dnsenum Package Description

Multithreaded Perl script to enumerate the DNS information of a domain and to discover non-contiguous IP blocks.

Operations:

  • Get the host's addresses (A record).
  • Get the nameservers (threaded).
  • Get the MX records (threaded).
  • Perform AXFR queries on the nameservers and get the BIND version (threaded).
  • Get extra names and subdomains via Google scraping (Google query = "allinurl: -www site:domain").
  • Brute force subdomains from a file; can also perform recursion on subdomains that have NS records (all threaded).
  • Calculate C class domain network ranges and perform whois queries on them (threaded).
  • Perform reverse lookups on netranges (C class and/or whois netranges) (threaded).
  • Write the IP blocks to the file domain_ips.txt.

Source: https://github.com/fwaeytens/dnsenum
dnsenum Homepage | Kali dnsenum Repo

  • Author: Filip Waeytens, tix tixxDZ
  • License: GPLv2

Tools included in the dnsenum package

dnsenum
root@kali:~# dnsenum -h
dnsenum.pl VERSION:1.2.3
Usage: dnsenum.pl [Options] <domain>
[Options]:
Note: the brute force -f switch is obligatory.
GENERAL OPTIONS:
  --dnsserver   <server>
            Use this DNS server for A, NS and MX queries.
  --enum        Shortcut option equivalent to --threads 5 -s 15 -w.
  -h, --help        Print this help message.
  --noreverse       Skip the reverse lookup operations.
  --private     Show and save private ips at the end of the file domain_ips.txt.
  --subfile <file>  Write all valid subdomains to this file.
  -t, --timeout <value> The tcp and udp timeout values in seconds (default: 10s).
  --threads <value> The number of threads that will perform different queries.
  -v, --verbose     Be verbose: show all the progress and all the error messages.
GOOGLE SCRAPING OPTIONS:
  -p, --pages <value>   The number of google search pages to process when scraping names,
            the default is 5 pages, the -s switch must be specified.
  -s, --scrap <value>   The maximum number of subdomains that will be scraped from Google (default 15).
BRUTE FORCE OPTIONS:
  -f, --file <file> Read subdomains from this file to perform brute force.
  -u, --update  <a|g|r|z>
            Update the file specified with the -f switch with valid subdomains.
    a (all)     Update using all results.
    g       Update using only google scraping results.
    r       Update using only reverse lookup results.
    z       Update using only zonetransfer results.
  -r, --recursion   Recursion on subdomains, brute force all discovred subdomains that have an NS record.
WHOIS NETRANGE OPTIONS:
  -d, --delay <value>   The maximum value of seconds to wait between whois queries, the value is defined randomly, default: 3s.
  -w, --whois       Perform the whois queries on c class network ranges.
             **Warning**: this can generate very large netranges and it will take lot of time to performe reverse lookups.
REVERSE LOOKUP OPTIONS:
  -e, --exclude <regexp>
            Exclude PTR records that match the regexp expression from reverse lookup results, useful on invalid hostnames.
OUTPUT OPTIONS:
  -o --output <file>    Output in XML format. Can be imported in MagicTree (www.gremwell.com)

dnsenum Usage Example

Skip the reverse lookup (--noreverse) and save the output to a file (-o mydomain.xml) for the domain example.com:

root@kali:~# dnsenum --noreverse -o mydomain.xml example.com
dnsenum.pl VERSION:1.2.3

-----   example.com   -----


Host's addresses:
__________________

example.com.                             392      IN    A        93.184.216.119


Name Servers:
______________

b.iana-servers.net.                      122      IN    A        199.43.133.53
a.iana-servers.net.                      122      IN    A        199.43.132.53


Mail (MX) Servers:
___________________
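The run above shows dnsenum's plain-text report layout: a section title ending in a colon, an underline of underscores, then resource records as "name TTL IN TYPE value". The parser below, an added example that is not part of dnsenum, turns that report into structured records so the discovered hosts can be fed into an asset inventory or scope check; the embedded sample is the output shown above, including the empty MX section where the capture ends.

```python
"""Parse a dnsenum plain-text report into per-section DNS records.

Added example, not dnsenum's own code. Assumes the layout seen in the
sample run: title line ending in ':', an underline of '_' characters,
then records 'name  TTL  IN  TYPE  value' separated by blank lines.
"""
import re

# One resource record line; class is assumed to always be IN.
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(\S+)\s*$")
SECTION_RE = re.compile(r"^(.*):\s*$")

# Constructed sample: the report from the run above, truncated after the MX header.
SAMPLE = """\
dnsenum.pl VERSION:1.2.3

-----   example.com   -----

Host's addresses:
__________________

example.com.                             392      IN    A        93.184.216.119

Name Servers:
______________

b.iana-servers.net.                      122      IN    A        199.43.133.53
a.iana-servers.net.                      122      IN    A        199.43.132.53

Mail (MX) Servers:
___________________
"""

def parse_dnsenum_report(text):
    """Return {section_title: [ {name, ttl, type, value}, ... ]} in report order."""
    sections, current = {}, None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if not stripped or stripped.startswith("-----") or set(stripped) == {"_"}:
            continue  # blank line, domain banner, or a section underline
        m = SECTION_RE.match(stripped)
        if m and i + 1 < len(lines) and set(lines[i + 1].strip()) == {"_"}:
            current = m.group(1)          # title confirmed by the underline below it
            sections[current] = []
            continue
        r = RECORD_RE.match(stripped)
        if r and current is not None:
            name, ttl, rtype, value = r.groups()
            sections[current].append(
                {"name": name.rstrip("."), "ttl": int(ttl), "type": rtype, "value": value})
    return sections

def collect_ips(sections):
    """Deduplicated A-record addresses across all sections, for a scope list."""
    seen = []
    for recs in sections.values():
        for r in recs:
            if r["type"] == "A" and r["value"] not in seen:
                seen.append(r["value"])
    return seen
```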