At Hack3rCon today I had a chance to sit in on Carlos “@carlos_perez” Perez’s DNSRecon talk. This awesome tool brings together all the tips and tricks that Carlos has learned and used over the years into one easy-to-use package. Yeah, there are already scripts like Fierce that go out and dump almost everything imaginable; however, Carlos, like many of us, wanted something a little more strategic. He wrote the original DNSRecon script in Ruby several years back but recently ported it to Python because of the limited DNS-related libraries available in Ruby at the time. The good news is that most of us already have this tool available if you have an up-to-date version of Backtrack. You’ll find it in the /pentest/enumeration/dns/dnsrecon directory.
The core option/parameter that must be included is -d followed by the domain, as shown in the example below. By default this query returns the SOA, NS, A, AAAA, MX, and SRV records. Optionally, you can use --domain in place of -d. For most users this standard query is where we’ll probably start.
./dnsrecon.py -d <domain>
Carlos has also added a number of options to augment this standard query to quickly return additional information embedded deeper within DNS. Here’s a quick printout of the relevant options from DNSRecon’s help output.
- -a: Perform AXFR with the standard enumeration.
- -s: Perform Reverse Look-up of ipv4 ranges in the SPF Record of the targeted domain with the standard enumeration.
- -g: Perform Google enumeration with the standard enumeration.
- -w: Do deep whois record analysis and reverse look-up of IP ranges found thru whois when doing standard query.
- -z: Performs a DNSSEC Zone Walk with the standard enumeration.
There is another whole set of parameters you can use with the -t or --type option to skip the standard query and perform more strategic reconnaissance. At this time these parameters include:
- rvl: To Reverse Look Up a given CIDR IP range.
- brt: To Brute force Domains and Hosts using a given dictionary.
- srv: To Enumerate common SRV Records for a given domain.
- axfr: Test all NS Servers in a domain for misconfigured zone transfers.
- goo: Perform Google search for sub-domains and hosts.
- snoop: To Perform a Cache Snooping against all NS servers for a given domain, testing all with file containing the domains, file given with -D option.
- tld: Will remove the TLD of given domain and test against all TLD’s registered in IANA.
- zonewalk: Will perform a DNSSEC Zone Walk using NSEC Records.
DNSRecon also includes several output options to simplify later analysis. Currently, the supported formats include sqlite (--db <file>), xml (--xml <file>), and csv (--csv <file>). Finally, under the main DNSRecon directory are two useful scripts for parsing through the results (./tools/parser.py) and importing the results into Metasploit (./msf_plugin/dnsr_import.rb).
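To make the two pieces above concrete, here is an added example (my own code, not from DNSRecon) that reproduces the logic of the standard query and of the -s option: fetch the default record set, pull the ip4: ranges out of the domain's SPF record, and reverse-look-up the hosts in those ranges. The `resolve(name, rtype)` callable is an assumption so the script runs offline against a constructed answer table; swap in a dnspython-backed resolver to audit a real domain you own.

```python
"""Standard enumeration + SPF-range reverse look-up, in the style of dnsrecon."""
import ipaddress
import re

# Record types the standard dnsrecon query returns (from the post).
STANDARD_TYPES = ("SOA", "NS", "A", "AAAA", "MX", "SRV")

def standard_enum(domain, resolve):
    """Return {rtype: [values]} for the standard record set.
    resolve(name, rtype) -> list of strings ([] on NXDOMAIN / no answer)."""
    return {rtype: resolve(domain, rtype) for rtype in STANDARD_TYPES}

def spf_ip4_ranges(domain, resolve):
    """Collect the ip4: mechanisms from the domain's SPF TXT record (-s option)."""
    ranges = []
    for txt in resolve(domain, "TXT"):
        if not txt.startswith("v=spf1"):
            continue
        for m in re.finditer(r"\bip4:(\S+)", txt):
            net = m.group(1)
            if "/" not in net:
                net += "/32"          # bare address: a single host
            ranges.append(ipaddress.ip_network(net, strict=False))
    return ranges

def reverse_lookup_ranges(networks, resolve, max_hosts=256):
    """PTR-query every address in each range. Ranges bigger than max_hosts are
    skipped (assumption) so a /8 in SPF does not turn an audit into a flood."""
    found = {}
    for net in networks:
        if net.num_addresses > max_hosts:
            continue
        for ip in net:                # includes network/broadcast; harmless for PTR
            names = resolve(ip.reverse_pointer, "PTR")
            if names:
                found[str(ip)] = names
    return found

# Constructed answer table standing in for live DNS (example.com is reserved).
FAKE_ANSWERS = {
    ("example.com", "SOA"): ["ns1.example.com. hostmaster.example.com. 1 3600 600 86400 300"],
    ("example.com", "NS"): ["ns1.example.com.", "ns2.example.com."],
    ("example.com", "A"): ["192.0.2.10"],
    ("example.com", "MX"): ["10 mail.example.com."],
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/30 ip4:198.51.100.7 -all"],
    ("1.2.0.192.in-addr.arpa", "PTR"): ["www.example.com."],
    ("7.100.51.198.in-addr.arpa", "PTR"): ["mail.example.com."],
}

def fake_resolve(name, rtype):
    """Offline stand-in for a real resolver."""
    return FAKE_ANSWERS.get((name, rtype), [])

if __name__ == "__main__":
    print(standard_enum("example.com", fake_resolve))
    print(reverse_lookup_ranges(spf_ip4_ranges("example.com", fake_resolve), fake_resolve))
```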
What have your experiences been with DNSRecon? Let us know in the comments below. Today’s post pic is from Google.com. See ya!