[BT5]信息收集1-1 Dnsenum

0.工具介绍

The purpose of Dnsenum is to gather as much information as possible about a domain. The program currently performs the following operations:

1) Get the host's addresse (A record). 2) Get the namservers (threaded). 3) Get the MX record (threaded). 4) Perform axfr queries on nameservers and get BIND versions(threaded). 5) Get extra names and subdomains via google scraping (google query = "allinurl: -www site:domain"). 6) Brute force subdomains from file, can also perform recursion on subdomain that have NS records (all threaded). 7) Calculate C class domain network ranges and perform whois queries on them (threaded). 8) Perform reverse lookups on netranges ( C class or/and whois netranges) (threaded). 9) Write to domain_ips.txt file ip-blocks.

1.工具位置

命令行 root@bt:/pentest/enumeration/dns/dnsenum# 

dir查看目录，有dns-big.txt、dns.txt两个字典文件，README.txt使用说明和dnsenum.pl主脚本程序

图形界面 Applications --> BackTrack --> Information Gathering --> Network Analysis --> Dnsanalysis --> Dnsenum

2.工具参数

-f dns.txt 指定暴力破解文件，可替换为dns-big.txt

-dnsserver 指定dns服务器

cisco.com 目标域名

-o cisco.xml 输出结果到cisco.xml

3.部分使用示例

root@bt:/pentest/enumeration/dns/dnsenum# ./dnsenum.pl cisco.com

dnsenum.pl VERSION:1.2.2

 

-----   cisco.com   -----

 

 

Host's addresses:

__________________

 

cisco.com                                83265    IN    A        198.133.219.25

 

 

Name Servers:

______________

 

ns2.cisco.com                            5263     IN    A        64.102.255.44

ns1.cisco.com                            600      IN    A        72.163.5.201

 

 

Mail (MX) Servers:

___________________

 

ams-mx-01.cisco.com                      38590    IN    A        64.103.36.169

rtp-mx-01.cisco.com                      38590    IN    A        64.102.255.47

rcdn-mx-01.cisco.com                     75891    IN    A        72.163.7.166

alln-mx-01.cisco.com                     64280    IN    A        173.37.145.198

 

 

Trying Zone Transfers and getting Bind Versions:

_________________________________________________

 

 

Trying Zone Transfer for cisco.com on ns2.cisco.com ...

AXFR record query failed: NOERROR

 

ns2.cisco.com Bind Version:

                            Unavailable

 

Trying Zone Transfer for cisco.com on ns1.cisco.com ...

AXFR record query failed: NOERROR

 

ns1.cisco.com Bind Version:

                            Unavailable

 Wildcards detected, all subdomains will point to the same IP address, bye.

4.说明

直接用./dnsenum.pl cisco.com 检测默认dns服务器ip，也就是上面的ns1.cisco.com和ns2.cisco.com对应的IP。

接下来会用到，比如说这里的72.163.5.201

这里是Zone Transfers的介绍，不难理解，本机上做这个肯定是失败

http://en.wikipedia.org/wiki/DNS_zone_transfer

5.完整使用示例

root@bt:/pentest/enumeration/dns/dnsenum# ./dnsenum.pl -f dns-big.txt -dnsserver 72.163.5.201 cisco.com -o cisco.xml

注意：使用dns-big.txt字典估计耗时得3小时以上