Saturday, March 29, 2014

DNSMAP Tool on Kali linux

·      Obtain all A records (i.e. IP addresses) associated to each successfully brute forced sub domain, rather than just one IP address per sub domain.
·      Abort the brute forcing process in case the target domain uses wildcards.
·      Ability to be able to run the tool without providing a word list by using a built-in list of keywords.
·      Brute forcing by using a user-supplied word list (as opposed to the built-in word list).
·      Saving the results in human-readable and CSV format for easy processing.
·      Improved built-in subdomains wordlist.
·      New bash script ( included which allows running Dnsmap against a list of domains from a user-supplied file. i.e.: brute forcing several domains in a bulk fashion.
·      Bypassing of signature-based Dnsmap detection by generating a proper pseudo-random sub domain when checking for wildcards (Unique Feature).

Why to use DNSMAP Tool ?

1. Finding interesting remote access servers.

2. Finding badly configured and/or unpatched servers.

3. Finding new domain names which will allow you to map non-obvious/hard-to-find net blocks.

4. Sometimes you find that some brute forced sub domains resolve to internal IP addresses (RFC 1918). This is great as sometimes they are real up-to-date “A” records which means that it *is* possible to enumerate internal servers of a target organization from the Internet by only using standard DNS resolving (as opposed to zone transfers for instance).

5. Discover embedded devices configured using Dynamic DNS services.

How to use DNSMAP tool on Kali Linux

Step 1 : Open the DNSMAP Tool on Kali Linux
There are multiple ways to open the DNSMAP tool over the Kali Linux:
a. Using GUI Menu:  Go to Menu Bar and Click on Applications --> Kali Linux --> Information Gathering  --> DNS Analysis --> DNSMAP

b. Using Terminal : Run the below command in terminal

cd /pentest/enumeration/dns/dnsmap/ 
Step 2 : Select the Target and Start the Scan
Say we want to gather information regarding Google. Then in order to run the DNSMAP we have to run below command @ DNSMAP:

When you press enter button you will see the results like below :

root@VH0:~# dnsmap 
dnsmap 0.30 - DNS Network Mapper by pagvac (

[+] searching (sub)domains for using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests
IPv6 address #1: 2404:6800:4003:c00::54
IP address #1:
IPv6 address #1: 2404:6800:4003:805::1005
IP address #1:
IP address #2:
IP address #3:
IP address #4:
IP address #5:
IP address #6:
IP address #7:
IP address #8:
IP address #9:
IP address #10:
IP address #11:
IPv6 address #1: 2404:6800:4003:806::1010
IP address #1:
IP address #2:
IP address #3:
IP address #4:
IP address #5:

As you all can see above that DNSMAP has scanned all the sub domains of Google along with all A records i.e. IP address of Google sub domains.

Now the above was a simplest way of using DNSMAP. In order to perform more deep search there are several Advanced options available in DNSMAP tool which are listed below :

-w <wordlist-file>
Input file to use for brute force

-r <regular-results-file>
Export results as text format

-c <csv-results-file>
Save files as csv format

-d <delay-millisecs>
Maximum delay (in ms) between 2 DNS lookups(default: 10 ms)

-i <ips-to-ignore>
Useful if you're obtaining false positives

Examples for using advanced options :

If you have a custom wordlist of subdomains you can use that as well simply by specifying the -w argument and then the path to the wordlist.
./dnsmap -w yourwordlist.txt -r /tmp/domainbf_results.txt

./dnsmap -r /tmp/ -d 3000

./dnsmap -r ./subdomainbruteforce_results.txt

No comments:

Post a Comment

Google+ Followers

Contact Form


Email *

Message *