· Obtain all A records (i.e. IP addresses) associated with each successfully brute-forced subdomain, rather than just one IP address per subdomain.
· Abort the brute-forcing process if the target domain uses wildcards.
· Ability to run the tool without providing a wordlist, by using a built-in list of keywords.
· Brute forcing using a user-supplied wordlist (as opposed to the built-in wordlist).
· Improved built-in subdomain wordlist.
· New bash script (dnsmap-bulk.sh) included, which allows running Dnsmap against a list of domains from a user-supplied file, i.e. brute forcing several domains in bulk.
· Bypassing of signature-based Dnsmap detection by generating a proper pseudo-random subdomain when checking for wildcards (unique feature).
Why use the DNSMAP tool?
1. Finding interesting remote access servers.
2. Finding badly configured and/or unpatched servers.
3. Finding new domain names which will allow you to map non-obvious/hard-to-find net blocks.
4. Sometimes you find that some brute-forced subdomains resolve to internal IP addresses (RFC 1918). This is great, as sometimes they are real, up-to-date "A" records, which means that it *is* possible to enumerate internal servers of a target organization from the Internet using only standard DNS resolution (as opposed to zone transfers, for instance).
5. Discovering embedded devices configured using Dynamic DNS services.
How to use the DNSMAP tool on Kali Linux
Step 1: Open the DNSMAP tool on Kali Linux
There are multiple ways to open the DNSMAP tool on Kali Linux:
a. Using the GUI menu:
Go to the menu bar and click Applications --> Kali Linux --> Information Gathering --> DNS Analysis --> DNSMAP
b. Using the terminal:
Run the command below in a terminal:
cd /pentest/enumeration/dns/dnsmap/
Step 2: Select the target and start the scan
Say we want to gather information about Google. To run DNSMAP against it, we run the command below from the DNSMAP directory:
./dnsmap google.com
When you press Enter you will see results like the following:
root@VH0:~# dnsmap google.com
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)
[+] searching (sub)domains for google.com using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests
accounts.google.com
IPv6 address #1: 2404:6800:4003:c00::54
accounts.google.com
IP address #1: 74.125.200.84
admin.google.com
IPv6 address #1: 2404:6800:4003:805::1005
admin.google.com
IP address #1: 173.194.117.3
IP address #2: 173.194.117.4
IP address #3: 173.194.117.5
IP address #4: 173.194.117.6
IP address #5: 173.194.117.7
IP address #6: 173.194.117.8
IP address #7: 173.194.117.9
IP address #8: 173.194.117.14
IP address #9: 173.194.117.0
IP address #10: 173.194.117.1
IP address #11: 173.194.117.2
ap.google.com
IPv6 address #1: 2404:6800:4003:806::1010
ap.google.com
IP address #1: 173.194.117.52
IP address #2: 173.194.117.48
IP address #3: 173.194.117.49
IP address #4: 173.194.117.50
IP address #5: 173.194.117.51
As you can see above, DNSMAP has enumerated the google.com subdomains it found with its built-in wordlist, along with all the A records (i.e. IP addresses) for each of them.
The above was the simplest way of using DNSMAP. To perform a deeper search, there are several advanced options available in the DNSMAP tool, which are listed below:
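As an added example (not part of the original post or of the dnsmap project), here is a small Python script that parses dnsmap's text output, in the format shown above, into hostname-to-address lists and then flags any hostname whose A records fall in RFC 1918 space, the situation described in point 4 of the list above. The sample output it runs on is constructed, using documentation address ranges rather than real records.

```python
import ipaddress
import re
from collections import OrderedDict

# Constructed sample in the dnsmap 0.30 output format shown above (documentation
# ranges instead of real addresses; the "intranet" host is made up to show the
# RFC 1918 case from point 4 of the list above).
SAMPLE_OUTPUT = """\
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)
[+] searching (sub)domains for example.com using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests
accounts.example.com
IPv6 address #1: 2001:db8::54
accounts.example.com
IP address #1: 203.0.113.84
admin.example.com
IP address #1: 203.0.113.3
IP address #2: 203.0.113.4
intranet.example.com
IP address #1: 10.20.30.40
"""

# An "IP address #n:" or "IPv6 address #n:" record line; any other non-banner line is a hostname.
ADDR_RE = re.compile(r"^IP(?:v6)? address #\d+:\s*(\S+)$")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_dnsmap(text):
    """Map each hostname in dnsmap's text output to the addresses printed under it."""
    results = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[+]") or line.startswith("dnsmap "):
            continue  # blank lines and the banner/status lines carry no records
        match = ADDR_RE.match(line)
        if match and current is not None:
            results[current].append(match.group(1))
        elif not match:
            current = line  # dnsmap repeats the hostname before each address family
            results.setdefault(current, [])
    return results


def is_rfc1918(addr):
    """True for an IPv4 address inside 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def internal_hosts(results):
    """Hostnames whose records point at RFC 1918 space, i.e. internal names exposed via public DNS."""
    return {host: [a for a in addrs if is_rfc1918(a)]
            for host, addrs in results.items() if any(is_rfc1918(a) for a in addrs)}
```

Pipe a real run through it (`./dnsmap yourdomain -r out.txt`, then parse `out.txt`) to spot internal names your own zone leaks, which is the defender's view of point 4.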
-w <wordlist-file>          Input file to use for brute force
-r <regular-results-file>   Export results in text format
-c <csv-results-file>       Save results in CSV format
-d <delay-millisecs>        Maximum delay (in ms) between 2 DNS lookups (default: 10 ms)
-i <ips-to-ignore>          Useful if you're obtaining false positives
Examples using the advanced options:
If you have a custom wordlist of subdomains you can use that as well, simply by specifying the -w argument followed by the path to the wordlist:
./dnsmap google.com -w yourwordlist.txt -r /tmp/domainbf_results.txt
Save the results under /tmp/ and allow a maximum random delay of 3000 ms between lookups:
./dnsmap google.com -r /tmp/ -d 3000
Export the results as a text file in the current directory:
./dnsmap google.com -r ./subdomainbruteforce_results.txt