MODULE 4:- Information Gathering
- How to use dnsenum for dns enumeration – Kali
- How to use dig command in Kali Linux
- whois Kali Linux commands with example
- Enumerating DNS Records through dnsenum tool in Kali Linux
- Email Harvesting by theharvester tool in Kali Linux
- Google Hacking | Open Web Information Gathering
- dnsmap | DNS Domain name system brute force attacks
- Zone Transfer using dnswalk tool
- Website information Gathering through Nikto tool
- Search Senstive Data through Metagoofil Kali Linux 2.0
- 8 Steps to run Maltego Kali Linux – beginner guide
Brute Force on domain name for subdomain
Brute force attacks on dns name to find out subdomains or domain suggestion, and it check domain status and dns records. Before start learning about dnsmap you should know what is domain name server and sobdomain? Domain name system is a server which resolve dns name quiry into Ip Address and vice versa IP address to domain name. Most of dns servers have two part primary dns and secondery dns. Subdomain is a domain related with domain like www.aa.example.com is a subdomain of www.example.com.
dnsmap was originally released back in 2006 and was inspired by the fictional story “The Thief No One Saw” by Paul Craig, which can be found in the book “Stealing the Network – How to 0wn the Box”.
dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target company’s IP netblocks, domain names, phone numbers, etc …
Subdomain brute-forcing is another technique that should be used in the enumeration stage, as it’s especially useful when other domain enumeration techniques such as zone transfers don’t work (I rarely see zone transfers being publicly allowed these days by the way).
Key features of DNSMAP Tool
- Obtain all A records (i.e. IP addresses) associated to each successfully brute forced sub domain, rather than just one IP address per sub domain.
- Abort the brute forcing process in case the target domain uses wildcards.
- Ability to be able to run the tool without providing a word list by using a built-in list of keywords.
- Brute forcing by using a user-supplied word list (as opposed to the built-in word list).
- Saving the results in human-readable and CSV format for easy processing.
- Improved built-in subdomains wordlist.
- New bash script (dnsmap-bulk.sh) included which allows running Dnsmap against a list of domains from a user-supplied file. i.e.: brute forcing several domains in a bulk fashion.
- Bypassing of signature-based Dnsmap detection by generating a proper pseudo-random sub domain when checking for wildcards (Unique Feature).
What find after using dnsmap?
Dnsmap Usage Example
See included packages in dnsmap by run following command
scan domain name (example.com) for sub domain and see the result by executing following command
Scan example.com using a wordlist (-w /usr/share/wordlists/dnsmap.txt)
#dnsmap example.com -w /usr/share/wordlists/dnsmap.txt