INTRODUCTION
If you want to gather information about a target's DNS, you should probably use a tool like dnsdict6 to help you enumerate many of the details which are not easily apparent to your average user or web surfer.
With dnsdict6 you can find information such as:
- Subdomain info
- All IPv4 and IPv6 addresses
- Details of SRV records
- Details of Name Server (NS) and Mail Exchanger (MX) records
So, now we will jump into dnsdict6 on Kali Linux, your best option for a penetration testing distribution.
HOW TO OPEN DNSDICT6 ON KALI LINUX
To open dnsdict6, go to Kali Linux > Information Gathering > DNS Analysis > dnsdict6. See the image below:
DNSDICT6 OPENED
Once you have opened dnsdict6, you will find various options on your screen. A good pen tester will always read and understand all the options at their disposal. So let's see what kind of options we have, with some examples:
- -4 : also dump IPv4 addresses. Try this example on your terminal:
  Example > dnsdict6 -4 [url]
- -t [#] : specify the number of threads. Remember the default is 8 and the maximum you can use is 32.
  Example > dnsdict6 -d -t 18 [url]
- -d : display IPv6 information on the NS and MX records of the domain.
  Example > dnsdict6 -d [url]
- -S : perform SRV service record enumeration.
  Example > dnsdict6 -S -t 21 [url]
- -[smlx] : choose the size of the built-in dictionary: -s small, -m medium, -l large, -x xtreme.
For more information you can see the below image:
DNSDICT HELP OPTION
If you need help, you can use the help option. The command is:
dnsdict6 -h
See the result of this command in the image below:
EXAMPLE 1 : ENUMERATION WITH DEFAULT SETTINGS
This example shows the DNS entries of a given URL. The command is:
dnsdict6 facebook.com
When you run this command without specifying any options, it automatically takes the default number of threads (8) and the default dictionary size, -m (medium, 796 entries). This command takes 1 – 2 minutes to complete. See the image below:
EXAMPLE OUTPUT
Here is the output of the command we just ran. It shows the different DNS entries on your screen with their IPv6 addresses. This tool shows you a big list of entries if you are enumerating a larger web domain, such as facebook, google, etc. See the image below:
EXAMPLE 2 : ENUMERATING DNS RECORDS
In this example, you will find the Name Server (NS) and Mail Exchange (MX) records. To see the NS and MX records, you have to use the -d option, as we did in our example.
After running the command, it shows the DNS records of google.com with IPv4 addresses. Why IPv4 addresses? Because we used the -4 option with the command, which dumps all the IPv4 addresses.
Remember: if we don't specify any threads or dictionary size, it takes the default threads (8) and dictionary size (medium).
EXAMPLE 3 : ENUMERATE IPV4, IPV6, NAME SERVER AND MAIL SERVER WITH OPTIONS
This example is the same as the one above for enumerating NS and MX records, but the main difference is that we are going to set the number of threads and the dictionary size manually. The command is:
dnsdict6 -d46 -t 32 -x google.com
This command will display the NS and MX records with their IPv4 and IPv6 addresses; the number of threads we use is 32 and the dictionary size we use is xtreme (-x).
So try this example and you will be able to gather as much information as you can.
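To make the options and the three examples above concrete, here is an added Python script written for this article; it is not code from dnsdict6 or the thc-ipv6 project. It reproduces the tool's core loop: take a dictionary, prepend each word to the target domain, resolve A (IPv4, as with -4) and AAAA (IPv6) records from a thread pool capped at 32 like -t, and report the names that exist. The resolver is injected, so the script runs offline against a constructed zone (the example.com names and the 192.0.2.x / 2001:db8:: addresses are documentation ranges, not real hosts); system_resolver() shows how the same loop would use the OS stub resolver. The wordlists are constructed stand-ins for the -s and -m sizes, not the tool's real dictionaries.

```python
"""Dictionary-based DNS name enumeration in the style of dnsdict6.

Added example for this article, not code from dnsdict6 / thc-ipv6.
The resolver is injected so the loop can run offline against a constructed zone.
"""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List

# Constructed stand-ins for the built-in -s / -m dictionaries (the real ones are far larger).
DICTIONARIES: Dict[str, List[str]] = {
    "s": ["www", "mail", "ns1"],
    "m": ["www", "mail", "ns1", "ns2", "ftp", "vpn", "api"],
}

MAX_THREADS = 32  # dnsdict6 caps -t at 32; the default is 8

# A resolver maps (fqdn, "A" | "AAAA") -> list of addresses (empty if the name does not exist)
Resolver = Callable[[str, str], List[str]]


def system_resolver(name: str, rrtype: str) -> List[str]:
    """Resolve through the OS stub resolver (needs network; not used by the offline demo)."""
    family = socket.AF_INET if rrtype == "A" else socket.AF_INET6
    try:
        infos = socket.getaddrinfo(name, None, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def enumerate_subdomains(domain: str, words: List[str], resolver: Resolver,
                         want4: bool = True, want6: bool = True,
                         threads: int = 8) -> Dict[str, Dict[str, List[str]]]:
    """Probe <word>.<domain> for every dictionary word; return {fqdn: {rrtype: [addresses]}}.

    want4 / want6 mirror the -4 option and the default IPv6 behaviour; threads mirrors -t.
    """
    threads = max(1, min(threads, MAX_THREADS))
    rrtypes = [t for t, wanted in (("A", want4), ("AAAA", want6)) if wanted]

    def probe(word: str):
        fqdn = f"{word}.{domain}"
        answers = {t: resolver(fqdn, t) for t in rrtypes}
        return fqdn, {t: addrs for t, addrs in answers.items() if addrs}

    results: Dict[str, Dict[str, List[str]]] = {}
    with ThreadPoolExecutor(max_workers=threads) as pool:
        for fqdn, found in pool.map(probe, words):
            if found:  # names with no answer (NXDOMAIN) are simply skipped
                results[fqdn] = found
    return results


# Constructed zone so the demo runs offline (documentation names and address ranges).
FAKE_ZONE: Dict[tuple, List[str]] = {
    ("www.example.com", "A"): ["192.0.2.10"],
    ("www.example.com", "AAAA"): ["2001:db8::10"],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("vpn.example.com", "AAAA"): ["2001:db8::53"],
}


def fake_resolver(name: str, rrtype: str) -> List[str]:
    """Answer only from FAKE_ZONE; every other name behaves like NXDOMAIN."""
    return FAKE_ZONE.get((name, rrtype), [])


if __name__ == "__main__":
    # Rough equivalent of: dnsdict6 -4 -m -t 8 example.com, run against the constructed zone
    hits = enumerate_subdomains("example.com", DICTIONARIES["m"], fake_resolver, threads=8)
    for fqdn, rrs in hits.items():
        for rrtype, addrs in rrs.items():
            print(f"{fqdn:<24} {rrtype:<5} {', '.join(addrs)}")
```

Swap fake_resolver for system_resolver to query real DNS for a domain you are authorised to assess. It is worth seeing what the loop produces on the wire: one A and one AAAA query per dictionary word, most of them answered NXDOMAIN, so a run with the -x dictionary and 32 threads shows up in the authoritative server's query logs as a burst of NXDOMAIN responses to one client, which is exactly the signal a domain owner can alert on.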
EXAMPLE 4 : ENUMERATE SRV SERVICE RECORDS
Finally, we will take a look at an SRV record example.
First, we should understand what an SRV record actually is (according to Wikipedia):
A Service record (SRV record) is a specification of data in the Domain Name System defining the location, i.e. the hostname and port number, of servers for specified services. It is defined in RFC 2782, and its type code is 33. Some Internet protocols such as the Session Initiation Protocol (SIP) and the Extensible Messaging and Presence Protocol (XMPP) often require SRV support by network elements.
An SRV record has the form:
_service._proto.name. TTL class SRV priority weight port target
Now look at the example and analyse the fields of the SRV record:
- service: the symbolic name of the desired service.
- proto: the transport protocol of the desired service; this is usually either TCP or UDP.
- name: the domain name for which this record is valid, ending in a dot.
- TTL: standard DNS time to live field.
- class: standard DNS class field (this is always IN).
- priority: the priority of the target host; a lower value means more preferred.
- weight: a relative weight for records with the same priority.
- port: the TCP or UDP port on which the service is to be found.
- target: the canonical hostname of the machine providing the service, ending in a dot.
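As an added worked example, written for this article and not code from dnsdict6, thc-ipv6 or Wikipedia, here is a Python parser for the record form shown above, together with the RFC 2782 selection rule that turns the priority and weight fields into the order a client actually tries the targets. The sample SRV lines are constructed for the documentation domain example.com; srv_query_name() builds the _service._proto.name owner name that a client (or dnsdict6 -S) looks up, and the rng parameter of rfc2782_order() is an assumption of this example so the weighted draw can be made deterministic.

```python
"""Parse SRV records in the zone-file form shown above and order the targets
the way RFC 2782 tells a client to: lowest priority first, then a weighted
random draw among records that share a priority.

Added example for this article, not code from dnsdict6 / thc-ipv6.
The sample records are constructed for a documentation domain.
"""
import random
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class SrvRecord:
    service: str   # "sip"  (leading underscore stripped)
    proto: str     # "tcp"  (leading underscore stripped)
    name: str      # "example.com." (trailing dot kept)
    ttl: int
    priority: int  # lower is preferred
    weight: int    # relative weight among equal priorities
    port: int
    target: str    # canonical hostname, trailing dot


def srv_query_name(service: str, proto: str, domain: str) -> str:
    """Build the owner name a client (or dnsdict6 -S) looks up: _service._proto.domain."""
    return f"_{service}._{proto}.{domain.rstrip('.')}."


def parse_srv(line: str) -> SrvRecord:
    """Parse '_service._proto.name. TTL class SRV priority weight port target'."""
    fields = line.split()
    if len(fields) != 8 or fields[2].upper() != "IN" or fields[3].upper() != "SRV":
        raise ValueError(f"not an SRV record line: {line!r}")
    owner, ttl, _cls, _rtype, priority, weight, port, target = fields
    if not owner.endswith(".") or not target.endswith("."):
        raise ValueError("owner and target must be fully qualified (trailing dot)")
    labels = owner.split(".")  # "_sip._tcp.example.com." -> ["_sip", "_tcp", "example", "com", ""]
    if len(labels) < 4 or not (labels[0].startswith("_") and labels[1].startswith("_")):
        raise ValueError(f"owner must look like _service._proto.name.: {owner!r}")
    port_num = int(port)
    if not 0 <= port_num <= 65535:
        raise ValueError(f"port out of range: {port}")
    return SrvRecord(service=labels[0][1:], proto=labels[1][1:], name=".".join(labels[2:]),
                     ttl=int(ttl), priority=int(priority), weight=int(weight),
                     port=port_num, target=target)


def rfc2782_order(records: List[SrvRecord],
                  rng: Callable[[], float] = random.random) -> List[SrvRecord]:
    """Return the records in the order a client should try them (RFC 2782 usage rules).

    rng returns a float in [0, 1); inject a fixed function to make the order deterministic.
    """
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            if total == 0:
                pick = group[0]  # all weights zero: any order is acceptable
            else:
                # choose a point in [0, total) and take the first record whose running
                # weight sum reaches it; heavier records are proportionally more likely
                point = rng() * total
                running = 0
                for r in group:
                    running += r.weight
                    if running >= point:
                        pick = r
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered


# Constructed records (same pattern as the RFC 2782 example; example.com is a documentation domain).
SAMPLE_SRV_LINES = [
    "_sip._tcp.example.com. 86400 IN SRV 10 60 5060 bigbox.example.com.",
    "_sip._tcp.example.com. 86400 IN SRV 10 20 5060 smallbox1.example.com.",
    "_sip._tcp.example.com. 86400 IN SRV 10 20 5060 smallbox2.example.com.",
    "_sip._tcp.example.com. 86400 IN SRV 20  0 5060 backupbox.example.com.",
]


if __name__ == "__main__":
    records = [parse_srv(line) for line in SAMPLE_SRV_LINES]
    print("query name:", srv_query_name("sip", "tcp", "example.com"))
    for r in rfc2782_order(records):
        print(f"prio={r.priority:<3} weight={r.weight:<3} {r.target}:{r.port}")
```

The ordering function is where the two numeric fields earn their keep: sorting by priority alone would send every client to bigbox, while the weighted draw spreads the priority-10 load roughly 60/20/20 and only falls through to the priority-20 host once those are exhausted. Reading enumerated SRV records this way tells you which host is the primary for a service and which are standby, which is what an assessor writes down and what a domain owner should confirm they meant to publish.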
CONCLUSION
This tool is used for enumerating DNS records. Now that you have the basics, you can try more on your own!
This tool will help you better understand the workings and compartmentalization of domains, as well as how the target business network is organized. This information is for educational and legal pen testing use. Do not do things that are evil and bad.