
Author Topic: dnssurgery for DNS enumeration.  (Read 873 times)

Offline Amonsec

dnssurgery for DNS enumeration.
« on: February 25, 2017, 04:38:38 PM »
Hi boyz and girlz, it's always a great pleasure to post something here!  8)

Today I drop here a very basic shell project (four scripts) to automate DNS subdomain research.
You can find the folder here: https://github.com/amonsec/shell/tree/master/dnssurgery

  • generate-subdomains-lists
First you need to create the different subdomain lists with the generate-subdomains-list.sh script. That will create four files:
- subdomains-100.txt
- subdomains-500.txt
- subdomains-1000.txt
- subdomains-10000.txt
with 100, 500, 1000 or 10000 entries each.
Of course, you can use your own list.
Code: [Select]
curl https://github.com/rbsec/dnscan/blob/master/subdomains-10000.txt |grep 'js-file-line">' |cut -d">" -f2 |cut -d"<" -f1 >> subdomains-10000.txt

This is the 'core' of the generate-subdomains-lists.sh script: we fetch the content of the GitHub page above, strip the HTML around each line with a couple of 'cut' calls, and write the entries to a file, here subdomains-10000.txt.

Code: [Select]
root@ths-amonsec:/opt/shell/dnsbruteforce# head subdomains-10000.txt

  • dns-forward-lookup
Code: [Select]

#!/bin/bash
# Usage: ./dns-forward-lookup.sh <domain name> <wordlist file>
if [ -z "$1" ] || [ -z "$2" ] || [ ! -f "$2" ]; then
  echo -e "\n[+] DNS forward lookup script"
  echo -e "[+] Usage : $0 <domain name> <file>\n"
  exit 0
fi

echo -e "\n[+] Start DNS forward lookup resolution ...\n"
for x in $(cat "$2"); do
  # print "<name> <IP>" for every candidate that resolves to an A record
  host "$x.$1" | grep "has address" | cut -d" " -f1,4
done
echo -e "\n[+] End DNS forward lookup.\n"

Nothing really complex here: the script takes two arguments, first the domain name, then the wordlist file.
It first checks that both arguments are present, then that the file exists. After that it runs a simple host command on the concatenation of a subdomain from the file and the domain name. If we can grep 'has address', the subdomain exists and we get its IP address; otherwise the name does not exist.

Code: [Select]
root@ths-amonsec:/opt/shell/dnssurgery# ./dns-forward-lookup.sh megacorpone.com subdomains-100.txt
[+] Start DNS forward lookup resolution ...
[+] End DNS forward lookup.
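The forward-lookup loop only keeps lines containing "has address", so a name that exists only as an AAAA record or as a CNAME is silently reported as missing. The helper below is an added example (not code from the dnssurgery repo): it parses the output of `host` for one candidate name and prints every answer that proves the name exists. The sample outputs are constructed to imitate what `host` prints, so the block runs offline; in the real script you would call `parse_host_output "$(host "$x.$1")"` inside the loop.

```shell
#!/bin/bash
# Added example, not part of dnssurgery. Parses `host <name>` output and
# prints "<name> <record type> <value>" for A, AAAA and CNAME answers.
# $1: the complete stdout of `host <name>`, passed as a string.
parse_host_output() {
  printf '%s\n' "$1" | awk '
    $2 == "has" && $3 == "address"                 { print $1, "A", $4 }
    $2 == "has" && $3 == "IPv6" && $4 == "address" { print $1, "AAAA", $5 }
    $2 == "is" && $3 == "an" && $4 == "alias"      { print $1, "CNAME", $NF }
  '
}

# Number of answers that prove the name exists; 0 means "does not resolve".
count_hits() {
  parse_host_output "$1" | wc -l | tr -d ' '
}

# Constructed sample outputs (no network used). example.test is a reserved
# name, the addresses are documentation ranges.
SAMPLE_A='www.example.test has address 192.0.2.10
www.example.test has IPv6 address 2001:db8::10'
SAMPLE_CNAME='blog.example.test is an alias for ghs.example.test.
ghs.example.test has address 192.0.2.20'
SAMPLE_NX='Host nope.example.test not found: 3(NXDOMAIN)'

# Demonstration: the CNAME and the AAAA-only case are kept, NXDOMAIN yields nothing.
for sample in "$SAMPLE_A" "$SAMPLE_CNAME" "$SAMPLE_NX"; do
  parse_host_output "$sample"
done
```

The awk rules match on the fixed words `host` prints rather than on a bare substring, so a hostname that happens to contain "address" cannot produce a false positive.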

  • dns-reverse-lookup
Code: [Select]

#!/bin/bash
# Usage: ./dns-reverse-lookup.sh <domain name>
if [ -z "$1" ]; then
  echo -e "\n[+] DNS reverse lookup script"
  echo -e "[+] Usage : $0 <domain name>\n"
  exit 0
fi

# second name server of the domain, its /24 network, and the bare domain label used as filter
nameserv=$(host -t NS "$1" | cut -d" " -f4 | sed -n 2p)
addr=$(host "$nameserv" | cut -d" " -f4 | cut -d"." -f1,2,3)
filter=$(echo "$1" | cut -d"." -f1)

echo -e "\n[+] Start DNS reverse lookup ...\n"
for x in $(seq 1 254); do
  # PTR lookup of every host in the /24, keeping only names that belong to the domain
  host "$addr.$x" | grep -v "not found" | grep "$filter"
done
echo -e "\n[+] End DNS reverse lookup.\n"

The dns-reverse-lookup script automates DNS reverse enumeration when the DNS administrator has configured PTR records[1] for the domain. That can help us find more domain names that were missed during the forward lookup brute-force phase with the earlier script.

Code: [Select]
root@ths-amonsec:/opt/shell/dnssurgery# ./dns-reverse-lookup.sh megacorpone.com
[+] Start DNS reverse lookup ...
domain name pointer syslog.megacorpone.com.
domain name pointer beta.megacorpone.com.
domain name pointer ns1.megacorpone.com.
domain name pointer admin.megacorpone.com.
domain name pointer mail2.megacorpone.com.
domain name pointer www.megacorpone.com.
domain name pointer vpn.megacorpone.com.
domain name pointer ns2.megacorpone.com.
domain name pointer mail.megacorpone.com.
domain name pointer snmp.megacorpone.com.
domain name pointer siem.megacorpone.com.
domain name pointer ns3.megacorpone.com.
domain name pointer router.megacorpone.com.
[+] End DNS reverse lookup.
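Two details of the reverse-lookup script are worth tightening: `grep $filter` matches the bare label (megacorpone) anywhere in the line, so PTR names of unrelated zones that contain the same word pass the filter, and the in-addr.arpa name is printed instead of the dotted IP. The function below is an added example (not code from the dnssurgery repo) that rebuilds the IP from the PTR query name and keeps only names ending in ".<domain>". The sample `host` output is constructed so the block runs offline; in the script you would call `parse_ptr_output "$(host "$addr.$x")" "$1"`.

```shell
#!/bin/bash
# Added example, not part of dnssurgery. Parses `host <ip>` PTR output,
# prints "<ip> <hostname>" and keeps only hostnames under the given domain.
# $1: stdout of one or more `host <ip>` calls, as a string; $2: domain to keep.
parse_ptr_output() {
  printf '%s\n' "$1" | awk -v dom="$2" '
    $2 == "domain" && $3 == "name" && $4 == "pointer" {
      # 10.2.0.192.in-addr.arpa -> 192.0.2.10 (octets are stored reversed)
      split($1, o, ".")
      ip = o[4] "." o[3] "." o[2] "." o[1]
      name = $5
      sub(/\.$/, "", name)            # drop the trailing dot of the FQDN
      suffix = "." dom
      # anchored match: the name must END with ".<domain>", not merely contain a word
      if (substr(name, length(name) - length(suffix) + 1) == suffix) print ip, name
    }
  '
}

# Constructed sample: two real hits, two decoys that a bare `grep example` would
# accept, and one address without a PTR record.
SAMPLE_PTR='10.2.0.192.in-addr.arpa domain name pointer www.example.test.
11.2.0.192.in-addr.arpa domain name pointer mail.example.test.
12.2.0.192.in-addr.arpa domain name pointer cdn.example-hosting.net.
13.2.0.192.in-addr.arpa domain name pointer www.notexample.test.
Host 14.2.0.192.in-addr.arpa. not found: 3(NXDOMAIN)'

# Demonstration: only the two example.test names survive.
parse_ptr_output "$SAMPLE_PTR" example.test
```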

  • dns-zone-transfers
Code: [Select]

#!/bin/bash
# Usage: ./dns-zone-transfers.sh <domain name>
if [ -z "$1" ]; then
  echo -e "\n[+] DNS zone transfert script"
  echo -e "[+] Usage   : $0 <domain name>\n"
  exit 0
fi

echo -e "\n[+] Start zone transfert test ...\n"
# ask every authoritative name server of the domain for a full zone transfer (AXFR)
for server in $(host -t NS "$1" | cut -d" " -f4); do
  host -l "$1" "$server" | grep "has address"
done
echo -e "\n[+] Stop zone transfert test.\n"

The dns-zone-transfers.sh script tries to get a copy of the zone file, the way a slave server would fetch it from a master DNS server. That can give us the external DNS namespace and the internal DNS namespace. It's not directly a network breach, but it gives us juicy information that can facilitate a pentest.

Code: [Select]
root@ths-amonsec:/opt/shell/dnssurgery# ./dns-zone-transfers.sh megacorpone.com
[+] Start zone transfert test ...
admin.megacorpone.com has address
beta.megacorpone.com has address
fs1.megacorpone.com has address
intranet.megacorpone.com has address
mail.megacorpone.com has address
mail2.megacorpone.com has address
ns1.megacorpone.com has address
ns2.megacorpone.com has address
ns3.megacorpone.com has address
router.megacorpone.com has address
siem.megacorpone.com has address
snmp.megacorpone.com has address
support.megacorpone.com has address
syslog.megacorpone.com has address
test.megacorpone.com has address
vpn.megacorpone.com has address
www.megacorpone.com has address
www2.megacorpone.com has address
[+] Stope zone transfert test.
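Because the script greps for "has address", a server that refuses the transfer and one that allows it but has no A records look the same (no output), and AAAA, MX, NS and TXT records that a successful transfer also leaks are dropped. The function below is an added example (not code from the dnssurgery repo) that reads the output of `host -l` and reports, per server, either REFUSED or ALLOWED with the number of records returned, which is the check an administrator would run against their own name servers. The sample outputs are constructed to imitate `host -l`, so the block runs offline; in the script you would call `axfr_result "$(host -l "$1" "$server")"` for each server.

```shell
#!/bin/bash
# Added example, not part of dnssurgery. Classifies the output of
# `host -l <domain> <server>`: prints "REFUSED" or "ALLOWED <record count>".
# $1: the complete stdout of one `host -l` call, passed as a string.
axfr_result() {
  printf '%s\n' "$1" | awk '
    /^; Transfer failed/ { failed = 1 }
    /^;/ { next }                                  # other comment lines
    # record lines as `host` prints them: "has address", "has IPv6 address",
    # "name server", "mail is handled by", "descriptive text" (TXT)
    $2 == "has" || $2 == "name" || $2 == "mail" || $2 == "descriptive" { n++ }
    END {
      if (failed || n == 0) print "REFUSED"
      else print "ALLOWED", n
    }
  '
}

# Constructed sample: a name server that hands out the whole zone.
AXFR_OPEN='Using domain server:
Name: ns1.example.test
Address: 192.0.2.53#53
Aliases: 

example.test name server ns1.example.test.
example.test has address 192.0.2.80
www.example.test has address 192.0.2.80
intranet.example.test has IPv6 address 2001:db8::80
example.test mail is handled by 10 mail.example.test.'

# Constructed sample: a name server that correctly refuses AXFR.
AXFR_CLOSED='Using domain server:
Name: ns2.example.test
Address: 192.0.2.54#53
Aliases: 

; Transfer failed.'

# Demonstration over the two constructed servers.
for server in ns1.example.test ns2.example.test; do
  case "$server" in
    ns1.example.test) out="$AXFR_OPEN" ;;
    *)                out="$AXFR_CLOSED" ;;
  esac
  echo "$server: $(axfr_result "$out")"
done
```

Note that the intranet host in the open sample has only an IPv6 address, so the script's "has address" grep would never have listed it even though the transfer exposed it.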

So, it's a very basic tool that you can use to automate subdomain searching.
If you have any question or any suggestions for improvements, feel free to leave a comment with your suggestion or send a pull request. :)

Have Fun.

[1] http://help.dnsmadeeasy.com/managed-dns/dns-record-types/ptr-record/
« Last Edit: February 26, 2017, 05:20:47 AM by _amonsec »
"A computer is only as good as it's user" - R4V3N
OSCP (2017)