[BT5]資訊收集1-1 Dnsenum

0.工具介紹

The purpose of Dnsenum is to gather as much information as possible about a domain. The program currently performs the following operations:

1) Get the host's addresse (A record). 2) Get the namservers (threaded). 3) Get the MX record (threaded). 4) Perform axfr queries on nameservers and get BIND versions(threaded). 5) Get extra names and subdomains via google scraping (google query = "allinurl: -www site:domain"). 6) Brute force subdomains from file, can also perform recursion on subdomain that have NS records (all threaded). 7) Calculate C class domain network ranges and perform whois queries on them (threaded). 8) Perform reverse lookups on netranges ( C class or/and whois netranges) (threaded). 9) Write to domain_ips.txt file ip-blocks.

1.工具位置

命令列 root@bt:/pentest/enumeration/dns/dnsenum# 

dir檢視目錄，有dns-big.txt、dns.txt兩個字典檔案，README.txt使用說明和dnsenum.pl主指令碼程式

圖形介面 Applications --> BackTrack --> Information Gathering --> Network Analysis --> Dnsanalysis --> Dnsenum

2.工具引數

-f dns.txt 指定暴力破解檔案，可替換為dns-big.txt

-dnsserver 指定dns伺服器

cisco.com 目標域名

-o cisco.xml 輸出結果到cisco.xml

3.部分使用示例

root@bt:/pentest/enumeration/dns/dnsenum# ./dnsenum.pl cisco.com
dnsenum.pl VERSION:1.2.2

-----   cisco.com   -----


Host's addresses:
__________________

cisco.com                                83265    IN    A        198.133.219.25


Name Servers:
______________

ns2.cisco.com                            5263     IN    A        64.102.255.44
ns1.cisco.com                            600      IN    A        72.163.5.201


Mail (MX) Servers:
___________________

ams-mx-01.cisco.com                      38590    IN    A        64.103.36.169
rtp-mx-01.cisco.com                      38590    IN    A        64.102.255.47
rcdn-mx-01.cisco.com                     75891    IN    A        72.163.7.166
alln-mx-01.cisco.com                     64280    IN    A        173.37.145.198


Trying Zone Transfers and getting Bind Versions:
_________________________________________________


Trying Zone Transfer for cisco.com on ns2.cisco.com ... 
AXFR record query failed: NOERROR

ns2.cisco.com Bind Version: 
                            Unavailable

Trying Zone Transfer for cisco.com on ns1.cisco.com ... 
AXFR record query failed: NOERROR

ns1.cisco.com Bind Version: 
                            Unavailable
 Wildcards detected, all subdomains will point to the same IP address, bye.

4.說明

直接用./dnsenum.pl cisco.com 檢測預設dns伺服器ip，也就是上面的ns1.cisco.com和ns2.cisco.com對應的IP。

接下來會用到，比如說這裡的72.163.5.201

這裡是Zone Transfers的介紹，不難理解，本機上做這個肯定是失敗

http://en.wikipedia.org/wiki/DNS_zone_transfer

5.完整使用示例

root@bt:/pentest/enumeration/dns/dnsenum# ./dnsenum.pl -f dns-big.txt -dnsserver 72.163.5.201 cisco.com -o cisco.xml

注意：使用dns-big.txt字典估計耗時得3小時以上