Dnsenum

Description

Dnsenum – Multithreaded Perl script to enumerate the DNS information of a domain and to discover non-contiguous IP blocks.

Usage

1) Get the host's address (A record).

2) Get the nameservers (threaded).

3) Get the MX records (threaded).

4) Perform AXFR queries on the nameservers and get the BIND VERSION (threaded).

5) Get extra names and subdomains via Google scraping
   (Google query = "allinurl: -www site:domain").

6) Brute force subdomains from a file; can also perform recursion
   on subdomains that have NS records (all threaded).

7) Calculate C class domain network ranges and perform whois
   queries on them (threaded).

8) Perform reverse lookups on netranges
   (C class and/or whois netranges) (threaded).

9) Write the IP blocks to the domain_ips.txt file.

Syntax

dnsenum.pl [Options] <domain>

Options

GENERAL OPTIONS:
  --dnsserver <server>
                        Use this DNS server for A, NS and MX queries.
  --enum                Shortcut option equivalent to --threads 5 -s 15 -w.
  -h, --help            Print this help message.
  --noreverse           Skip the reverse lookup operations.
  --nocolor             Disable ANSIColor output.
  --private             Show and save private IPs at the end of the file domain_ips.txt.
  --subfile <file>      Write all valid subdomains to this file.
  -t, --timeout <value> The TCP and UDP timeout values in seconds (default: 10s).
  --threads <value>     The number of threads that will perform the different queries.
  -v, --verbose         Be verbose: show all the progress and all the error messages.
GOOGLE SCRAPING OPTIONS:
  -p, --pages <value>   The number of Google search pages to process when scraping names;
                        the default is 5 pages, and the -s switch must be specified.
  -s, --scrap <value>   The maximum number of subdomains that will be scraped from Google (default 15).
BRUTE FORCE OPTIONS:
  -f, --file <file>     Read subdomains from this file to perform brute force.
  -u, --update <a|g|r|z>
                        Update the file specified with the -f switch with valid subdomains.
        a (all)         Update using all results.
        g               Update using only Google scraping results.
        r               Update using only reverse lookup results.
        z               Update using only zone transfer results.
  -r, --recursion       Recursion on subdomains: brute force all discovered subdomains that have an NS record.
WHOIS NETRANGE OPTIONS:
  -d, --delay <value>   The maximum number of seconds to wait between whois queries; the actual delay is chosen randomly (default: 3s).
  -w, --whois           Perform the whois queries on C class network ranges.
                        **Warning**: this can generate very large netranges and it will take a lot of time to perform the reverse lookups.
REVERSE LOOKUP OPTIONS:
  -e, --exclude <regexp>
                        Exclude PTR records that match the regexp from reverse lookup results; useful on invalid hostnames.
OUTPUT OPTIONS:
  -o, --output <file>   Output in XML format. Can be imported in MagicTree (www.gremwell.com).

Example

cyborg@cyborg:~$ dnsenum --enum -f -r google.com
dnsenum.pl VERSION:1.2.3
Warning: can't load Net::Whois::IP module, whois queries disabled.

-----   google.com   -----


Host's addresses:
__________________

google.com.                              34       IN    A        216.58.196.110


Wildcard detection using: hbuyvfjgcrma
_______________________________________

hbuyvfjgcrma.google.com.                 60       IN    A        92.242.132.27


!!!!!!!!!!!!!!!!!!!!!!!!!!!!

 Wildcards detected, all subdomains will point to the same IP address
 Omitting results containing 92.242.132.27.
 Maybe you are using OpenDNS servers.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!


Name Servers:
______________

ns1.google.com.                          345600   IN    A        216.239.32.10
ns4.google.com.                          345600   IN    A        216.239.38.10
ns3.google.com.                          345600   IN    A        216.239.36.10
ns2.google.com.                          345600   IN    A        216.239.34.10


Mail (MX) Servers:
___________________

alt2.aspmx.l.google.com.                 242      IN    A        74.125.25.26
aspmx.l.google.com.                      215      IN    A        74.125.130.27
alt1.aspmx.l.google.com.                 117      IN    A        173.194.72.26
alt4.aspmx.l.google.com.                 293      IN    A        74.125.193.27
alt3.aspmx.l.google.com.                 293      IN    A        173.194.64.27


Trying Zone Transfers and getting Bind Versions:
_________________________________________________


Trying Zone Transfer for google.com on ns2.google.com ... 
AXFR record query failed: Response code from server: REFUSED

Trying Zone Transfer for google.com on ns1.google.com ... 
AXFR record query failed: Response code from server: REFUSED

Trying Zone Transfer for google.com on ns3.google.com ... 
AXFR record query failed: Response code from server: REFUSED

Trying Zone Transfer for google.com on ns4.google.com ... 
AXFR record query failed: Response code from server: REFUSED


Scraping google.com subdomains from Google:
____________________________________________


 ----   Google search page: 1   ---- 


 ----   Google search page: 2   ---- 


 ----   Google search page: 3   ---- 


 ----   Google search page: 4   ---- 


 ----   Google search page: 5   ---- 



Google Results:
________________

  perhaps Google is blocking our queries.
 Check manually.


Brute forcing with -r:
_______________________
©2017 Ztrela Knowledge Solutions Pvt. Ltd