Reminder:

Caution: in this article the tool is used for research and learning. This type of tool must not be used against a server that does not belong to you; doing so can be punished by law (see articles 323-XX).

Test environment:

For this we will use a VM running the Kali distribution. DNSRecon is installed by default on Kali.

Usage:

The command and its options

root@kali:~# dnsrecon
Version: 0.8.8
Usage: dnsrecon.py <options>

Options:
   -h, --help                  Show this help message and exit
   -d, --domain      <domain>  Domain to Target for enumeration.
   -r, --range       <range>   IP Range for reverse look-up brute force in formats (first-last)
                               or in (range/bitmask).
   -n, --name_server <name>    Domain server to use, if none is given the SOA of the
                               target will be used
   -D, --dictionary  <file>    Dictionary file of sub-domain and hostnames to use for
                               brute force.
   -f                          Filter out of Brute Force Domain lookup records that resolve to
                               the wildcard defined IP Address when saving records.
   -t, --type        <types>   Specify the type of enumeration to perform:
                               std      To Enumerate general record types, enumerates.
                                        SOA, NS, A, AAAA, MX and SRV if AXRF on the
                                        NS Servers fail.

                               rvl      To Reverse Look Up a given CIDR IP range.

                               brt      To Brute force Domains and Hosts using a given
                                        dictionary.

                               srv      To Enumerate common SRV Records for a given
                                        domain.

                               axfr     Test all NS Servers in a domain for misconfigured
                                        zone transfers.

                               goo      Perform Google search for sub-domains and hosts.

                               snoop    To Perform a Cache Snooping against all NS
                                        servers for a given domain, testing all with
                                        file containing the domains, file given with -D
                                        option.

                               tld      Will remove the TLD of given domain and test against
                                        all TLD's registered in IANA

                               zonewalk Will perform a DNSSEC Zone Walk using NSEC Records.

   -a                          Perform AXFR with the standard enumeration.
   -s                          Perform Reverse Look-up of ipv4 ranges in the SPF Record of the
                               targeted domain with the standard enumeration.
   -g                          Perform Google enumeration with the standard enumeration.
   -w                          Do deep whois record analysis and reverse look-up of IP
                               ranges found thru whois when doing standard query.
   -z                          Performs a DNSSEC Zone Walk with the standard enumeration.
   --threads          <number> Number of threads to use in Range Reverse Look-up, Forward
                               Look-up Brute force and SRV Record Enumeration
   --lifetime         <number> Time to wait for a server to response to a query.
   --db               <file>   SQLite 3 file to save found records.
   --xml              <file>   XML File to save found records.
   --iw                        Continua bruteforcing a domain even if a wildcard record resolution is
                               discovered.
   -c, --csv          <file>   Comma separated value file.
   -j, --json         <file>   JSON file.
   -v                          Show attempts in the bruteforce modes.

The command by example

root@kali:~# dnsrecon -t std -d example.com
[*] Performing General Enumeration of Domain:
[*] DNSSEC is configured for example.com
[*] DNSKEYs:
[*]   NSEC ZSK RSASHA256 03010001963ba957655b761dac86aebe ee9bc4f388a7a6bbbfcaaebc103083aa f345ab8585031b5f2a32c8551267b95a 7d459751c6683d972979f67a718d7fa1
[*]   NSEC KSk RSASHA256 03010001b38503197e2e4b7450c82566 2cca102d40c54bbcce58fae4a61ab51e 7005632b875f136332bf8a0e98d6de58 4d608eebc6f29e8ae9
[*]    SOA sns.dns.icann.org 199.4.28.26
[*]    NS b.iana-servers.net 199.43.133.53
[*]    Bind Version for 199.43.133.53 9.9.7-P2
[*]    NS b.iana-servers.net 2001:500:8d::53
[*]    Bind Version for 2001:500:8d::53 9.9.7-P2
[*]    NS a.iana-servers.net 199.43.132.53
[*]    Bind Version for 199.43.132.53 host
[*]    NS a.iana-servers.net 2001:500:8c::53
[*]    Bind Version for 2001:500:8c::53 host
[-] Could not Resolve MX Records for example.com
[*]    A example.com 93.184.216.34
[*]    AAAA example.com 2606:2800:220:1:248:1893:25c8:1946
[*]    TXT example.com $Id: example.com 4415 2015-08-24 20:12:23Z davids $
[*]    TXT example.com v=spf1 -all
[*] Enumerating SRV Records
[-] No SRV Records Found for example.com
[*] 0 Records Found

We ask DNSRecon to look up the standard record types (SOA, A, NS, AAAA, MX, SRV) for the domain example.com. Along the way it also reports the zone's DNSKEY records, the TXT records (here the SPF policy) and the BIND version string each name server returns.

By brute force

Brute force mode takes a dictionary file (-D) of hostnames; each entry is prefixed to the domain and resolved.

root@kali:~# echo "www" > enreg.txt
root@kali:~# dnsrecon -d example.com -t brt -D enreg.txt
[*] Performing host and subdomain brute force against example.com
[*]      A www.example.com 93.184.216.34
[*]      AAAA www.example.com 2606:2800:220:1:248:1893:25c8:1946
[*] 2 Records Found

Command output into an SQLite3 database

root@kali:~# dnsrecon -d example.com -t brt -D enreg.txt --db sql3
[*] Performing host and subdomain brute force against example.com
[*]      A www.example.com 93.184.216.34
[*]      AAAA www.example.com 2606:2800:220:1:248:1893:25c8:1946
[*] 2 Records Found
[*] Saving records to SQLite3 file: sql3

root@kali:~# sqlite3 sql3
SQLite version 3.7.16.2 2013-04-12 11:52:43
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .tables
data
sqlite> SELECT * FROM data;
1|A|www.example.com|93.184.216.34||||
2|AAAA|www.example.com|2606:2800:220:1:248:1893:25c8:1946||||
sqlite>

Testing zone transfers

root@kali:~# dnsrecon -d example.com -a
[*] Performing General Enumeration of Domain: example.com
[*] Checking for Zone Transfer for example.com name servers
[*] Resolving SOA Record
[*]    SOA sns.dns.icann.org 199.4.28.26
[*] Resolving NS Records
[*] NS Servers found:
[*]   NS a.iana-servers.net 199.43.132.53
[*]   NS a.iana-servers.net 2001:500:8c::53
[*]   NS b.iana-servers.net 199.43.133.53
[*]   NS b.iana-servers.net 2001:500:8d::53
[*] Removing any duplicate NS server IP Addresses...
[*]
[*] Trying NS server 199.4.28.26
[*] 199.4.28.26 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-]
[*]
[*] Trying NS server 199.43.133.53
[*] 199.43.133.53 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-]
[*]
[*] Trying NS server 199.43.132.53
[*] 199.43.132.53 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-]
[*]
[*] Trying NS server 2001:500:8d::53
[-] Zone Transfer Failed for 2001:500:8d::53!
[-] Port 53 TCP is being filtered
[*]
[*] Trying NS server 2001:500:8c::53
[-] Zone Transfer Failed for 2001:500:8c::53!
[-] Port 53 TCP is being filtered
[*] Checking for Zone Transfer for example.com name servers
[*] Resolving SOA Record
[*]    SOA sns.dns.icann.org 199.4.28.26
[*] Resolving NS Records
[*] NS Servers found:
[*]   NS a.iana-servers.net 199.43.132.53
[*]   NS a.iana-servers.net 2001:500:8c::53
[*]   NS b.iana-servers.net 199.43.133.53
[*]   NS b.iana-servers.net 2001:500:8d::53
[*] Removing any duplicate NS server IP Addresses...
[*]
[*] Trying NS server 199.4.28.26
[*] 199.4.28.26 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-]
[*]
[*] Trying NS server 199.43.133.53
[*] 199.43.133.53 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-]
[*]
[*] Trying NS server 199.43.132.53
[*] 199.43.132.53 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-]
[*]
[*] Trying NS server 2001:500:8d::53
[-] Zone Transfer Failed for 2001:500:8d::53!
[-] Port 53 TCP is being filtered
[*]
[*] Trying NS server 2001:500:8c::53
[-] Zone Transfer Failed for 2001:500:8c::53!
[-] Port 53 TCP is being filtered
[*] DNSSEC is configured for example.com
[*] DNSKEYs:
[*]   NSEC KSk RSASHA256 03010001b38503197e2e4b7450c82566 2cca102d40c54bbcce58fae4a61ab51e 7005632b875f136332bf8a0e98d6de58 4d608eebc6f29e8ae936ef5fa8d1402d 7edb565f7f8326c0d2fd04845f9d8179 a851f457ee4b0c1a006fb5f6b6fd8f5a de495734baa44eccc84383c43150a3b6 bca5d7d05ef7f3e415e0bd2138e03114 2c421981dfd7b23189da97e7f76d4c4a 9387eaedcb8453475b469b9ee07fcdea 33ee71758ec22300913261821aa0cbea 3d15f229fad47f7a629aa3de3fc29557 0dc3dfe41d7c8fbc73d92bd34f18aea8 2cc232db319e29191dca21d63e20f98d 41f3320c22fac433ea591a187f62e7f8 47008181a6028bd86988c595bd2e1607 3c74fe55
[*]   NSEC ZSK RSASHA256 03010001963ba957655b761dac86aebe ee9bc4f388a7a6bbbfcaaebc103083aa f345ab8585031b5f2a32c8551267b95a 7d459751c6683d972979f67a718d7fa1 c76fbf349cae43d265c9558dd5792c3c 0fbd213af4b99fb7face8491e2e80f06 2b374506aba404fb2be5c01d2a5518b1 0a615f734b363b3128263d01919e20fc fdc9cf7f1badd7
[*]    SOA sns.dns.icann.org 199.4.28.26
[*]    NS b.iana-servers.net 199.43.133.53
[*]    Bind Version for 199.43.133.53 9.9.7-P2
[*]    NS b.iana-servers.net 2001:500:8d::53
[*]    Bind Version for 2001:500:8d::53 9.9.7-P2
[*]    NS a.iana-servers.net 199.43.132.53
[*]    Bind Version for 199.43.132.53 host
[*]    NS a.iana-servers.net 2001:500:8c::53
[*]    Bind Version for 2001:500:8c::53 host
[-] Could not Resolve MX Records for example.com
[*]    A example.com 93.184.216.34
[*]    AAAA example.com 2606:2800:220:1:248:1893:25c8:1946
[*]    TXT example.com v=spf1 -all
[*]    TXT example.com $Id: example.com 4415 2015-08-24 20:12:23Z davids $
[*] Enumerating SRV Records
[-] No SRV Records Found for example.com
[*] 0 Records Found

Note:
It does not show in my screen captures, but the bracketed line prefixes are colour-coded:
[*]: standard tool text.
[*]: check OK.
[-]: check KO.
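To make runs like the ones above easier to compare, here is an added Python example (not code from this article or from the DNSRecon project) that parses dnsrecon 0.8.8 output of the shape captured above, using the [*] / [-] prefix convention from the note, tells apart name servers that refused the zone transfer from those where port 53/TCP was filtered, and loads the records into an in-memory SQLite table laid out like the --db file queried in the SQLite section. The sample output is constructed from the captures on this page; the SQLite column names are assumptions (only the column order is taken from the SELECT output).

```python
import re
import sqlite3

# Constructed sample modelled on the dnsrecon 0.8.8 output shown on this page
# (a std run followed by two AXFR attempts); not a real capture.
SAMPLE_OUTPUT = """\
[*] Performing General Enumeration of Domain: example.com
[*] DNSSEC is configured for example.com
[*]    SOA sns.dns.icann.org 199.4.28.26
[*]    NS b.iana-servers.net 199.43.133.53
[*]    Bind Version for 199.43.133.53 9.9.7-P2
[-] Could not Resolve MX Records for example.com
[*]    A example.com 93.184.216.34
[*]    AAAA example.com 2606:2800:220:1:248:1893:25c8:1946
[*]    TXT example.com v=spf1 -all
[*] Trying NS server 199.43.133.53
[*] 199.43.133.53 Has port 53 TCP Open
[-] Zone Transfer Failed!
[*] Trying NS server 2001:500:8d::53
[-] Zone Transfer Failed for 2001:500:8d::53!
[-] Port 53 TCP is being filtered
[*] 0 Records Found
"""

# Record types dnsrecon prints as "[*]    TYPE name value" lines.
RECORD_TYPES = {"SOA", "NS", "A", "AAAA", "MX", "TXT", "SRV", "PTR", "CNAME"}
RECORD_RE = re.compile(r"^\[\*\]\s+(?P<type>[A-Z]+)\s+(?P<name>\S+)\s+(?P<value>.+)$")


def parse_records(text):
    """Return the resource records found in dnsrecon output as dicts."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        # The type filter drops status lines such as "[*] DNSSEC is configured ...".
        if m and m.group("type") in RECORD_TYPES:
            records.append({"type": m.group("type"),
                            "name": m.group("name"),
                            "value": m.group("value").strip()})
    return records


def parse_failures(text):
    """Return the messages on '[-]' (check KO) lines, without the prefix."""
    return [line[3:].strip() for line in text.splitlines()
            if line.startswith("[-]") and line[3:].strip()]


def axfr_status(text):
    """Map each name server tried to 'refused' (port open, transfer denied),
    'filtered' (port 53/TCP unreachable) or 'no result' (nothing reported)."""
    status, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\[\*\] Trying NS server (\S+)", line)
        if m:
            current = m.group(1)
            status[current] = "no result"
        elif current and "Port 53 TCP is being filtered" in line:
            status[current] = "filtered"   # overrides the 'Failed' line printed just before it
        elif current and "Zone Transfer Failed" in line:
            status[current] = "refused"
    return status


def to_sqlite(records):
    """Load records into an in-memory table laid out like the dnsrecon --db file
    (serial, type, name, address, then four more columns). The column names
    below are assumed; only the column order comes from the SELECT output."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE data (serial INTEGER PRIMARY KEY AUTOINCREMENT,"
                " type TEXT, name TEXT, address TEXT, target TEXT, port TEXT,"
                " text TEXT, zt_dns TEXT)")
    for r in records:
        # TXT payloads are free text, everything else here carries an address.
        if r["type"] == "TXT":
            con.execute("INSERT INTO data (type, name, text) VALUES (?, ?, ?)",
                        (r["type"], r["name"], r["value"]))
        else:
            con.execute("INSERT INTO data (type, name, address) VALUES (?, ?, ?)",
                        (r["type"], r["name"], r["value"]))
    con.commit()
    return con


def count_by_type(con):
    """Count stored records per type with SQL, e.g. {'A': 1, 'AAAA': 1, ...}."""
    rows = con.execute("SELECT type, COUNT(*) FROM data GROUP BY type ORDER BY type")
    return dict(rows.fetchall())


if __name__ == "__main__":
    recs = parse_records(SAMPLE_OUTPUT)
    print(count_by_type(to_sqlite(recs)))
    print(axfr_status(SAMPLE_OUTPUT))
    print(parse_failures(SAMPLE_OUTPUT))
```

Feed it a real capture with `parse_records(open("run.txt").read())`; the distinction axfr_status draws matters when reviewing your own zone, since a server that answers on 53/TCP but refuses AXFR is configured as intended, whereas a filtered port says nothing about whether transfers are restricted.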

Reverse lookup

Issues PTR queries for every address in a range of IP addresses.

root@kali:~# dnsrecon -r 212.27.32.5-212.27.32.10
[*] Reverse Look-up of a Range
[*] Performing Reverse Lookup from 212.27.32.5 to 212.27.32.10
[*]     PTR pchd1-g14.proxad.net 212.27.32.7
[*]     PTR dnscache-1.proxad.net 212.27.32.5
[*]     PTR cdr7-g15.proxad.net 212.27.32.8
[*]     PTR dnscache-1.proxad.net 212.27.32.6
[*] 4 Records Found
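The -r option accepts the two formats listed in the help text, first-last and network/bitmask. The added Python example below (mine, not from the article or from DNSRecon) expands either form into the addresses a reverse sweep would query, shows the in-addr.arpa / ip6.arpa owner name each PTR query actually asks for, and rewrites a first-last range as CIDR blocks to show how the two formats relate. The 65536-address cap is a choice made here, not a dnsrecon setting; the sample ranges reuse the addresses from the page.

```python
import ipaddress

# Upper bound on how many addresses one expansion may produce, so a typo such
# as a /8 does not turn into millions of PTR queries (limit chosen here, not
# a dnsrecon setting).
MAX_ADDRESSES = 65536


def expand_range(spec, limit=MAX_ADDRESSES):
    """Expand a range written as 'first-last' or 'network/bits' (the two
    formats accepted by -r) into the list of addresses it covers, in order.
    Works for IPv4 and IPv6; raises ValueError on malformed or oversized input."""
    spec = spec.strip()
    if "/" in spec:
        # strict=False accepts a host bit set in the prefix, e.g. 212.27.32.5/29.
        net = ipaddress.ip_network(spec, strict=False)
        if net.num_addresses > limit:
            raise ValueError(f"{spec} covers {net.num_addresses} addresses (limit {limit})")
        # Network and broadcast addresses are included: a reverse sweep queries them too.
        return [str(addr) for addr in net]
    if "-" in spec:
        first_text, last_text = spec.split("-", 1)
        first = ipaddress.ip_address(first_text.strip())
        last = ipaddress.ip_address(last_text.strip())
        if first.version != last.version:
            raise ValueError("first and last address must be the same IP version")
        if last < first:
            raise ValueError("last address precedes first address")
        count = int(last) - int(first) + 1
        if count > limit:
            raise ValueError(f"{spec} covers {count} addresses (limit {limit})")
        # Rebuild each address with the same class as 'first' so IPv6 ranges stay
        # IPv6 (ipaddress.ip_address(int) would guess IPv4 for small integers).
        return [str(type(first)(int(first) + i)) for i in range(count)]
    raise ValueError("expected 'first-last' or 'network/bits'")


def ptr_names(spec):
    """The owner names a PTR query asks for, one per address in the range
    (reversed octets under in-addr.arpa for IPv4, reversed nibbles under ip6.arpa for IPv6)."""
    return [ipaddress.ip_address(a).reverse_pointer for a in expand_range(spec)]


def as_cidr(spec):
    """Rewrite a 'first-last' range as the minimal list of CIDR blocks."""
    first_text, last_text = spec.split("-", 1)
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first_text.strip()), ipaddress.ip_address(last_text.strip()))
    return [str(b) for b in blocks]


if __name__ == "__main__":
    print(expand_range("212.27.32.5-212.27.32.10"))
    print(as_cidr("212.27.32.5-212.27.32.10"))
    print(ptr_names("212.27.32.5-212.27.32.6"))
```

The first-last form on the page, 212.27.32.5-212.27.32.10, is not a single CIDR block; as_cidr shows it needs four, which is why dnsrecon offers both notations.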

Zonewalk

Tries to enumerate the zone's records by walking its DNSSEC NSEC chain, which only works if the zone is signed in a way that exposes its names.

root@kali:~# dnsrecon -d example.com -t zonewalk
[*] Performing NSEC Zone Walk for example.com
[*] Getting SOA record for example.com
[*] Name Server 199.4.28.26 will be used
[*]     A example.com 93.184.216.34
[*]     AAAA example.com 2606:2800:220:1:248:1893:25c8:1946
[*] 2 records found
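What the zonewalk mode exploits is a property of NSEC itself: each NSEC record names the next owner in the zone, so the chain of negative answers lists every name. The added Python example below (not from the article or from DNSRecon) simulates that walk over a constructed chain for an invented zone, example.test., so the mechanism can be seen without touching a live server, and adds the check a zone owner cares about: which names the walk reveals that were never meant to be public. The zone data is invented; the mitigation it points to, NSEC3 (RFC 5155), replaces owner names in the chain with salted hashes, which raises the cost of enumeration rather than eliminating it, since the hashes can still be attacked offline.

```python
# Constructed NSEC chain for a hypothetical zone "example.test." (invented data,
# not example.com's real records). An NSEC record at an owner name states two
# things: that owner exists (with the listed record types), and the next owner
# name in canonical order. The last record points back to the apex, closing
# the chain.
NSEC_CHAIN = {
    "example.test.":       ("admin.example.test.", ["A", "NS", "SOA", "TXT", "DNSKEY", "NSEC", "RRSIG"]),
    "admin.example.test.": ("mail.example.test.",  ["A", "NSEC", "RRSIG"]),
    "mail.example.test.":  ("www.example.test.",   ["A", "AAAA", "NSEC", "RRSIG"]),
    "www.example.test.":   ("example.test.",       ["A", "AAAA", "NSEC", "RRSIG"]),
}


def walk_nsec(chain, apex):
    """Follow the 'next name' pointers from the apex until the chain wraps back
    to it. Returns [(owner, [types]), ...] in zone order: everything the zone's
    own negative answers disclose. Raises ValueError on a broken or looping chain."""
    names, current = [], apex
    while True:
        if current not in chain:
            raise ValueError(f"chain broken: no NSEC record at {current}")
        next_name, types = chain[current]
        names.append((current, types))
        if next_name == apex:
            return names
        if any(owner == next_name for owner, _ in names):
            raise ValueError(f"chain loops back to {next_name} before reaching the apex")
        current = next_name


def unexpected_names(chain, apex, intended_public):
    """Zone owner's check: names the walk reveals that are not in the set of
    names meant to be public. A non-empty result is the signal to sign the
    zone with NSEC3 so the chain no longer spells out hostnames."""
    return [owner for owner, _ in walk_nsec(chain, apex)
            if owner not in intended_public]


if __name__ == "__main__":
    for owner, types in walk_nsec(NSEC_CHAIN, "example.test."):
        print(owner, " ".join(types))
    print(unexpected_names(NSEC_CHAIN, "example.test.",
                           {"example.test.", "www.example.test.", "mail.example.test."}))
```

On the page, the walk of example.com returned only the apex A and AAAA records, which is the outcome you want to see for your own zone: either the chain discloses nothing beyond what is already public, or the zone uses NSEC3 and there is no readable chain to follow.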

Checking the TLDs

root@kali:~# dnsrecon -d example.com -t tld
[*] Performing TLD Brute force Enumeration against example.com
[*] The operation could take up to: 00:01:06
[*]    A example.biz.af 103.56.100.33
[*]    A example.am 50.87.153.245
[*]    A example.com.ar 200.58.122.126
[*]    A example.as 199.73.55.35
[*]    A example.co.at 78.142.141.40
[*]    A example.biz.at 78.46.90.98
[*]    A example.com.au 98.124.245.24
[*]    A example.net.au 192.185.159.145
[*]    A example.co.ba 176.9.45.78
--SNiP--

This is nothing more or less than a domain-availability search: the TLD is stripped from the domain and the remaining label is resolved under every TLD registered with IANA.