DNS Enumeration Script: DNSRecon

2015-02-06T22:18:50
ID N0WHERE:26800
Type n0where
Reporter N0where
Modified 2015-02-06T22:18:50

Description

DNS reconnaissance is part of the information gathering stage on a penetration test engagement. When a penetration tester is performing a DNS reconnaissance he is trying to obtain as much information as he can regarding the DNS servers and their records. The information that can be gathered can disclose the network infrastructure of the company without alerting the IDS/IPS. This can happen because most of the organizations are not monitoring their DNS server traffic and those that do, only monitor the zone transfers attempts.

DNSRecon is a tool that was developed by Carlos Perez and it is designed to perform DNS reconnaissance. This tool is included on kali linux and it is written in python.

DNS Enumeration Script: DNSRecon

This script provides the ability to perform:

  • Check all NS Records for Zone Transfers.
  • Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT).
  • Perform common SRV Record Enumeration.
  • Top Level Domain (TLD) Expansion.
  • Check for Wildcard Resolution.
  • Brute Force subdomain and host A and AAAA records given a domain and a wordlist.
  • Perform a PTR Record lookup for a given IP Range or CIDR.
  • Check a DNS Server Cached records for A, AAAA and CNAME Records provided a list of host records in a text file to check.
  • Enumerate Common mDNS records in the Local Network
  • Enumerate Hosts and Subdomains using Google

DNS Enumeration Script: DNSRecon v0.8.9 Released !

Standard Record Enumeration

In order to perform standard DNS enumeration with the DNSRecon we have to use the following syntax:

./dnsrecon.py -d <domain>

Zone Transfer

DNS zone transfer can be used to expose network topology. Specifically when a user is trying to perform a zone transfer, he sends a DNS query to list all DNS information like name servers, host names, MX and CNAME records, zone serial number, Time to Live records etc. Depending on the size and the type of a network, this can present significant security problem. The shear amount of information that can be obtained through DNS zone transfer is staggering. DNS zone transfers are now-days usually turned of by default and I would be surprised if you are find one. Nevertheless, DNSRecon provides the ability to perform Zone Transfers with the commands

./dnsrecon.py -d <domain> -a or
./dnsrecon.py -d <domain> -t axfr

Reverse Lookup

DNSRecon can perform a reverse lookup for PTR (Pointer) records against IPv4 and IPv6 address ranges. To run reverse lookup enumeration use:

./dnsrecon.py -r <startIP-endIP>

Also reverse lookup can be performed against all ranges in SPF records with the command .

/dnsrecon.py -d <domain> -s.

Domain Brute-Force

For performing this technique all we have to do is to give a name list and it will try to resolve the A, AAA and CNAME records against the domain by trying each entry one by one. In order to run the Domain Name Brute-Force we need to type:

./dnsrecon.py -d <domain> -D <namelist> -t brt

Cache Snooping

DNS cache snooping is occurred when the DNS server has a specific DNS record cached.This DNS record will often reveal plenty of information. However DNS cache snooping is not happening very often:

./dnsrecon.py -t snoop -n Sever -D <Dict>

Zone Walking

This technique may unveils internal records if zone is not configured properly.The information that can be obtained can help us to map network hosts by enumerating the contents of a zone:

./dnsrecon.py -d <host> -t zonewalk

DNS Enumeration Script: DNSRecon Installation

Installation instructions for Ubuntu 10.10 they should work with little to no modification on previous versions. Install needed packages, for Backtrack you only need to install git-core:

$ sudo apt-get install libavahi-compat-libdnssd1 git-core


$ sudo apt-get install python-setuptools

Once those packages are installed we will install the supporting libraries for python to be able to run the script:

$ sudo easy_install netaddr


$ sudo easy_install dnspython

Navigate to the folder you want to install the DNSRecon script and run the following command to download the script and files:

$ git clone git://github.com/darkoperator/dnsrecon.git

To keep the script and associated files updated just navigate into the dnsrecon folder and run:

$ git pull

Source && Download

dnsrecon download