
Using dnsenum.pl to gather domain information

OSS 林志斌 1003 views

Project Home Page: http://code.google.com/p/dnsenum/

The purpose of dnsenum is to gather as much information as possible about a domain. The program currently performs the following operations:

1) Get the host's addresses (A records).

2) Get the nameservers (threaded).

3) Get the MX records (threaded).

4) Perform AXFR (zone transfer) queries on the nameservers and get their BIND versions (threaded).

5) Get extra names and subdomains via Google scraping (google query = "allinurl: -www site:domain").

6) Brute force subdomains from a file; can also recurse on subdomains that have NS records (all threaded).

7) Calculate class C network ranges for the domain and perform whois queries on them (threaded).

8) Perform reverse lookups on the netranges (class C and/or whois netranges) (threaded).

9) Write the resulting IP blocks to the file domain_ips.txt.

Even baidu.com's private-network (internal) DNS entries can be seen (running this tool is fairly time-consuming).

[email protected]:/pentest/enumeration/dns/dnsenum# ./dnsenum.pl -f dns.txt --dnsserver 202.108.22.220 baidu.com 
dnsenum.pl VERSION:1.2.2
-----   baidu.com   -----
Host's addresses:
__________________
baidu.com                                600      IN    A        123.125.114.144
baidu.com                                600      IN    A        220.181.111.85
baidu.com                                600      IN    A        220.181.111.86
Name Servers:
______________
dns.baidu.com                            86400    IN    A        202.108.22.220
ns2.baidu.com                            86400    IN    A        61.135.165.235
ns3.baidu.com                            86400    IN    A        220.181.37.10
ns4.baidu.com                            86400    IN    A        220.181.38.10
Mail (MX) Servers:
___________________
mx1.baidu.com                            300      IN    A        61.135.163.61
jpmx.baidu.com                           7200     IN    A        61.208.132.13
mx50.baidu.com                           300      IN    A        220.181.50.208
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
Trying Zone Transfer for baidu.com on ns4.baidu.com ... 
AXFR record query failed: NOERROR
ns4.baidu.com Bind Version:     baidu dns
Trying Zone Transfer for baidu.com on ns2.baidu.com ... 
AXFR record query failed: NOERROR
ns2.baidu.com Bind Version:     baidu dns
Trying Zone Transfer for baidu.com on dns.baidu.com ... 
AXFR record query failed: NOERROR
dns.baidu.com Bind Version:     baidu dns
Trying Zone Transfer for baidu.com on ns3.baidu.com ... 
AXFR record query failed: NOERROR
ns3.baidu.com Bind Version:     baidu dns
Brute forcing with dns.txt:
____________________________
999.baidu.com                            7200     IN    CNAME              
a.baidu.com                              7200     IN    CNAME              
abc.baidu.com                            600      IN    CNAME              
accounts.baidu.com                       7200     IN    A        10.11.252.74
act.baidu.com                            7200     IN    CNAME              
apps.baidu.com                           7200     IN    CNAME              
avatar.baidu.com                         7200     IN    A        10.26.137.29
census.baidu.com                         7200     IN    CNAME              
d.baidu.com                              7200     IN    CNAME              
dns.baidu.com                            86400    IN    A        202.108.22.220
dns1.baidu.com                           86400    IN    A        220.181.38.10
dnsmaster.baidu.com                      7200     IN    CNAME              
e.baidu.com                              7200     IN    CNAME              
f.baidu.com                              7200     IN    CNAME              
file.baidu.com                           7200     IN    CNAME              
finance.baidu.com                        7200     IN    CNAME              
g.baidu.com                              7200     IN    CNAME              
it.baidu.com                             7200     IN    A        172.22.5.26
it.baidu.com                             7200     IN    A        172.22.1.54
lab.baidu.com                            7200     IN    CNAME     
log.baidu.com                            7200     IN    CNAME              
log.internal.bae.baidu.com               5        IN    A        10.26.39.14
log.internal.bae.baidu.com               5        IN    A        10.81.45.245
logo.baidu.com                           7200     IN    CNAME              
mail.baidu.com                           7200     IN    CNAME              
map.baidu.com                            7200     IN    CNAME              
mobile.baidu.com                         7200     IN    CNAME              
mx.baidu.com                             300      IN    A        61.135.163.61
mx1.baidu.com                            300      IN    A        61.135.163.61
mx12.baidu.com                           300      IN    A        220.181.18.241
mx3.baidu.com                            300      IN    A        61.135.162.61
news.baidu.com                           1200     IN    CNAME              
nova.baidu.com                           7200     IN    CNAME              
nova.offline.bae.baidu.com               5        IN    A        10.23.250.25
nova.offline.bae.baidu.com               5        IN    A        10.23.247.91
ns1.baidu.com                            86400    IN    A        202.108.22.220
ns2.baidu.com                            86400    IN    A        61.135.165.235
pan.baidu.com                            7200     IN    CNAME              
portal.baidu.com                         7200     IN    A        172.22.1.82
smtp.baidu.com                           300      IN    CNAME              
survey.baidu.com                         7200     IN    A        202.108.22.67
test.baidu.com                           7200     IN    CNAME              
training.baidu.com                       7200     IN    A        10.23.1.162
tu.baidu.com                             7200     IN    CNAME              
w.baidu.com                              7200     IN    CNAME              
webmail.baidu.com                        1200     IN    CNAME              
win.baidu.com                            7200     IN    A        10.65.19.212
ww.baidu.com                             7200     IN    CNAME              
www.baidu.com                            1200     IN    CNAME              
wwww.baidu.com                           7200     IN    CNAME              
baidu.com class C netranges:
_____________________________
61.135.162.0/24
61.135.163.0/24
61.135.165.0/24
61.208.132.0/24
123.125.114.0/24
202.108.22.0/24
220.181.18.0/24
220.181.37.0/24
220.181.38.0/24
220.181.50.0/24
220.181.111.0/24
Performing reverse lookup on 2816 ip addresses:
________________________________________________
1.165.135.61.in-addr.arpa                7200     IN    PTR                
1 results out of 2816 IP addresses.
baidu.com ip blocks:
_____________________
61.135.165.1/32
done.
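
The run above shows two things worth checking from the zone owner's side: the class C netranges dnsenum derives from the public A records (step 7, which is where the figure of 2816 reverse-lookup targets comes from), and the internal 10.x/172.22.x addresses that are being answered from a public-facing resolver. The following is an added example, not part of the original post and not code from dnsenum itself. It parses record lines in the column layout dnsenum prints, separates public from private answers, rebuilds the /24 ranges and their address count, and turns the answered in-addr.arpa PTR name back into the IP block listed under "ip blocks" (step 9). The sample input is constructed from the run above; the function names are my own.

```python
import ipaddress
import re

# Constructed sample in the column layout dnsenum prints (name, TTL, class,
# type, rdata). Values are taken from the run above. CNAME and PTR lines in
# that output carry no rdata, which the parser has to tolerate.
SAMPLE_OUTPUT = """\
baidu.com                                600      IN    A        123.125.114.144
baidu.com                                600      IN    A        220.181.111.85
dns.baidu.com                            86400    IN    A        202.108.22.220
ns2.baidu.com                            86400    IN    A        61.135.165.235
ns3.baidu.com                            86400    IN    A        220.181.37.10
ns4.baidu.com                            86400    IN    A        220.181.38.10
mx1.baidu.com                            300      IN    A        61.135.163.61
jpmx.baidu.com                           7200     IN    A        61.208.132.13
mx50.baidu.com                           300      IN    A        220.181.50.208
mx12.baidu.com                           300      IN    A        220.181.18.241
mx3.baidu.com                            300      IN    A        61.135.162.61
999.baidu.com                            7200     IN    CNAME
accounts.baidu.com                       7200     IN    A        10.11.252.74
it.baidu.com                             7200     IN    A        172.22.5.26
log.internal.bae.baidu.com               5        IN    A        10.26.39.14
portal.baidu.com                         7200     IN    A        172.22.1.82
win.baidu.com                            7200     IN    A        10.65.19.212
1.165.135.61.in-addr.arpa                7200     IN    PTR
"""

# name, TTL, "IN", type, optional rdata; headers and progress lines do not match
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s*(\S*)\s*$")


def parse_records(text):
    """Return (name, ttl, type, rdata) tuples; lines that are not records are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.rstrip())
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name, int(ttl), rtype, rdata))
    return records


def split_by_scope(records):
    """Split A records into public and private (RFC 1918 and similar) answers."""
    public, private = {}, {}
    for name, _ttl, rtype, rdata in records:
        if rtype != "A" or not rdata:
            continue
        addr = ipaddress.ip_address(rdata)
        bucket = private if addr.is_private else public
        bucket.setdefault(name, set()).add(str(addr))
    return public, private


def class_c_ranges(public):
    """Step 7 of dnsenum: the /24 containing each public A address, numerically sorted."""
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False)
            for ips in public.values() for ip in ips}
    return [str(n) for n in sorted(nets)]


def reverse_lookup_count(ranges):
    """How many addresses dnsenum would PTR-query over these ranges (step 8)."""
    return sum(ipaddress.ip_network(r).num_addresses for r in ranges)


def ip_blocks_from_ptr(records):
    """Step 9: map answered in-addr.arpa names back to addresses and collapse them."""
    nets = []
    for name, _ttl, rtype, _rdata in records:
        if rtype == "PTR" and name.endswith(".in-addr.arpa"):
            octets = name[: -len(".in-addr.arpa")].split(".")[::-1]
            nets.append(ipaddress.ip_network(".".join(octets)))  # single host -> /32
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def audit(text):
    """Summarise a dnsenum run: derived ranges plus internal addresses exposed publicly."""
    records = parse_records(text)
    public, private = split_by_scope(records)
    ranges = class_c_ranges(public)
    return {
        "class_c": ranges,
        "reverse_lookup_targets": reverse_lookup_count(ranges),
        "leaked_private": sorted((n, ip) for n, ips in private.items() for ip in ips),
        "ip_blocks": ip_blocks_from_ptr(records),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_OUTPUT)
    print(f"{len(result['class_c'])} class C ranges, "
          f"{result['reverse_lookup_targets']} reverse-lookup targets")
    for name, ip in result["leaked_private"]:
        print(f"internal address answered from public DNS: {name} -> {ip}")
    print("ip blocks:", ", ".join(result["ip_blocks"]))
```

With the sample above the eleven /24s come out in the same numeric order dnsenum prints them, and 11 × 256 gives the 2816 addresses of the reverse-lookup phase. The "leaked_private" list is the part a zone owner should act on: names whose A records resolve to internal space from a public resolver usually indicate a split-horizon setup that is not actually split, and the fix is on the DNS side (serve those names only to internal clients), not on the enumeration tool.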

[email protected]:/pentest/enumeration/dns/dnsenum# ./dnsenum.pl --help
dnsenum.pl VERSION:1.2.2
Usage: dnsenum.pl [Options] <domain> 
[Options]:
Note: the brute force -f switch is obligatory.
GENERAL OPTIONS:
--dnsserver   <server>
Use this DNS server for A, NS and MX queries.
--enum                Shortcut option equivalent to --threads 5 -s 20 -w.
-h, --help            Print this help message.
--noreverse           Skip the reverse lookup operations.
--private             Show and save private ips at the end of the file domain_ips.txt.
--subfile <file>      Write all valid subdomains to this file.
-t, --timeout <value> The tcp and udp timeout values in seconds (default: 10s).
--threads <value>     The number of threads that will perform different queries.
-v, --verbose         Be verbose: show all the progress and all the error messages.
GOOGLE SCRAPING OPTIONS:
-p, --pages <value>   The number of google search pages to process when scraping names, 
the default is 20 pages, the -s switch must be specified.
-s, --scrap <value>   The maximum number of subdomains that will be scraped from Google.
BRUTE FORCE OPTIONS:
-f, --file <file>     Read subdomains from this file to perform brute force.
-u, --update  <a|g|r|z>
Update the file specified with the -f switch with valid subdomains.
a (all)         Update using all results.
g               Update using only google scraping results.
r               Update using only reverse lookup results.
z               Update using only zonetransfer results.
-r, --recursion       Recursion on subdomains, brute force all discovred subdomains that have an NS record.
WHOIS NETRANGE OPTIONS:
-d, --delay <value>   The maximum value of seconds to wait between whois queries, the value is defined randomly, default: 3s.
-w, --whois           Perform the whois queries on c class network ranges.
**Warning**: this can generate very large netranges and it will take lot of time to performe reverse lookups.
REVERSE LOOKUP OPTIONS:
-e, --exclude <regexp>
Exclude PTR records that match the regexp expression from reverse lookup results, useful on invalid hostnames.
OUTPUT OPTIONS:
-o --output <file>    Output in XML format. Can be imported in MagicTree (www.gremwell.com)

Please credit when reposting: 林志斌 » Using dnsenum.pl to gather domain information
