Objective: perform thorough DNS enumeration and subdomain bruteforcing on a target. dnsrecon is true to its name: it’s written in Python, and judging from the number of stars on its GitHub repository, it’s a much more popular choice than the other candidates in Kali’s DNS section.
Version: 0.8.10
Usage: dnsrecon.py <options>
Options:
-h, --help Show this help message and exit.
-d, --domain <domain> Target domain.
-r, --range <range> IP range for reverse lookup brute force in formats (first-last) or in (range/bitmask).
-n, --name_server <name> Domain server to use. If none is given, the SOA of the target will be used.
-D, --dictionary <file> Dictionary file of subdomain and hostnames to use for brute force.
-f Filter out of brute force domain lookup, records that resolve to the wildcard defined IP address when saving records.
-t, --type <types> Type of enumeration to perform:
std SOA, NS, A, AAAA, MX and SRV if AXRF on the NS servers fail.
rvl Reverse lookup of a given CIDR or IP range.
brt Brute force domains and hosts using a given dictionary.
srv SRV records.
axfr Test all NS servers for a zone transfer.
goo Perform Google search for subdomains and hosts.
snoop Perform cache snooping against all NS servers for a given domain, testing all with file containing the domains, file given with -D option.
tld Remove the TLD of given domain and test against all TLDs registered in IANA.
zonewalk Perform a DNSSEC zone walk using NSEC records.
-a Perform AXFR with standard enumeration.
-s Perform a reverse lookup of IPv4 ranges in the SPF record with standard enumeration.
-g Perform Google enumeration with standard enumeration.
-w Perform deep whois record analysis and reverse lookup of IP ranges found through Whois when doing a standard enumeration.
-z Performs a DNSSEC zone walk with standard enumeration.
--threads <number> Number of threads to use in reverse lookups, forward lookups, brute force and SRV record enumeration.
--lifetime <number> Time to wait for a server to response to a query.
--db <file> SQLite 3 file to save found records.
--xml <file> XML file to save found records.
--iw Continue brute forcing a domain even if a wildcard records are discovered.
-c, --csv <file> Comma separated value file.
-j, --json <file> JSON file.
-v Show attempts in the brute force modes.
dnsrecon usage
general enumeration
dnsrecon -d asterisk.org
[*] Performing General Enumeration of Domain: asterisk.org
[-] DNSSEC is not configured for asterisk.org
[*] SOA ns.digium.com 216.207.245.18
[*] NS nsx3.digium.com 166.78.177.30
[*] Bind Version for 166.78.177.30 9.8.4-rpz2+rl005.12-P1
[*] NS nsx2.digium.com 216.207.245.19
[*] Bind Version for 216.207.245.19 9.8.1-P1
[*] NS nsx1.digium.com 216.207.245.18
[*] Bind Version for 216.207.245.18 9.8.1-P1
[*] MX mail.digium.com 216.207.245.2
[*] A asterisk.org 216.207.245.25
[*] Enumerating SRV Records
[*] SRV _sip._udp.asterisk.org sip.asterisk.org 204.91.156.60 5060 0
[*] 1 Records Found
For this example I selected a site that would also have SRV records. These records advertise specific services, in this case SIP for VoIP. Here you can see SIP being offered on port 5060 by the host with the address 204.91.156.60.
dnsrecon -D /usr/share/wordlists/dnsmap.txt -t brt -d line.me
[*] Performing host and subdomain brute force against line.me
[*] A ads.line.me 203.104.153.62
[*] A agp.line.me 203.104.153.74
[*] CNAME api.line.me api.line.me.akadns.net
[*] CNAME api.line.me.akadns.net im.api.line.me.edgekey.net
[*] CNAME im.api.line.me.edgekey.net e1102.a1.akamaiedge.net
[*] A e1102.a1.akamaiedge.net 2.17.116.42
[*] A biz.line.me 125.6.149.168
[...]
reverse lookup
dnsrecon -d nmap.org -w
[...]
[*] Performing Whois lookup against records found.
[*] The following IP Ranges where found:
[*] 0) 162.158.0.0-162.159.255.255 Cloudflare, Inc.
[*] 1) 74.125.0.0-74.125.255.255 Google Inc.
[*] 2) 64.233.160.0-64.233.191.255 Google Inc.
[*] 3) 45.33.0.0-45.33.127.255 Linode
[*] What Range do you wish to do a Revers Lookup for?
[*] number, comma separated list, a for all or n for none
3
[*] Linode
[*] Performing Reverse Lookup of range 45.33.0.0-45.33.127.255
[*] Performing Reverse Lookup from 45.33.0.0 to 45.33.127.255
[*] PTR li954-9.members.linode.com 45.33.0.9
[*] PTR li954-4.members.linode.com 45.33.0.4
[*] PTR gw-li954.linode.com 45.33.0.1
[*] PTR li954-7.members.linode.com 45.33.0.7
[*] PTR cloud521.configrapp.com 45.33.0.8
[*] PTR mr2.linode.rbkmoney.net 45.33.0.10
[*] PTR li954-5.members.linode.com 45.33.0.5
[*] PTR rqdq.net 45.33.0.6
[*] PTR li954-12.members.linode.com 45.33.0.12
[...]
working zone transfer
Robin Wood has been nice enough to register a domain that allows zone transfers for testing purposes. It’s called zonetransfer.me, and here we’ll look at partial output from one of the name servers:
dnsrecon -d zonetransfer.me -z
[...]
[*] Performing NSEC Zone Walk for zonetransfer.me
[*] Getting SOA record for zonetransfer.me
[*] Name Server 81.4.108.41 will be used
[*] A zonetransfer.me 217.147.177.157
[*] SRV _sip._tcp.zonetransfer.me www.zonetransfer.me 217.147.177.157 5060 0
[*] A 157.177.147.217.IN-ADDR.ARPA.zonetransfer.me no_ip
[*] A asfdbauthdns.zonetransfer.me no_ip
[*] A asfdbbox.zonetransfer.me 127.0.0.1
[*] A asfdbvolume.zonetransfer.me no_ip
[*] A canberra-office.zonetransfer.me 202.14.81.230
[*] A cmdexec.zonetransfer.me no_ip
[*] A contact.zonetransfer.me no_ip
[*] A dc-office.zonetransfer.me 143.228.181.132
[*] AAAA deadbeef.zonetransfer.me dead:beaf::
[*] A dr.zonetransfer.me no_ip
[*] A DZC.zonetransfer.me no_ip
[*] A email.zonetransfer.me 74.125.206.26
[*] A Info.zonetransfer.me no_ip
[*] A internal.zonetransfer.me no_ip
[*] A intns1.zonetransfer.me 167.88.42.94
[*] A intns2.zonetransfer.me 167.88.42.94
[*] A office.zonetransfer.me 4.23.39.254
[*] AAAA ipv6actnow.org.zonetransfer.me 2001:67c:2e8:11::c100:1332
[*] A owa.zonetransfer.me 207.46.197.32
[*] A robinwood.zonetransfer.me no_ip
[*] A rp.zonetransfer.me no_ip
[*] A sip.zonetransfer.me no_ip
[*] A sqli.zonetransfer.me no_ip
[*] A sshock.zonetransfer.me no_ip
[*] A staging.zonetransfer.me 52.64.62.190
[*] A staging.zonetransfer.me 13.54.224.164
[*] A alltcpportsopen.firewall.test.zonetransfer.me 127.0.0.1
[*] CNAME testing.zonetransfer.me www.zonetransfer.me
[*] A www.zonetransfer.me 217.147.177.157
[*] A vpn.zonetransfer.me 174.36.59.154
[*] A www.zonetransfer.me 217.147.177.157
[*] A xss.zonetransfer.me no_ip
[*] 34 records found
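As an added example (not part of the post or of dnsrecon itself), a small Python script that parses the record lines dnsrecon prints, like those in the brute-force and zone-walk runs above, follows the CNAME chain from api.line.me down to its final address, and groups the zone-walk records a zone owner would want to review (names with no address, loopback targets, services advertised via SRV). The sample lines are copied from the output shown on this page; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: record lines copied from the dnsrecon runs shown on this page.
SAMPLE = """\
[*] CNAME api.line.me api.line.me.akadns.net
[*] CNAME api.line.me.akadns.net im.api.line.me.edgekey.net
[*] CNAME im.api.line.me.edgekey.net e1102.a1.akamaiedge.net
[*] A e1102.a1.akamaiedge.net 2.17.116.42
[*] SRV _sip._tcp.zonetransfer.me www.zonetransfer.me 217.147.177.157 5060 0
[*] A asfdbbox.zonetransfer.me 127.0.0.1
[*] A cmdexec.zonetransfer.me no_ip
[*] A staging.zonetransfer.me 52.64.62.190
[*] 34 records found
"""
# "[*] <TYPE> <name> <value...>"; status lines like "[*] 34 records found" do not match.
RECORD_RE = re.compile(r"^\[\*\] (A|AAAA|CNAME|MX|NS|PTR|SOA|SRV) (\S+) (.+)$")

def parse_dnsrecon(text):
    """Turn dnsrecon console output into (type, name, fields) tuples."""
    records = []
    for line in text.splitlines():
        if m := RECORD_RE.match(line):
            records.append((m.group(1), m.group(2).lower(), m.group(3).split()))
    return records

def resolve_chain(records, name, max_hops=8):
    """Follow CNAMEs from `name` to the A/AAAA records at the end of the chain."""
    cur = name.lower()
    for _ in range(max_hops):  # hop limit guards against CNAME loops in the data
        ips = [f[0] for t, n, f in records if n == cur and t in ("A", "AAAA") and f[0] != "no_ip"]
        if ips:
            return ips
        nxt = [f[0] for t, n, f in records if n == cur and t == "CNAME"]
        if not nxt:
            return []
        cur = nxt[0].lower()
    return []

def audit(records):
    """Group records worth reviewing: no_ip names, loopback targets, SRV (name, host, port)."""
    findings = defaultdict(list)
    for t, n, f in records:
        if t in ("A", "AAAA") and f[0] == "no_ip":
            findings["no_ip"].append(n)
        elif t in ("A", "AAAA") and (f[0].startswith("127.") or f[0] == "::1"):
            findings["loopback"].append(n)
        elif t == "SRV":
            findings["srv"].append((n, f[0], int(f[2])))
    return dict(findings)
```

The same parser works on the `-w` reverse-lookup output above, since PTR lines share the `[*] TYPE name value` shape.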
sample CSV