
Information Gathering - By using DNS Analysis Kali Linux

Updated: May 23, 2022

Threat Intelligence Information Gathering - By using DNS Analysis Kali Linux


In this blog, we will cover the Kali Linux tools listed below. Ethical hacking is cool, but only if you know what to do.

  1. dnsdict6

  2. dnsenum

  3. dnsmap

  4. dnsrecon

  5. dnsrevenum6

  6. dnstracer

  7. dnswalk

  8. fierce

  9. maltego

  10. nmap

  11. urlcrazy



1) DNSDICT6


DNSDICT6 is a powerful information-gathering tool. It is used to find the sub-domains of a website or web server; its most advanced use is to enumerate all IPv4 and IPv6 addresses and extract sub-domain and IP information. The tools either specify a fixed packet signature or generically sniff for packets (e.g. therefore also answering ICMPv6 neighbour solicitations that are sent to a non-existing MAC, which makes them very easy to detect). This is done on purpose to make rogue usage detection easier. If you don't want this, change the code.



dnsdict6 <domain>
dnsdict6 [-d46] [-s|-m|-l|-x] [-t THREADS] [-D] domain [dictionary-file]
EXAMPLE dnsdict6 google.com


2) dnsenum


The purpose of dnsenum is to gather as much information as possible about a domain. This tool is useful for pen-testers, ethical hackers, and forensics experts, and can also be used for security tests. It performs the following operations:


  1. Get the host’s addresses (A record).

  2. Get the nameservers (threaded).

  3. Get the MX record (threaded).

  4. Perform axfr queries on nameservers and get BIND versions(threaded).

  5. Get extra names and subdomains via google scraping (google query = “allinurl: -www site:domain”).

  6. Brute force subdomains from a file; can also perform recursion on subdomains that have NS records (all threaded).

  7. Calculate C class domain network ranges and perform whois queries on them (threaded).

  8. Perform reverse lookups on netranges (C class or/and whois netranges) (threaded).

  9. Write the IP blocks to the domain_ips.txt file.


How to install: sudo apt install dnsenum

dnsenum.pl [options] <domain>
EXAMPLE ./dnsenum.pl -p 1 -s 1 google.com

3) dnsmap

The tool enables scanning a domain for common subdomains using a built-in or an external wordlist.



How to install: sudo apt install dnsmap
./dnsmap <target-domain> [options]
EXAMPLE ./dnsmap google.com

4) dnsrecon


DNSRecon is a Python-based script that provides the ability to perform:


  1. Check all NS Records for Zone Transfers.

  2. Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT).

  3. Perform common SRV Record Enumeration.

  4. Top Level Domain (TLD) Expansion.

  5. Check for Wildcard Resolution.

  6. Brute Force subdomain and host A and AAAA records given a domain and a wordlist.

  7. Perform a PTR Record lookup for a given IP Range or CIDR.

  8. Check a DNS server's cached records for A, AAAA and CNAME records, given a list of host records in a text file to check.

  9. Enumerate hosts and subdomains using Google.


How to install: sudo apt install dnsrecon

a) dnsrecon -t std -d google.com (Standard (-t std))
b) dnsrecon -t tld -d aldeid (Top Level Domain (-t tld))
c) dnsrecon -t axfr -d ??????club.net (Zone transfer (-t axfr))
d) dnsrecon -t rvs -r 66.249.92.100-66.249.92.150 (Reverse Record Enumeration (-t rvs))
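
The zone-transfer (AXFR) requests and subdomain brute forcing that dnsenum and dnsrecon perform are visible in the authoritative server's query log. The following is an added example, not part of the original post or of either tool: it flags clients that request a zone transfer or query an unusually large number of distinct names, assuming a BIND-style query log; the sample lines, the `analyse` function and the `max_names` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on BIND's query-log layout (an assumption;
# adapt LINE_RE to the format your resolver actually writes).
_TS = "23-May-2022 10:00:0"
SAMPLE_LOG = "\n".join(
    [
        f"{_TS}1.101 client @0x7f10 198.51.100.7#40112 (example.com): "
        "query: example.com IN AXFR -T (192.0.2.53)",
        f"{_TS}1.500 client @0x7f11 203.0.113.20#5353 (www.example.com): "
        "query: www.example.com IN A +E(0) (192.0.2.53)",
        f"{_TS}1.900 client @0x7f12 203.0.113.20#5354 (example.com): "
        "query: example.com IN MX +E(0) (192.0.2.53)",
    ]
    + [  # one client walking a wordlist, as a brute-force run would
        f"{_TS}2.{i:03d} client @0x7f20 198.51.100.7#{41000 + i} "
        f"({w}.example.com): query: {w}.example.com IN A + (192.0.2.53)"
        for i, w in enumerate(["admin", "dev", "ftp", "mail", "ns1", "test", "vpn", "www"])
    ]
)

LINE_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \(\S+\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def analyse(log_text, zone, max_names=5):
    """Return (clients that asked for a zone transfer,
    {client: distinct-name count} for clients above max_names)."""
    zone = zone.lower().rstrip(".")
    axfr, names = set(), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query line
        name = m["name"].lower().rstrip(".")
        if name != zone and not name.endswith("." + zone):
            continue  # query for some other zone
        if m["qtype"].upper() in ("AXFR", "IXFR"):
            axfr.add(m["ip"])
        else:
            names[m["ip"]].add(name)
    noisy = {ip: len(n) for ip, n in names.items() if len(n) > max_names}
    return axfr, noisy


if __name__ == "__main__":
    transfers, noisy = analyse(SAMPLE_LOG, "example.com")
    print("zone-transfer requests from:", sorted(transfers))
    print("many distinct names from:", noisy)
```

The function counts over the whole input; in production, apply it per time window and tune `max_names` to your normal resolver traffic.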

5) dnsrevenum6

Performs a fast reverse DNS enumeration and is able to cope with slow servers. Option -t enables TCP instead of UDP (use this if you get many timeouts)

Simple and fast Reverse DNS Enumerator for IPv6

• detects wildcard DNS servers

• adapts to lossy/slow DNS server

• fast but non-flooding

• specify the reverse domain as 2001:db8::/56 or 0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa



dnsrevenum6 [-t] dns-server ipv6address
EXAMPLE dnsrevenum6 ns1.example.com 2001:db8::/56


6) dnstracer


dnstracer enables tracing of a chain of DNS servers to the source. It determines where a given Domain Name Server (DNS) gets its information from, and follows the chain of DNS servers back to the servers which know the data.




How to install: sudo apt install dnstracer



USAGE dnstracer [options] name

EXAMPLE dnstracer www.test.com (Search for the A record of www.test.com on your local nameserver)

EXAMPLE dnstracer -s . -q mx test.in (Search for the MX record of test.in on the root nameservers)

EXAMPLE dnstracer -q ptr 141.230.224.202.in-addr.arpa (Search for the PTR record (hostname) of 202.224.230.141)

EXAMPLE dnstracer -q ptr -s . -o 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.4.0.2.0.0.0.0.8.b.0.e.f.f.3.ip6.int (for IPv6 addresses)
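
Both dnsrevenum6 and the dnstracer PTR examples above work with reverse-DNS names, where the address is written backwards one label per octet (IPv4) or per hex nibble (IPv6). The following added example, not part of the original post, converts a prefix to its reverse zone and decodes a PTR name back to an address; the function names `reverse_zone` and `pointer_to_address` are hypothetical helpers built on Python's standard `ipaddress` module.

```python
import ipaddress


def reverse_zone(prefix):
    """Reverse-DNS zone name for a prefix that ends on a label boundary."""
    net = ipaddress.ip_network(prefix)  # raises ValueError if host bits are set
    if net.version == 6:
        step, digits, tail = 4, net.network_address.exploded.replace(":", ""), "ip6.arpa"
    else:
        step, digits, tail = 8, str(net.network_address).split("."), "in-addr.arpa"
    if net.prefixlen % step:
        raise ValueError(f"/{net.prefixlen} is not on a {step}-bit label boundary")
    labels = list(digits[: net.prefixlen // step])
    return ".".join(labels[::-1] + [tail])


def pointer_to_address(name):
    """Decode a complete PTR owner name back to the address it describes."""
    labels = name.lower().rstrip(".").split(".")
    suffix, body = ".".join(labels[-2:]), labels[:-2][::-1]
    if suffix == "in-addr.arpa" and len(body) == 4:
        return ipaddress.ip_address(".".join(body))
    # ip6.int is the legacy IPv6 reverse tree; ip6.arpa is the current one
    if (suffix in ("ip6.arpa", "ip6.int") and len(body) == 32
            and all(len(label) == 1 for label in body)):
        hexdigits = "".join(body)
        groups = (hexdigits[i : i + 4] for i in range(0, 32, 4))
        return ipaddress.ip_address(":".join(groups))
    raise ValueError(f"not a complete reverse name: {name!r}")


if __name__ == "__main__":
    # Prefixes taken from the page plus its nmap example network
    for p in ("2001:db8::/56", "2001:db8::/48", "192.168.100.0/24"):
        print(p, "->", reverse_zone(p))
    print(pointer_to_address("141.230.224.202.in-addr.arpa"))
```

Running it shows that `0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa` is the zone for `2001:db8::/48`, while `2001:db8::/56` carries two more nibble labels.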

7) dnswalk

Dnswalk is a DNS database debugger. It performs zone transfers of specified domains and checks the database in numerous ways for internal consistency, as well as for correctness according to accepted practices with the Domain Name System.



How to install: sudo apt install dnswalk
 
EXAMPLE dnswalk google.com. (the domain name must end with a '.')

8) fierce

fierce is a semi-lightweight enumeration scanner that helps penetration testers locate noncontiguous IP space and hostnames for specified domains using things like DNS, Whois, and ARIN. It's really meant as a precursor to active testing tools such as Nmap, unicornscan, nessus, nikto, etc., since all of those require that you already know what IP space you are looking for. Fierce does not perform exploitation and does not scan the whole internet indiscriminately. It is meant specifically to locate likely targets both inside and outside a corporate network.


Because it uses DNS primarily, you will often find misconfigured networks that leak internal address space. That’s especially useful in targeted malware. Originally written by RSnake along with others at http://ha.ckers.org/. This is simply a conversion to Python 3 to simplify and modernize the codebase.



How to install: sudo apt install fierce

Eg: fierce -dns company.com (Standard Fierce scan)

Eg: fierce -dns company.com -wide (Standard Fierce scan and search all class C ranges found for PTR names that match the domain)

Eg: fierce -dns company.com -only zt (Fierce scan that only checks for zone transfer)

Eg: fierce -dns company.com -ztstop (Fierce scan that does not perform bruteforcing if a zone transfer is found)

Eg: fierce -dns company.com -wildcstop (Fierce scan that does not perform bruteforcing if a wildcard is found)

9) maltego

Maltego is an open-source intelligence and forensics application. It is a unique platform developed to deliver a clear threat picture of the environment that an organization owns and operates. It offers timely mining and gathering of information, as well as the representation of this information in an easy-to-understand format.



How to install: sudo apt install maltego
maltego -h

10) nmap

Nmap stands for "Network Mapper". In Kali Linux, Nmap is a utility that is widely used by penetration testers for network discovery and system IT security audits. Nmap is able to determine which hosts are up, supports many port scanning techniques, performs version detection (determining the service protocols and application versions listening behind a port), and does TCP/IP fingerprinting (remote host OS or device identification). Nmap also supports flexible target and port specification, decoy/stealth scanning, SunRPC scanning, and more.



How to install: sudo apt install nmap

EG: nmap -sP 192.168.100.1/24 (Lists hosts on a network)
EG: nmap -sS -sV 192.168.100.19 (Scans a host. This example uses a TCP/SYN scan and tries to identify installed services)

11) urlcrazy


Generate and test domain typos and variations to detect and perform typo squatting, URL hijacking, phishing, and corporate espionage.

• Detect typo squatters profiting from typos on your domain name

• Protect your brand by registering popular typos

• Identify typo domain names that will receive traffic intended for another domain

• Conduct phishing attacks during a penetration test

How to install: sudo apt install urlcrazy

