Amonsec
dnssurgery for DNS enumeration.
« on: February 25, 2017, 04:38:38 PM »
Hi boyz and girlz, it's always a great pleasure to post something here!  8)

Today I drop here a very basic shell project (four scripts) to automate DNS subdomain research.
You can find the folder here: https://github.com/amonsec/shell/tree/master/dnssurgery

  • generate-subdomains-lists
First you need to create the different subdomain lists with the generate-subdomains-lists.sh script. It will create four files:
- subdomains-100.txt
- subdomains-500.txt
- subdomains-1000.txt
- subdomains-10000.txt
with 100, 500, 1000 or 10000 entries in each file.
Of course you can use your own list.
Code: [Select]
curl https://github.com/rbsec/dnscan/blob/master/subdomains-10000.txt |grep 'js-file-line">' |cut -d">" -f2 |cut -d"<" -f1 >> subdomains-10000.txt

This is the 'core' of the generate-subdomains-lists.sh script. We get the content of the GitHub page, filter out the HTML with a few 'cut' commands and write the entries to a file, here subdomains-10000.txt.

Code: [Select]
root@ths-amonsec:/opt/shell/dnsbruteforce# head subdomains-10000.txt
www
mail
ftp
localhost
webmail
smtp
pop
ns1
webdisk
ns2

  • dns-forward-lookup
Code: [Select]
#!/bin/bash

# Usage: dns-forward-lookup.sh <domain name> <wordlist file>
if [ -z "$1" ] || [ -z "$2" ] || [ ! -f "$2" ]; then
  echo -e "\n[+] DNS forward lookup script"
  echo -e "[+] Usage : $0 <domain name> <file>\n"
  exit 0
fi

echo -e "\n[+] Start DNS forward lookup resolution ...\n"
# One candidate subdomain per line; print "name IP" for every A record found
while read -r x; do
  [ -z "$x" ] && continue
  host "$x.$1" | grep "has address" | cut -d" " -f1,4
done < "$2"
echo -e "\n[+] End DNS forward lookup.\n"

Nothing really complex here: we get two arguments, first the domain name, then the file.
First the script checks that we have two arguments, then that the file exists. After that, we use a simple host command with the concatenation of a subdomain from the file and the domain name. If we can grep 'has address', the subdomain exists and we get the IP address; otherwise the subdomain doesn't exist.

Code: [Select]
root@ths-amonsec:/opt/shell/dnssurgery# ./dns-forward-lookup.sh megacorpone.com subdomains-100.txt
[+] Start DNS forward lookup resolution ...
www.megacorpone.com 38.100.193.76
mail.megacorpone.com 38.100.193.84
ns1.megacorpone.com 38.100.193.70
ns2.megacorpone.com 38.100.193.80
test.megacorpone.com 38.100.193.67
www2.megacorpone.com 38.100.193.79
admin.megacorpone.com 38.100.193.83
vpn.megacorpone.com 38.100.193.77
ns3.megacorpone.com 38.100.193.90
mail2.megacorpone.com 38.100.193.73
support.megacorpone.com 173.246.47.170
beta.megacorpone.com 38.100.193.69
intranet.megacorpone.com 38.100.193.81
[+] End DNS forward lookup.

  • dns-reverse-lookup
Code: [Select]
#!/bin/bash

# Usage: dns-reverse-lookup.sh <domain name>
if [ -z "$1" ]; then
  echo -e "\n[+] DNS reverse lookup script"
  echo -e "[+] Usage : $0 <domain name>\n"
  exit 0
fi
# Take the first authoritative name server of the domain ...
nameserv=$(host -t NS "$1" | cut -d" " -f4 | head -n 1)
# ... resolve it (IPv4 answer only) and keep the first three octets: the /24 to sweep
addr=$(host "$nameserv" | grep "has address" | head -n 1 | cut -d" " -f4 | cut -d"." -f1-3)
# Keep only PTR answers that mention the target name (e.g. "megacorpone")
filter=$(echo "$1" | cut -d"." -f1)

echo -e "\n[+] Start DNS reverse lookup ...\n"
for x in $(seq 1 254); do
  host "$addr.$x" | grep -v "not found" | grep "$filter"
done
echo -e "\n[+] End DNS reverse lookup.\n"

The dns-reverse-lookup script automates DNS reverse enumeration if the DNS administrator configured PTR records[1] for the domain. That can help us find more domain names that were missed during the forward lookup brute force phase with the earlier script.

Code: [Select]
root@ths-amonsec:/opt/shell/dnssurgery# ./dns-reverse-lookup.sh megacorpone.com
[+] Start DNS reverse lookup ...
66.193.100.38.in-addr.arpa domain name pointer syslog.megacorpone.com.
69.193.100.38.in-addr.arpa domain name pointer beta.megacorpone.com.
70.193.100.38.in-addr.arpa domain name pointer ns1.megacorpone.com.
72.193.100.38.in-addr.arpa domain name pointer admin.megacorpone.com.
73.193.100.38.in-addr.arpa domain name pointer mail2.megacorpone.com.
76.193.100.38.in-addr.arpa domain name pointer www.megacorpone.com.
77.193.100.38.in-addr.arpa domain name pointer vpn.megacorpone.com.
80.193.100.38.in-addr.arpa domain name pointer ns2.megacorpone.com.
84.193.100.38.in-addr.arpa domain name pointer mail.megacorpone.com.
85.193.100.38.in-addr.arpa domain name pointer snmp.megacorpone.com.
89.193.100.38.in-addr.arpa domain name pointer siem.megacorpone.com.
90.193.100.38.in-addr.arpa domain name pointer ns3.megacorpone.com.
91.193.100.38.in-addr.arpa domain name pointer router.megacorpone.com.
[+] End DNS reverse lookup.

  • dns-zone-transfers
Code: [Select]
#!/bin/bash

# Usage: dns-zone-transfers.sh <domain name>
if [ -z "$1" ]; then
  echo -e "\n[+] DNS zone transfer script"
  echo -e "[+] Usage   : $0 <domain name>\n"
  exit 0
fi

echo -e "\n[+] Start zone transfer test ...\n"
# Ask every authoritative name server for the whole zone (AXFR, host -l);
# only a server that allows the transfer answers with "has address" records
for server in $(host -t NS "$1" | cut -d" " -f4); do
  host -l "$1" "$server" | grep "has address"
done

echo -e "\n[+] Stop zone transfer test.\n"

The dns-zone-transfers.sh script tries to get a copy of the zone file that a master DNS server sends to a slave server. That can give us the external DNS namespace and the internal DNS namespace. It's not directly a network breach, however it gives us juicy information that can facilitate a pentest.

Code: [Select]
root@ths-amonsec:/opt/shell/dnssurgery# ./dns-zone-transfers.sh megacorpone.com
[+] Start zone transfert test ...
admin.megacorpone.com has address 38.100.193.83
beta.megacorpone.com has address 38.100.193.69
fs1.megacorpone.com has address 38.100.193.82
intranet.megacorpone.com has address 38.100.193.81
mail.megacorpone.com has address 38.100.193.84
mail2.megacorpone.com has address 38.100.193.73
ns1.megacorpone.com has address 38.100.193.70
ns2.megacorpone.com has address 38.100.193.80
ns3.megacorpone.com has address 38.100.193.90
router.megacorpone.com has address 38.100.193.91
siem.megacorpone.com has address 38.100.193.89
snmp.megacorpone.com has address 38.100.193.85
support.megacorpone.com has address 173.246.47.170
syslog.megacorpone.com has address 38.100.193.66
test.megacorpone.com has address 38.100.193.67
vpn.megacorpone.com has address 38.100.193.77
www.megacorpone.com has address 38.100.193.76
www2.megacorpone.com has address 38.100.193.79
[+] Stope zone transfert test.


So, it's a very basic tool that you can use to automate subdomain searching.
If you have any question or any suggestions for improvements, feel free to leave a comment with your suggestion or send a pull request. :)

Have Fun.
_amonsec


Links:
[1] http://help.dnsmadeeasy.com/managed-dns/dns-record-types/ptr-record/
« Last Edit: February 26, 2017, 05:20:47 AM by _amonsec »
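The three scripts above each print their own slice of the picture (forward brute force, PTR sweep, AXFR), and the post's own runs show that the reverse sweep and the zone transfer turn up names (syslog, siem, router, fs1) that the wordlist never hit. The following Python is an added example, not code from the dnssurgery repository: it parses the raw `host` output the scripts work from, builds the in-addr.arpa names the reverse script queries, merges the three result sets into one inventory and lists the names the wordlist missed. It also reports whether an AXFR actually returned records, which is the check a DNS administrator can run against their own name servers. The `host` output samples are constructed from the post's megacorpone.com runs; `run_host()` assumes the `host` binary from bind-utils is installed and is only used live, never offline.

```python
"""Combine dnssurgery-style forward, reverse and zone-transfer results into one
host inventory.  Added example, not code from the dnssurgery repository; the
sample `host` output below is constructed from the megacorpone.com runs in the post."""
import re
import subprocess
from collections import defaultdict

# Raw `host` A-record answers: "www.example.com has address 192.0.2.10"
FORWARD_RE = re.compile(r"^(?P<name>\S+) has address (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")
# PTR answers: "10.2.0.192.in-addr.arpa domain name pointer www.example.com."
REVERSE_RE = re.compile(r"^(?P<arpa>\S+\.in-addr\.arpa) domain name pointer (?P<name>\S+)\.$")

# Constructed samples: raw `host` output before the scripts' cut/grep filtering
FORWARD_SAMPLE = """\
www.megacorpone.com has address 38.100.193.76
mail.megacorpone.com has address 38.100.193.84
Host foo.megacorpone.com not found: 3(NXDOMAIN)
ns1.megacorpone.com has address 38.100.193.70
"""
REVERSE_SAMPLE = """\
66.193.100.38.in-addr.arpa domain name pointer syslog.megacorpone.com.
Host 67.193.100.38.in-addr.arpa not found: 3(NXDOMAIN)
70.193.100.38.in-addr.arpa domain name pointer ns1.megacorpone.com.
76.193.100.38.in-addr.arpa domain name pointer www.megacorpone.com.
"""
AXFR_SAMPLE = """\
fs1.megacorpone.com has address 38.100.193.82
syslog.megacorpone.com has address 38.100.193.66
www.megacorpone.com has address 38.100.193.76
"""


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa name that `host <ip>` queries for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def arpa_to_ip(arpa: str) -> str:
    """Inverse of reverse_name(): '66.193.100.38.in-addr.arpa' -> '38.100.193.66'."""
    octets = arpa[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def parse_forward(output: str) -> dict:
    """name -> IP from 'has address' lines; NXDOMAIN and IPv6 lines are ignored."""
    result = {}
    for line in output.splitlines():
        m = FORWARD_RE.match(line.strip())
        if m:
            result[m["name"].rstrip(".").lower()] = m["ip"]
    return result


def parse_reverse(output: str) -> dict:
    """IP -> name from PTR answer lines; 'not found' lines are ignored."""
    result = {}
    for line in output.splitlines():
        m = REVERSE_RE.match(line.strip())
        if m:
            result[arpa_to_ip(m["arpa"])] = m["name"].lower()
    return result


def transfer_succeeded(axfr_output: str) -> bool:
    """True if `host -l` returned zone records, i.e. the server allowed AXFR."""
    return bool(parse_forward(axfr_output))


def run_host(*args: str) -> str:
    """Run the real `host` binary (live use only; assumed to be on PATH)."""
    return subprocess.run(["host", *args], capture_output=True, text=True, timeout=30).stdout


def merge_inventory(forward: dict, reverse: dict, axfr: dict) -> dict:
    """name -> {'ips': sorted IPs, 'sources': sorted labels of where it was seen}."""
    inv = defaultdict(lambda: {"ips": set(), "sources": set()})
    for source, mapping in (("forward", forward), ("axfr", axfr)):
        for name, ip in mapping.items():
            inv[name]["ips"].add(ip)
            inv[name]["sources"].add(source)
    for ip, name in reverse.items():
        inv[name]["ips"].add(ip)
        inv[name]["sources"].add("reverse")
    return {n: {"ips": sorted(v["ips"]), "sources": sorted(v["sources"])}
            for n, v in sorted(inv.items())}


def missed_by_wordlist(inventory: dict) -> list:
    """Names that only the PTR sweep or the zone transfer revealed."""
    return [n for n, v in inventory.items() if "forward" not in v["sources"]]


if __name__ == "__main__":
    inventory = merge_inventory(parse_forward(FORWARD_SAMPLE),
                                parse_reverse(REVERSE_SAMPLE),
                                parse_forward(AXFR_SAMPLE))
    for name, info in inventory.items():
        print(f"{name:28} {', '.join(info['ips']):16} {'/'.join(info['sources'])}")
    print("missed by wordlist:", missed_by_wordlist(inventory))
    print("AXFR allowed:", transfer_succeeded(AXFR_SAMPLE))
```

To use it live, replace the three samples with `run_host("www." + domain)` per wordlist entry, `run_host(reverse_name(ip))` per address in the /24, and `run_host("-l", domain, server)` per NS; `transfer_succeeded()` returning True for one of your own name servers means that server hands out the whole zone to anyone who asks.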