Tools - DNSRecon

 1 root@kali:~# dnsrecon 
 2 Version: 0.8.8
 3 Usage: dnsrecon.py <options>
 4 
 5 Options:
 6    -h, --help                  Show this help message and exit
 7    -d, --domain      <domain>  Domain to Target for enumeration.
 8    -r, --range       <range>   IP Range for reverse look-up brute force in formats (first-last)
 9                                or in (range/bitmask).
10    -n, --name_server <name>    Domain server to use, if none is given the SOA of the
11                                target will be used
12    -D, --dictionary  <file>    Dictionary file of sub-domain and hostnames to use for
13                                brute force.
14    -f                          Filter out of Brute Force Domain lookup records that resolve to
15                                the wildcard defined IP Address when saving records.
16    -t, --type        <types>   Specify the type of enumeration to perform:
17                                std      To Enumerate general record types, enumerates.
18                                         SOA, NS, A, AAAA, MX and SRV if AXRF on the
19                                         NS Servers fail.
20 
21                                rvl      To Reverse Look Up a given CIDR IP range.
22 
23                                brt      To Brute force Domains and Hosts using a given
24                                         dictionary.
25 
26                                srv      To Enumerate common SRV Records for a given
27 
28                                         domain.
29 
30                                axfr     Test all NS Servers in a domain for misconfigured
31                                         zone transfers.
32 
33                                goo      Perform Google search for sub-domains and hosts.
34 
35                                snoop    To Perform a Cache Snooping against all NS
36                                         servers for a given domain, testing all with
37                                         file containing the domains, file given with -D
38                                         option.
39 
40                                tld      Will remove the TLD of given domain and test against
41                                         all TLD's registered in IANA
42 
43                                zonewalk Will perform a DNSSEC Zone Walk using NSEC Records.
44 
45    -a                          Perform AXFR with the standard enumeration.
46    -s                          Perform Reverse Look-up of ipv4 ranges in the SPF Record of the
47                                targeted domain with the standard enumeration.
48    -g                          Perform Google enumeration with the standard enumeration.
49    -w                          Do deep whois record analysis and reverse look-up of IP
50                                ranges found thru whois when doing standard query.
51    -z                          Performs a DNSSEC Zone Walk with the standard enumeration.
52    --threads          <number> Number of threads to use in Range Reverse Look-up, Forward
53                                Look-up Brute force and SRV Record Enumeration
54    --lifetime         <number> Time to wait for a server to response to a query.
55    --db               <file>   SQLite 3 file to save found records.
56    --xml              <file>   XML File to save found records.
57    --iw                        Continua bruteforcing a domain even if a wildcard record resolution is
58                                discovered.
59    -c, --csv          <file>   Comma separated value file.
60    -j, --json         <file>   JSON file.
61    -v                          Show attempts in the bruteforce modes.

 1 root@kali:~# dnsrecon -t std -d example.com
 2 [] Performing General Enumeration of Domain:
 3 [] DNSSEC is configured for example.com
 4 [] DNSKEYs:
 5 []   NSEC ZSK RSASHA256 03010001963ba957655b761dac86aebe ee9bc4f388a7a6bbbfcaaebc103083aa f345ab8585031b5f2a32c8551267b95a 7d459751c6683d972979f67a718d7fa1
 6 []   NSEC KSk RSASHA256 03010001b38503197e2e4b7450c82566 2cca102d40c54bbcce58fae4a61ab51e 7005632b875f136332bf8a0e98d6de58 4d608eebc6f29e8ae9
 7 []    SOA sns.dns.icann.org 199.4.28.26
 8 []    NS b.iana-servers.net 199.43.133.53
 9 []    Bind Version for 199.43.133.53 9.9.7-P2
10 []    NS b.iana-servers.net 2001:500:8d::53
11 []    Bind Version for 2001:500:8d::53 9.9.7-P2
12 []    NS a.iana-servers.net 199.43.132.53
13 []    Bind Version for 199.43.132.53 host
14 []    NS a.iana-servers.net 2001:500:8c::53
15 []    Bind Version for 2001:500:8c::53 host
16 [-] Could not Resolve MX Records for example.com
17 []    A example.com 93.184.216.34
18 []    AAAA example.com 2606:2800:220:1:248:1893:25c8:1946
19 []    TXT example.com $Id: example.com 4415 2015-08-24 20:12:23Z davids $
20 []    TXT example.com v=spf1 -all
21 [] Enumerating SRV Records
22 [-] No SRV Records Found for example.com
23 [] 0 Records Found

