Thursday, 23 June 2011

dns enumeration

Quick note on DNS enumeration since I might not remember this tool in the morning...

Fierce uses the hosts.txt file that lives in the directory below (its wordlist) to look up any possible DNS A records:
root@bt:/pentest/enumeration/dns/fierce# ./fierce.pl -dns domain.com -threads 5 -wide
DNS Servers for domain.com:
xns1.domain.com
xns2.domain.com

Trying zone transfer first...
Testing xns1.domain.com
Request timed out or transfer not allowed.
Testing xns2.domain.com
Request timed out or transfer not allowed.

Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way... brute force

Checking for wildcard DNS...
Nope. Good.
Now performing 1895 test(s)...

[results snipped]

Subnets found (may want to probe here using nmap or unicornscan):
127.0.0.0-255 : 1 hostnames found.
194.xxx.xxx.0-255 : 8 hostnames found.
194.xxx.xxx.0-255 : 9 hostnames found.
194.xxx.xxx.0-255 : 19 hostnames found.
194.xxx.xxx.0-255 : 2 hostnames found.
212.xxx.xxx.0-255 : 3 hostnames found.

Done with Fierce scan: http://ha.ckers.org/fierce/
Found 42 entries.

Have a nice day.

Indeed we will :)
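To make the steps in that output concrete, here is an added example (my own code, not part of the original post and not Fierce's source) that reproduces two of them: the "Checking for wildcard DNS..." probe and the "Subnets found" grouping. The zone it queries is a constructed in-memory dictionary using RFC 5737 documentation addresses, so it runs offline; `domain.com`, the hostnames, the wordlist and the `resolve` callable are all assumptions. Seeing what the tool actually resolves is the quickest way to decide what your own zone gives away.

```python
import ipaddress
import random
import string
from collections import defaultdict

# Constructed sample zone: what a resolver would return for each name.
# None of these are real hosts; the 194.xxx / 212.xxx values from the post
# are replaced with RFC 5737 documentation addresses.
SAMPLE_ZONE = {
    "www.domain.com":  ["192.0.2.10"],
    "mail.domain.com": ["192.0.2.25"],
    "ftp.domain.com":  ["192.0.2.21"],
    "vpn.domain.com":  ["198.51.100.5"],
    "dev.domain.com":  ["127.0.0.1"],   # the loopback entry seen in the output
}
WORDLIST = ["www", "mail", "ftp", "vpn", "dev", "intranet", "staging"]


def make_resolver(zone, wildcard_ips=None):
    """Return a lookup function name -> list of IPs (stand-in for a real
    DNS query). If wildcard_ips is set, every unknown name resolves to them,
    which is what a *.domain.com record does."""
    def resolve(name):
        if name in zone:
            return list(zone[name])
        if wildcard_ips:
            return list(wildcard_ips)
        return []            # NXDOMAIN
    return resolve


def detect_wildcard(domain, resolve, tries=2):
    """Wildcard check: resolve random labels that cannot legitimately exist.
    Any answer means a wildcard record; its addresses are returned so that
    brute-force hits pointing only at them can be discarded as noise."""
    ips = set()
    for _ in range(tries):
        label = "".join(random.choices(string.ascii_lowercase, k=12))
        ips.update(resolve(f"{label}.{domain}"))
    return ips


def brute_force(domain, wordlist, resolve, wildcard_ips=frozenset()):
    """The 'good old fashioned way': try each word as a subdomain and keep
    (name, ip) pairs that are not just the wildcard answering."""
    found = []
    for word in wordlist:
        name = f"{word}.{domain}"
        for ip in resolve(name):
            if ip not in wildcard_ips:
                found.append((name, ip))
    return found


def group_by_subnet(found):
    """The 'Subnets found' summary: count distinct hostnames per /24."""
    names_per_net = defaultdict(set)
    for name, ip in found:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        names_per_net[str(net)].add(name)
    return {net: len(names) for net, names in sorted(names_per_net.items())}


def run(domain="domain.com", wildcard_ips=None):
    """Full pass over the constructed zone; returns (wildcard ips, hits, subnet counts)."""
    resolve = make_resolver(SAMPLE_ZONE, wildcard_ips)
    wildcard = detect_wildcard(domain, resolve)
    found = brute_force(domain, WORDLIST, resolve, wildcard)
    return wildcard, found, group_by_subnet(found)


if __name__ == "__main__":
    wc, hosts, subnets = run()
    print("wildcard:", "Nope. Good." if not wc else sorted(wc))
    for name, ip in hosts:
        print(f"{ip}\t{name}")
    for net, n in subnets.items():
        print(f"{net} : {n} hostnames found.")
    # Same zone with a wildcard at 192.0.2.99: the random-label probe sees it
    # and the two wordlist entries that only hit the wildcard are filtered out.
    wc2, hosts2, _ = run(wildcard_ips={"192.0.2.99"})
    print("wildcard:", sorted(wc2), "real hosts:", len(hosts2))
```

To point this at a zone you administer, replace `make_resolver` with a function wrapping `socket.gethostbyname_ex` (or a dnspython query); the filtering and grouping logic stays the same. The loopback subnet in the output above is exactly the kind of thing this surfaces: a public name resolving to 127.0.0.1 is usually a stale or mis-scoped record worth cleaning up.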
