DNSenum: A command-line Information Gathering Tool

Ankita Sinha
Mar 12, 2022


Olá👋 I’m Ankita Sinha, an MTech CSE student specializing in Information Security. You can connect with me on LinkedIn and GitHub.

DNSenum is a command-line tool that automatically identifies essential DNS records for a domain, such as MX (mail exchange servers), NS (name servers) and A (the address record). It also attempts zone transfers against every name server it identifies. It can perform reverse resolution (obtaining the hostname for a given IP address) and brute forcing (querying for the existence of candidate hostnames to obtain their IP addresses) of subdomains and hostnames. DNSenum is a multi-threaded Perl script that enumerates a domain’s DNS information and discovers non-contiguous IP blocks.

Operations:

1) Get the host’s address (A record).

2) Get the name servers (threaded).

3) Get the MX record (threaded).

4) Perform axfr queries on name servers and get BIND VERSION (threaded).

5) Get extra names and subdomains via google scraping (google query = “allinurl: -www site:domain”).

6) Brute force subdomains from a wordlist file; can also recurse into any subdomain that has NS records (threaded).

7) Calculate class C network ranges for the domain and run whois queries on them (threaded).

8) Run reverse lookups on the netranges (class C and/or whois ranges) (threaded).

9) Write IP-blocks to domain_ips.txt.
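
Added illustration of steps 7 and 9 (my own Python, not dnsenum’s Perl code): grouping the addresses resolved in the earlier steps into class C networks and contiguous IP blocks, which also lets a defender see which of their own hosts a reconnaissance run would cluster together. The hostnames and addresses are constructed sample data, and the one-block-per-line layout is an assumption, not dnsenum’s exact domain_ips.txt format.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: hostnames and the A records found in the earlier steps
RESOLVED = {
    "www.example.com": "198.51.100.10",
    "mail.example.com": "198.51.100.11",
    "ns1.example.com": "198.51.100.12",
    "dev.example.com": "198.51.100.20",
    "ns2.example.com": "203.0.113.7",
    "vpn.example.com": "203.0.113.8",
}


def class_c_networks(ips):
    """Return the sorted /24 (class C) networks the addresses fall into (step 7)."""
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ips}
    return [str(net) for net in sorted(nets)]


def ip_blocks(ips):
    """Collapse addresses into contiguous blocks as (first, last) string pairs.

    The gaps between blocks are the non-contiguous IP blocks the article mentions.
    """
    addrs = sorted({ipaddress.ip_address(ip) for ip in ips})
    blocks = []
    for addr in addrs:
        if blocks and int(addr) == int(blocks[-1][1]) + 1:
            blocks[-1][1] = addr          # address extends the current block
        else:
            blocks.append([addr, addr])   # address starts a new block
    return [(str(first), str(last)) for first, last in blocks]


def hosts_per_network(resolved):
    """Group hostnames by /24 so a defender sees what a scan would cluster together."""
    grouped = defaultdict(list)
    for host, ip in resolved.items():
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        grouped[str(net)].append(host)
    return {net: sorted(hosts) for net, hosts in grouped.items()}


def format_ip_blocks(resolved):
    """Render blocks as 'first-last' lines (assumed layout, not the tool's own)."""
    return "\n".join(f"{first}-{last}" for first, last in ip_blocks(resolved.values()))


if __name__ == "__main__":
    print(class_c_networks(RESOLVED.values()))
    print(hosts_per_network(RESOLVED))
    print(format_ip_blocks(RESOLVED))
```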

Commands:

1. dnsenum -h: Prints the help text, which lists all of dnsenum’s options and usages. Refer to it whenever you need the syntax of an option.

2. dnsenum zonetransfer.me: Enumerates a single domain and fetches its host addresses, name servers and MX servers, along with the IP addresses of those hostnames.

3. dnsenum hackthissite.org: The same as the previous command, but for a different domain, ‘hackthissite.org’.

4. dnsenum --private hackthissite.org: Used mainly to view the private addresses for the given domain. It also lists multiple subdomains together with their private addresses.

5. dnsenum --dnsserver 8.8.8.8 -f wordlist.txt google.com: Combines two options. “--dnsserver” specifies the DNS server to query; here it is 8.8.8.8, a public resolver, and the target domain is “google.com”. “-f” supplies a wordlist, and dnsenum brute-forces every subdomain present in that list.

6. dnsenum --noreverse -o mydomain.xml google.com: “--noreverse” skips reverse lookups of the addresses found for the domain. “-o” names the output file, which is written to the present working directory; the format specified here is XML.

7. dnsenum --whois hackthissite.org: A general command used to take information about “who” is logged into the hostname; the IP addresses for those users are displayed in the terminal.

8. sudo dnsenum --enum -f “/usr/share/doc/dnsenum/dns.txt” salesforce.com: “--enum” is a shortcut that bundles the set of enumeration options dnsenum provides into one place. The “dns.txt” file holds the list of keywords that are tried against the searched domain.

9. sudo dnsenum -p 5 -s 5 --threads 2 google.com: Combines three options, -p, -s and --threads, each with its own function. -p sets the number of Google pages to process for the domain; -s relates to Google scraping, which is also used for URL harvesting from the websites; --threads sets the number of threads, a hardware-related setting that speeds up the run according to the CPU configuration.

10. dnsenum hacker.om -v --thread 9: Combines two options, -v and --thread. -v turns on verbose output.

11. dnsenum -p 4 -s 5 -f wordlist.txt google.com: The last command: pages is set to 4, scraping to 5, and brute forcing is carried out with the wordlist against “google.com”.

Conclusion:

DNSenum is a great tool for the information-gathering stage of a penetration test. We have run DNSenum with a set of command lines and analysed forward lookups, reverse lookups and private servers, as well as reconnaissance of various domains.
