Exploit and shellcode Course

dnsmap | DNS Domain name system brute force attacks

MODULE 4:- Information Gathering

  1. How to use dnsenum for dns enumeration – Kali
  2. How to use dig command in Kali Linux
  3. whois Kali Linux commands with example
  4. Enumerating DNS Records through dnsenum tool in Kali Linux
  5. Email Harvesting by theharvester tool in Kali Linux
  6. Google Hacking | Open Web Information Gathering
  7. dnsmap | DNS Domain name system brute force attacks
  8. Zone Transfer using dnswalk tool
  9. Website information Gathering through Nikto tool
  10. Search Sensitive Data through Metagoofil Kali Linux 2.0
  11. 8 Steps to run Maltego Kali Linux – beginner guide

Brute force on a domain name for subdomains

dnsmap runs a brute-force attack against a DNS name to discover subdomains (or domain suggestions), and for each name it finds it checks the domain's status and DNS records. Before starting with dnsmap you should know what a domain name server and a subdomain are. The Domain Name System (DNS) is a server that resolves a DNS name query into an IP address and, in reverse, an IP address into a domain name. Most DNS setups have two parts, a primary DNS server and a secondary DNS server. A subdomain is a domain that belongs to a parent domain; for example, aa.example.com (and names beneath it such as www.aa.example.com) is a subdomain of example.com.

dnsmap Overview

dnsmap was originally released back in 2006 and was inspired by the fictional story “The Thief No One Saw” by Paul Craig, which can be found in the book “Stealing the Network – How to 0wn the Box”.

dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target company’s IP netblocks, domain names, phone numbers, etc …

Subdomain brute-forcing is another technique that should be used in the enumeration stage, as it’s especially useful when other domain enumeration techniques such as zone transfers don’t work (I rarely see zone transfers being publicly allowed these days by the way).

Source: http://code.google.com/p/dnsmap/

Key features of the dnsmap tool

  • Obtains all A records (i.e. IP addresses) associated with each successfully brute-forced subdomain, rather than just one IP address per subdomain.
  • Aborts the brute-forcing process if the target domain uses wildcards.
  • Can run without a user-provided word list, using a built-in list of keywords.
  • Brute-forces using a user-supplied word list (as opposed to the built-in word list).
  • Saves the results in human-readable and CSV format for easy processing.
  • Improved built-in subdomain wordlist.
  • New bash script (dnsmap-bulk.sh) included, which runs dnsmap against a list of domains read from a user-supplied file, i.e. brute-forcing several domains in bulk.
  • Bypasses signature-based dnsmap detection by generating a proper pseudo-random subdomain when checking for wildcards (unique feature).

What can you find with dnsmap?

  1. Interesting remote access servers.
  2. Badly configured and/or unpatched servers.
  3. New domain names that let you map non-obvious or hard-to-find netblocks.
  4. Sometimes brute-forced subdomains resolve to internal IP addresses (RFC 1918). This is great, as they are sometimes real, up-to-date A records, which means it *is* possible to enumerate internal servers of a target organization from the Internet using only standard DNS resolution (as opposed to zone transfers, for instance).
  5. Embedded devices configured to use Dynamic DNS services.
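The wildcard check from the feature list above and the RFC 1918 point in item 4 are easier to understand in code than in a screenshot. The following Python is an added example, not dnsmap's own code. It assumes an injected `resolve` callback (hostname to list of A records, empty list meaning no answer) and uses a constructed fake zone (`FAKE_ZONE`, documentation-range addresses) so it runs offline. It resolves pseudo-random labels first to detect a wildcard zone and abort, keeps every A record per name rather than only the first, and flags names that answer with private addresses, which is exactly what a defender auditing their own domain's public DNS would want highlighted.

```python
"""
Wildcard-DNS check and RFC 1918 flagging for subdomain brute-force results.

Added example, not dnsmap's own code. The `resolve` callback (hostname ->
list of A records, empty list meaning no answer) is injected so the logic
runs offline against a constructed fake zone; in real use you would pass a
function built on socket.gethostbyname_ex or a DNS library.
"""
import ipaddress
import secrets
import string
from typing import Callable, Dict, List, Optional, Set

Resolver = Callable[[str], List[str]]

# RFC 1918 private address space; public DNS records pointing here leak
# internal naming and addressing and are a cleanup item for the zone owner.
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def random_label(length: int = 12) -> str:
    """Pseudo-random label that will not exist as a real hostname unless
    the zone has a wildcard record."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 2) -> Optional[Set[str]]:
    """Resolve a few random labels under `domain`. If they all answer with
    the same IPs, the zone has a wildcard and every brute-forced name would
    look like a hit. Returns the wildcard IPs, or None if there is no wildcard."""
    answers = [set(resolve(f"{random_label()}.{domain}")) for _ in range(probes)]
    common = set.intersection(*answers)
    return common or None


def is_rfc1918(ip: str) -> bool:
    """True if `ip` falls in one of the three RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETS)


def check_subdomains(domain: str, words: List[str], resolve: Resolver) -> Dict:
    """Audit which candidate names under `domain` resolve, keeping all A
    records per name (not just the first) and flagging private addresses.
    Aborts, as dnsmap does, when a wildcard is detected."""
    wildcard = detect_wildcard(domain, resolve)
    if wildcard:
        return {"wildcard": sorted(wildcard), "records": {}}
    records = {}
    for word in words:
        fqdn = f"{word}.{domain}"
        ips = sorted(set(resolve(fqdn)))
        if ips:
            records[fqdn] = {"ips": ips, "internal": any(is_rfc1918(ip) for ip in ips)}
    return {"wildcard": None, "records": records}


# --- constructed fake zone for offline demonstration (TEST-NET addresses) ---
FAKE_ZONE = {
    "www.example.test": ["203.0.113.10"],
    "mail.example.test": ["203.0.113.12", "203.0.113.11"],
    "intranet.example.test": ["10.1.2.3"],  # internal address leaked into public DNS
}


def fake_resolver(name: str) -> List[str]:
    """Constructed resolver: answers only for names in FAKE_ZONE."""
    return list(FAKE_ZONE.get(name, []))


def fake_wildcard_resolver(name: str) -> List[str]:
    """Constructed resolver for a zone with a `*.example.test` record:
    every unknown label gets the same answer."""
    return list(FAKE_ZONE.get(name, ["203.0.113.9"]))


if __name__ == "__main__":
    words = ["www", "mail", "intranet", "vpn"]
    result = check_subdomains("example.test", words, fake_resolver)
    for fqdn, info in result["records"].items():
        flag = "  <-- RFC 1918" if info["internal"] else ""
        print(f"{fqdn}: {', '.join(info['ips'])}{flag}")
    print("wildcard zone:", check_subdomains("example.test", words, fake_wildcard_resolver)["wildcard"])
```

Against the fake zone the run lists www, mail (both addresses) and intranet, with intranet flagged as RFC 1918, and against the wildcard resolver it stops before testing any word and reports the wildcard address instead. Two probes are used for the wildcard check so that a single accidental hit on a random label is not mistaken for a wildcard.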

dnsmap usage example

To see dnsmap's usage and options, run it with no arguments:

#dnsmap

dnsmap usage output (screenshot)


Scan the domain name (example.com) for subdomains with the built-in wordlist by running dnsmap with only the domain as its argument, and review the result:

dnsmap scan for subdomains (screenshot)

dnsmap result (screenshot)

Scan example.com using a user-supplied wordlist (-w /usr/share/wordlists/dnsmap.txt):

#dnsmap example.com -w /usr/share/wordlists/dnsmap.txt

dnsmap using a wordlist (screenshot)
