DNS information is crucial when hacking / pen-testing is your interest. The different servers belonging to an organization or domain matter because they let you narrow the attack: knowing which server you are dealing with tells you what it holds, for example a mail server or a name server.
Let's see how to gather DNS information with DNSEnum, the DNS enumerator.
DNSEnum ships with Kali Linux and most other security / hacking / pentest Linux distributions. Navigate to it through Applications, or type dnsenum in a terminal and hit Enter. Run without arguments it prints its help:
root@ETHICALHACKX:~# dnsenum
Smartmatch is experimental at /usr/bin/dnsenum line 698.
Smartmatch is experimental at /usr/bin/dnsenum line 698.
dnsenum VERSION:1.2.4
Usage: dnsenum [Options] <domain>
[Options]:
Note: the brute force -f switch is obligatory.
GENERAL OPTIONS:
  --dnsserver <server>      Use this DNS server for A, NS and MX queries.
  --enum                    Shortcut option equivalent to --threads 5 -s 15 -w.
  -h, --help                Print this help message.
  --noreverse               Skip the reverse lookup operations.
  --nocolor                 Disable ANSIColor output.
  --private                 Show and save private ips at the end of the file domain_ips.txt.
  --subfile <file>          Write all valid subdomains to this file.
  -t, --timeout <value>     The tcp and udp timeout values in seconds (default: 10s).
  --threads <value>         The number of threads that will perform different queries.
  -v, --verbose             Be verbose: show all the progress and all the error messages.
GOOGLE SCRAPING OPTIONS:
  -p, --pages <value>       The number of google search pages to process when scraping names, the default is 5 pages, the -s switch must be specified.
  -s, --scrap <value>       The maximum number of subdomains that will be scraped from Google (default 15).
BRUTE FORCE OPTIONS:
  -f, --file <file>         Read subdomains from this file to perform brute force.
  -u, --update <a|g|r|z>    Update the file specified with the -f switch with valid subdomains.
        a (all)             Update using all results.
        g                   Update using only google scraping results.
        r                   Update using only reverse lookup results.
        z                   Update using only zonetransfer results.
  -r, --recursion           Recursion on subdomains, brute force all discovred subdomains that have an NS record.
WHOIS NETRANGE OPTIONS:
  -d, --delay <value>       The maximum value of seconds to wait between whois queries, the value is defined randomly, default: 3s.
  -w, --whois               Perform the whois queries on c class network ranges.
                            **Warning**: this can generate very large netranges and it will take lot of time to performe reverse lookups.
REVERSE LOOKUP OPTIONS:
  -e, --exclude <regexp>    Exclude PTR records that match the regexp expression from reverse lookup results, useful on invalid hostnames.
OUTPUT OPTIONS:
  -o --output <file>        Output in XML format. Can be imported in MagicTree (www.gremwell.com)
Start with the simplest invocation, which takes just the domain:
dnsenum targetwebsite.com
dnsenum google.com
Now we try getting the sub-domains of a domain, which is very important. For this we need a file of popular sub-domain names; for this demonstration I have created a small file which I will use to scan google.com.
The following command will also scan for sub-domains (subdomain.txt is the name of the file you created):
dnsenum -f subdomain.txt google.com
The result is:
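As an added example, not from the original post or from the dnsenum project, here is a small Python script that does what dnsenum -f subdomain.txt does: it resolves each wordlist entry as a label under the domain. It also adds the check a practitioner needs before trusting such results: a wildcard DNS record makes every guessed name resolve, so the script first probes a random label and filters answers that match the wildcard address. The function and file names are my own choices; only the standard library is used, so it runs against any zone you administer.

```python
import socket
import sys
import uuid
from typing import Callable, Dict, List, Optional

# A resolver maps a hostname to its first IPv4 address, or None if it does not exist.
Resolver = Callable[[str], Optional[str]]


def resolve_a(hostname: str) -> Optional[str]:
    """Real resolver using the system stub resolver (no extra libraries needed)."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def detect_wildcard(domain: str, resolve: Resolver = resolve_a) -> Optional[str]:
    """Resolve a random label under the domain. If it answers, the zone has a
    wildcard record and every guessed name would look 'valid'; return that IP."""
    probe = f"{uuid.uuid4().hex[:12]}.{domain}"
    return resolve(probe)


def brute_force_subdomains(domain: str, words: List[str],
                           resolve: Resolver = resolve_a) -> Dict[str, str]:
    """Try each wordlist entry as a label under domain (what `dnsenum -f` does)
    and return name -> address, discarding hits that only match the wildcard."""
    wildcard_ip = detect_wildcard(domain, resolve)
    found: Dict[str, str] = {}
    for word in words:
        label = word.strip().lower()
        if not label or label.startswith("#"):   # skip blanks and comments
            continue
        name = f"{label}.{domain}"
        ip = resolve(name)
        if ip is not None and ip != wildcard_ip:
            found[name] = ip
    return found


def load_wordlist(path: str) -> List[str]:
    """Read one candidate label per line, e.g. the subdomain.txt used above."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().splitlines()


if __name__ == "__main__":   # usage: python dnsbrute.py example.com subdomain.txt
    target, wordlist = sys.argv[1], load_wordlist(sys.argv[2])
    for host, addr in sorted(brute_force_subdomains(target, wordlist).items()):
        print(f"{host}\t{addr}")
```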
I hope this information helps you get started with information gathering and hacking; we will cover a few more techniques for gathering information about the target in the upcoming tutorials.