New Version Of Dnsmap Out

Sun, 22 Feb 2009 16:42:19 GMT

by pagvac

We just released a new version of dnsmap. dnsmap is a subdomain bruteforcer for stealth enumeration.

Originally released in 2006, dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target company's IP netblocks, domain names, phone numbers, etc. dnsmap was included in Backtrack 2 and 3, although the version included is the now dated version 0.1.

Subdomain brute-forcing is another technique that should be used in the enumeration stage, as it's especially useful when other domain enumeration techniques such as zone transfers don't work (I rarely see zone transfers being publicly allowed these days by the way).

Original Features of Version 0.1

obtain all IP addresses (A records) associated to each successfully bruteforced subdomain, rather than just one IP address per subdomain
abort the bruteforcing process in case the target domain uses wildcards
ability to be able to run the tool without providing a wordlist by using a built-in list of keywords
bruteforcing by using a user-supplied wordlist (as opposed to the built-in wordlist)

New Improvements in Version 0.22

saving the results in human-readable and CSV format for easy processing
fixed bug that disallowed reading wordlists with DOS CRLF format
improved built-in subdomains wordlist
new bash script (dnsmap-bulk.sh) included which allows running dnsmap against a list of domains from a user-supplied file. i.e.: bruteforcing several domains in a bulk fashion
bypassing of signature-based dnsmap detection by generating a proper pseudo-random subdomain when checking for wildcards

Usage

usage: dnsmap <target-domain> [options]
options:
-w <wordlist-file>
-r <results-path>

Example on Live Domain

The following is just an example so you get an idea of how dnsmap works. Very simple to use as you can see. If you want to save the results or use your own wordlist, checkout the usage syntax. Question for those who pay attention to detail: can you spot the potential leaks of internal IP addresses?

$ dnsmap baidu.com
dnsmap 0.22 - DNS Network Mapper by pagvac (gnucitizen.org)

[+] searching (sub)domains for baidu.com using built-in wordlist

accounts.baidu.com
IP address #1: 10.11.252.74

events.baidu.com
IP address #1: 202.108.23.40

finance.baidu.com
IP address #1: 60.28.250.196
IP address #2: 60.28.251.79
IP address #3: 60.28.251.206
IP address #4: 123.129.240.28
IP address #5: 123.129.240.29
IP address #6: 60.28.250.102
IP address #7: 60.28.250.111

forum.baidu.com
IP address #1: 202.108.250.212

images.baidu.com
IP address #1: 61.135.163.93

mail.baidu.com
IP address #1: 10.23.3.137

mobile.baidu.com
IP address #1: 202.108.23.125

mx.baidu.com
IP address #1: 61.135.163.61

mx1.baidu.com
IP address #1: 61.135.163.61

mx2.baidu.com
IP address #1: 61.135.163.62

mx3.baidu.com
IP address #1: 61.135.162.61

news.baidu.com
IP address #1: 61.135.163.87

ns1.baidu.com
IP address #1: 202.108.22.220

ns2.baidu.com
IP address #1: 61.135.165.235

ns3.baidu.com
IP address #1: 220.181.37.10

oracle.baidu.com
IP address #1: 172.18.0.50

photo.baidu.com
IP address #1: 61.135.163.93

photos.baidu.com
IP address #1: 61.135.163.93

pop.baidu.com
IP address #1: 61.135.166.249

proxy.baidu.com
IP address #1: 202.108.11.30

smtp.baidu.com
IP address #1: 61.135.163.61

vpn.baidu.com
IP address #1: 202.108.250.231

wap.baidu.com
IP address #1: 61.135.163.237

webmail.baidu.com
IP address #1: 61.135.166.249

win.baidu.com
IP address #1: 10.65.19.212

www.baidu.com
IP address #1: 220.181.5.222

www1.baidu.com
IP address #1: 220.181.5.222

www2.baidu.com
IP address #1: 202.108.22.136

www3.baidu.com
IP address #1: 202.108.22.188

[+] 29 (sub)domains and 35 IP address(es) found

Archived Comments

pdp

now you need to make it multi-threaded :)

pagvac

yeah, multi-threading among other features are mentioned in the included TODO file. will eventually implement them all hopefully!

kanedaaa

Small patch add -fw option to scan even wildcard is detected.

dnsmap-0.22$ patch < dnsmap.patchwildcard.patch

http://kaneda.bohater.net/files/dnsmap.patchwildcard.diff

meathive

Well done. https://kinqpinz.info/lib/2009/feb/#09c81545

pagvac

@kanedaaa: thanks for the patch, haven't tested it yet, but wanted to let u know that i fixed a few bugs reported by users, so it'd be cool if the patch also worked on version 0.22.1: http://lab.gnucitizen.org/projects/dnsmap (downloads on bottom of page)

Varun

The "dnsmap" link in the first sentence seems to have broken after this post was made. Leads to "http://lab.gnucitizen.org/projects/dnsmap-1" which gives a "Page not found". Thanks!

pdp

should be fixed now!

GNa

kanedaaa's patch is great for opendns users :) for the 0.22.2 there is 1 thing to correct:

-       unsigned short int i=0, j=0, found=0, ipCount=0, wordlist=FALSE, results=FALSE;
+       unsigned short int i=0, j=0, found=0, ipCount=0, wordlist=FALSE, results=FALSE, forcewildcard=FALSE;

notice the unsigned short at the beginning

GNa

i should also note that opendns users get the whole wordlist resolved, so they should filter out the ip 67.215.65.132 , or disable the nxdomain capture in their opendns account :)

David Kierznowski

Yo AP, its not that serious considering its run from the command line, but argv[1] is vulnerable to a buffer overflow. The problem is in: wildcarddetect(char *dom) VULNERABLE LINE: strcat(s, dom); FIXED: strncat(s, dom, sizeof(s));

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info reg
eax            0x0      0
ecx            0xffffffe0       -32
edx            0x3      3
ebx            0x41414141       1094795585
esp            0xbf90c600       0xbf90c600
ebp            0x41414141       0x41414141
esi            0x41414141       1094795585
edi            0x41414141       1094795585
eip            0x41414141       0x41414141
eflags         0x200282 2097794
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51

I can just imagine someone using this tool on a web frontend or something and getting themselves in trouble ;) Cheers for the cool tool. DK

pagvac

lols. thought i fixed most of those! will fix it probably when i update other things in the code i was planning to fix. thanks for that DK. we should post a working PoC, that'd be cool :)

pdp

as far as I know nmap has been (still is) vulnerable to all sorts of attacks for years, and it is more likely to end up with a suid bit than dnsmap. of course, it is always good to fix the bugs, ap :)

pagvac

pdp: the only reason why i haven't cared much about input validation on dnsmap is because it doesn't require the SUID bit to be on, where tools like nmap do require to be run with root privileges. i.e.: for SYN portscans. nevertheless, as DK pointed out, if someone created a web gui for dnsmap, it could lead to remote command exec. i'd hope that if someone did implement a web gui for dnsmap, they filtered malicious input from the server-side script itself, unless they want their site to be owned :)

Zee

My resolver does ~400-600k per minute on core 2 duo, 5 mbit.

meathive

The PHP port for those interested. https://kinqpinz.info/?%C2%B6=cb252860#index