1. DNSRecon is another easy-to-use enumeration tool for penetration testers. The kinds of things dnsrecon can do are as follows:
- Reverse Lookup against IP range
- Perform general DNS query for NS,SOA and MX records
- Cache snooping against Name Servers
- Google scanning for subdomains and hosts
2. The command-line usage and the most important switches are summarised below:
-h --help Show this help message and exit
-d --domain Domain to target for enumeration.
-c --cidr CIDR for reverse look-up brute force (range/bitmask).
-r --range IP range for reverse look-up brute force.
-n --name_server Domain server to use; if none is given, the SOA of the target will be used.
-D --dictionary Dictionary file of sub-domain and hostnames to use for brute force.
-t --type Specify the type of enumeration to perform (this post uses srv, tld and std).
In BackTrack the tool is available through:
Backtrack -> Information Gathering -> Network Analysis -> DNS Analysis -> dnsrecon
In this blog post, I will be covering three enumeration techniques. These are:
SRV records Enumeration
Top Level Enumeration
Standard Enumeration
To perform an SRV record enumeration against a domain, the following command is run (replace <domain> with the target). SRV records advertise the hosts and ports behind services such as LDAP, Kerberos, SIP and XMPP, so this is a quick way to locate domain controllers and VoIP or messaging infrastructure:
Code:
./dnsrecon.py -t srv -d <domain>
As an example, if we wanted to do this to google.com, our command would be as follows:
Code:
./dnsrecon.py -t srv -d google.com
Top Level Enumeration
To perform a top-level-domain (TLD) enumeration, the following command is used. In this mode dnsrecon strips the TLD from the given domain and tests the remaining name against the registered TLDs, which finds sister domains the target owns under other TLDs:
Code:
./dnsrecon.py -t tld -d <domain>
If the same enumeration is run against google.com, the command becomes:
Code:
./dnsrecon.py -t tld -d google.com
Similarly, to perform a standard (std) enumeration, which pulls the SOA, NS, MX and A records for the domain and resolves the hosts they point to, the following command is used:
Code:
./dnsrecon.py -t std -d <domain>
Using Google as an example again, our command would be:
Code:
./dnsrecon.py -t std -d google.com
The result of a standard enumeration is shown in the screenshot below:
[Screenshot: dnsrecon standard enumeration output]
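To make clear what the three modes above actually do on the wire, here is an added example (my own code, not dnsrecon's) that models the srv, tld and std enumerations against a constructed fake zone. The resolver is a callback, so the same logic can be pointed at live DNS; the SRV service names and the TLD list are representative subsets and an assumption, as are every hostname and address in the sample zone.

```python
"""Offline model of dnsrecon's srv, tld and std enumeration modes.

Added example, not dnsrecon's own code. Every lookup goes through a
resolve(name, rtype) callback so the logic runs here against a constructed
fake zone; against a real target you would pass a callback backed by a
DNS library instead.
"""

# Representative subset of the SRV service names dnsrecon probes (assumption:
# the real tool's list is longer; these are common, well-known services).
SRV_NAMES = [
    "_ldap._tcp", "_kerberos._tcp", "_kerberos._udp", "_kpasswd._tcp",
    "_sip._tcp", "_sip._udp", "_sips._tcp", "_xmpp-server._tcp",
    "_xmpp-client._tcp", "_autodiscover._tcp", "_ldap._tcp.dc._msdcs",
]

# Representative subset of TLDs for the tld mode (assumption).
TLDS = ["com", "net", "org", "info", "biz", "co.uk", "de", "io"]

# Constructed sample zone standing in for live DNS answers (all invented).
FAKE_ZONE = {
    ("example.com", "SOA"): ["ns1.example.com. hostmaster.example.com. 2024010101 3600 900 1209600 300"],
    ("example.com", "NS"): ["ns1.example.com.", "ns2.example.com."],
    ("example.com", "MX"): ["10 mail.example.com."],
    ("example.com", "A"): ["192.0.2.10"],
    ("example.com", "TXT"): ['"v=spf1 mx -all"'],
    ("ns1.example.com", "A"): ["192.0.2.1"],
    ("ns2.example.com", "A"): ["192.0.2.2"],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("_ldap._tcp.example.com", "SRV"): ["0 100 389 dc1.example.com."],
    ("_kerberos._tcp.example.com", "SRV"): ["0 100 88 dc1.example.com."],
    ("_sip._tcp.example.com", "SRV"): ["10 60 5060 sip1.example.com.", "20 40 5060 sip2.example.com."],
    ("dc1.example.com", "A"): ["192.0.2.50"],
    ("sip1.example.com", "A"): ["192.0.2.60"],
    ("sip2.example.com", "A"): ["192.0.2.61"],
    ("example.net", "A"): ["198.51.100.5"],
    ("example.org", "A"): ["198.51.100.6"],
}


def fake_resolve(name, rtype):
    """Stand-in resolver: record strings for (name, rtype), or [] if none."""
    return FAKE_ZONE.get((name.rstrip(".").lower(), rtype.upper()), [])


def srv_enum(domain, resolve=fake_resolve):
    """Model of `-t srv`: query each known SRV name under the domain, parse
    'priority weight port target', then resolve the target to an address."""
    found = []
    for svc in SRV_NAMES:
        name = f"{svc}.{domain}"
        for rdata in resolve(name, "SRV"):
            prio, weight, port, target = rdata.split()
            target = target.rstrip(".")
            # A target with no A record is still reported (address None).
            for addr in resolve(target, "A") or [None]:
                found.append({"name": name, "priority": int(prio),
                              "weight": int(weight), "port": int(port),
                              "target": target, "address": addr})
    return found


def tld_enum(domain, resolve=fake_resolve, tlds=TLDS):
    """Model of `-t tld`: keep the label left of the first dot and try it
    under every TLD in the list, reporting the candidates that resolve."""
    label = domain.split(".")[0]
    hits = {}
    for tld in tlds:
        candidate = f"{label}.{tld}"
        addrs = resolve(candidate, "A")
        if addrs:
            hits[candidate] = addrs
    return hits


def std_enum(domain, resolve=fake_resolve):
    """Model of `-t std`: SOA, A and TXT for the domain, plus NS and MX with
    each listed host resolved to its addresses."""
    out = {"SOA": resolve(domain, "SOA"), "A": resolve(domain, "A"),
           "TXT": resolve(domain, "TXT"), "NS": [], "MX": []}
    for ns in resolve(domain, "NS"):
        host = ns.rstrip(".")
        out["NS"].append((host, resolve(host, "A")))
    for mx in resolve(domain, "MX"):
        pref, host = mx.split()
        host = host.rstrip(".")
        out["MX"].append((int(pref), host, resolve(host, "A")))
    return out


if __name__ == "__main__":
    for rec in srv_enum("example.com"):
        print("SRV", rec)
    print("TLD", tld_enum("example.com"))
    print("STD", std_enum("example.com"))
```

To run this against a real domain, replace `fake_resolve` with a callback around a DNS library (for dnspython 2.x, assumed here, that is `dns.resolver.resolve(name, rtype)` with its `NXDOMAIN` and `NoAnswer` exceptions caught and turned into an empty list); the enumeration functions themselves do not change.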