DNS Information is crucial when Hacking / Pen-testing is your interest. Different servers related to a Organization or domain are very important to narrow the Hacking attack as in which server are are attacking has what information on it, it may be a mail server or name servers .

Lets see how we gather Information related to DNS from DNSEnum or say DNS-Enumerator.

DNSEnum is present in Kali Linux or any other Security / Hacking / Pentest Linux Distribution, navigate through Applications or in terminal type dnsenum and hit enter.

Next Step is going through the available Options and Arguments of DNSEnum

root@ETHICALHACKX:~# dnsenum
Smartmatch is experimental at /usr/bin/dnsenum line 698.
Smartmatch is experimental at /usr/bin/dnsenum line 698.
dnsenum VERSION:1.2.4
Usage: dnsenum [Options] <domain> 
Note: the brute force -f switch is obligatory.
  --dnsserver   <server>
            Use this DNS server for A, NS and MX queries.
  --enum        Shortcut option equivalent to --threads 5 -s 15 -w.
  -h, --help        Print this help message.
  --noreverse       Skip the reverse lookup operations.
  --nocolor     Disable ANSIColor output.
  --private     Show and save private ips at the end of the file domain_ips.txt.
  --subfile <file>    Write all valid subdomains to this file.
  -t, --timeout <value>   The tcp and udp timeout values in seconds (default: 10s).
  --threads <value>   The number of threads that will perform different queries.
  -v, --verbose     Be verbose: show all the progress and all the error messages.
  -p, --pages <value> The number of google search pages to process when scraping names, 
            the default is 5 pages, the -s switch must be specified.
  -s, --scrap <value> The maximum number of subdomains that will be scraped from Google (default 15).
  -f, --file <file>   Read subdomains from this file to perform brute force.
  -u, --update  <a|g|r|z>
            Update the file specified with the -f switch with valid subdomains.
    a (all)     Update using all results.
    g       Update using only google scraping results.
    r       Update using only reverse lookup results.
    z       Update using only zonetransfer results.
  -r, --recursion   Recursion on subdomains, brute force all discovred subdomains that have an NS record.
  -d, --delay <value> The maximum value of seconds to wait between whois queries, the value is defined randomly, default: 3s.
  -w, --whois       Perform the whois queries on c class network ranges.
             **Warning**: this can generate very large netranges and it will take lot of time to performe reverse lookups.
  -e, --exclude <regexp>
            Exclude PTR records that match the regexp expression from reverse lookup results, useful on invalid hostnames.
  -o --output <file>  Output in XML format. Can be imported in MagicTree (www.gremwell.com)

Start with the simplest argument

dnsenum targetwebsite.com
dnsenum google.com

Now we try getting the sub-domains of a domain which is very important, for this we need to have a file of the popular sub-domains, in this case to show i have created a small file which I will use to scan google.com

The following command in terminal will scan the sub-domains also (subdomain.txt is name of file you created)

dnsenum -f subdomain.txt google.com

The result is:

Like wise the arguments can be used to run multiple threads for scanning.

Hope this information was useful to you start information gathering and hacking, we will cover few more techniques to gather information related to our target victim in the upcoming tutorials.


Please enter your comment!
Please enter your name here