DNS Enumeration – Bash Scripting

Make sure you know the legalities of enumerating DNS for subdomain resolution – This is considered brute force and it is an active (not passive) scan, which could result in legal issues if you do not have permission to perform the security check.

CONCEPT

You want an idea of what an attacker might discover about your network.  An attacker would first want a picture of the hosts that exist in it.  That picture can be built by passive means (search-engine queries, the so-called Google “hacks”) or by active brute force against your DNS.

LINUX HOST COMMAND

One useful command for checking whether a DNS name (a domain or a subdomain) exists is the “host” command in Linux.

From the command line, you could use host on a domain you have permission to test, like so:

host [valid domain]

which returns the domain’s address records (A and AAAA) and its mail servers (MX).  You can narrow the query with flags such as -t mx (mail servers only) or -t ns (name servers only).

There’s plenty of other parameters you can use… check out host -h for more.

If you use host on a subdomain, you’ll get back its IP address if the name exists, or a “not found” answer if it does not.  In other words:

host [sub].[domain] 

would return [sub].[domain] has address x.x.x.x when the name exists, and Host [sub].[domain] not found: 3(NXDOMAIN) when it does not.

DNS ENUMERATION

 As a reminder, be sure to check the legalities of any DNS enumeration scripting.  Even if you own the domain, this can be a legal issue with the hosting provider, etc.  Be sure that you have covered all legal aspects before attempting.

By enumeration, we’re talking about taking guess after guess to see whether a host exists, thereby building a list of what exists and what doesn’t.  You could come up with 5 or 10 words you think are common to domains, like:

admin

ads

mail

Then try them with host admin.[domain], etc.

An attacker would likely use many different words to guess a variety of useful domains/subdomains.  You could run them one by one… or you could write a script to do the work for you.

Bash Script

#!/bin/bash
# usage: ./ourscript.sh somedomain.abc [wordlist]   (wordlist defaults to dns.txt)
domain="${1:?usage: $0 domain [wordlist]}"
wordlist="${2:-dns.txt}"

while read -r p; do
    # grep -q keeps the matching line out of the output, so each hit prints once
    if host "$p.$domain" | grep -q "has address"; then echo "$p.$domain"; fi
done < "$wordlist"

Where dns.txt is a dictionary file of words that the script iterates over.  You can find such dictionaries all over by searching for “dns enumeration dictionary” – some files are small (20 KB) and some are huge (3 MB).  The larger the file, the more traffic this produces, since the script sends one DNS query per word, and a big list means a very large number of lookups against the target’s name servers.

The if statement above checks whether the words “has address” appear in host’s output.  If they do, the name is printed; if not, it is dropped… that way we don’t get spam from every failed subdomain check.  One caveat: if the zone has a wildcard record, every name under it resolves, so every word in the dictionary will “hit” – check a made-up name first and, if it resolves, treat names that return the same address with suspicion.

After making the script executable (chmod 755 ourscript.sh), we can run it and send the output to a file: ./ourscript.sh somedomain.abc > dns_result.txt
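The same idea carried a step further, as an added example that is not the post’s own script: it parses host’s output the way the LINUX HOST COMMAND section describes (one address per “has address” line), tolerates Windows line endings in the wordlist, and first resolves a random label to detect a wildcard zone, because in such a zone every guess comes back with an address and the plain loop would report the whole dictionary as hits.  It assumes host is on the PATH and the wordlist has one label per line; the file name enum.sh and the domain names in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not the original post's script. Assumes the "host" command is
# on the PATH and the wordlist has one label per line.

# resolve_a NAME: print the A record addresses of NAME, one per line.
# Prints nothing when the name does not resolve (NXDOMAIN, SERVFAIL, timeout).
resolve_a() {
    host -t A "$1" 2>/dev/null | awk '/ has address / { print $NF }'
}

# wildcard_addr DOMAIN: resolve a label that cannot be in anyone's dictionary.
# A non-empty result means the zone has a wildcard record, and that address
# is what every bogus guess will come back with.
wildcard_addr() {
    resolve_a "wildcard-probe-$$-$(date +%s).$1"
}

# enum_subdomains DOMAIN WORDLIST: print "name address" for each dictionary
# word that resolves to something other than the wildcard answer.
enum_subdomains() {
    domain="$1"
    wordlist="$2"
    wild="$(wildcard_addr "$domain")"
    while IFS= read -r word || [ -n "$word" ]; do
        word="$(printf '%s' "$word" | tr -d '\r')"   # tolerate CRLF wordlists
        [ -z "$word" ] && continue                    # skip blank lines
        name="$word.$domain"
        for addr in $(resolve_a "$name"); do
            # In a wildcard zone a real host that shares the wildcard address is
            # indistinguishable from a bogus guess, so it is dropped as well.
            if printf '%s\n' "$wild" | grep -qFx -- "$addr"; then continue; fi
            printf '%s %s\n' "$name" "$addr"
        done
    done < "$wordlist"
}

# usage: ./enum.sh somedomain.abc dns.txt > dns_result.txt
if [ "$#" -eq 2 ]; then
    enum_subdomains "$1" "$2"
fi
```

Because wildcard_addr runs once per domain rather than once per word, the extra cost is a single query; the per-word cost is the same as the simple loop, so the traffic and legal considerations above apply unchanged.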

Our dictionary file might have some gems, which might return valid entries for:

admin.somedomain.abc

blog.somedomain.abc

intranet.somedomain.abc

mail.somedomain.abc

ns1.somedomain.abc

ns2.somedomain.abc

router.somedomain.abc

vpn.somedomain.abc

www.somedomain.abc
