Dnsrecon
Description
Dnsrecon is a Ruby script written by Carlos Perez. It gathers DNS-oriented information on a given target. At the time of this writing (version 1.6), the tool supports the following enumeration types:
- Brute force hostnames and subdomains of a given target domain using a wordlist.
- Standard Record Enumeration for a given domain (A, NS, SOA and MX).
- Top Level Domain Expansion for a given domain.
- Zone Transfer against all NS records of a given domain.
- Reverse Lookup against a given IP Range given a start and end IP.
- SRV Record enumeration, enumerating:
- _gc._tcp.
- _kerberos._tcp.
- _kerberos._udp.
- _ldap._tcp.
- _test._tcp.
- _sips._tcp.
- _sip._udp.
- _sip._tcp.
- _aix._tcp.
- _finger._tcp.
- _ftp._tcp.
- _http._tcp.
- _nntp._tcp.
- _telnet._tcp.
- _whois._tcp.
- _h323cs._tcp.
- _h323cs._udp.
- _h323be._tcp.
- _h323be._udp.
- _h323ls._tcp.
- _h323ls._udp.
Installation
Prerequisites
First of all, install Ruby and Rubygems
$ sudo apt-get install ruby rubygems
Install Ruby dependencies:
$ sudo gem install pNet-DNS
$ sudo gem install ip
Dnsrecon
Download dnsrecon (no install needed):
$ mkdir -p /pentest/enumeration/dnsrecon/
$ cd /pentest/enumeration/dnsrecon/
$ wget http://darkoperator.squarespace.com/tools-and-scripts/dnsrecon.rb
Make the script executable:
$ chmod +x dnsrecon.rb
Test that you don't get any error:
$ ./dnsrecon.rb
Usage
Basic syntax
$ ./dnsrecon.rb -t <type> -d <target> [options]
Options
- -t, --type
- Select the type of enumeration to be done.
- std: Query for the A, SOA, NS and MX records of a target domain.
- tld: Top Level Domain enumeration of a target domain.
- axfr: Perform a zone transfer against all NS records of a target domain.
- rvs: Reverse record lookup enumeration against a targeted IP range.
- srv: Service record enumeration of VoIP, Active Directory and network services.
- brt: Brute-force subdomain and host records using a wordlist.
- -d, --target
- Domain to be targeted for enumeration.
- -i, --ip
- Start IP and end IP of the range to be used for reverse lookup enumeration.
- Example: 192.168.1.1,192.168.1.253
- -w, --wordlist
- Wordlist to be used for brute-force enumeration of host names and subdomains.
- -s, --dns
- Alternate DNS server to use.
- -h, --help
- This help message.
Examples
Standard (-t std)
$ sudo ./dnsrecon.rb -t std -d google.com
google.com,66.249.92.104,A
ns1.google.com,216.239.32.10,SOA
ns2.google.com,216.239.34.10,NS
ns3.google.com,216.239.36.10,NS
ns4.google.com,216.239.38.10,NS
ns1.google.com,216.239.32.10,NS
google.com.s9b1.psmtp.com,74.125.148.13,MX,300
google.com.s9a1.psmtp.com,74.125.148.10,MX,100
google.com.s9a2.psmtp.com,74.125.148.11,MX,200
google.com.s9b2.psmtp.com,74.125.148.14,MX,400
Top Level Domain (-t tld)
$ ./dnsrecon.rb -t tld -d aldeid
aldeid.com,80.14.163.161,A
aldeid.kr,222.231.8.226,A
aldeid.mp,199.34.127.242,A
aldeid.pw,70.87.29.179,A
aldeid.pw,70.87.29.150,A
aldeid.ph,203.119.6.249,A
aldeid.ws,64.70.19.33,A
aldeid.st,195.178.160.40,A
aldeid.tk,217.119.57.22,A
aldeid.tk,94.103.151.195,A
aldeid.tk,209.172.59.196,A
Zone transfer (-t axfr)
$ ./dnsrecon.rb -t axfr -d ??????club.net
Zone Transfer Succesfull on Nameserver 88.191.???.??
??????club.net. 14400 IN SOA ns0.online.net. hostmaster.proxad.net. (
    1276843806 ; Serial
    3600 ; Refresh
    1800 ; Retry
    1209600 ; Expire
    14400 ) ; Minimum TTL
??????club.net. 14400 IN A 88.190.???.???
??????club.net. 14400 IN MX 20 mx-cache.online.net
??????club.net. 14400 IN MX 10 mx.online.net
??????club.net. 14400 IN NS ns0.online.net.
??????club.net. 14400 IN NS ns1.online.net.
*.??????club.net. 14400 IN A 88.190.???.???
??????clubnet.??????club.net. 14400 IN CNAME pf7-mysql.online.net.
sql.??????club.net. 14400 IN CNAME pf7-mysql.online.net.
A successful transfer dumps the whole zone at once, here including a wildcard A record and CNAMEs pointing at the hosting provider's MySQL host. Nameservers should only allow AXFR from their own secondaries.
Service Record Enumeration (-t srv)
This type queries the SRV records listed above (_ldap._tcp, _kerberos._tcp, _sip._tcp, the H.323 records and so on) under the target domain. It reveals Active Directory, VoIP and other services from DNS alone, without touching the hosts themselves.
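The same enumeration done with Ruby's standard-library resolver, as an added example that is not part of dnsrecon or the original page. It builds the SRV owner names from the service list above, queries each one and prints name,target,port,priority,weight. The resolver argument is any object answering getresources(name, type), so the logic can be exercised against a stub; the domain example.com and the optional dns-server argument are assumptions.

```ruby
#!/usr/bin/env ruby
# Added example, not dnsrecon's own code: enumerate the SRV records that
# dnsrecon -t srv checks, using Ruby's standard-library Resolv::DNS.
require 'resolv'

# Service prefixes from the list above; each is prepended to the target domain.
SRV_PREFIXES = %w[
  _gc._tcp _kerberos._tcp _kerberos._udp _ldap._tcp _test._tcp
  _sips._tcp _sip._udp _sip._tcp _aix._tcp _finger._tcp _ftp._tcp
  _http._tcp _nntp._tcp _telnet._tcp _whois._tcp
  _h323cs._tcp _h323cs._udp _h323be._tcp _h323be._udp _h323ls._tcp _h323ls._udp
].freeze

# Fully qualified SRV owner names for a domain, e.g. _ldap._tcp.example.com.
def srv_names(domain)
  SRV_PREFIXES.map { |prefix| "#{prefix}.#{domain}" }
end

# Query every SRV name and return one hash per record found. `resolver` is
# any object answering getresources(name, type), so it can be stubbed offline.
def enumerate_srv(domain, resolver = Resolv::DNS.new)
  srv_names(domain).flat_map do |name|
    resolver.getresources(name, Resolv::DNS::Resource::IN::SRV).map do |rr|
      { name: name, target: rr.target.to_s, port: rr.port,
        priority: rr.priority, weight: rr.weight }
    end
  end
end

# One CSV line per record, in the same comma-separated style as dnsrecon.
def format_srv(rec)
  [rec[:name], rec[:target], rec[:port], rec[:priority], rec[:weight]].join(',')
end

def main(argv)
  abort("usage: #{$PROGRAM_NAME} <domain> [dns-server]") if argv.empty?
  domain, server = argv
  resolver = server ? Resolv::DNS.new(nameserver: [server]) : Resolv::DNS.new
  enumerate_srv(domain, resolver).each { |rec| puts format_srv(rec) }
end

main(ARGV) if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
```

Run it as `ruby srv_enum.rb example.com 10.0.0.1` to ask a specific server (for Active Directory, point it at the domain's own nameserver, since internal zones are rarely visible from public resolvers).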
Reverse Record Enumeration (-t rvs)
This type performs reverse DNS (PTR) lookups over an IP range. It must be combined with the -i parameter, which gives the start and end of the range.
$ ./dnsrecon.rb -t rvs -i 66.249.92.100,66.249.92.150
Reverse Lookup for IP Renge from 66.249.92.100 to 66.249.92.150
par03s01-in-f100.1e100.net,66.249.92.100
par03s01-in-f104.1e100.net,66.249.92.104
par03s01-in-f112.1e100.net,66.249.92.112
par03s01-in-f115.1e100.net,66.249.92.115
par03s01-in-f116.1e100.net,66.249.92.116
par03s01-in-f118.1e100.net,66.249.92.118
par03s01-in-f120.1e100.net,66.249.92.120
par03s01-in-f123.1e100.net,66.249.92.123
par03s01-in-f128.1e100.net,66.249.92.128
par03s01-in-f132.1e100.net,66.249.92.132
par03s01-in-f137.1e100.net,66.249.92.137
par03s01-in-f141.1e100.net,66.249.92.141
par03s01-in-f142.1e100.net,66.249.92.142
par03s01-in-f143.1e100.net,66.249.92.143
par03s01-in-f146.1e100.net,66.249.92.146
par03s01-in-f148.1e100.net,66.249.92.148
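An added example, not dnsrecon's own code, of what the rvs type does under the hood: it expands a start,end range into individual addresses, derives the in-addr.arpa name for each one and asks for its PTR record, printing hostname,ip like the output above. It also refuses ranges larger than 65536 addresses (MAX_RANGE is this example's own safeguard, not a dnsrecon option) so that a typo does not turn into millions of queries. Addresses without a PTR record are skipped.

```ruby
#!/usr/bin/env ruby
# Added example, not dnsrecon's own code: expand a "start,end" range as the
# -i parameter expects and PTR-resolve every address in it.
require 'ipaddr'
require 'resolv'
require 'socket'

# Assumed safeguard (not a dnsrecon option): refuse ranges that would turn a
# typo such as 10.0.0.0,10.255.255.255 into millions of queries.
MAX_RANGE = 65_536

# Parse "start,end" into an inclusive list of dotted-quad IPv4 addresses.
def ip_range(spec)
  parts = spec.split(',', 2).map(&:strip)
  raise ArgumentError, 'range must be given as start,end' unless parts.length == 2
  first, last = parts.map { |s| IPAddr.new(s) }
  raise ArgumentError, 'only IPv4 ranges are supported' unless first.ipv4? && last.ipv4?
  raise ArgumentError, 'start address is above end address' if first > last
  size = last.to_i - first.to_i + 1
  raise ArgumentError, "range of #{size} addresses exceeds #{MAX_RANGE}" if size > MAX_RANGE
  (first.to_i..last.to_i).map { |n| IPAddr.new(n, Socket::AF_INET).to_s }
end

# Owner name of the PTR record, e.g. 66.249.92.100 -> 100.92.249.66.in-addr.arpa
def ptr_name(ip)
  IPAddr.new(ip).reverse
end

# "hostname,ip" lines for every address in the range that has a PTR record.
# `resolver` is any object answering getresources(name, type).
def reverse_lookup(spec, resolver = Resolv::DNS.new)
  ip_range(spec).flat_map do |ip|
    resolver.getresources(ptr_name(ip), Resolv::DNS::Resource::IN::PTR)
            .map { |rr| "#{rr.name},#{ip}" }
  end
end

def main(argv)
  abort("usage: #{$PROGRAM_NAME} start,end [dns-server]") if argv.empty?
  spec, server = argv
  resolver = server ? Resolv::DNS.new(nameserver: [server]) : Resolv::DNS.new
  reverse_lookup(spec, resolver).each { |line| puts line }
end

main(ARGV) if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
```

Note that the 1e100.net names above all belong to the same owner: reverse ranges frequently reveal a provider's naming scheme rather than the target's own hosts, so treat PTR results as hints to confirm with forward lookups.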
Brute force (-t brt)
This type brute-forces host names under the target domain: each word of the wordlist is prepended to the domain, the resulting name is resolved, and the names that exist are printed with their address. Beware of wildcard records (like the *.??????club.net entry in the zone transfer above): with one in place every guess resolves, so check a random label first.
In the following example, we use a small dictionary:
$ cat dict
aaa
bbb
ccc
earth
forum
gmail
google
gtalk
mail
We use our dictionary (dict):
$ ./dnsrecon.rb -t brt -w dict -d google.com
earth.google.com,66.249.92.100
gmail.google.com,66.249.92.100
mail.google.com,66.249.92.83
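An added example, not dnsrecon's own code, of the brute-force step with the wildcard check the text warns about. Before trying the wordlist it resolves a random label under the domain; whatever addresses come back are what the wildcard maps to, and guesses that only return those addresses are dropped. The domain example.com and the addresses in the comments are constructed; the resolver argument is any object answering getresources(name, type).

```ruby
#!/usr/bin/env ruby
# Added example, not dnsrecon's own code: brute-force host names from a
# wordlist after probing a random label, so that a wildcard record does not
# turn every guess into a false positive.
require 'resolv'
require 'securerandom'

# A-record addresses of name as strings; empty when the name does not exist.
def addresses(name, resolver)
  resolver.getresources(name, Resolv::DNS::Resource::IN::A).map { |rr| rr.address.to_s }
end

# Resolve a label that cannot plausibly exist. Whatever it returns is what
# *.domain maps to; an empty list means there is no wildcard.
def wildcard_addresses(domain, resolver)
  addresses("#{SecureRandom.hex(12)}.#{domain}", resolver)
end

# Try word.domain for every word and return [hostname, ip] pairs, dropping
# answers that merely repeat the wildcard addresses. Blank and duplicate
# words are ignored so the wordlist can be used as-is.
def brute_force(domain, words, resolver = Resolv::DNS.new)
  wildcard = wildcard_addresses(domain, resolver)
  words.map(&:strip).reject(&:empty?).uniq.flat_map do |word|
    host = "#{word}.#{domain}"
    addresses(host, resolver).reject { |ip| wildcard.include?(ip) }
                             .map { |ip| [host, ip] }
  end
end

def main(argv)
  abort("usage: #{$PROGRAM_NAME} wordlist domain [dns-server]") if argv.length < 2
  wordlist, domain, server = argv
  resolver = server ? Resolv::DNS.new(nameserver: [server]) : Resolv::DNS.new
  brute_force(domain, File.readlines(wordlist, chomp: true), resolver)
    .each { |host, ip| puts "#{host},#{ip}" }
end

main(ARGV) if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
```

The trade-off: a real host that deliberately shares the wildcard's address is hidden too. If that matters, report those names separately instead of dropping them, and confirm them through another record type (MX, TXT) or a banner grab.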