1 root@kali:~# echo "www" > enreg.txt
2 root@kali:~# dnsrecon -d example.com -t brt -D enreg.txt                                                                
3 [] Performing host and subdomain brute force against example.com
4 []      A www.example.com 93.184.216.34
5 []      AAAA www.example.com 2606:2800:220:1:248:1893:25c8:1946
6 [] 2 Records Found

 1 root@kali:~# dnsrecon -d example.com -t brt -D enreg.txt --db sql3
 2 [] Performing host and subdomain brute force against example.com
 3 []      A www.example.com 93.184.216.34
 4 []      AAAA www.example.com 2606:2800:220:1:248:1893:25c8:1946
 5 [] 2 Records Found
 6 [] Saving records to SQLite3 file: sql3
 7 
 8 root@kali:~# sqlite3 sql3
 9 SQLite version 3.7.16.2 2013-04-12 11:52:43
10 Enter ".help" for instructions
11 Enter SQL statements terminated with a ";"
12 sqlite> .tables
13 data
14 sqlite> SELECT  FROM data;
15 1|A|www.example.com|93.184.216.34||||
16 2|AAAA|www.example.com|2606:2800:220:1:248:1893:25c8:1946||||
17 sqlite>

 1 root@kali:~# dnsrecon -d example.com -a
 2 [] Performing General Enumeration of Domain: example.com
 3 [] Checking for Zone Transfer for example.com name servers
 4 [] Resolving SOA Record
 5 []    SOA sns.dns.icann.org 199.4.28.26
 6 [] Resolving NS Records
 7 [] NS Servers found:
 8 []   NS a.iana-servers.net 199.43.132.53
 9 []   NS a.iana-servers.net 2001:500:8c::53
10 []   NS b.iana-servers.net 199.43.133.53
11 []   NS b.iana-servers.net 2001:500:8d::53
12 [] Removing any duplicate NS server IP Addresses...
13 []

14 [] Trying NS server 199.4.28.26
15 [] 199.4.28.26 Has port 53 TCP Open
16 [-] Zone Transfer Failed!
17 [-]
18 []

19 [] Trying NS server 199.43.133.53
20 [] 199.43.133.53 Has port 53 TCP Open
21 [-] Zone Transfer Failed!
22 [-]
23 []

24 [] Trying NS server 199.43.132.53
25 [] 199.43.132.53 Has port 53 TCP Open
26 [-] Zone Transfer Failed!
27 [-]
28 []

29 [] Trying NS server 2001:500:8d::53
30 [-] Zone Transfer Failed for 2001:500:8d::53!
31 [-] Port 53 TCP is being filtered
32 []

33 [] Trying NS server 2001:500:8c::53
34 [-] Zone Transfer Failed for 2001:500:8c::53!
35 [-] Port 53 TCP is being filtered
36 [] Checking for Zone Transfer for example.com name servers
37 [] Resolving SOA Record
38 []    SOA sns.dns.icann.org 199.4.28.26
39 [] Resolving NS Records
40 [] NS Servers found:
41 []   NS a.iana-servers.net 199.43.132.53
42 []   NS a.iana-servers.net 2001:500:8c::53
43 []   NS b.iana-servers.net 199.43.133.53
44 []   NS b.iana-servers.net 2001:500:8d::53
45 [] Removing any duplicate NS server IP Addresses...
46 []

47 [] Trying NS server 199.4.28.26
48 [] 199.4.28.26 Has port 53 TCP Open
49 [-] Zone Transfer Failed!
50 [-]
51 []

52 [] Trying NS server 199.43.133.53
53 [] 199.43.133.53 Has port 53 TCP Open
54 [-] Zone Transfer Failed!
55 [-]
56 []

57 [] Trying NS server 199.43.132.53
58 [] 199.43.132.53 Has port 53 TCP Open
59 [-] Zone Transfer Failed!
60 [-]
61 []

62 [] Trying NS server 2001:500:8d::53
63 [-] Zone Transfer Failed for 2001:500:8d::53!
64 [-] Port 53 TCP is being filtered
65 []

