Changes to /trunk/README.txt
r29 vs. r30
Revision r30
/trunk/README.txt   r29 /trunk/README.txt   r30
1 INTRODUCTION 1 INTRODUCTION
2 2
3 dnsmap was originally released back in 2006 and was inspired by the 3 dnsmap was originally released back in 2006 and was inspired by the
4 fictional story "The Thief No One Saw" by Paul Craig, which can be found 4 fictional story "The Thief No One Saw" by Paul Craig, which can be found
5 in the book "Stealing the Network - How to 0wn the Box" 5 in the book "Stealing the Network - How to 0wn the Box"
6 6
7 dnsmap is mainly meant to be used by pentesters during the information 7 dnsmap is mainly meant to be used by pentesters during the information
8 gathering/enumeration phase of infrastructure security assessments. During the 8 gathering/enumeration phase of infrastructure security assessments. During the
9 enumeration stage, the security consultant would typically discover the target 9 enumeration stage, the security consultant would typically discover the target
10 company's IP netblocks, domain names, phone numbers, etc ... 10 company's IP netblocks, domain names, phone numbers, etc ...
11 11
12 Subdomain brute-forcing is another technique that should be used in the 12 Subdomain brute-forcing is another technique that should be used in the
13 enumeration stage, as it's especially useful when other domain enumeration 13 enumeration stage, as it's especially useful when other domain enumeration
14 techniques such as zone transfers don't work (I rarely see zone transfers 14 techniques such as zone transfers don't work (I rarely see zone transfers
15 being *publicly* allowed these days by the way). 15 being *publicly* allowed these days by the way).
16 16
17 If you are interested in researching stealth computer intrusion techniques, 17 If you are interested in researching stealth computer intrusion techniques,
18 I suggest reading this excellent (and fun) chapter which you can find for 18 I suggest reading this excellent (and fun) chapter which you can find for
19 *free* on the web: 19 *free* on the web:
20 20
21 http://www.ethicalhacker.net/content/view/45/2/ 21 http://www.ethicalhacker.net/content/view/45/2/
22 22
23 I'm happy to say that dnsmap was included in Backtrack 2, 3 and 4 and has 23 I'm happy to say that dnsmap was included in Backtrack 2, 3 and 4 and has
24 been reviewed by the community: 24 been reviewed by the community:
25 25
26 http://backtrack.offensive-security.com/index.php?title=Tools 26 http://backtrack.offensive-security.com/index.php?title=Tools
27 http://www.networkworld.com/community/node/57543
27 http://www.linuxhaxor.net/2007/07/14/backtrack-2-information-gathering-all-dnsmap/ 28 http://www.linuxhaxor.net/2007/07/14/backtrack-2-information-gathering-all-dnsmap/
28 http://www.darknet.org.uk/2009/03/dnsmap-022-released-subdomain-bruteforcing-tool/ 29 http://www.darknet.org.uk/2009/03/dnsmap-022-released-subdomain-bruteforcing-tool/
29 http://www.gnucitizen.org/blog/new-version-of-dnsmap-out/ 30 http://www.gnucitizen.org/blog/new-version-of-dnsmap-out/
30 31
31 32
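Review bot: the networkworld.com link added in r30 is a bare URL like every other entry in this list, so a reader cannot tell which dnsmap release each review covers; the darknet.org.uk slug says 0.22 while the USAGE section below documents 0.30. Consider following each URL with a one-line title and the version reviewed, e.g. `http://www.networkworld.com/community/node/57543 (review of dnsmap 0.30)` if that is what it covers, so the list stays useful once the links rot.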
32 COMPILING 33 COMPILING
33 34
34 Compiling should be straightforward: 35 Compiling should be straightforward:
35 36
36 $ make 37 $ make
37 38
38 Or: 39 Or:
39 40
40 $ gcc -Wall dnsmap.c -o dnsmap 41 $ gcc -Wall dnsmap.c -o dnsmap
41 42
42 43
43 INSTALLATION 44 INSTALLATION
44 45
45 Example of manual installation: 46 Example of manual installation:
46 47
47 # cp ./dnsmap /usr/local/bin/dnsmap 48 # cp ./dnsmap /usr/local/bin/dnsmap
48 49
49 If you wish to bruteforce several target domains in bulk fashion, you can use the 50 If you wish to bruteforce several target domains in bulk fashion, you can use the
50 included dnsmap-bulk.sh script. Just copy the script to /usr/local/bin/ so you can 51 included dnsmap-bulk.sh script. Just copy the script to /usr/local/bin/ so you can
51 call it from any location. e.g.: 52 call it from any location. e.g.:
52 53
53 # cp ./dnsmap-bulk.sh /usr/local/bin/ 54 # cp ./dnsmap-bulk.sh /usr/local/bin/
54 55
55 And set execute permissions. e.g.: 56 And set execute permissions. e.g.:
56 57
57 # chmod ugo+x /usr/local/bin/dnsmap-bulk.sh 58 # chmod ugo+x /usr/local/bin/dnsmap-bulk.sh
58 59
59 60
60 LIMITATIONS 61 LIMITATIONS
61 62
62 Lack of multi-threading. This speed issue will hopefully be resolved in future versions. 63 Lack of multi-threading. This speed issue will hopefully be resolved in future versions.
63 64
64 65
65 FUN THINGS THAT CAN HAPPEN 66 FUN THINGS THAT CAN HAPPEN
66 67
67 1. Finding interesting remote access servers (e.g.: https://extranet.targetdomain.com) 68 1. Finding interesting remote access servers (e.g.: https://extranet.targetdomain.com)
68 69
69 2. Finding badly configured and/or unpatched servers (e.g.: test.targetdomain.com) 70 2. Finding badly configured and/or unpatched servers (e.g.: test.targetdomain.com)
70 71
71 3. Finding new domain names which will allow you to map non-obvious/hard-to-find netblocks 72 3. Finding new domain names which will allow you to map non-obvious/hard-to-find netblocks
72 of your target organization (registry lookups - aka whois is your friend) 73 of your target organization (registry lookups - aka whois is your friend)
73 74
74 4. Sometimes you find that some bruteforced subdomains resolve to internal IP addresses 75 4. Sometimes you find that some bruteforced subdomains resolve to internal IP addresses
75 (RFC 1918). This is great as sometimes they are real up-to-date "A" records which means 76 (RFC 1918). This is great as sometimes they are real up-to-date "A" records which means
76 that it *is* possible to enumerate internal servers of a target organization from the 77 that it *is* possible to enumerate internal servers of a target organization from the
77 Internet by only using standard DNS resolving (as oppossed to zone transfers for instance). 78 Internet by only using standard DNS resolving (as oppossed to zone transfers for instance).
78 79
79 5. Discover embedded devices configured using Dynamic DNS services (e.g.: linksys-cam.com). 80 5. Discover embedded devices configured using Dynamic DNS services (e.g.: linksys-cam.com).
80 This method is an alternative to finding devices via Google hacking techniques 81 This method is an alternative to finding devices via Google hacking techniques
81 82
82 USAGE 83 USAGE
83 84
84 Bruteforcing can be done either with dnsmap's built-in wordlist or a user-supplied wordlist. 85 Bruteforcing can be done either with dnsmap's built-in wordlist or a user-supplied wordlist.
85 Results can be saved in CSV and human-readable format for further processing. dnsmap does 86 Results can be saved in CSV and human-readable format for further processing. dnsmap does
86 NOT require root privileges to be run, and should NOT be run with such privileges for 87 NOT require root privileges to be run, and should NOT be run with such privileges for
87 security reasons. 88 security reasons.
88 89
89 The usage syntax can be obtained by simply running dnsmap without any parameters: 90 The usage syntax can be obtained by simply running dnsmap without any parameters:
90 91
91 $ ./dnsmap 92 $ ./dnsmap
92 93
93 dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org) 94 dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)
94 95
95 usage: dnsmap <target-domain> [options] 96 usage: dnsmap <target-domain> [options]
96 options: 97 options:
97 -w <wordlist-file> 98 -w <wordlist-file>
98 -r <regular-results-file> 99 -r <regular-results-file>
99 -c <csv-results-file> 100 -c <csv-results-file>
100 -d <delay-millisecs> 101 -d <delay-millisecs>
101 -i <ips-to-ignore> (useful if you're obtaining false positives) 102 -i <ips-to-ignore> (useful if you're obtaining false positives)
102 103
103 Note: delay value is a maximum random value. e.g.: if you enter 1000, each DNS request 104 Note: delay value is a maximum random value. e.g.: if you enter 1000, each DNS request
104 will be delayed a *maximum* of 1 second. By default, dnsmap uses a value of 10 milliseconds 105 will be delayed a *maximum* of 1 second. By default, dnsmap uses a value of 10 milliseconds
105 of maximum delay between DNS lookups 106 of maximum delay between DNS lookups
106 107
107 108
108 EXAMPLES 109 EXAMPLES
109 Subdomain bruteforcing using dnsmap's built-in word-list: 110 Subdomain bruteforcing using dnsmap's built-in word-list:
110 111
111 $ ./dnsmap targetdomain.foo 112 $ ./dnsmap targetdomain.foo
112 113
113 Subdomain bruteforcing using a user-supplied wordlist: 114 Subdomain bruteforcing using a user-supplied wordlist:
114 115
115 $ ./dnsmap targetdomain.foo -w wordlist.txt 116 $ ./dnsmap targetdomain.foo -w wordlist.txt
116 117
117 Subdomain bruteforcing using the built-in wordlist and saving the results to /tmp/ : 118 Subdomain bruteforcing using the built-in wordlist and saving the results to /tmp/ :
118 119
119 $ ./dnsmap targetdomain.foo -r /tmp/ 120 $ ./dnsmap targetdomain.foo -r /tmp/
120 121
121 Since no filename was provided in the previous example, but rather only a path, dnsmap would 122 Since no filename was provided in the previous example, but rather only a path, dnsmap would
122 create an unique filename which includes the current timestamp. e.g.: 123 create an unique filename which includes the current timestamp. e.g.:
123 /tmp/dnsmap_targetdomain_foo_2009_12_15_234953.txt 124 /tmp/dnsmap_targetdomain_foo_2009_12_15_234953.txt
124 125
125 Example of subdomain bruteforcing using the built-in wordlist, saving the results to /tmp/, 126 Example of subdomain bruteforcing using the built-in wordlist, saving the results to /tmp/,
126 and waiting a random maximum of 3 milliseconds between each request: 127 and waiting a random maximum of 3 milliseconds between each request:
127 128
128 $ ./dnsmap targetdomain.foo -r /tmp/ -d 300 129 $ ./dnsmap targetdomain.foo -r /tmp/ -d 300
129 130
130 It is recommended to use the -d (delay in milliseconds) option in cases where dnsmap is 131 It is recommended to use the -d (delay in milliseconds) option in cases where dnsmap is
131 interfering with your online experience. i.e.: killing your bandwidth 132 interfering with your online experience. i.e.: killing your bandwidth
132 133
133 Subdomain bruteforcing with 0.8 seconds delay, saving results in regular and CSV format, 134 Subdomain bruteforcing with 0.8 seconds delay, saving results in regular and CSV format,
134 filtering 2 user-provided IP and using a user-supplied wordlist: 135 filtering 2 user-provided IP and using a user-supplied wordlist:
135 136
136 $ ./dnsmap live.com -d 800 -r /tmp/ -c /tmp/ -i 65.55.206.154,65.55.24.100 -w ./wordlist_TLAs.txt 137 $ ./dnsmap targetdomain.foo -d 800 -r /tmp/ -c /tmp/ -i 10.55.206.154,10.55.24.100 -w ./wordlist_TLAs.txt
137 138
138 For bruteforcing a list of target domains in a bulk fashion use the bash script provided. e.g.: 139 For bruteforcing a list of target domains in a bulk fashion use the bash script provided. e.g.:
139 140
140 $ ./dnsmap-bulk.sh domains.txt /tmp/results/ 141 $ ./dnsmap-bulk.sh domains.txt /tmp/results/
141 142
142 143
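Review bot: replacing live.com and its real addresses with targetdomain.foo in the -i example is the right change, but the two substitute addresses (10.55.206.154, 10.55.24.100) are RFC 1918 space, and item 4 of FUN THINGS above presents names resolving to RFC 1918 addresses as a finding worth keeping; the example now reads as if those answers are the false positives to ignore. Use the range reserved for documentation instead, e.g. `-i 192.0.2.154,192.0.2.100`, and say in the -i option description what produces false positives in the first place (typically a wildcard record that answers every name with the same address), since the README never explains how to pick the values. Two nits in the same section that r30 leaves untouched: "waiting a random maximum of 3 milliseconds" describes `-d 300`, which by the USAGE note is 300 milliseconds, and "filtering 2 user-provided IP" should read "IPs".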
143 WORDLISTS 144 WORDLISTS
144 145
145 http://packetstormsecurity.org/Crackers/wordlists/dictionaries/ 146 http://packetstormsecurity.org/Crackers/wordlists/dictionaries/
146 http://www.cotse.com/tools/wordlists1.htm 147 http://www.cotse.com/tools/wordlists1.htm
147 http://wordlist.sourceforge.net/ 148 http://wordlist.sourceforge.net/
148 149
149 150
150 OTHER SIMILAR TOOLS - choice is freedom! 151 OTHER SIMILAR TOOLS - choice is freedom!
151 152
152 WS-DNS-BFX 153 WS-DNS-BFX
153 http://ws.hackaholic.org/tools/WS-DNS-BFX.tgz 154 http://ws.hackaholic.org/tools/WS-DNS-BFX.tgz
154 155
155 DNSDigger 156 DNSDigger
156 http://www.ernw.de/download/dnsdigger.zip 157 http://www.ernw.de/download/dnsdigger.zip
157 158
158 Fierce Domain Scan 159 Fierce Domain Scan
159 http://ha.ckers.org/fierce/ 160 http://ha.ckers.org/fierce/
160 161
161 Desperate 162 Desperate
162 http://www.sensepost.com/research_misc.html 163 http://www.sensepost.com/research_misc.html
163 164
164 DNSenum 165 DNSenum
165 http://dnsenum.googlecode.com/files/dnsenum1.2.tar.gz 166 http://dnsenum.googlecode.com/files/dnsenum1.2.tar.gz
166 167
167 ReverseRaider 168 ReverseRaider
168 http://complemento.sourceforge.net/ 169 http://complemento.sourceforge.net/
169 170
170 Knock 171 Knock
171 http://knock.gianniamato.it/ 172 http://knock.gianniamato.it/
172 173
173 174
174 -- 175 --
175 pagvac | GNUCITIZEN.org 176 pagvac | GNUCITIZEN.org
176 Feb 2010 177 Feb 2010