 |
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
|
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
Chris O'Connell wrote:
> I've been using DNSENUM.PL via BackTrack to do some information gathering
> on my work's network.
Never heard of it, but looks like Dnsenum is documented here:
http://code.google.com/p/dnsenum/
The purpose of Dnsenum is to gather as much information as possible
about a domain. The program currently performs the following
operations:
1) Get the host's addresse (A record).
2) Get the namservers.
3) Get the MX record.
4) Perform axfr queries on nameservers and get BIND versions...
5) Get extra names and subdomains via google scraping
(google query = "allinurl: -www site:domain").
6) Brute force subdomains from file, can also perform recursion on
subdomain that have NS records.
7) Calculate C class domain network ranges and perform whois queries
on them.
8) Perform reverse lookups on netranges...
9) Write to domain_ips.txt file ip-blocks.
> So, not all of my DNS sub domains show up in a simple scan.
(Lets set aside the "subdomain" terminology discussion. In my experience
the term is often used even for domains that aren't delegated, which is
likely a misuse of the term.)
My guess would be that Dnsenum is getting its initial list by looking at
names returned as a side effect of other queries. While zone transfers
used to be readily accessible, as Rich said they've been largely
disabled for security reasons (and at one time to avoid security holes
in BIND). However, that restriction might be IP sensitive, and you might
be allowed to do a zone transfer from your own LAN's IP range. You can
try playing around with a tool like 'dig' to explore this further yourself.
DNS is like a file system directory where you don't have permission to
list the directory contents, but if you know the file name you can
access the file contents. I'm assuming their brute force option simply
goes through a list of common names, looking to see if each exists.
But as implied by items #1 through #3 above, DNS intentionally reveals
some information in order to make it useful.
Disabling zone transfers is an attempts to hide the particulars within a
zone, but it is imperfect at best, as this information often leaks out
through other means (mail headers, for example). One possibility is to
scan through the range of IP addresses used by your target and do
reverse (PTR) queries on each IP (#8 above). Of course lots of DNS
entries lack corresponding PTR records, so that may not turn up much.
The source for Dnsenum can be viewed here:
http://code.google.com/p/dnsenum/source/browse/trunk/dnsenum.pl?r=2
and it looks like if you run it in verbose mode it'll tell you a bit
more about what queries it is performing.
The best way to answer this question would be to obtain your zone file
from whoever maintains your DNS and look at how the records vary between
the ones that Dnsenum finds and the ones it can't.
-Tom
--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
 |
|
| BLU is a member of BostonUserGroups | |
| We also thank MIT for the use of their facilities. | |