66 [] Trying NS server 2001:500:8c::53
67 [-] Zone Transfer Failed for 2001:500:8c::53!
68 [-] Port 53 TCP is being filtered
69 [] DNSSEC is configured for example.com
70 [] DNSKEYs:
71 []   NSEC KSk RSASHA256 03010001b38503197e2e4b7450c82566 2cca102d40c54bbcce58fae4a61ab51e 7005632b875f136332bf8a0e98d6de58 4d608eebc6f29e8ae936ef5fa8d1402d 7edb565f7f8326c0d2fd04845f9d8179 a851f457ee4b0c1a006fb5f6b6fd8f5a de495734baa44eccc84383c43150a3b6 bca5d7d05ef7f3e415e0bd2138e03114 2c421981dfd7b23189da97e7f76d4c4a 9387eaedcb8453475b469b9ee07fcdea 33ee71758ec22300913261821aa0cbea 3d15f229fad47f7a629aa3de3fc29557 0dc3dfe41d7c8fbc73d92bd34f18aea8 2cc232db319e29191dca21d63e20f98d 41f3320c22fac433ea591a187f62e7f8 47008181a6028bd86988c595bd2e1607 3c74fe55
72 []   NSEC ZSK RSASHA256 03010001963ba957655b761dac86aebe ee9bc4f388a7a6bbbfcaaebc103083aa f345ab8585031b5f2a32c8551267b95a 7d459751c6683d972979f67a718d7fa1 c76fbf349cae43d265c9558dd5792c3c 0fbd213af4b99fb7face8491e2e80f06 2b374506aba404fb2be5c01d2a5518b1 0a615f734b363b3128263d01919e20fc fdc9cf7f1badd7
73 []    SOA sns.dns.icann.org 199.4.28.26
74 []    NS b.iana-servers.net 199.43.133.53
75 []    Bind Version for 199.43.133.53 9.9.7-P2
76 []    NS b.iana-servers.net 2001:500:8d::53
77 []    Bind Version for 2001:500:8d::53 9.9.7-P2
78 []    NS a.iana-servers.net 199.43.132.53
79 []    Bind Version for 199.43.132.53 host
80 []    NS a.iana-servers.net 2001:500:8c::53
81 []    Bind Version for 2001:500:8c::53 host
82 [-] Could not Resolve MX Records for example.com
83 []    A example.com 93.184.216.34
84 []    AAAA example.com 2606:2800:220:1:248:1893:25c8:1946
85 []    TXT example.com v=spf1 -all
86 []    TXT example.com $Id: example.com 4415 2015-08-24 20:12:23Z davids $
87 [] Enumerating SRV Records
88 [-] No SRV Records Found for example.com
89 [] 0 Records Found

1 root@kali:~# dnsrecon -r 212.27.32.5-212.27.32.10
2 [] Reverse Look-up of a Range
3 [] Performing Reverse Lookup from 212.27.32.5 to 212.27.32.10
4 []     PTR pchd1-g14.proxad.net 212.27.32.7
5 []     PTR dnscache-1.proxad.net 212.27.32.5
6 []     PTR cdr7-g15.proxad.net 212.27.32.8
7 []     PTR dnscache-1.proxad.net 212.27.32.6
8 [*] 4 Records Found

1 root@kali:~# dnsrecon -d example.com -t zonewalk
2 [] Performing NSEC Zone Walk for example.com
3 [] Getting SOA record for example.com
4 [] Name Server 199.4.28.26 will be used
5 []     A example.com 93.184.216.34
6 []     AAAA example.com 2606:2800:220:1:248:1893:25c8:1946
7 [] 2 records found

 1 root@kali:~# dnsrecon -d example.com -t tld
 2 [] Performing TLD Brute force Enumeration against example.com
 3 [] The operation could take up to: 00:01:06
 4 []    A example.biz.af 103.56.100.33
 5 []    A example.am 50.87.153.245
 6 []    A example.com.ar 200.58.122.126
 7 []    A example.as 199.73.55.35
 8 []    A example.co.at 78.142.141.40
 9 []    A example.biz.at 78.46.90.98
10 []    A example.com.au 98.124.245.24
11 []    A example.net.au 192.185.159.145
12 [*]    A example.co.ba 176.9.45.78
13 --SNiP--