0.工具介紹
The purpose of Dnsenum is to gather as much information as possible about a domain. The program currently performs the following operations:
1) Get the host's addresse (A record). 2) Get the namservers (threaded). 3) Get the MX record (threaded). 4) Perform axfr queries on nameservers and get BIND versions(threaded). 5) Get extra names and subdomains via google scraping (google query = "allinurl: -www site:domain"). 6) Brute force subdomains from file, can also perform recursion on subdomain that have NS records (all threaded). 7) Calculate C class domain network ranges and perform whois queries on them (threaded). 8) Perform reverse lookups on netranges ( C class or/and whois netranges) (threaded). 9) Write to domain_ips.txt file ip-blocks.
1.工具位置
命令列 root@bt:/pentest/enumeration/dns/dnsenum#
dir檢視目錄,有dns-big.txt、dns.txt兩個字典檔案,README.txt使用說明和dnsenum.pl主指令碼程式
圖形介面 Applications --> BackTrack --> Information Gathering --> Network Analysis --> Dnsanalysis --> Dnsenum
2.工具引數
-f dns.txt 指定暴力破解檔案,可替換為dns-big.txt
-dnsserver 指定dns伺服器
cisco.com 目標域名
-o cisco.xml 輸出結果到cisco.xml
3.部分使用示例
root@bt:/pentest/enumeration/dns/dnsenum# ./dnsenum.pl cisco.com
dnsenum.pl VERSION:1.2.2
----- cisco.com -----
Host's addresses:
__________________
cisco.com 83265 IN A 198.133.219.25
Name Servers:
______________
ns2.cisco.com 5263 IN A 64.102.255.44
ns1.cisco.com 600 IN A 72.163.5.201
Mail (MX) Servers:
___________________
ams-mx-01.cisco.com 38590 IN A 64.103.36.169
rtp-mx-01.cisco.com 38590 IN A 64.102.255.47
rcdn-mx-01.cisco.com 75891 IN A 72.163.7.166
alln-mx-01.cisco.com 64280 IN A 173.37.145.198
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
Trying Zone Transfer for cisco.com on ns2.cisco.com ...
AXFR record query failed: NOERROR
ns2.cisco.com Bind Version:
Unavailable
Trying Zone Transfer for cisco.com on ns1.cisco.com ...
AXFR record query failed: NOERROR
ns1.cisco.com Bind Version:
Unavailable
Wildcards detected, all subdomains will point to the same IP address, bye.
4.說明
直接用./dnsenum.pl cisco.com 檢測預設dns伺服器ip,也就是上面的ns1.cisco.com和ns2.cisco.com對應的IP。
接下來會用到,比如說這裡的72.163.5.201
這裡是Zone Transfers的介紹,不難理解,本機上做這個肯定是失敗
http://en.wikipedia.org/wiki/DNS_zone_transfer
5.完整使用示例
root@bt:/pentest/enumeration/dns/dnsenum# ./dnsenum.pl -f dns-big.txt -dnsserver 72.163.5.201 cisco.com -o cisco.xml
注意:使用dns-big.txt字典估計耗時得3小時以上