1. Another useful tool for information gathering is dnsmap. A few of you may wonder why we use a variety of tools for information gathering when most of them give more or less the same result. The answer lies in the fact that any kind of additional information can be a hole to exploit later, so in the information gathering stage it is always better to collect as much info as possible. So, a few quick points about the purpose of this tool:
- Get IP addresses associated to each successfully bruteforced subdomain, rather than just one IP address per subdomain.
- Bypassing of signature-based dnsmap detection by generating a proper pseudo-random subdomain when checking for wildcards.
- Abort the bruteforcing process in case the target domain uses wildcards.
- Ability to run the tool without providing a wordlist, using a built-in list of keywords.
- Saving the results in human-readable and CSV format for easy processing.
- Improved built-in subdomains wordlist.
- New bash script (dnsmap-bulk.sh) included which allows running dnsmap against a list of domains from a user-supplied file, i.e. bruteforcing several domains in a bulk fashion.
[Source: http://stylodj.wordpress.com/category/how-to-use-dnsmap-tool-backtrack-5-rx/]
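To show what the first three points above actually mean in practice, here is a small added example (not dnsmap's own code and not from the source blog) that mirrors that logic: a pseudo-random probe label to detect a wildcard record, aborting when one is present, collecting every IP of each found name, and writing rows in CSV form. The resolver is injected, and the zone data below is constructed so the example runs offline without touching real DNS; the names example.test and wild.test are assumed placeholders.

```python
import csv
import io
import random
import string
from typing import Callable, Dict, List, Optional

# A resolver maps a hostname to its IPv4 addresses ([] means NXDOMAIN).
Resolver = Callable[[str], List[str]]

# Constructed stand-in zones so the example runs offline. A live run would
# wrap socket.getaddrinfo() or a DNS library instead of this lookup table.
FAKE_ZONE: Dict[str, List[str]] = {
    "www.example.test": ["192.0.2.10", "192.0.2.11"],
    "mail.example.test": ["192.0.2.20"],
}
WILDCARD_ZONE: Dict[str, List[str]] = {"*.wild.test": ["198.51.100.5"]}

def fake_resolve(zone: Dict[str, List[str]]) -> Resolver:
    def resolve(name: str) -> List[str]:
        if name in zone:
            return zone[name]
        parent = name.partition(".")[2]          # "" if there is no dot
        return zone.get("*." + parent, [])        # emulate a wildcard record
    return resolve

def random_label(length: int = 12) -> str:
    # A fixed probe name is easy to signature in DNS logs; a random one is not.
    return "".join(random.choices(string.ascii_lowercase + string.digits, k=length))

def uses_wildcard(domain: str, resolve: Resolver) -> bool:
    # If a label that cannot exist resolves, every guessed name would "succeed",
    # so any bruteforce result against this domain would be meaningless.
    return bool(resolve(f"{random_label()}.{domain}"))

def bruteforce(domain: str, words: List[str], resolve: Resolver) -> Optional[Dict[str, List[str]]]:
    if uses_wildcard(domain, resolve):
        return None                               # abort, as dnsmap does
    found: Dict[str, List[str]] = {}
    for word in words:
        name = f"{word}.{domain}"
        ips = resolve(name)
        if ips:
            found[name] = list(ips)               # keep every address, not just one
    return found

def to_csv(found: Dict[str, List[str]]) -> str:
    # One row per (subdomain, IP) pair, the shape of the -c results file.
    buf = io.StringIO()
    writer = csv.writer(buf)
    for name, ips in sorted(found.items()):
        for ip in ips:
            writer.writerow([name, ip])
    return buf.getvalue()
```

For a defender, the wildcard check is the interesting part: a catch-all record makes this kind of enumeration return noise, and the random probe label is why a static log signature for the probe will not fire.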
2. To get to this tool, we follow the same route as in the past, via the Information Gathering submenu as shown below:
Backtrack - Information Gathering - Network Analysis - DNS Analysis - dnsmap
3. The basic syntax and switches for the tool are:
./dnsmap sitename.com [options]
and the switches are:
- -w <wordlist-file>
- -r <regular-results-file>
- -c <csv-results-file>
- -d <delay-in-milliseconds>
- -i <IPs-to-ignore>
4. The screens below show the usage and execution part as it happens on the screen.
5. What we are attempting via the command executed is to bruteforce all the subdomains of certifiedhacker.com and save them to a file called result. I have truncated the output since it is very long, so I have only shown some part from the beginning and then the end. In addition, if one has a custom wordlist of subdomains, he/she can use that as well simply by specifying the -w argument followed by the path to the wordlist. So after the run is executed, the final results are seen as shown in the screenshots below:
So as seen in the results above, there are 924 subdomains with their respective IP addresses. Though in the screenshots above we see a common IP address, since it is a site for CEH testers.
In the screenshots above, the result file created is seen and read, so you can see the kind of contents that are stored in the generated file.