
Showing posts with label IP address. Show all posts

Saturday, September 28, 2013

BACKTRACK 5 R3 : dnsenum


1. Coming to the next good information gathering tool in Backtrack 5 R3: here I give the command run details and a sample result for a tool known as dnsenum.

First, a small intro about the tool:

DNSenum is a tool designed to enumerate DNS information about a domain. The information obtained from this tool is useful in the information gathering phase of a penetration test. Thus the basic purpose of dnsenum is to gather as much information as possible about a domain. The program performs the following operations:

- Get the host's address (A record)
- Get the nameservers (threaded)
- Get the MX record (threaded)
- Perform AXFR (i.e. DNS zone transfer) queries on nameservers
- Get extra names and subdomains via Google scraping (Google query = "allinurl: -www site:domain")
- Brute force subdomains from a file; can also perform recursion on subdomains that have NS records (all threaded)
- Calculate class C network ranges and perform whois queries on them (threaded)
- Perform reverse lookups on netranges (class C and/or whois netranges) (threaded)
- Write the IP blocks to the file domain_ips.txt


2. So coming to executing the command: once you click dnsenum, available via the following route:

Backtrack - Information Gathering - Network Analysis - DNS Analysis - dnsenum
you get to see the following screen.
Now the run syntax for the command is pretty simple and goes like:

./dnsenum.pl sitename.com

In the above sample run I have taken the site dvwa.co.uk.
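The zone transfer (AXFR) step that dnsenum tries against every nameserver is also the one check a domain owner should run against their own authoritative servers, since a permitted AXFR hands the whole zone to anyone who asks. The following is an added example, not code from the original post or from the dnsenum tool: it builds the raw AXFR query over TCP and reports whether the nameserver answers with records or refuses; the nameserver IP and zone name at the bottom are placeholders you replace with your own.

```python
import socket
import struct

AXFR = 252          # QTYPE for a full zone transfer
IN = 1              # QCLASS Internet
RCODE_REFUSED = 5   # the reply a correctly restricted nameserver gives

def build_axfr_query(domain, txid=0x1234):
    """Build a DNS AXFR query for `domain`, with the 2-byte length prefix DNS-over-TCP needs."""
    # Header: id, flags (0 = standard query), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in domain.rstrip(".").split(".")) + b"\x00"
    message = header + qname + struct.pack("!HH", AXFR, IN)
    return struct.pack("!H", len(message)) + message

def parse_header(message):
    """Return (txid, rcode, ancount) from a raw DNS message without the length prefix."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return txid, flags & 0x000F, ancount

def recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket (DNS-over-TCP messages are length-prefixed)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("nameserver closed the connection")
        buf += chunk
    return buf

def zone_transfer_allowed(ns_ip, domain, timeout=5.0):
    """True if the nameserver answers an AXFR with records; False if it refuses or drops it."""
    try:
        with socket.create_connection((ns_ip, 53), timeout=timeout) as sock:
            sock.sendall(build_axfr_query(domain))
            (length,) = struct.unpack("!H", recv_exact(sock, 2))
            first_message = recv_exact(sock, length)
    except (OSError, ConnectionError):
        return False
    _txid, rcode, ancount = parse_header(first_message)
    # A permitted transfer starts with an SOA in the answer section; REFUSED (5) means locked down.
    return rcode == 0 and ancount > 0

if __name__ == "__main__":
    # Placeholders: point these at your own authoritative nameserver and zone.
    ns, zone = "192.0.2.53", "example.com"
    print(zone, "AXFR from", ns, "allowed:", zone_transfer_allowed(ns, zone))
```

A result of True on a server that is not a designated secondary means the zone should be restricted with an allow-transfer (or equivalent) ACL.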

BACKTRACK 5 R3 : DNSDICT6

1. I have been using and playing with BT5 R3 for quite some time now, and having used and practised about 50% of its tools, I have decided to start sharing how to use them on my blog for first-timers, with screenshots and screencasts when required. Although I have shown a few tools and exploits of BT5 earlier, now I wish to make it all systematic, and in the first attempt here I am giving a step by step screenshot walkthrough of how to use the tool DNSDICT6.

2. The route to dnsdict6 is shown below:

Backtrack - Information Gathering - Network Analysis - DNS Analysis - dnsdict6

3. As can be made out from the Backtrack menu drop-down, since it is listed in the Information Gathering sub-menu, it is an information gathering tool. This tool is used to find all the sub-domains of a website or web server. The most advanced use of DNSDICT6 is to enumerate all IPv4 and IPv6 addresses and extract dumps such as sub-domains and IP information. This tool is quite powerful because it also finds those sub-domains which are restricted or invisible to users. The usage and screens are seen below:

Once you click dnsdict6, you get the following screen.
Before we execute the command, let us see the command syntax and switches available:


The switch details are seen below:

    - d is used to display information on Name Servers and MX Records
    - 4 is used to dump IPv4 addresses.
    - t is used to specify the number of threads.

Four types of dictionary are inbuilt in this tool, selected with the following switches:

    - s (small = 50),
    - m (medium = 796) (DEFAULT),
    - l (large = 1416), and
    - x (xtreme = 3211).

An MX record, i.e. mail exchanger record, is a type of resource record in the Domain Name System that specifies a mail server responsible for accepting email messages on behalf of a recipient's domain, and a preference value used to prioritise mail delivery if multiple mail servers are available. The set of MX records of a domain name specifies how email should be routed with the Simple Mail Transfer Protocol (SMTP).

So, for example, we run this command on http://certifiedhacker.com/

The command reads:

dnsdict6 -d46 -s -t 10 certifiedhacker.com

In the command above I have used the small dictionary with 10 threads to minimise the running time, so this is actually a limited result; it would have been somewhat different had the same been run with the xtreme dictionary and a large number of threads.

Thursday, March 14, 2013

Power of PING

In our respective interactions with the various networks accessible to us, as administrators we keep pinging so many IPs to test connectivity at various times (ping 192.121.23.1 etc.) and we get a response, but ping itself has so many switches that most of us hardly use. I came across a chart today that, in summarised form, gives the switches of the ping command with examples and a brief explanation. Sharing it here with you; thanks to http://www.activexperts.com

- ping -c count (example: ping -c 10): Specify the number of echo requests to send.
- ping -d: Set the SO_DEBUG option.
- ping -f: Flood ping. Sends another echo request immediately after receiving a reply to the last one. Only the super-user can use this option.
- ping host (example: ping 121.4.3.2): Specify the host name (or IP address) of the computer to ping.
- ping -i wait (example: ping -i 2): Wait time. The number of seconds to wait between each ping.
- ping -l preload (example: ping -l 4): Sends "preload" packets one after another.
- ping -n: Numeric output, without host to symbolic name lookup.
- ping -p pattern (example: ping -p ff00): Ping pattern. The example sends two bytes, one filled with ones, and one with zeros.
- ping -q: Quiet output. Only summary lines at startup and completion.
- ping -r: Direct ping. Send to a host directly, without using routing tables. Returns an error if the host is not on a directly attached network.
- ping -R: Record route. Turns on route recording for the Echo Request packets, and displays the route buffer on returned packets (ignored by many routers).
- ping -s PacketSize (example: ping -s 10): Sets the packet size in number of bytes, which will result in a total packet size of PacketSize plus 8 extra bytes for the ICMP header.
- ping -v: Verbose output. Lists individual ICMP packets, as well as Echo Responses.

Saturday, February 18, 2012

HOW TO ACCESS THOSE SITES(BLOCKED BY UR OFFICE)?

1. It is so common to see and hear that offices and corporates block your most desired websites, so the smart ones try using a proxy. But what to do when even those proxies are configured so that you cannot access them? Here it goes, step by step:

- Suppose your office has blocked yahoo.com.

- Go to the command prompt and type ping yahoo.com

- You get the Yahoo IP, i.e. 209.191.122.70 (it may be different for you).

- Now convert these 4 octets into binary with the help of a calculator in programmer mode.

- So you get
209 = 11010001
191 = 10111111
122 = 1111010
70  = 1000110

- Now place zeros in front of the converted octets that are not a full 8 bits long.

- So it becomes 11010001101111110111101001000110

- Now convert this back to decimal and you get 3518986822

- Go to the browser and write http://3518986822

That's it, job done. All the best.
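The trick works because a browser accepts an IPv4 host written as one 32-bit integer, so a filter that only matches the dotted-quad spelling of an address misses it. The following is an added example, not from the original post: it implements the conversion the steps above describe and the normalisation a blocklist check needs so that every spelling of the same address is compared in one canonical form. It goes a little beyond the post by also handling the 0x-prefixed hex spelling browsers accept; the blocklist entry is a constructed sample using the post's address.

```python
import re
from urllib.parse import urlsplit

def dotted_to_decimal(ip):
    """The post's method: each octet as 8 zero-padded bits, the 32 bits read back as one integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % ip)
    bits = "".join(format(o, "08b") for o in octets)   # e.g. 209 -> '11010001'
    return int(bits, 2)

def decimal_to_dotted(n):
    """Inverse conversion: split a 32-bit integer back into four octets."""
    if not 0 <= n <= 0xFFFFFFFF:
        raise ValueError("out of IPv4 range: %r" % n)
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def canonical_ipv4(host):
    """Return the dotted-quad form of an IPv4 literal, or None if host is not one.
    Accepts dotted-quad, plain decimal (the post's case) and 0x-prefixed hex."""
    host = host.strip().lower()
    try:
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            return decimal_to_dotted(dotted_to_decimal(host))
        if re.fullmatch(r"\d+", host):
            return decimal_to_dotted(int(host, 10))
        if re.fullmatch(r"0x[0-9a-f]+", host):
            return decimal_to_dotted(int(host, 16))
    except ValueError:
        return None   # out-of-range octet or integer: not a usable IPv4 literal
    return None

def is_blocked(url, blocklist):
    """Blocklist check that compares the canonical form, so integer spellings cannot slip past."""
    host = urlsplit(url).hostname or ""
    canon = canonical_ipv4(host)
    return canon is not None and canon in blocklist

# Constructed sample blocklist holding the address from the post.
BLOCKLIST = {"209.191.122.70"}
```

A filter that matches host names rather than addresses needs the same idea in reverse: resolve the name and compare the resolved address against the list.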

Saturday, December 31, 2011

HIDEMYASS saves its own!!!

1. The month of September 2011 was so full of embarrassment for HMA (Hidemyass) that it would probably like October to follow August (September may just vanish in the smoke). All its claims of being anonymous and safe, maintaining privacy, being completely hidden, etc. hit a serious setback. The story goes like this:



2. The case pertains to Lulz Security aka LulzSec, a computer hacker group that claims responsibility for several high profile attacks including Sony, CIA etc. So in September this year an alleged LulzSec member who had carried out attacks on various organisations including Sony and the UK’s Serious Organised Crime Agency had used the ‘anonymous’ VPN service supplied by HideMyAss. But his plan failed in the biggest way imaginable. HideMyAss (HMA) keeps all your logs and, as a UK company, when given a court order to cough up information, they did so. After matching timestamps to IP addresses, in the blink of an eye LulzSec member ‘Recursion’ became 23-year-old Cody Kretsinger from Phoenix. The FBI got their man. So what's the use?!

3. But I feel that anything to do with serious crime should always be contained, like this. But what about you and me? Our surfing habits will always be known; our info will always be under a cloud. :-(

4. This is what HMA had to say:

“Our VPN service and VPN services in general are not designed to be used to commit illegal activity,” said Hide My Ass. “It is very naive to think that by paying a subscription fee to a VPN service you are free to break the law without any consequences.”

5. Thanks vpn-reviews.net and Torrentfreak.