
[Kali Attack & Defense series] dnsenum (DNS information-gathering tool)

Introduction

dnsenum is a tool that, starting from a domain name, looks up its IP addresses, name servers and mail servers, checks for DNS zone-transfer vulnerabilities, brute-forces subdomains, and more.

DNS zone transfer

DNS servers come in three roles: primary servers, secondary (backup) servers and caching servers. Keeping the zone database in sync between primary and secondary servers is done with a "DNS zone transfer": the secondary server copies the zone data from the primary and uses it to update its own database.

A DNS zone-transfer vulnerability means the primary server is misconfigured so that anyone, not just the authorised secondaries, can request a copy of the zone from it and thereby obtain every record the DNS server holds.

Basic usage

Help output

[email protected]:~$ dnsenum --help
dnsenum VERSION:1.2.6
Usage: dnsenum [Options] <domain>
[Options]:
Note: If no -f tag supplied will default to /usr/share/dnsenum/dns.txt or
the dns.txt file in the same directory as dnsenum.pl
GENERAL OPTIONS:
--dnsserver <server>
Use this DNS server for A, NS and MX queries.
--enum Shortcut option equivalent to --threads 5 -s 15 -w.
-h, --help Print this help message.
--noreverse Skip the reverse lookup operations.
--nocolor Disable ANSIColor output.
--private Show and save private ips at the end of the file domain_ips.txt.
--subfile <file> Write all valid subdomains to this file.
-t, --timeout <value> The tcp and udp timeout values in seconds (default: 10s).
--threads <value> The number of threads that will perform different queries.
-v, --verbose Be verbose: show all the progress and all the error messages.
GOOGLE SCRAPING OPTIONS:
-p, --pages <value> The number of google search pages to process when scraping names,
the default is 5 pages, the -s switch must be specified.
-s, --scrap <value> The maximum number of subdomains that will be scraped from Google (default 15).
BRUTE FORCE OPTIONS:
-f, --file <file> Read subdomains from this file to perform brute force. (Takes priority over default dns.txt)
-u, --update <a|g|r|z>
Update the file specified with the -f switch with valid subdomains.
a (all) Update using all results.
g Update using only google scraping results.
r Update using only reverse lookup results.
z Update using only zonetransfer results.
-r, --recursion Recursion on subdomains, brute force all discovered subdomains that have an NS record.
WHOIS NETRANGE OPTIONS:
-d, --delay <value> The maximum value of seconds to wait between whois queries, the value is defined randomly, default: 3s.
-w, --whois Perform the whois queries on c class network ranges.
**Warning**: this can generate very large netranges and it will take lot of time to perform reverse lookups.
REVERSE LOOKUP OPTIONS:
-e, --exclude <regexp>
Exclude PTR records that match the regexp expression from reverse lookup results, useful on invalid hostnames.
OUTPUT OPTIONS:
-o --output <file> Output in XML format. Can be imported in MagicTree (www.gremwell.com)

Usage example

[email protected]:~$ dnsenum -f 1.txt --noreverse pefish.club  // brute-force subdomains from 1.txt and skip reverse lookups (i.e. do not enumerate the IPs found and query them for domain names / probe the name servers)
dnsenum VERSION:1.2.6

----- pefish.club -----


Host's addresses:
__________________

pefish.club. 300 IN A 104.18.33.51
pefish.club. 300 IN A 104.18.32.51


Name Servers:
______________

alexia.ns.cloudflare.com. 86400 IN A 162.159.38.175
nitin.ns.cloudflare.com. 86400 IN A 173.245.59.215


Mail (MX) Servers:
___________________



Trying Zone Transfers and getting Bind Versions:
_________________________________________________


Trying Zone Transfer for pefish.club on alexia.ns.cloudflare.com ...
AXFR record query failed: FORMERR

Trying Zone Transfer for pefish.club on nitin.ns.cloudflare.com ...
AXFR record query failed: FORMERR


Brute forcing with 1.txt:
__________________________

www.pefish.club. 300 IN A 104.18.33.51
www.pefish.club. 300 IN A 104.18.32.51


pefish.club class C netranges:
_______________________________

104.18.32.0/24
104.18.33.0/24


pefish.club ip blocks:
_______________________

104.18.32.51/32
104.18.33.51/32

done.
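The zone-transfer section above and the two "AXFR record query failed: FORMERR" lines in this run are the same check seen from two sides. As an added example (not dnsenum's own code), here is a minimal stand-alone AXFR probe in Python using only the standard library: it builds the AXFR query, sends it over TCP the way dnsenum does, and reports whether the server handed over the zone or denied it and with which RCODE, which is useful for verifying your own name servers. The name server and zone given on the command line are assumptions; the RCODE names are the standard RFC 1035 values.

```python
import socket
import struct

# Standard DNS RCODE values (RFC 1035, RFC 2136).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(domain):
    """Encode a domain name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in domain.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_axfr_query(domain, txid=0x1234):
    """Build a DNS message with one question: QTYPE=AXFR (252), QCLASS=IN (1)."""
    # Header: ID, flags=0 (RD cleared, the query goes straight to the
    # authoritative server), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0.
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = encode_name(domain) + struct.pack("!HH", 252, 1)
    return header + question

def parse_header(msg):
    """Return (txid, rcode_name, ancount) from the 12-byte DNS header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return txid, RCODES.get(rcode, f"RCODE{rcode}"), an

def classify(msg):
    """Verdict: the zone was handed over, or the transfer was denied and how."""
    _, rcode, ancount = parse_header(msg)
    if rcode == "NOERROR" and ancount > 0:
        return "ZONE TRANSFER ALLOWED"
    return f"denied ({rcode})"

def try_axfr(nameserver, domain, timeout=10):
    """Send the AXFR over TCP (2-byte length prefix, RFC 1035 4.2.2) and classify the first reply."""
    query = build_axfr_query(domain)
    with socket.create_connection((nameserver, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        length = struct.unpack("!H", s.recv(2))[0]
        data = b""
        while len(data) < length:          # a reply may arrive in several segments
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return classify(data)

if __name__ == "__main__":
    import sys
    print(try_axfr(sys.argv[1], sys.argv[2]))   # e.g. try_axfr("ns1.example.com", "example.com")
```

A properly configured server answers with REFUSED or NOTAUTH (Cloudflare's servers above answered FORMERR); a NOERROR reply carrying answer records means the zone is exposed and the server's allow-transfer list needs fixing.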

Next in this series

dnsrecon
