{"id":4099,"date":"2016-04-09T06:51:13","date_gmt":"2016-04-08T22:51:13","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=4099"},"modified":"2016-04-09T06:51:39","modified_gmt":"2016-04-08T22:51:39","slug":"dnsrecon-dns-enumeration-script","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2016\/04\/dnsrecon-dns-enumeration-script\/","title":{"rendered":"DNSRecon – DNS Enumeration Script"},"content":{"rendered":"
DNSRecon is a Python-based DNS enumeration script designed to help you audit your DNS security and configuration as part of the information gathering stage of a pen-test. DNS reconnaissance is an important step when mapping out domain resources, sub-domains, e-mail servers and so on, and can often lead to you finding an old DNS entry pointing to an unmaintained, insecure server.<\/p>\n
<\/p>\n
It’s also considered passive information gathering, as it’s a way to build a map of company\/target resources without running the active probes\/scans that alert IDS\/IPS systems.<\/p>\n
DNSRecon provides the ability to perform:<\/p>\n
root@box:~# dnsrecon -h\r\nUsage: dnsrecon.py\r\n\r\nOptions:\r\n-h, --help Show this help message and exit\r\n-d, --domain Domain to Target for enumeration.\r\n-r, --range IP Range for reverse look-up brute force in formats (first-last)\r\nor in (range\/bitmask).\r\n-n, --name_server Domain server to use, if none is given the SOA of the\r\ntarget will be used\r\n-D, --dictionary Dictionary file of sub-domain and hostnames to use for\r\nbrute force.\r\n-f Filter out of Brute Force Domain lookup records that resolve to\r\nthe wildcard defined IP Address when saving records.\r\n-t, --type Specify the type of enumeration to perform:\r\nstd To Enumerate general record types, enumerates.\r\nSOA, NS, A, AAAA, MX and SRV if AXRF on the\r\nNS Servers fail.\r\n\r\nrvl To Reverse Look Up a given CIDR IP range.\r\n\r\nbrt To Brute force Domains and Hosts using a given\r\ndictionary.\r\n\r\nsrv To Enumerate common SRV Records for a given\r\n\r\ndomain.\r\n\r\naxfr Test all NS Servers in a domain for misconfigured\r\nzone transfers.\r\n\r\ngoo Perform Google search for sub-domains and hosts.\r\n\r\nsnoop To Perform a Cache Snooping against all NS\r\nservers for a given domain, testing all with\r\nfile containing the domains, file given with -D\r\noption.\r\n\r\ntld Will remove the TLD of given domain and test against\r\nall TLD's registered in IANA\r\n\r\nzonewalk Will perform a DNSSEC Zone Walk using NSEC Records.\r\n\r\n-a Perform AXFR with the standard enumeration.\r\n-s Perform Reverse Look-up of ipv4 ranges in the SPF Record of the\r\ntargeted domain with the standard enumeration.\r\n-g Perform Google enumeration with the standard enumeration.\r\n-w Do deep whois record analysis and reverse look-up of IP\r\nranges found thru whois when doing standard query.\r\n-z Performs a DNSSEC Zone Walk with the standard enumeration.\r\n--threads Number of threads to use in Range Reverse Look-up, Forward\r\nLook-up Brute force and SRV Record Enumeration\r\n--lifetime Time to wait for a 
server to response to a query.\r\n--db SQLite 3 file to save found records.\r\n--xml XML File to save found records.\r\n--iw Continua bruteforcing a domain even if a wildcard record resolution is discovered.\r\n-c, --csv Comma separated value file.\r\n-v Show attempts in the bruteforce modes.<\/pre>\nYou can download DNSRecon here:<\/p>\n