DRIL has a simple user friendly interface which will be helpful for penetration tester to do their work fast without a mess, this is only tested on Linux but as it is JAVA it should work on Windows too.

There are various other tools which carry out similar tasks, especially utilizing the Bing API.

• FindDomains v0.1.1 Released – Discover Domains/Sites/Hosts (This would be the most similar to DRIL).
• FOCA – Network Infrastructure Mapping Tool (Also contains this feature amongst others).
• hostmap 0.2 – Automatic Hostname & Virtual Hosts Discovery Tool (Does the same job but uses multiple techniques.)

You can download DRIL here:

DomainReverseIPLookup.jar

Or read more here.

FindDomains is a multithreaded search engine discovery tool that will be very useful for penetration testers dealing with discovering domain names/web sites/virtual hosts which are located on too many IP addresses. Provides a console interface so you can easily integrate this tool to your pentest automation system.

It retrieves domain names/web sites which are located on specified ip address/hostname.

In order to use FindDomains you need to:

1. Create an appid from “Bing Developers” at this link.
2. It’ll be like that : 32AFB589D1C8B4FEC73D4BCB6EA0AD810E0FA2C7
3. When you have registered an appid, enter it to the “appid.txt” which is in the program directory.

Features

• Uses Bing search engine. Works with first 1000 records.
• Multithreaded on crawling and DNS resolution.
• Performs DNS resolution for extracted domains to eleminate cached/old records.
• Has a console interface so it can be very useful with some command-line foo.
• Works with Mono. But running under Windows is more efficient.

Sample usage

FindDomains.exe 1.2.3.4

FindDomains.exe www.hotmail.com 

Requirements

• .NET Framework 3.5. Also working with Mono.

You can dowload FindDomains v.0.1.1 here:

FindDomainsv0.1.1.rar

Or read more here.

We first wrote about Complemento 0.4b a little while ago when it first hit the public domain just last month (December 2008).

Now there have been 2 major updated versions, the latest being 0.6.

What is Complemento?

Complemento is a collection of tools that the author originally created for his own personal toolchain for solving some problems or just for fun. Now he has decided to release it to the public.

LetDown is a TCP flooder written after the author read the article by fyodor entitled article “TCP Resource Exhaustion and Botched Disclosure“. It has an (experimental) userland TCP/IP stack, and support multistage payloads for complex protocols, fragmentation of packets and variable TCP window.

ReverseRaider is a domain scanner that uses brute force wordlist scanning for finding a target sub-domains or reverse resolution for a range of ip addresses. This is similar to some of the functionality in DNSenum. It supports permutation on wordlist and IPv6.

Httsquash is an HTTP server scanner, banner grabber and data retriever. It can be used for scanning large ranges of IP addresses and finding devices or HTTP servers (there is an alpha version of a GUI for this). It supports IPv6 and personalized HTTP requests.

Improvements for v0.6

LetDown:

• New (experimental) userland TCP stack
• Support for multistage payloads (for complex and stateful protocol, such as FTP, SMTP…)
• Variable TCP Window size
• Fragmentation of packets
• Polite mode (ACK received packets and/or closing the connection with FIR or RST packets)

ReverseRaider:

• Support for IPv6

HttSquash:

• Support for IPv6

You can download Complemento v0.6 here:

complemento-0.6

Or read more here.

An interesting collection of tools for pen-testing including a DoS tool (something you don’t often see publicly released).

Complemento is a collection of tools that the author originally created for his own personal toolchain for solving some problems or just for fun. Now he has decided to release it to the public.

The Tools

LetDown is a TCP flooder written after the author read the article by fyodor entitled article “TCP Resource Exhaustion and Botched Disclosure“.

ReverseRaider is a domain scanner that uses brute force wordlist scanning for finding a target sub-domains or reverse resolution for a range of ip addresses. This is similar to some of the functionality in DNSenum.

Httsquash is an HTTP server scanner, banner grabber and data retriever. It can be used for scanning large ranges of IP addresses and finding devices or HTTP servers (there is an alpha version of a GUI for this).

You can download Complemento v0.4b here:

complemento-0.4b

Or read more here.

Fierce domain scan was born out of personal frustration after performing a web application security audit. It is traditionally very difficult to discover large swaths of a corporate network that is non-contiguous. It’s terribly easy to run a scanner against an IP range, but if the IP ranges are nowhere near one another you can miss huge chunks of networks.

First what fierce is not. Fierce is not an IP scanner, it is not a DDoS tool, it is not designed to scan the whole internet or perform any un-targeted attacks. It is meant specifically to locate likely targets both inside and outside a corporate network. Only those targets are listed. No exploitation is performed. Fierce is a reconnaissance tool. Fierce is a PERL script that quickly scans domains (usually in just a few minutes, assuming no network lag) using several tactics.

First it queries your DNS for the DNS servers of the target. It then switches to using the target’s DNS server (you can use a different one if you want using the -dnsserver switch). Fierce then attempts to dump the SOA records for the domain in the very slim hope that the DNS server that your target uses may be misconfigured.

Once that fails (because it almost always will) it attempts to “guess” names that are common amongst a lot of different companies. Don’t ask me where I got the list, it’s just a list of names that id and I have seen all over the place. I thought about adding a dictionary to this, but I think that would take a lot longer, and given that very few of the words are dictionary words I don’t think this would add a lot of value.

The syntax is something like this:

perl fierce.pl -dns widget.com -search widgetcompany,nutsandbolts

You can download Fierce Domain Scanner here:

fierce.pl – Download host list: hosts.txt

More info here:

Fierce Domain Scanner

Written by RSnake with input from id, Vacuum and Robert E Lee.