DNS Recon Tool written in Ruby
I wrote this tool back in late 2006, and it has been my favorite tool for enumeration through DNS, in great part because I wrote it and it gives the output in a form that I can manipulate in my own style. One of the features that I have used the most, and that gave me excellent results, is the SRV record enumeration. The script will perform the following:
- Standard Record Enumeration for a given domain (A, NS, SOA and MX).
- Top Level Domain Expansion for a given domain.
- Zone Transfer against all NS records of a given domain.
- Reverse Lookup against a given IP Range given a start and end IP.
- SRV Record enumeration, enumerating:
  - _gc._tcp.
  - _kerberos._tcp.
  - _kerberos._udp.
  - _ldap._tcp.
  - _test._tcp.
  - _sips._tcp.
  - _sip._udp.
  - _sip._tcp.
  - _aix._tcp.
  - _aix._tcp.
  - _finger._tcp.
  - _ftp._tcp.
  - _http._tcp.
  - _nntp._tcp.
  - _telnet._tcp.
  - _whois._tcp.
  - _h323cs._tcp.
  - _h323cs._udp.
  - _h323be._tcp.
  - _h323be._udp.
  - _h323ls._tcp.
  - _h323ls._udp.
- Brute force hostnames and subdomains of a given target domain using a wordlist.
To install the necessary ruby dependencies using ruby gems, run the following commands as root:
gem install pNet-DNS
gem install ip
The script can be downloaded from dnsrecon.rb
I do hope that others find it as useful as I have. This tool will be included in BT4, along with other tools that I have discussed in this blog.
Help Screen of the script:
root@bt:~# ./dnsrecon.rb
Dnsrecon 1.6
By Carlos Perez
Email: carlos_perez[at]darkoperator.com

This is a simple tool written for target enumeration during authorized penetration test
engagements. This tool provides different methods for enumerating targets thru DNS service.

-t, --type
    Select the type of enumeration to be done.
    std   Query for SOA, NS and MX Record of a target domain.
    tld   Top Level Domain enumeration of a target domain.
    axf   Perform a Zone transfer against all NS server Records
          of a target domain.
    rvs   Reverse Record Lookup enumeration against a targeted
          IP range.
    srv   Service Record Enumeration of VOIP, Active Directory and
          Network Services service records.
    brt   Bruteforce subdomain and host records using a wordlist.
-d, --target
    Domain to be targeted for enumeration.
-i, --ip
    Starting IP and end IP for a range to be used for reverse lookup
    enumeration of a targeted domain. Exmpl. 192.168.1.1,192.168.1.253
-w, --wordlist
    Wordlist to be use for brutforce enumeration of host names and subdomains.
-s, --dns
    Alternate DNS server to use.
-h, --help
    This help message.
Here is an example of the tool enumerating SRV records and standard records:
root@bt:~# ./dnsrecon.rb -t srv -d avaya.com
_sip._udp.avaya.com,198.152.17.90,5060
_sip._tcp.avaya.com,198.152.17.90,5060

root@bt:~# ./dnsrecon.rb -t std -d google.com
google.com,209.85.171.100,A
google.com,74.125.67.100,A
google.com,74.125.45.100,A
ns1.google.com,216.239.32.10,SOA
ns4.google.com,216.239.38.10,NS
ns1.google.com,216.239.32.10,NS
ns2.google.com,216.239.34.10,NS
ns3.google.com,216.239.36.10,NS
smtp4.google.com,72.14.221.25,MX,10
smtp1.google.com,209.85.237.25,MX,10
smtp2.google.com,64.233.165.25,MX,10
smtp3.google.com,209.85.137.25,MX,10
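Because the output is comma-separated, it is easy to post-process. The following is an added example, not part of dnsrecon.rb: it parses rows in the shape shown in the sample runs above and lists what a zone owner would want to review in their own externally visible results. The row layout is inferred from those runs, and the `INTERNAL_SRV` selection, the function names and the last two sample rows are assumptions of this example.

```ruby
require 'ipaddr'
Record = Struct.new(:name, :ip, :type, :extra)

# SRV labels from the tool's list that normally live only on internal DNS
# (Active Directory). Treating these as review-worthy is this example's assumption.
INTERNAL_SRV = %w[_gc._tcp _kerberos._tcp _kerberos._udp _ldap._tcp].freeze
PRIVATE_NETS = %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16].map { |c| IPAddr.new(c) }.freeze

# Row shapes inferred from the sample runs: "name,ip,port" for SRV results,
# "name,ip,type[,preference]" for standard results. Prompts and blanks are skipped.
def parse_line(line)
  name, ip, third, fourth = line.strip.split(',')
  return nil if third.nil? || name.include?(' ')
  if name.start_with?('_') && third.match?(/\A\d+\z/)
    Record.new(name, ip, 'SRV', third.to_i)
  else
    Record.new(name, ip, third, fourth&.to_i)
  end
end

def parse_output(text)
  text.each_line.map { |l| parse_line(l) }.compact
end

def private_ip?(ip)
  addr = IPAddr.new(ip)
  PRIVATE_NETS.any? { |net| net.include?(addr) }
rescue IPAddr::Error
  false
end

# Returns one finding string per issue a zone owner should look at.
def review(records)
  records.flat_map do |r|
    out = []
    label = r.name.split('.').first(2).join('.')
    out << "internal-service SRV published: #{r.name} port #{r.extra}" if r.type == 'SRV' && INTERNAL_SRV.include?(label)
    out << "private address in answer: #{r.name} -> #{r.ip}" if private_ip?(r.ip)
    out
  end
end

# The first three lines come from the runs above; the last two rows are constructed.
SAMPLE = <<~OUT
  root@bt:~# ./dnsrecon.rb -t srv -d avaya.com
  _sip._udp.avaya.com,198.152.17.90,5060
  smtp4.google.com,72.14.221.25,MX,10
  _ldap._tcp.example.com,10.0.0.5,389
  intranet.example.com,192.168.1.20,A
OUT
```

Calling `review(parse_output(SAMPLE))` returns three findings, two for the constructed `_ldap._tcp` row and one for the constructed `intranet` row.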
Reader Comments (7)
It's 2:20 AM. I looked for a solution before deciding to go to bed. Below is what I get when I try running your script.
/usr/local/lib/site_ruby/1.8/rubygems/custom_require.rb:31:in `gem_original_require': no such file to load -- Net/DNS (LoadError)
from /usr/local/lib/site_ruby/1.8/rubygems/custom_require.rb:31:in `require'
from ./dnsrecon.rb:6
Are you sure you did gem install pNet-DNS and gem install ip as root?
So I tried again installing as root. Installed successfully, then I get this when running the script:
./dnsrecon.rb
/usr/local/lib/site_ruby/1.8/rubygems/custom_require.rb:31:in `gem_original_require': no such file to load -- Net/DNS (LoadError)
from /usr/local/lib/site_ruby/1.8/rubygems/custom_require.rb:31:in `require'
from ./dnsrecon.rb:6
recvfrom(2) (Errno::ECONNRESET)
from C:/Ruby/lib/ruby/gems/1.8/gems/pNet-DNS-1.0.2/lib/Net/DNS/Resolver.rb:1365:in `send_udp'
from C:/Ruby/lib/ruby/gems/1.8/gems/pNet-DNS-1.0.2/lib/Net/DNS/Resolver.rb:1362:in `each'
from C:/Ruby/lib/ruby/gems/1.8/gems/pNet-DNS-1.0.2/lib/Net/DNS/Resolver.rb:1362:in `send_udp'
from C:/Ruby/lib/ruby/gems/1.8/gems/pNet-DNS-1.0.2/lib/Net/DNS/Resolver.rb:1312:in `each'
from C:/Ruby/lib/ruby/gems/1.8/gems/pNet-DNS-1.0.2/lib/Net/DNS/Resolver.rb:1312:in `send_udp'
from C:/Ruby/lib/ruby/gems/1.8/gems/pNet-DNS-1.0.2/lib/Net/DNS/Resolver.rb:1299:in `times'
from C:/Ruby/lib/ruby/gems/1.8/gems/pNet-DNS-1.0.2/lib/Net/DNS/Resolver.rb:1299:in `send_udp'
from C:/Ruby/lib/ruby/gems/1.8/gems/pNet-DNS-1.0.2/lib/Net/DNS/Resolver.rb:1008:in `send'
from C:/Ruby/lib/ruby/gems/1.8/gems/pNet-DNS-1.0.2/lib/Net/DNS/Resolver.rb:973:in `query'
from C:/Ruby/lib/ruby/gems/1.8/gems/pNet-DNS-1.0.2/lib/Net/DNS/Resolver.rb:870:in `search'
from C:/Ruby/dnsrecon.rb:138:in `genrcd'
from C:/Ruby/dnsrecon.rb:336
But I use Ruby 1.9.3-P125, and it has an error when I query SRV records:
./dnsrecon.rb -t srv -d example.com
/dnsrecon.rb:237:in `srvqry': undefined method `target' for _gc._tcp.example.com. 600 IN SRV :Net::DNS::RR::SRV (NoMethodError)
from ./dnsrecon.rb:236:in `each'
from ./dnsrecon.rb:236:in `srvqry'
from ./dnsrecon.rb:232:in `each'
from ./dnsrecon.rb:232:in `srvqry'
from ./dnsrecon.rb:350