Commit
Showing 12 changed files with 20,023 additions and 0 deletions.
@@ -0,0 +1,10 @@ | ||
Main author: | ||
pagvac (gnucitizen.org) | ||
|
||
Patches, bug hunting and general feedback: | ||
Borys Lacki (www.bothunters.pl) | ||
Philipp Winter (7c0.org) | ||
meathive (kinqpinz.info) | ||
David Kierznowski (withdk.com) | ||
GNa (gnanet.net) | ||
srl (security.research.labs@gmail.com) |
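Review bot: the last credit line publishes a personal e-mail address (security.research.labs@gmail.com) in clear text, while every other entry references a website; addresses committed to a public repository are harvested by spam and phishing tooling, so unless this contributor asked to be listed that way, credit them by handle or domain like the others, or at least obfuscate the address.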
@@ -0,0 +1,25 @@ | ||
20/02/2010: dnsmap 0.30 released at www.gnucitizen.org | ||
* IPv6 support | ||
* Makefile included | ||
* delay option (-d) added. This is useful in cases where dnsmap is killing your bandwidth | ||
* ignore IPs option (-i) added. This allows ignoring user-supplied IPs from the results. Useful for domains which cause dnsmap to produce false positives | ||
* changes made to make dnsmap compatible with OpenDNS | ||
* disclosure of internal IP addresses (RFC 1918) are reported | ||
* updated built-in wordlist | ||
* included a standalone three-letter acronym (TLA) subdomains wordlist | ||
* domains susceptible to "same site" scripting (http://snipurl.com/etbcv) are reported | ||
* completion time is now displayed to the user | ||
* mechanism to attempt to bruteforce wildcard-enabled domains | ||
* unique filename containing timestamp is now created when no specific output filename is supplied by user | ||
* various minor bugs fixed | ||
|
||
22/02/2009: dnsmap 0.22 released at www.gnucitizen.org | ||
* saving the results in human-readable and CSV format for easy processing | ||
* fixed bug that disallowed reading wordlists with DOS CRLF format | ||
* improved built-in subdomains wordlist | ||
* new bash script (dnsmap-bulk.sh) included which allows running dnsmap against a list of domains from a user-supplied file. i.e.: bruteforcing several domains in a bulk fashion | ||
* bypassing of signature-based dnsmap detection by generating a proper pseudo-random subdomain when checking for wildcards | ||
|
||
17/08/2006: dnsmap 0.1 (first public version) released at foro.elhacker.net | ||
* bruteforcing based on builtin list and user-supplied wordlist | ||
* obtain all available A records for each bruteforced (sub)domain (rather than only one) |
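Review bot: the 0.30 entry `domains susceptible to "same site" scripting (http://snipurl.com/etbcv) are reported` cites a URL shortener; shortened links hide their destination from the reader and rot when the service closes, so replace it with the direct URL of the article being referenced. Minor: the release dates are written DD/MM/YYYY (20/02/2010, 22/02/2009), which US readers will misread; ISO 8601 (2010-02-20) removes the ambiguity.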
@@ -0,0 +1,12 @@ | ||
CC=gcc | ||
CFLAGS=-I. | ||
BINDIR=/usr/local/bin | ||
|
||
dnsmap: dnsmap.c dnsmap.h | ||
$(CC) $(CFLAGS) -o dnsmap dnsmap.c | ||
|
||
install: dnsmap | ||
mkdir -p $(DESTDIR)$(BINDIR) | ||
install -m 0755 dnsmap $(DESTDIR)$(BINDIR) | ||
install -m 0755 dnsmap-bulk.sh $(DESTDIR)$(BINDIR)/dnsmap-bulk | ||
|
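Review bot: the `install` target has no `.PHONY: install` declaration, so a file or directory named `install` in the source tree would make `make install` silently do nothing; add `.PHONY: install` (and a `clean` target while at it). Also `CFLAGS=-I.` drops the `-Wall` that the README's manual build line `gcc -Wall dnsmap.c -o dnsmap` uses, so `make` builds with fewer warnings than the documented alternative; suggest `CFLAGS=-Wall -I.`. Finally the script is installed as `$(DESTDIR)$(BINDIR)/dnsmap-bulk` while the README and the script's own usage text refer to `dnsmap-bulk.sh`; pick one name and use it everywhere.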
@@ -0,0 +1,177 @@ | ||
INTRODUCTION | ||
|
||
dnsmap was originally released back in 2006 and was inspired by the | ||
fictional story "The Thief No One Saw" by Paul Craig, which can be found | ||
in the book "Stealing the Network - How to 0wn the Box" | ||
|
||
dnsmap is mainly meant to be used by pentesters during the information | ||
gathering/enumeration phase of infrastructure security assessments. During the | ||
enumeration stage, the security consultant would typically discover the target | ||
company's IP netblocks, domain names, phone numbers, etc ... | ||
|
||
Subdomain brute-forcing is another technique that should be used in the | ||
enumeration stage, as it's especially useful when other domain enumeration | ||
techniques such as zone transfers don't work (I rarely see zone transfers | ||
being *publicly* allowed these days by the way). | ||
|
||
If you are interested in researching stealth computer intrusion techniques, | ||
I suggest reading this excellent (and fun) chapter which you can find for | ||
*free* on the web: | ||
|
||
http://www.ethicalhacker.net/content/view/45/2/ | ||
|
||
I'm happy to say that dnsmap was included in Backtrack 2, 3 and 4 and has | ||
been reviewed by the community: | ||
|
||
http://backtrack.offensive-security.com/index.php?title=Tools | ||
http://www.networkworld.com/community/node/57543 | ||
http://www.linuxhaxor.net/2007/07/14/backtrack-2-information-gathering-all-dnsmap/ | ||
http://www.darknet.org.uk/2009/03/dnsmap-022-released-subdomain-bruteforcing-tool/ | ||
http://www.gnucitizen.org/blog/new-version-of-dnsmap-out/ | ||
|
||
|
||
COMPILING | ||
|
||
Compiling should be straightforward: | ||
|
||
$ make | ||
|
||
Or: | ||
|
||
$ gcc -Wall dnsmap.c -o dnsmap | ||
|
||
|
||
INSTALLATION | ||
|
||
Example of manual installation: | ||
|
||
# cp ./dnsmap /usr/local/bin/dnsmap | ||
|
||
If you wish to bruteforce several target domains in bulk fashion, you can use the | ||
included dnsmap-bulk.sh script. Just copy the script to /usr/local/bin/ so you can | ||
call it from any location. e.g.: | ||
|
||
# cp ./dnsmap-bulk.sh /usr/local/bin/ | ||
|
||
And set execute permissions. e.g.: | ||
|
||
# chmod ugo+x /usr/local/bin/dnsmap-bulk.sh | ||
|
||
|
||
LIMITATIONS | ||
|
||
Lack of multi-threading. This speed issue will hopefully be resolved in future versions. | ||
|
||
|
||
FUN THINGS THAT CAN HAPPEN | ||
|
||
1. Finding interesting remote access servers (e.g.: https://extranet.targetdomain.com) | ||
|
||
2. Finding badly configured and/or unpatched servers (e.g.: test.targetdomain.com) | ||
|
||
3. Finding new domain names which will allow you to map non-obvious/hard-to-find netblocks | ||
of your target organization (registry lookups - aka whois is your friend) | ||
|
||
4. Sometimes you find that some bruteforced subdomains resolve to internal IP addresses | ||
(RFC 1918). This is great as sometimes they are real up-to-date "A" records which means | ||
that it *is* possible to enumerate internal servers of a target organization from the | ||
Internet by only using standard DNS resolving (as oppossed to zone transfers for instance). | ||
|
||
5. Discover embedded devices configured using Dynamic DNS services (e.g.: linksys-cam.com). | ||
This method is an alternative to finding devices via Google hacking techniques | ||
|
||
USAGE | ||
|
||
Bruteforcing can be done either with dnsmap's built-in wordlist or a user-supplied wordlist. | ||
Results can be saved in CSV and human-readable format for further processing. dnsmap does | ||
NOT require root privileges to be run, and should NOT be run with such privileges for | ||
security reasons. | ||
|
||
The usage syntax can be obtained by simply running dnsmap without any parameters: | ||
|
||
$ ./dnsmap | ||
|
||
dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org) | ||
|
||
usage: dnsmap <target-domain> [options] | ||
options: | ||
-w <wordlist-file> | ||
-r <regular-results-file> | ||
-c <csv-results-file> | ||
-d <delay-millisecs> | ||
-i <ips-to-ignore> (useful if you're obtaining false positives) | ||
|
||
Note: delay value is a maximum random value. e.g.: if you enter 1000, each DNS request | ||
will be delayed a *maximum* of 1 second. By default, dnsmap uses a value of 10 milliseconds | ||
of maximum delay between DNS lookups | ||
|
||
|
||
EXAMPLES | ||
Subdomain bruteforcing using dnsmap's built-in word-list: | ||
|
||
$ ./dnsmap targetdomain.foo | ||
|
||
Subdomain bruteforcing using a user-supplied wordlist: | ||
|
||
$ ./dnsmap targetdomain.foo -w wordlist.txt | ||
|
||
Subdomain bruteforcing using the built-in wordlist and saving the results to /tmp/ : | ||
|
||
$ ./dnsmap targetdomain.foo -r /tmp/ | ||
|
||
Since no filename was provided in the previous example, but rather only a path, dnsmap would | ||
create an unique filename which includes the current timestamp. e.g.: | ||
/tmp/dnsmap_targetdomain_foo_2009_12_15_234953.txt | ||
|
||
Example of subdomain bruteforcing using the built-in wordlist, saving the results to /tmp/, | ||
and waiting a random maximum of 3 milliseconds between each request: | ||
|
||
$ ./dnsmap targetdomain.foo -r /tmp/ -d 300 | ||
|
||
It is recommended to use the -d (delay in milliseconds) option in cases where dnsmap is | ||
interfering with your online experience. i.e.: killing your bandwidth | ||
|
||
Subdomain bruteforcing with 0.8 seconds delay, saving results in regular and CSV format, | ||
filtering 2 user-provided IP and using a user-supplied wordlist: | ||
|
||
$ ./dnsmap targetdomain.foo -d 800 -r /tmp/ -c /tmp/ -i 10.55.206.154,10.55.24.100 -w ./wordlist_TLAs.txt | ||
|
||
For bruteforcing a list of target domains in a bulk fashion use the bash script provided. e.g.: | ||
|
||
$ ./dnsmap-bulk.sh domains.txt /tmp/results/ | ||
|
||
|
||
WORDLISTS | ||
|
||
http://packetstormsecurity.org/Crackers/wordlists/dictionaries/ | ||
http://www.cotse.com/tools/wordlists1.htm | ||
http://wordlist.sourceforge.net/ | ||
|
||
|
||
OTHER SIMILAR TOOLS - choice is freedom! | ||
|
||
WS-DNS-BFX | ||
http://ws.hackaholic.org/tools/WS-DNS-BFX.tgz | ||
|
||
DNSDigger | ||
http://www.ernw.de/download/dnsdigger.zip | ||
|
||
Fierce Domain Scan | ||
http://ha.ckers.org/fierce/ | ||
|
||
Desperate | ||
http://www.sensepost.com/research_misc.html | ||
|
||
DNSenum | ||
http://dnsenum.googlecode.com/files/dnsenum1.2.tar.gz | ||
|
||
ReverseRaider | ||
http://complemento.sourceforge.net/ | ||
|
||
Knock | ||
http://knock.gianniamato.it/ | ||
|
||
|
||
-- | ||
pagvac | GNUCITIZEN.org | ||
Feb 2010 |
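Review bot: the EXAMPLES entry introduced as "waiting a random maximum of 3 milliseconds between each request" runs `./dnsmap targetdomain.foo -r /tmp/ -d 300`, which according to the USAGE section is a 300 millisecond maximum delay; make the prose and the command agree (either `-d 3` or "300 milliseconds", the latter fitting the bandwidth advice that follows). Smaller points in the same file: "as oppossed to zone transfers" should read "as opposed to", "an unique filename" should be "a unique filename", and the INSTALLATION section tells users to `cp` dnsmap and dnsmap-bulk.sh into /usr/local/bin/ by hand although the Makefile's `install` target already does that (installing the script as `dnsmap-bulk`); pointing at `make install` keeps the two from diverging. The LIMITATIONS section lists only the lack of multi-threading, but the TODO file in this commit records that wildcarded domains returning more than one IP address for non-existing subdomains are not handled, which is a user-visible false-positive source and belongs here as well.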
@@ -0,0 +1,13 @@ | ||
* multi-threading - use pthread.h? | ||
* can't handle wildcarded domains that return more than one IP address on non-existing subdomains | ||
test domain: proboards.com | ||
* allow using a customized list of DNS server to share network load | ||
* allow using DNS server supplied on the command line | ||
* for openDNS users: document how to permanently change DNS server settings so they are not overwritten by DHCP settings | ||
* convert hostent structs to addrinfo ? | ||
* replace inet_ntoa(*((struct in_addr *)host->h_addr_list[j])) with ipstr | ||
* obtain aliases for each domain (CNAME records)? | ||
* clever numerical domain bruteforce for clusters. i.e.: www2, www3 | ||
* pickup new subdomains via reverse lookups (PTR records) | ||
* better input validation | ||
* improve function that validates target domain |
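Review bot: the last two items, `better input validation` and `improve function that validates target domain`, describe correctness gaps in code that parses untrusted command-line and wordlist input, yet they sit at the bottom of an enhancement wish list; track them as bugs with priority over the feature items. The `convert hostent structs to addrinfo` and `replace inet_ntoa(...)` items are best done together: `inet_ntoa` returns a pointer to a static buffer and is unusable for IPv6, and `hostent`/`gethostbyname` is IPv4-only and superseded by `getaddrinfo` plus `inet_ntop`, which the IPv6 support announced in the CHANGELOG would otherwise have to work around. The wildcard item (`can't handle wildcarded domains that return more than one IP address on non-existing subdomains`) should also be mirrored in the README's LIMITATIONS section, which currently lists only the lack of multi-threading.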
Binary file not shown.
@@ -0,0 +1,19 @@ | ||
#!/bin/bash | ||
if [[ $# -ne 1 && $# -ne 2 ]] | ||
then | ||
echo "usage: `basename $0` <domains-file> [results-path]"; | ||
echo "e.g.:"; | ||
echo "`basename $0` domains.txt"; | ||
echo "`basename $0` domains.txt /tmp/"; | ||
exit | ||
fi | ||
for i in `cat $1` | ||
do | ||
if [[ $# -eq 1 ]] | ||
then | ||
dnsmap $i | ||
elif [[ $# -eq 2 ]] | ||
then | ||
dnsmap $i -r $2 | ||
fi | ||
done |
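Review bot: the loop header that iterates over the backtick-quoted `cat $1` output word-splits and glob-expands every entry of the domains file, so a line containing spaces or a `*` yields mangled or expanded arguments to dnsmap; read the file with `while IFS= read -r domain; do ... done < "$1"` instead, which also copes with a missing trailing newline and avoids forking `cat`. Related: `$1`, `$2` and `$i` are unquoted throughout, the usage branch ends in a bare `exit` (status 0, so a caller cannot tell misuse from success; use `exit 1`), and nothing checks that `$1` is a readable file before the loop starts. The script calls `dnsmap` by bare name and so relies on PATH, which is fine since the Makefile installs both into the same BINDIR, but the usage text prints `basename $0` while the Makefile installs the file as `dnsmap-bulk` and the README documents `dnsmap-bulk.sh`; one consistent name would help users.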