BACKTRACK 5 R3 : dnsmap

1.  Another useful tool for information gathering is dnsmap....few of you guys may wonder of why to use a variety of tools for information gathering when most of them give more or less the same result.The answer lies in the fact that any kind of additional information can be a hole to exploit later...so in the stage of information gathering,it is always better to collect as much info as possible...so few quickies about what is the purpose of this tool...

-  Get IP addresses associated to each successfully bruteforced subdomain, rather than just one IP address per subdomain.
   
-  Bypassing of signature-based dnsmap detection by generating a proper pseudo-random subdomain when checking for wildcards.

-  Abort the bruteforcing process in case the target domain uses wildcards.
   
-  Ability to be able to run the tool without providing a wordlist by using a built-in list of keywords.
   
-  Saving the results in human-readable and CSV format for easy processing.
   
-  Improved built-in subdomains wordlist.
   
-  New bash script (dnsmap-bulk.sh) included which allows running dnsmap against a list of domains from a user-supplied file. i.e.: bruteforcing several domains in a bulk fashion.
   
[ Source : http://stylodj.wordpress.com/category/how-to-use-dnsmap-tool-backtrack-5-rx/]

2.  So to get to this tool...we need to follow the same route as we have been doing it in past...vide the information gathering sub menu as shown below :

Backtrack - Information Gathering - Network Analysis - DNS Analysis - dnsmap

 

(Click on the image to enlarge)

(Click on the image to enlarge)

 

 

3.   The basic syntax and switches for the tool are :

./dnsmap sitename.com [options]

and the switches are :

- w for wordlist file)
- r for regular results file
- c for csv results file
- d for delay millisec
-  i for ip's to ignore

4.   The screens below show the usage and execution part as it happens on the screen.

(Click on the image to enlarge)

(Click on the image to enlarge)

(Click on the image to enlarge)

5.    What we are attempting vide the command executed is to bruteforce all of the subdomains of certifiedhacker.com and saving them to a file called result. I have truncated the output since its very long and thus avoided.So I have only shown some part from the beginning and then as it ends.IN addition if one has a custom wordlist of subdomains he/she can use that as well simply by specifying the -w argument and then the path to the wordlist.So after the run is executed,the final results are seen in a manner shown below vide the screenshots :

(Click on the image to enlarge)

So as seen in the results above...we see there are 924 subdomains with their respective IP addresses.Though in the  screen shots above,we see a common IP address since it is a site for CEH testers.

(Click on the image to enlarge)

(Click on the image to enlarge)

In the screen shots above,the result file created is seen and read...so u can see the kind of contents that are stored in the file so generated....