Reminder:

Warning: in this article the tool is used for research and learning. This kind of tool must not be used against a server that does not belong to you; doing so can be punished by law (see articles 323-XX of the French Code pénal).

Test environment:

For this we will use a VM running the Kali distribution. DNSRecon is installed by default on Kali.

Usage:

The command and its options

root@kali:~# dnsrecon 
Version: 0.8.8
Usage: dnsrecon.py <options>

Options:
   -h, --help                  Show this help message and exit
   -d, --domain      <domain>  Domain to Target for enumeration.
   -r, --range       <range>   IP Range for reverse look-up brute force in formats (first-last)
                               or in (range/bitmask).
   -n, --name_server <name>    Domain server to use, if none is given the SOA of the
                               target will be used
   -D, --dictionary  <file>    Dictionary file of sub-domain and hostnames to use for
                               brute force.
   -f                          Filter out of Brute Force Domain lookup records that resolve to
                               the wildcard defined IP Address when saving records.
   -t, --type        <types>   Specify the type of enumeration to perform:
                               std      To Enumerate general record types, enumerates.
                                        SOA, NS, A, AAAA, MX and SRV if AXRF on the
                                        NS Servers fail.

                               rvl      To Reverse Look Up a given CIDR IP range.

                               brt      To Brute force Domains and Hosts using a given
                                        dictionary.

                               srv      To Enumerate common SRV Records for a given
                                        domain.

                               axfr     Test all NS Servers in a domain for misconfigured
                                        zone transfers.

                               goo      Perform Google search for sub-domains and hosts.

                               snoop    To Perform a Cache Snooping against all NS 
                                        servers for a given domain, testing all with
                                        file containing the domains, file given with -D
                                        option.

                               tld      Will remove the TLD of given domain and test against
                                        all TLD's registered in IANA

                               zonewalk Will perform a DNSSEC Zone Walk using NSEC Records.

   -a                          Perform AXFR with the standard enumeration.
   -s                          Perform Reverse Look-up of ipv4 ranges in the SPF Record of the
                               targeted domain with the standard enumeration.
   -g                          Perform Google enumeration with the standard enumeration.
   -w                          Do deep whois record analysis and reverse look-up of IP
                               ranges found thru whois when doing standard query.
   -z                          Performs a DNSSEC Zone Walk with the standard enumeration.
   --threads          <number> Number of threads to use in Range Reverse Look-up, Forward
                               Look-up Brute force and SRV Record Enumeration
   --lifetime         <number> Time to wait for a server to response to a query.
   --db               <file>   SQLite 3 file to save found records.
   --xml              <file>   XML File to save found records.
   --iw                        Continua bruteforcing a domain even if a wildcard record resolution is 
                               discovered.
   -c, --csv          <file>   Comma separated value file.
   -j, --json         <file>   JSON file.
   -v                          Show attempts in the bruteforce modes.

The command by example

root@kali:~# dnsrecon -t std -d example.com
[*] Performing General Enumeration of Domain:
[*] DNSSEC is configured for example.com
[*] DNSKEYs:
[*] 	NSEC ZSK RSASHA256 03010001963ba957655b761dac86aebe ee9bc4f388a7a6bbbfcaaebc103083aa f345ab8585031b5f2a32c8551267b95a 7d459751c6683d972979f67a718d7fa1 
[*] 	NSEC KSk RSASHA256 03010001b38503197e2e4b7450c82566 2cca102d40c54bbcce58fae4a61ab51e 7005632b875f136332bf8a0e98d6de58 4d608eebc6f29e8ae9
[*] 	 SOA sns.dns.icann.org 199.4.28.26
[*] 	 NS b.iana-servers.net 199.43.133.53
[*] 	 Bind Version for 199.43.133.53 9.9.7-P2
[*] 	 NS b.iana-servers.net 2001:500:8d::53
[*] 	 Bind Version for 2001:500:8d::53 9.9.7-P2
[*] 	 NS a.iana-servers.net 199.43.132.53
[*] 	 Bind Version for 199.43.132.53 host
[*] 	 NS a.iana-servers.net 2001:500:8c::53
[*] 	 Bind Version for 2001:500:8c::53 host
[-] Could not Resolve MX Records for example.com
[*] 	 A example.com 93.184.216.34
[*] 	 AAAA example.com 2606:2800:220:1:248:1893:25c8:1946
[*] 	 TXT example.com $Id: example.com 4415 2015-08-24 20:12:23Z davids $
[*] 	 TXT example.com v=spf1 -all
[*] Enumerating SRV Records
[-] No SRV Records Found for example.com
[*] 0 Records Found

Here we ask DNSRecon for the standard record types (SOA, NS, A, AAAA, MX and SRV) of the domain example.com. This mode also fetches the DNSKEY records (hence the DNSSEC lines at the top) and the TXT records, and asks each name server for its BIND version through the version.bind CHAOS TXT query; an answer such as "host" means the operator has overridden the version string, which is good practice. The NSEC tag in front of the keys tells us the zone is signed with NSEC rather than NSEC3, which matters for the zone walk further down.

By brute force

Brute force mode takes a file of hostnames (one per line), prefixes each of them to the target domain and resolves the result; here the dictionary contains a single entry, www. On a zone with a wildcard record every candidate resolves and the hits are noise: -f drops records that resolve to the wildcard address when saving, and --iw carries on brute forcing even after a wildcard has been detected.

root@kali:~# echo "www" > enreg.txt
root@kali:~# dnsrecon -d example.com -t brt -D enreg.txt                                                                
[*] Performing host and subdomain brute force against example.com
[*]      A www.example.com 93.184.216.34
[*]      AAAA www.example.com 2606:2800:220:1:248:1893:25c8:1946
[*] 2 Records Found
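As an added example (this is not dnsrecon's own code), the following Python reproduces the logic of the brt mode together with the wildcard handling behind -f: it first resolves a random label under the domain; if that resolves, the zone has a wildcard and every candidate that answers with the same addresses is discarded. The resolver is injectable, so the block runs offline against a constructed record set (the example.com answers above plus a made-up lab.example zone with a wildcard pointing at 10.0.0.9, both assumptions); stdlib_resolve does real lookups through the system resolver.

```python
"""Wildcard-aware hostname brute force (added example, not dnsrecon's code)."""
import random
import socket
import string
from typing import Callable, Dict, List, Set

Resolver = Callable[[str], Set[str]]   # name -> set of A/AAAA addresses (empty on NXDOMAIN)


def stdlib_resolve(name: str) -> Set[str]:
    """Real resolver using the system stub resolver; returns all A/AAAA addresses."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def random_label(length: int = 12) -> str:
    """A label no dictionary will contain, used to probe for a wildcard record."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(random.choice(alphabet) for _ in range(length))


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 2) -> Set[str]:
    """Addresses a wildcard record answers with, or an empty set when there is none."""
    seen: Set[str] = set()
    for _ in range(probes):
        seen |= resolve(f"{random_label()}.{domain}")
    return seen


def brute_force(domain: str, words: List[str], resolve: Resolver,
                filter_wildcard: bool = True) -> Dict[str, List[str]]:
    """Resolve word.domain for every word; drop wildcard noise unless asked to keep it."""
    wildcard = detect_wildcard(domain, resolve)
    found: Dict[str, List[str]] = {}
    for word in words:
        fqdn = f"{word.strip()}.{domain}"
        addrs = resolve(fqdn)
        if not addrs:
            continue
        if filter_wildcard and wildcard and addrs <= wildcard:
            continue   # same answer as the wildcard: no evidence the name really exists
        found[fqdn] = sorted(addrs)
    return found


# Constructed record set for the offline demo (assumptions, not captured data): the
# example.com answers seen above plus a made-up lab.example zone with a wildcard on 10.0.0.9.
CONSTRUCTED_RECORDS = {
    "www.example.com": {"93.184.216.34", "2606:2800:220:1:248:1893:25c8:1946"},
    "www.lab.example": {"10.0.0.9"},     # real host that shares the wildcard address
    "mail.lab.example": {"10.0.0.25"},   # real host with its own address: survives the filter
}
WILDCARD_ZONE, WILDCARD_ADDRS = "lab.example", {"10.0.0.9"}


def fake_resolve(name: str) -> Set[str]:
    """Offline stand-in for stdlib_resolve, answering from the constructed records."""
    if name in CONSTRUCTED_RECORDS:
        return set(CONSTRUCTED_RECORDS[name])
    if name.endswith("." + WILDCARD_ZONE):
        return set(WILDCARD_ADDRS)
    return set()


if __name__ == "__main__":
    words = ["www", "mail", "ftp"]
    print(brute_force("example.com", words, fake_resolve))
    print(brute_force("lab.example", words, fake_resolve))
    print(brute_force("lab.example", words, fake_resolve, filter_wildcard=False))
```

Against the constructed lab.example zone only mail.lab.example is reported: www.lab.example answers with the wildcard address and cannot be told apart from noise. That is the inherent limit of filtering on the wildcard address, whether here or with -f: a real host parked behind the same address is hidden as well.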

Writing the output to a SQLite3 database

With --db every record found is stored in a single table, data; the empty trailing columns hold fields other record types use (for example the target and port of SRV records).

root@kali:~# dnsrecon -d example.com -t brt -D enreg.txt --db sql3
[*] Performing host and subdomain brute force against example.com
[*]      A www.example.com 93.184.216.34
[*]      AAAA www.example.com 2606:2800:220:1:248:1893:25c8:1946
[*] 2 Records Found
[*] Saving records to SQLite3 file: sql3

root@kali:~# sqlite3 sql3
SQLite version 3.7.16.2 2013-04-12 11:52:43
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .tables
data
sqlite> SELECT * FROM data;
1|A|www.example.com|93.184.216.34||||
2|AAAA|www.example.com|2606:2800:220:1:248:1893:25c8:1946||||
sqlite>

Testing zone transfers

A zone transfer (AXFR) is how secondary name servers replicate a zone from the primary; it must be restricted to those secondaries, because a server that answers AXFR to anyone hands over the complete list of hosts in the zone. With -a, DNSRecon tries an AXFR against every NS of the domain before running the standard enumeration (in this version the check shows up twice in the output). Here every IPv4 server accepts connections on TCP/53 but refuses the transfer, which is the expected result; the IPv6 servers show as filtered, which is most likely a lack of IPv6 connectivity from the lab VM rather than a setting on the servers.

root@kali:~# dnsrecon -d example.com -a
[*] Performing General Enumeration of Domain: example.com
[*] Checking for Zone Transfer for example.com name servers
[*] Resolving SOA Record
[*] 	 SOA sns.dns.icann.org 199.4.28.26
[*] Resolving NS Records
[*] NS Servers found:
[*] 	NS a.iana-servers.net 199.43.132.53
[*] 	NS a.iana-servers.net 2001:500:8c::53
[*] 	NS b.iana-servers.net 199.43.133.53
[*] 	NS b.iana-servers.net 2001:500:8d::53
[*] Removing any duplicate NS server IP Addresses...
[*]  
[*] Trying NS server 199.4.28.26
[*] 199.4.28.26 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-] 
[*]  
[*] Trying NS server 199.43.133.53
[*] 199.43.133.53 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-] 
[*]  
[*] Trying NS server 199.43.132.53
[*] 199.43.132.53 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-] 
[*]  
[*] Trying NS server 2001:500:8d::53
[-] Zone Transfer Failed for 2001:500:8d::53!
[-] Port 53 TCP is being filtered
[*]  
[*] Trying NS server 2001:500:8c::53
[-] Zone Transfer Failed for 2001:500:8c::53!
[-] Port 53 TCP is being filtered
[*] Checking for Zone Transfer for example.com name servers
[*] Resolving SOA Record
[*] 	 SOA sns.dns.icann.org 199.4.28.26
[*] Resolving NS Records
[*] NS Servers found:
[*] 	NS a.iana-servers.net 199.43.132.53
[*] 	NS a.iana-servers.net 2001:500:8c::53
[*] 	NS b.iana-servers.net 199.43.133.53
[*] 	NS b.iana-servers.net 2001:500:8d::53
[*] Removing any duplicate NS server IP Addresses...
[*]  
[*] Trying NS server 199.4.28.26
[*] 199.4.28.26 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-] 
[*]  
[*] Trying NS server 199.43.133.53
[*] 199.43.133.53 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-] 
[*]  
[*] Trying NS server 199.43.132.53
[*] 199.43.132.53 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-] 
[*]  
[*] Trying NS server 2001:500:8d::53
[-] Zone Transfer Failed for 2001:500:8d::53!
[-] Port 53 TCP is being filtered
[*]  
[*] Trying NS server 2001:500:8c::53
[-] Zone Transfer Failed for 2001:500:8c::53!
[-] Port 53 TCP is being filtered
[*] DNSSEC is configured for example.com
[*] DNSKEYs:
[*] 	NSEC KSk RSASHA256 03010001b38503197e2e4b7450c82566 2cca102d40c54bbcce58fae4a61ab51e 7005632b875f136332bf8a0e98d6de58 4d608eebc6f29e8ae936ef5fa8d1402d 7edb565f7f8326c0d2fd04845f9d8179 a851f457ee4b0c1a006fb5f6b6fd8f5a de495734baa44eccc84383c43150a3b6 bca5d7d05ef7f3e415e0bd2138e03114 2c421981dfd7b23189da97e7f76d4c4a 9387eaedcb8453475b469b9ee07fcdea 33ee71758ec22300913261821aa0cbea 3d15f229fad47f7a629aa3de3fc29557 0dc3dfe41d7c8fbc73d92bd34f18aea8 2cc232db319e29191dca21d63e20f98d 41f3320c22fac433ea591a187f62e7f8 47008181a6028bd86988c595bd2e1607 3c74fe55
[*] 	NSEC ZSK RSASHA256 03010001963ba957655b761dac86aebe ee9bc4f388a7a6bbbfcaaebc103083aa f345ab8585031b5f2a32c8551267b95a 7d459751c6683d972979f67a718d7fa1 c76fbf349cae43d265c9558dd5792c3c 0fbd213af4b99fb7face8491e2e80f06 2b374506aba404fb2be5c01d2a5518b1 0a615f734b363b3128263d01919e20fc fdc9cf7f1badd7
[*] 	 SOA sns.dns.icann.org 199.4.28.26
[*] 	 NS b.iana-servers.net 199.43.133.53
[*] 	 Bind Version for 199.43.133.53 9.9.7-P2
[*] 	 NS b.iana-servers.net 2001:500:8d::53
[*] 	 Bind Version for 2001:500:8d::53 9.9.7-P2
[*] 	 NS a.iana-servers.net 199.43.132.53
[*] 	 Bind Version for 199.43.132.53 host
[*] 	 NS a.iana-servers.net 2001:500:8c::53
[*] 	 Bind Version for 2001:500:8c::53 host
[-] Could not Resolve MX Records for example.com
[*] 	 A example.com 93.184.216.34
[*] 	 AAAA example.com 2606:2800:220:1:248:1893:25c8:1946
[*] 	 TXT example.com v=spf1 -all
[*] 	 TXT example.com $Id: example.com 4415 2015-08-24 20:12:23Z davids $
[*] Enumerating SRV Records
[-] No SRV Records Found for example.com
[*] 0 Records Found
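To show what the tool is actually doing at the protocol level, here is an added example (not dnsrecon's code) that builds a raw AXFR query, sends it over TCP/53 with the two-byte length prefix the protocol requires, and parses the answer records until the SOA appears a second time, which marks the end of the transfer. The transport is injectable: the block runs offline against two constructed replies (a permissive server leaking SOA, A, SOA, and a REFUSED answer like the one the servers above gave); tcp_send talks to a real server. The SOA contents of the constructed reply are assumptions, not captured traffic.

```python
"""Raw AXFR request over TCP (added example, not dnsrecon's code)."""
import socket
import struct
from typing import Callable, Iterable, List, Tuple

QTYPE_AXFR = 252
TYPE_A, TYPE_SOA = 1, 6
TYPE_NAMES = {1: "A", 2: "NS", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV"}
Record = Tuple[str, str, str]                 # (owner, type, value)
Sender = Callable[[bytes], Iterable[bytes]]   # query -> stream of DNS messages


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """Header (one question, no flags) + question: zone, QTYPE=AXFR, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1)


def read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped = [], 0, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off, jumped = ((length & 0x3F) << 8) | msg[off + 1], True
            continue
        if length == 0:
            return ".".join(labels), (end if jumped else off + 1)
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_answers(msg: bytes) -> Tuple[int, List[Record]]:
    """Return (RCODE, answer records); A rdata is decoded, other rdata is kept as hex."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    records: List[Record] = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        value = ".".join(str(b) for b in rdata) if rtype == TYPE_A and rdlen == 4 else rdata.hex()
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), value))
    return flags & 0xF, records


def tcp_send(server: str, query: bytes, timeout: float = 5.0) -> Iterable[bytes]:
    """Real transport: TCP/53, 2-byte length prefix on every message; yields each reply message."""
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        stream = sock.makefile("rb")
        while True:
            header = stream.read(2)
            if len(header) < 2:
                return
            body = stream.read(struct.unpack("!H", header)[0])
            if not body:
                return
            yield body


def zone_transfer(zone: str, send: Sender) -> Tuple[int, List[Record]]:
    """Request AXFR and collect records until the SOA is seen twice (end of transfer)."""
    rcode, records, soa_count = 0, [], 0
    for msg in send(build_axfr_query(zone)):
        rcode, answers = parse_answers(msg)
        if rcode != 0:                                 # 5 = REFUSED on a correctly restricted NS
            break
        for rec in answers:
            records.append(rec)
            soa_count += rec[1] == "SOA"
            if soa_count == 2:
                return rcode, records
    return rcode, records


def _rr(owner: bytes, rtype: int, rdata: bytes, ttl: int = 3600) -> bytes:
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


# Constructed replies for the offline demo (assumed content, not captured traffic).
_APEX = b"\xc0\x0c"   # compression pointer to the question name at offset 12
_QUESTION = encode_name("example.com") + struct.pack("!HH", QTYPE_AXFR, 1)
_SOA = (encode_name("sns.dns.icann.org") + encode_name("noc.dns.icann.org")
        + struct.pack("!IIIII", 2015082402, 7200, 3600, 1209600, 3600))
CONSTRUCTED_OPEN_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0) + _QUESTION
                          + _rr(_APEX, TYPE_SOA, _SOA)
                          + _rr(b"\x03www" + _APEX, TYPE_A, bytes([93, 184, 216, 34]))
                          + _rr(_APEX, TYPE_SOA, _SOA))
CONSTRUCTED_REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0) + _QUESTION


def open_send(query: bytes) -> Iterable[bytes]:
    yield CONSTRUCTED_OPEN_REPLY


def refused_send(query: bytes) -> Iterable[bytes]:
    yield CONSTRUCTED_REFUSED_REPLY


if __name__ == "__main__":
    print(zone_transfer("example.com", refused_send))   # what the servers above answered
    print(zone_transfer("example.com", open_send))      # what a misconfigured server leaks
```

For a live check, pass functools.partial(tcp_send, "199.43.133.53") as the sender; an RCODE of 5 (REFUSED) or a connection refused on TCP/53 is the answer you want to see from a server you are responsible for.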

Note:
It does not show in my screen captures, but the bracketed prefixes at the start of each line are colour-coded:

[*] : standard tool output.
[+] : check OK.
[-] : check KO.

Reverse lookup

Performs PTR queries over a range of IP addresses, given either as first-last or in CIDR notation. PTR records are published by whoever controls the reverse zone of the address block, so they can be stale or deliberately uninformative; note that two addresses of this range answer with the same name.

root@kali:~# dnsrecon -r 212.27.32.5-212.27.32.10
[*] Reverse Look-up of a Range
[*] Performing Reverse Lookup from 212.27.32.5 to 212.27.32.10
[*] 	 PTR pchd1-g14.proxad.net 212.27.32.7
[*] 	 PTR dnscache-1.proxad.net 212.27.32.5
[*] 	 PTR cdr7-g15.proxad.net 212.27.32.8
[*] 	 PTR dnscache-1.proxad.net 212.27.32.6
[*] 4 Records Found

Zonewalk

Attempts to enumerate every name in the zone when DNSSEC is deployed with NSEC records. Each NSEC record names the next owner in canonical order (this is the mechanism resolvers use to validate negative answers), so following the chain from the apex lists the whole zone. It is a "misconfiguration" only in the sense that the operator could have chosen NSEC3, which replaces names with hashes and defeats this walk. example.com is signed with NSEC, and here the walk comes back with only the apex A and AAAA records.

root@kali:~# dnsrecon -d example.com -t zonewalk
[*] Performing NSEC Zone Walk for example.com
[*] Getting SOA record for example.com
[*] Name Server 199.4.28.26 will be used
[*] 	 A example.com 93.184.216.34
[*] 	 AAAA example.com 2606:2800:220:1:248:1893:25c8:1946
[*] 2 records found
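The walk itself is short enough to show in full. The following added example (not dnsrecon's code) follows the NSEC chain from the apex using RFC 4034 canonical ordering to detect the wrap-around, and also implements the other side of the coin, nsec_covers, which is the check a validating resolver performs to accept an NXDOMAIN proof. The lookup is injectable: the block runs offline against a constructed three-name chain (assumed content, not the real example.com zone); dnspython_lookup does real NSEC queries and assumes dnspython 2.x is installed.

```python
"""NSEC chain walk and nonexistence proofs (added example, not dnsrecon's code)."""
from typing import Callable, List, Optional, Tuple

NsecLookup = Callable[[str], Optional[Tuple[str, List[str]]]]  # owner -> (next owner, types)


def canonical_key(name: str) -> Tuple[bytes, ...]:
    """RFC 4034 canonical ordering: labels compared right to left, case-insensitively."""
    return tuple(label.lower().encode("ascii") for label in reversed(name.rstrip(".").split(".")))


def nsec_covers(owner: str, next_name: str, name: str) -> bool:
    """True when the NSEC record owner -> next_name proves that `name` is not in the zone."""
    o, n, x = canonical_key(owner), canonical_key(next_name), canonical_key(name)
    if n <= o:                       # last NSEC of the chain wraps around to the apex
        return x > o or x < n
    return o < x < n


def walk_zone(apex: str, lookup: NsecLookup,
              max_steps: int = 100000) -> Tuple[List[Tuple[str, List[str]]], str]:
    """Follow the NSEC chain from the apex; every step reveals one owner name and its types."""
    names: List[Tuple[str, List[str]]] = []
    current = apex
    for _ in range(max_steps):
        rec = lookup(current)
        if rec is None:
            return names, f"no NSEC record at {current}: zone unsigned or using NSEC3"
        next_name, types = rec
        names.append((current, types))
        if canonical_key(next_name) <= canonical_key(current):
            return names, "chain wrapped back to the apex: zone fully enumerated"
        current = next_name
    return names, "step limit reached"


def dnspython_lookup(name: str) -> Optional[Tuple[str, List[str]]]:
    """Real lookup (assumes dnspython >= 2.0): NSEC is an ordinary record type you can query."""
    import dns.exception
    import dns.resolver
    try:
        rdata = dns.resolver.resolve(name, "NSEC")[0]
    except dns.exception.DNSException:
        return None
    parts = rdata.to_text().split()          # "next.owner. TYPE TYPE ..."
    return parts[0].rstrip("."), parts[1:]


# Constructed chain for the offline demo (assumed zone content, not the real example.com zone).
CONSTRUCTED_NSEC = {
    "example.com": ("mail.example.com", ["A", "NS", "SOA", "TXT", "AAAA", "RRSIG", "NSEC", "DNSKEY"]),
    "mail.example.com": ("www.example.com", ["A", "RRSIG", "NSEC"]),
    "www.example.com": ("example.com", ["A", "AAAA", "RRSIG", "NSEC"]),
}


def fake_lookup(name: str) -> Optional[Tuple[str, List[str]]]:
    """Offline stand-in for dnspython_lookup."""
    return CONSTRUCTED_NSEC.get(name)


if __name__ == "__main__":
    found, status = walk_zone("example.com", fake_lookup)
    for owner, types in found:
        print(owner, " ".join(types))
    print(status)
    print(nsec_covers("mail.example.com", "www.example.com", "ns1.example.com"))
```

A zone signed with NSEC3 answers these queries with hashed owner names, so lookup returns nothing usable and the walk stops at the first step; that is exactly why the help text above says this mode works "using NSEC Records".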

Checking TLDs

root@kali:~# dnsrecon -d example.com -t tld
[*] Performing TLD Brute force Enumeration against example.com
[*] The operation could take up to: 00:01:06
[*] 	 A example.biz.af 103.56.100.33
[*] 	 A example.am 50.87.153.245
[*] 	 A example.com.ar 200.58.122.126
[*] 	 A example.as 199.73.55.35
[*] 	 A example.co.at 78.142.141.40
[*] 	 A example.biz.at 78.46.90.98
[*] 	 A example.com.au 98.124.245.24
[*] 	 A example.net.au 192.185.159.145
[*] 	 A example.co.ba 176.9.45.78
--SNiP--

This is nothing more than a domain-availability search: the tool strips the TLD from the domain and tries the remaining label under every TLD registered with IANA, including common second-level suffixes such as com.ar or co.at. None of these hits belong to the operator of example.com; the mode is useful for spotting look-alike or typosquatting registrations of a brand.