A record each one resolves to. Treat these as leads rather than confirmed hosts: a result such as example.fi resolving to 127.0.0.1 is obviously a placeholder record, and a domain that merely shares a name with your target is not necessarily related to it or in scope.

Reverse lookup an IP range - in this case, part of ICANN's range. Note that addresses with no PTR record (192.0.32.20 and .31 here) are simply left out of the output:

root@bt:/pentest/enumeration/dnsrecon# ./dnsrecon.rb -t rvs -i 192.0.32.10,192.0.32.32
Reverse Lookup for IP Renge from 192.0.32.10 to 192.0.32.32
www.example.com,192.0.32.10
32-11.lax.icann.org,192.0.32.11
32-12.lax.icann.org,192.0.32.12
itar.iana.org,192.0.32.13
nomcom.icann.org,192.0.32.14
confirm.icann.org,192.0.32.15
dnscert.com,192.0.32.16
www.dnso.org,192.0.32.17
res-dom.iana.org,192.0.32.18
lroot.icann.org,192.0.32.19
www.atlargestudy.org,192.0.32.21
redirect.icann.org,192.0.32.22
idncctldrequest.icann.org,192.0.32.23
ta.icann.org,192.0.32.24
data.iana.org,192.0.32.25
forum.icann.org,192.0.32.26
community.icann.org,192.0.32.27
charts.icann.org,192.0.32.28
rrs.icann.org,192.0.32.29
radar.icann.org,192.0.32.30
drupal.icann.org,192.0.32.32
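
The sweep above boils down to three steps: expand the "start,end" range into individual addresses, build each address's PTR owner name (192.0.32.10 becomes 10.32.0.192.in-addr.arpa), and query it. The following Ruby is an added example written for this tutorial, not DNSRecon's own code; the function names, the callable-resolver design and the sample PTR data (a constructed subset of the ICANN output above) are all mine. It uses only the standard library, so it does not need the gems above, and the stub resolver lets it run offline.

```ruby
# Added example, not part of DNSRecon: a reverse-lookup sweep in the style of
# "-t rvs -i start,end". Standard library only.
require 'ipaddr'
require 'resolv'

# Expand DNSRecon's "start,end" range syntax into every IPv4 address in the
# inclusive range. Iterating on the integer form means a range that crosses
# a /24 boundary (e.g. 192.0.32.254,192.0.33.1) is handled correctly.
def expand_range(spec)
  first, last = spec.split(',', 2).map { |s| IPAddr.new(s.strip) }
  raise ArgumentError, 'two IPv4 addresses required' unless first&.ipv4? && last&.ipv4?
  raise ArgumentError, 'start address is after end address' if first.to_i > last.to_i
  (first.to_i..last.to_i).map { |i| IPAddr.new(i, Socket::AF_INET).to_s }
end

# The PTR owner name for an address: 192.0.32.10 -> 10.32.0.192.in-addr.arpa
def ptr_name(ip)
  IPAddr.new(ip).reverse
end

# Sweep the range. `lookup` is any callable that takes a PTR owner name and
# returns the hostnames it points at (an empty array when there is no PTR
# record), so the same code runs against a stub or a real resolver.
# Returns [[hostname, ip], ...] in address order; addresses with no PTR are
# omitted, just as 192.0.32.20 and .31 are absent from the ICANN output.
def reverse_sweep(spec, lookup)
  expand_range(spec).flat_map do |ip|
    lookup.call(ptr_name(ip)).map { |host| [host, ip] }
  end
end

# Real resolver for an authorized engagement; pass a server to mirror "-s".
def live_lookup(server = nil)
  dns = server ? Resolv::DNS.new(nameserver: [server]) : Resolv::DNS.new
  lambda do |ptr|
    dns.getresources(ptr, Resolv::DNS::Resource::IN::PTR).map { |r| r.name.to_s }
  end
end

# Constructed sample data (a subset of the ICANN sweep above) so the example
# runs offline; swap in live_lookup when you are authorized to query.
SAMPLE_PTRS = {
  '10.32.0.192.in-addr.arpa' => ['www.example.com'],
  '11.32.0.192.in-addr.arpa' => ['32-11.lax.icann.org'],
  '13.32.0.192.in-addr.arpa' => ['itar.iana.org']
}.freeze
STUB_LOOKUP = ->(ptr) { SAMPLE_PTRS.fetch(ptr, []) }

if __FILE__ == $PROGRAM_NAME
  reverse_sweep('192.0.32.10,192.0.32.13', STUB_LOOKUP).each { |h, ip| puts "#{h},#{ip}" }
end
```

Replace STUB_LOOKUP with live_lookup('your.resolver') to run it for real. Doing the range arithmetic on the integer form is the part worth copying: a sweep that increments only the last octet silently stops at .255, and a range whose start is after its end should be rejected rather than producing an empty, misleading result.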

Subdomain enumeration of google.com, using the wordlist hosts.txt:

root@bt:/pentest/enumeration/dnsrecon# ./dnsrecon.rb -t brt -d google.com -w hosts.txt
academico.google.com,66.102.11.104
ads.google.com,66.102.11.112
alerts.google.com,150.101.98.208
alerts.google.com,150.101.98.209
alerts.google.com,150.101.98.218
alerts.google.com,150.101.98.219
ap.google.com,150.101.98.211
apps.google.com,150.101.98.219
apps.google.com,150.101.98.208
apps.google.com,150.101.98.209
apps.google.com,150.101.98.218
asia.google.com,66.249.89.99
asia.google.com,66.249.89.104
blog.google.com,66.102.11.191
calendar.google.com,150.101.98.218
calendar.google.com,150.101.98.219
calendar.google.com,150.101.98.208
calendar.google.com,150.101.98.209
catalog.google.com,150.101.98.209
catalog.google.com,150.101.98.218
catalog.google.com,150.101.98.219
catalog.google.com,150.101.98.208
code.google.com,66.102.11.100
d.google.com,150.101.98.208
d.google.com,150.101.98.209
d.google.com,150.101.98.218
d.google.com,150.101.98.219
desktop.google.com,66.102.11.104
directory.google.com,150.101.98.219
directory.google.com,150.101.98.208
directory.google.com,150.101.98.209
directory.google.com,150.101.98.218
dir.google.com,150.101.98.218
dir.google.com,150.101.98.219
dir.google.com,150.101.98.208
dir.google.com,150.101.98.209
docs.google.com,150.101.98.208
docs.google.com,150.101.98.209
docs.google.com,150.101.98.218
docs.google.com,150.101.98.219
downloads.google.com,150.101.98.211
download.google.com,150.101.98.211
earth.google.com,150.101.98.209
earth.google.com,150.101.98.218
earth.google.com,150.101.98.219
earth.google.com,150.101.98.208
email.google.com,150.101.98.208
email.google.com,150.101.98.209
email.google.com,150.101.98.218
email.google.com,150.101.98.219
europe.google.com,150.101.98.219
europe.google.com,150.101.98.208
europe.google.com,150.101.98.209
europe.google.com,150.101.98.218
feeds.google.com,74.125.54.213
gd.google.com,150.101.98.211
gmail.google.com,150.101.98.218
gmail.google.com,150.101.98.219
gmail.google.com,150.101.98.208
gmail.google.com,150.101.98.209
gg.google.com,74.125.155.100
gg.google.com,74.125.155.101
gg.google.com,74.125.155.102
gg.google.com,74.125.155.113
gg.google.com,74.125.155.138
gg.google.com,74.125.155.139
group.google.com,66.102.11.100
gw1.google.com,66.102.11.104
help.google.com,150.101.98.209
help.google.com,150.101.98.218
help.google.com,150.101.98.219
help.google.com,150.101.98.208
id.google.com,150.101.98.208
id.google.com,150.101.98.209
id.google.com,150.101.98.218
id.google.com,150.101.98.219
images.google.com,150.101.98.211
investor.google.com,150.101.98.208
investor.google.com,150.101.98.209
investor.google.com,150.101.98.218
investor.google.com,150.101.98.219
investors.google.com,150.101.98.219
investors.google.com,150.101.98.208
investors.google.com,150.101.98.209
investors.google.com,150.101.98.218
jobs.google.com,150.101.98.218
jobs.google.com,150.101.98.219
jobs.google.com,150.101.98.208
jobs.google.com,150.101.98.209
kh.google.com,150.101.98.208
kh.google.com,150.101.98.209
kh.google.com,150.101.98.218
kh.google.com,150.101.98.219
labs.google.com,150.101.98.209
labs.google.com,150.101.98.218
labs.google.com,150.101.98.219
labs.google.com,150.101.98.208
m.google.com,66.102.11.193
mail.google.com,66.102.11.83
map.google.com,150.101.98.211
maps.google.com,150.101.98.211
mobile.google.com,66.102.11.193
moon.google.com,150.101.98.208
moon.google.com,150.101.98.209
moon.google.com,150.101.98.218
moon.google.com,150.101.98.219
movies.google.com,150.101.98.219
movies.google.com,150.101.98.208
movies.google.com,150.101.98.209
movies.google.com,150.101.98.218
news.google.com,150.101.98.211
newsfeed.google.com,74.125.47.140
ns3.google.com,216.239.36.10
ns1.google.com,216.239.32.10
ns4.google.com,216.239.38.10
ns2.google.com,216.239.34.10
pages.google.com,150.101.98.218
pages.google.com,150.101.98.219
pages.google.com,150.101.98.208
pages.google.com,150.101.98.209
page.google.com,150.101.98.209
page.google.com,150.101.98.218
page.google.com,150.101.98.219
page.google.com,150.101.98.208
photos.google.com,150.101.98.208
photos.google.com,150.101.98.209
photos.google.com,150.101.98.218
photos.google.com,150.101.98.219
products.google.com,150.101.98.208
products.google.com,150.101.98.209
products.google.com,150.101.98.218
products.google.com,150.101.98.219
proxy.google.com,64.233.161.4
proxy.google.com,64.233.165.4
proxy.google.com,64.233.167.4
proxy.google.com,64.233.169.4
proxy.google.com,64.233.171.4
proxy.google.com,64.233.179.4
proxy.google.com,64.233.184.4
proxy.google.com,64.233.187.4
proxy.google.com,66.102.0.4
proxy.google.com,66.102.9.4
proxy.google.com,66.102.14.225
proxy.google.com,66.102.14.241
proxy.google.com,216.239.42.4
proxy.google.com,216.239.53.4
proxy.google.com,216.239.55.5
proxy.google.com,216.239.57.4
proxy.google.com,216.239.59.4
relay.google.com,150.101.98.211
research.google.com,150.101.98.219
research.google.com,150.101.98.208
research.google.com,150.101.98.209
research.google.com,150.101.98.218
sb.google.com,66.102.11.91
sb.google.com,66.102.11.93
sb.google.com,66.102.11.136
sb.google.com,66.102.11.190
search.google.com,150.101.98.218
search.google.com,150.101.98.219
search.google.com,150.101.98.208
search.google.com,150.101.98.209
services.google.com,150.101.98.209
services.google.com,150.101.98.218
services.google.com,150.101.98.219
services.google.com,150.101.98.208
shopping.google.com,150.101.98.208
shopping.google.com,150.101.98.209
shopping.google.com,150.101.98.218
shopping.google.com,150.101.98.219
sms.google.com,150.101.98.219
sms.google.com,150.101.98.208
sms.google.com,150.101.98.209
sms.google.com,150.101.98.218
smtp.google.com,72.14.225.72
smtp.google.com,74.125.121.57
smtp.google.com,216.239.44.95
sprint.google.com,150.101.98.218
sprint.google.com,150.101.98.219
sprint.google.com,150.101.98.208
sprint.google.com,150.101.98.209
support.google.com,150.101.98.209
support.google.com,150.101.98.218
support.google.com,150.101.98.219
support.google.com,150.101.98.208
talk.google.com,72.14.203.125
tools.google.com,66.102.11.100
videos.google.com,150.101.98.208
videos.google.com,150.101.98.209
videos.google.com,150.101.98.218
videos.google.com,150.101.98.219
vpn.google.com,64.9.224.68
vpn.google.com,64.9.224.69
vpn.google.com,64.9.224.70
voice.google.com,66.102.11.118
w.google.com,150.101.98.208
w.google.com,150.101.98.209
w.google.com,150.101.98.218
w.google.com,150.101.98.219
wam.google.com,72.14.224.24
wam.google.com,72.14.224.25
w1.google.com,66.102.9.100
web.google.com,150.101.98.219
web.google.com,150.101.98.208
web.google.com,150.101.98.209
web.google.com,150.101.98.218
webmaster.google.com,150.101.98.218
webmaster.google.com,150.101.98.219
webmaster.google.com,150.101.98.208
webmaster.google.com,150.101.98.209
www.google.com,150.101.98.211
ww.google.com,150.101.98.209
ww.google.com,150.101.98.218
ww.google.com,150.101.98.219
ww.google.com,150.101.98.208
www3.google.com,64.233.179.104
www2.google.com,64.233.179.104

So as you can see, there are a great many options for gathering more information. One caveat for brute-force output: when a long run of different names all resolve to the same small set of addresses (150.101.98.208, .209, .218 and .219 above), check for a wildcard record before counting each name as a separate host. Query an obviously non-existent label, such as a random string under the domain; if it resolves to the same addresses, the zone has a wildcard and those hits do not prove that the hosts exist.
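
The following Ruby is an added example written for this tutorial, not DNSRecon's own code, showing the wildcard check in practice: a random label is resolved first, and any candidate whose answer set is identical to the wildcard's is dropped. The function names, the callable-resolver design and the sample zone (two constructed hosts plus a wildcard under example.com) are mine; the tool itself does not perform this check, so the output above has to be sanity-checked by hand. Standard library only, and the stub resolver lets it run offline.

```ruby
# Added example, not part of DNSRecon: wordlist brute force with a wildcard
# check, so that names which only "exist" because of a *.domain record are
# not reported as real hosts. Standard library only.
require 'resolv'
require 'securerandom'

# `resolve` is any callable mapping a name to an array of IPv4 strings, empty
# on NXDOMAIN. A 16-hex-character random label will not be a published host,
# so whatever it resolves to is the wildcard's answer set (empty = no wildcard).
def wildcard_addresses(domain, resolve)
  resolve.call("#{SecureRandom.hex(8)}.#{domain}").sort
end

# Try each word as a label under `domain`, returning [[name, ip], ...] like
# DNSRecon's brt output. With check_wildcard: true, a name whose answer set
# is exactly the wildcard's is dropped; a name that shares only some of the
# wildcard's addresses is kept, so the filter errs on the side of reporting.
def brute_force(domain, words, resolve, check_wildcard: true)
  wild = check_wildcard ? wildcard_addresses(domain, resolve) : []
  words.map(&:strip).reject(&:empty?).uniq.flat_map do |word|
    name = "#{word}.#{domain}"
    addrs = resolve.call(name).sort
    next [] if addrs.empty?
    next [] if !wild.empty? && addrs == wild
    addrs.map { |a| [name, a] }
  end
end

# Real resolver for an authorized engagement; pass a server to mirror "-s".
def live_resolve(server = nil)
  dns = server ? Resolv::DNS.new(nameserver: [server]) : Resolv::DNS.new
  lambda do |name|
    dns.getaddresses(name).select { |a| a.is_a?(Resolv::IPv4) }.map(&:to_s)
  end
end

# Constructed zone for offline use: two real hosts plus a wildcard that
# answers for every other label under example.com.
WILDCARD_ANSWER = ['203.0.113.50'].freeze
SAMPLE_ZONE = {
  'www.example.com'  => ['192.0.32.10'],
  'mail.example.com' => ['198.51.100.25']
}.freeze
STUB_RESOLVE = lambda do |name|
  SAMPLE_ZONE.fetch(name) { name.end_with?('.example.com') ? WILDCARD_ANSWER : [] }
end

if __FILE__ == $PROGRAM_NAME
  words = %w[www mail test ftp] # stands in for the contents of -w hosts.txt
  puts 'without wildcard check:'
  brute_force('example.com', words, STUB_RESOLVE, check_wildcard: false).each { |n, ip| puts "#{n},#{ip}" }
  puts 'with wildcard check:'
  brute_force('example.com', words, STUB_RESOLVE).each { |n, ip| puts "#{n},#{ip}" }
end
```

To run it against a real wordlist, pass File.readlines('hosts.txt', chomp: true) as `words` and live_resolve('your.resolver') as `resolve`. Without the check, test and ftp are reported alongside www and mail; with it, only the two published hosts remain.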


Real World Usage?

At first glance, some of you may see this as a relatively useless application. With a little thought, however, you will realise that by using this tool in the information-gathering stage of a penetration test you will likely find a number of targets you didn't know existed, which makes for a more thorough (and more successful) test. As always, only use this tool where you are legally authorised to (i.e., during a contracted penetration test, or on your own home network or lab), and never use it for anything illegal. Thanks,


-Mr. P
