Reminder:
Note that in this article the tool is used for research and learning.
This kind of tool must not be used against a server that does not belong to you; doing so may be punished by law (see articles 323-XX).
Test environment:
For this we use a VM running the Kali distribution.
DNSRecon is installed by default on Kali.
Usage:
The command and its options
root@kali:~# dnsrecon
Version: 0.8.8
Usage: dnsrecon.py <options>

Options:
   -h, --help                  Show this help message and exit
   -d, --domain      <domain>  Domain to Target for enumeration.
   -r, --range       <range>   IP Range for reverse look-up brute force in formats (first-last)
                               or in (range/bitmask).
   -n, --name_server <name>    Domain server to use, if none is given the SOA of the
                               target will be used
   -D, --dictionary  <file>    Dictionary file of sub-domain and hostnames to use for
                               brute force.
   -f                          Filter out of Brute Force Domain lookup records that resolve to
                               the wildcard defined IP Address when saving records.
   -t, --type        <types>   Specify the type of enumeration to perform:
                               std      To Enumerate general record types, enumerates.
                                        SOA, NS, A, AAAA, MX and SRV if AXRF on the
                                        NS Servers fail.
                               rvl      To Reverse Look Up a given CIDR IP range.
                               brt      To Brute force Domains and Hosts using a given
                                        dictionary.
                               srv      To Enumerate common SRV Records for a given
                                        domain.
                               axfr     Test all NS Servers in a domain for misconfigured
                                        zone transfers.
                               goo      Perform Google search for sub-domains and hosts.
                               snoop    To Perform a Cache Snooping against all NS
                                        servers for a given domain, testing all with
                                        file containing the domains, file given with -D
                                        option.
                               tld      Will remove the TLD of given domain and test against
                                        all TLD's registered in IANA
                               zonewalk Will perform a DNSSEC Zone Walk using NSEC Records.
   -a                          Perform AXFR with the standard enumeration.
   -s                          Perform Reverse Look-up of ipv4 ranges in the SPF Record of the
                               targeted domain with the standard enumeration.
   -g                          Perform Google enumeration with the standard enumeration.
   -w                          Do deep whois record analysis and reverse look-up of IP
                               ranges found thru whois when doing standard query.
   -z                          Performs a DNSSEC Zone Walk with the standard enumeration.
   --threads         <number>  Number of threads to use in Range Reverse Look-up, Forward
                               Look-up Brute force and SRV Record Enumeration
   --lifetime        <number>  Time to wait for a server to response to a query.
   --db              <file>    SQLite 3 file to save found records.
   --xml             <file>    XML File to save found records.
   --iw                        Continua bruteforcing a domain even if a wildcard record resolution is
                               discovered.
   -c, --csv         <file>    Comma separated value file.
   -j, --json        <file>    JSON file.
   -v                          Show attempts in the bruteforce modes.
The command by example
root@kali:~# dnsrecon -t std -d example.com
[*] Performing General Enumeration of Domain:
[*] DNSSEC is configured for example.com
[*] DNSKEYs:
[ * ] NSEC ZSK RSASHA256 03010001 963 ba957655b761dac86aebe ee9bc4f388a7a6bbbfcaaebc103083aa f345ab8585031b5f2a32c8551267b95a 7 d459751c6683d972979f67a718d7fa1
[ * ] NSEC KSk RSASHA256 03010001 b38503197e2e4b7450c82566 2 cca102d40c54bbcce58fae4a61ab51e 7005632 b875f136332bf8a0e98d6de58 4 d608eebc6f29e8ae9
[*] SOA sns.dns.icann.org 199.4.28.26
[*] NS b.iana-servers.net 199.43.133.53
[*] Bind Version for 199.43.133.53 9.9.7-P2
[*] NS b.iana-servers.net 2001:500:8d::53
[*] Bind Version for 2001:500:8d::53 9.9.7-P2
[*] NS a.iana-servers.net 199.43.132.53
[*] Bind Version for 199.43.132.53 host
[*] NS a.iana-servers.net 2001:500:8c::53
[*] Bind Version for 2001:500:8c::53 host
[-] Could not Resolve MX Records for example.com
[*] A example.com 93.184.216.34
[*] AAAA example.com 2606:2800:220:1:248:1893:25c8:1946
[*] TXT example.com $Id: example.com 4415 2015-08-24 20:12:23Z davids $
[*] TXT example.com v=spf1 -all
[*] Enumerating SRV Records
[-] No SRV Records Found for example.com
[*] 0 Records Found
Here we ask DNSRecon to look up the standard record types (SOA, A, NS, AAAA, MX, SRV) for the domain example.com.
By brute force
Brute forcing works from a file containing the hostnames to try.
root@kali:~# echo "www" > enreg.txt
root@kali:~# dnsrecon -d example.com -t brt -D enreg.txt
[*] Performing host and subdomain brute force against example.com
[*] A www.example.com 93.184.216.34
[*] AAAA www.example.com 2606:2800:220:1:248:1893:25c8:1946
[*] 2 Records Found
Writing the command output to an SQLite3 database
root@kali:~# dnsrecon -d example.com -t brt -D enreg.txt --db sql3
[*] Performing host and subdomain brute force against example.com
[*] A www.example.com 93.184.216.34
[*] AAAA www.example.com 2606:2800:220:1:248:1893:25c8:1946
[*] 2 Records Found
[*] Saving records to SQLite3 file: sql3
root@kali:~# sqlite3 sql3
SQLite version 3.7.16.2 2013-04-12 11:52:43
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .tables
data
sqlite> SELECT * FROM data;
1|A|www.example.com|93.184.216.34||||
2|AAAA|www.example.com|2606:2800:220:1:248:1893:25c8:1946||||
sqlite>
Testing zone transfers
root@kali:~# dnsrecon -d example.com -a
[*] Performing General Enumeration of Domain: example.com
[*] Checking for Zone Transfer for example.com name servers
[*] Resolving SOA Record
[*] SOA sns.dns.icann.org 199.4.28.26
[*] Resolving NS Records
[*] NS Servers found:
[*] NS a.iana-servers.net 199.43.132.53
[*] NS a.iana-servers.net 2001:500:8c::53
[*] NS b.iana-servers.net 199.43.133.53
[*] NS b.iana-servers.net 2001:500:8d::53
[*] Removing any duplicate NS server IP Addresses...
[*]
[*] Trying NS server 199.4.28.26
[*] 199.4.28.26 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-]
[*]
[*] Trying NS server 199.43.133.53
[*] 199.43.133.53 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-]
[*]
[*] Trying NS server 199.43.132.53
[*] 199.43.132.53 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-]
[*]
[*] Trying NS server 2001:500:8d::53
[-] Zone Transfer Failed for 2001:500:8d::53!
[-] Port 53 TCP is being filtered
[*]
[*] Trying NS server 2001:500:8c::53
[-] Zone Transfer Failed for 2001:500:8c::53!
[-] Port 53 TCP is being filtered
[*] Checking for Zone Transfer for example.com name servers
[*] Resolving SOA Record
[*] SOA sns.dns.icann.org 199.4.28.26
[*] Resolving NS Records
[*] NS Servers found:
[*] NS a.iana-servers.net 199.43.132.53
[*] NS a.iana-servers.net 2001:500:8c::53
[*] NS b.iana-servers.net 199.43.133.53
[*] NS b.iana-servers.net 2001:500:8d::53
[*] Removing any duplicate NS server IP Addresses...
[*]
[*] Trying NS server 199.4.28.26
[*] 199.4.28.26 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-]
[*]
[*] Trying NS server 199.43.133.53
[*] 199.43.133.53 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-]
[*]
[*] Trying NS server 199.43.132.53
[*] 199.43.132.53 Has port 53 TCP Open
[-] Zone Transfer Failed!
[-]
[*]
[*] Trying NS server 2001:500:8d::53
[-] Zone Transfer Failed for 2001:500:8d::53!
[-] Port 53 TCP is being filtered
[*]
[*] Trying NS server 2001:500:8c::53
[-] Zone Transfer Failed for 2001:500:8c::53!
[-] Port 53 TCP is being filtered
[*] DNSSEC is configured for example.com
[*] DNSKEYs:
[ * ] NSEC KSk RSASHA256 03010001 b38503197e2e4b7450c82566 2 cca102d40c54bbcce58fae4a61ab51e 7005632 b875f136332bf8a0e98d6de58 4 d608eebc6f29e8ae936ef5fa8d1402d 7 edb565f7f8326c0d2fd04845f9d8179 a851f457ee4b0c1a006fb5f6b6fd8f5a de495734baa44eccc84383c43150a3b6 bca5d7d05ef7f3e415e0bd2138e03114 2 c421981dfd7b23189da97e7f76d4c4a 9387 eaedcb8453475b469b9ee07fcdea 33 ee71758ec22300913261821aa0cbea 3 d15f229fad47f7a629aa3de3fc29557 0 dc3dfe41d7c8fbc73d92bd34f18aea8 2 cc232db319e29191dca21d63e20f98d 41 f3320c22fac433ea591a187f62e7f8 47008181 a6028bd86988c595bd2e1607 3 c74fe55
[ * ] NSEC ZSK RSASHA256 03010001 963 ba957655b761dac86aebe ee9bc4f388a7a6bbbfcaaebc103083aa f345ab8585031b5f2a32c8551267b95a 7 d459751c6683d972979f67a718d7fa1 c76fbf349cae43d265c9558dd5792c3c 0 fbd213af4b99fb7face8491e2e80f06 2 b374506aba404fb2be5c01d2a5518b1 0 a615f734b363b3128263d01919e20fc fdc9cf7f1badd7
[*] SOA sns.dns.icann.org 199.4.28.26
[*] NS b.iana-servers.net 199.43.133.53
[*] Bind Version for 199.43.133.53 9.9.7-P2
[*] NS b.iana-servers.net 2001:500:8d::53
[*] Bind Version for 2001:500:8d::53 9.9.7-P2
[*] NS a.iana-servers.net 199.43.132.53
[*] Bind Version for 199.43.132.53 host
[*] NS a.iana-servers.net 2001:500:8c::53
[*] Bind Version for 2001:500:8c::53 host
[-] Could not Resolve MX Records for example.com
[*] A example.com 93.184.216.34
[*] AAAA example.com 2606:2800:220:1:248:1893:25c8:1946
[*] TXT example.com v=spf1 -all
[*] TXT example.com $Id: example.com 4415 2015-08-24 20:12:23Z davids $
[*] Enumerating SRV Records
[-] No SRV Records Found for example.com
[*] 0 Records Found
Note:
It does not show in my screen captures, but the bracketed prefixes at the start of each line are colour-coded:
[*]: standard text from the tool.
[*]: check OK.
[-]: check KO.
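As an added example (not part of the original article and not DNSRecon's own code), the following Python parser turns the console output shown in the standard enumeration and zone-transfer sections into structured records plus an AXFR status per name server, so that someone running the tool against their own domain can flag a server that still allows zone transfers. The sample output is constructed from the lines above; the success message "Zone Transfer was successful!!" is assumed wording for the case the article never shows.

```python
import re
from collections import defaultdict

# Constructed sample of dnsrecon stdout, modelled on the output shown in the
# article (standard enumeration with -a). The "successful" line is assumed.
SAMPLE_OUTPUT = """\
[*] Performing General Enumeration of Domain: example.com
[*] Checking for Zone Transfer for example.com name servers
[*] NS a.iana-servers.net 199.43.132.53
[*] NS b.iana-servers.net 199.43.133.53
[*] Trying NS server 199.43.133.53
[*] 199.43.133.53 Has port 53 TCP Open
[-] Zone Transfer Failed!
[*] Trying NS server 199.43.132.53
[*] 199.43.132.53 Has port 53 TCP Open
[*] Zone Transfer was successful!!
[*] Trying NS server 2001:500:8d::53
[-] Zone Transfer Failed for 2001:500:8d::53!
[-] Port 53 TCP is being filtered
[*] SOA sns.dns.icann.org 199.4.28.26
[*] A example.com 93.184.216.34
[*] AAAA example.com 2606:2800:220:1:248:1893:25c8:1946
[*] TXT example.com v=spf1 -all
[*] 0 Records Found
"""

# "[*] <TYPE> <name> <data>" lines carry the discovered records.
RECORD_RE = re.compile(r"^\[\*\]\s+(SOA|NS|A|AAAA|MX|TXT|PTR|SRV)\s+(\S+)\s+(.+)$")
TRYING_RE = re.compile(r"^\[\*\]\s+Trying NS server\s+(\S+)$")

def parse_dnsrecon(text):
    """Return (records, axfr): records is a list of (type, name, data) tuples,
    axfr maps each NS IP tried to 'allowed', 'refused', 'filtered' or 'unknown'."""
    records, axfr, current = [], {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = TRYING_RE.match(line)
        if m:                       # a new "Trying NS server" block starts
            current = m.group(1)
            axfr[current] = "unknown"
            continue
        if current is not None:     # status lines that follow the "Trying" line;
            if "Port 53 TCP is being filtered" in line:   # a later line overrides
                axfr[current] = "filtered"; continue      # the earlier "Failed"
            if "Zone Transfer Failed" in line:
                axfr[current] = "refused"; continue
            if "Zone Transfer was successful" in line:
                axfr[current] = "allowed"; continue
        m = RECORD_RE.match(line)
        if m:
            records.append((m.group(1), m.group(2), m.group(3).strip()))
    return records, axfr

def summarize(text):
    """Counts per record type and the list of servers that allowed AXFR."""
    records, axfr = parse_dnsrecon(text)
    by_type = defaultdict(int)
    for rtype, _, _ in records:
        by_type[rtype] += 1
    open_axfr = sorted(ns for ns, status in axfr.items() if status == "allowed")
    return {"by_type": dict(by_type), "axfr": axfr, "open_axfr": open_axfr}
```

A non-empty `open_axfr` list is the finding to act on: restrict zone transfers on that server to its secondaries.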
Reverse lookup
Issues PTR queries over a range of IP addresses.
root@kali:~# dnsrecon -r 212.27.32.5-212.27.32.10
[*] Reverse Look-up of a Range
[*] Performing Reverse Lookup from 212.27.32.5 to 212.27.32.10
[*] PTR pchd1-g14.proxad.net 212.27.32.7
[*] PTR dnscache-1.proxad.net 212.27.32.5
[*] PTR cdr7-g15.proxad.net 212.27.32.8
[*] PTR dnscache-1.proxad.net 212.27.32.6
[*] 4 Records Found
Zonewalk
Attempts to enumerate the domain's records by walking its DNSSEC NSEC chain, which succeeds when the zone is misconfigured.
root@kali:~# dnsrecon -d example.com -t zonewalk
[*] Performing NSEC Zone Walk for example.com
[*] Getting SOA record for example.com
[*] Name Server 199.4.28.26 will be used
[*] A example.com 93.184.216.34
[*] AAAA example.com 2606:2800:220:1:248:1893:25c8:1946
[*] 2 records found
Checking the TLDs
root@kali:~# dnsrecon -d example.com -t tld
[*] Performing TLD Brute force Enumeration against example.com
[*] The operation could take up to: 00:01:06
[*] A example.biz.af 103.56.100.33
[*] A example.am 50.87.153.245
[*] A example.com.ar 200.58.122.126
[*] A example.as 199.73.55.35
[*] A example.co.at 78.142.141.40
[*] A example.biz.at 78.46.90.98
[*] A example.com.au 98.124.245.24
[*] A example.net.au 192.185.159.145
[*] A example.co.ba 176.9.45.78
-- SNiP --
This is nothing more than a check of which domains are registered under other TLDs.