New Version Of Dnsmap Out
We just released a new version of dnsmap. dnsmap is a subdomain bruteforcer for stealth enumeration.
Originally released in 2006, dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. During the enumeration stage, the security consultant would typically discover the target company's IP netblocks, domain names, phone numbers, etc. dnsmap was included in Backtrack 2 and 3, although the version included is the now dated version 0.1.
Subdomain brute-forcing is another technique that should be used in the enumeration stage, as it's especially useful when other domain enumeration techniques such as zone transfers don't work (I rarely see zone transfers being publicly allowed these days by the way).
Original Features of Version 0.1
- obtain all IP addresses (A records) associated to each successfully bruteforced subdomain, rather than just one IP address per subdomain
- abort the bruteforcing process in case the target domain uses wildcards
- ability to be able to run the tool without providing a wordlist by using a built-in list of keywords
- bruteforcing by using a user-supplied wordlist (as opposed to the built-in wordlist)
New Improvements in Version 0.22
- saving the results in human-readable and CSV format for easy processing
- fixed bug that disallowed reading wordlists with DOS CRLF format
- improved built-in subdomains wordlist
- new bash script (
dnsmap-bulk.sh) included which allows running dnsmap against a list of domains from a user-supplied file. i.e.: bruteforcing several domains in a bulk fashion
- bypassing of signature-based dnsmap detection by generating a proper pseudo-random subdomain when checking for wildcards
usage: dnsmap <target-domain> [options] options: -w <wordlist-file> -r <results-path>
Example on Live Domain
The following is just an example so you get an idea of how dnsmap works. Very simple to use as you can see. If you want to save the results or use your own wordlist, checkout the usage syntax. Question for those who pay attention to detail: can you spot the potential leaks of internal IP addresses?
$ dnsmap baidu.com dnsmap 0.22 - DNS Network Mapper by pagvac (gnucitizen.org) [+] searching (sub)domains for baidu.com using built-in wordlist accounts.baidu.com IP address #1: 10.11.252.74 events.baidu.com IP address #1: 22.214.171.124 finance.baidu.com IP address #1: 126.96.36.199 IP address #2: 188.8.131.52 IP address #3: 184.108.40.206 IP address #4: 220.127.116.11 IP address #5: 18.104.22.168 IP address #6: 22.214.171.124 IP address #7: 126.96.36.199 forum.baidu.com IP address #1: 188.8.131.52 images.baidu.com IP address #1: 184.108.40.206 mail.baidu.com IP address #1: 10.23.3.137 mobile.baidu.com IP address #1: 220.127.116.11 mx.baidu.com IP address #1: 18.104.22.168 mx1.baidu.com IP address #1: 22.214.171.124 mx2.baidu.com IP address #1: 126.96.36.199 mx3.baidu.com IP address #1: 188.8.131.52 news.baidu.com IP address #1: 184.108.40.206 ns1.baidu.com IP address #1: 220.127.116.11 ns2.baidu.com IP address #1: 18.104.22.168 ns3.baidu.com IP address #1: 22.214.171.124 oracle.baidu.com IP address #1: 172.18.0.50 photo.baidu.com IP address #1: 126.96.36.199 photos.baidu.com IP address #1: 188.8.131.52 pop.baidu.com IP address #1: 184.108.40.206 proxy.baidu.com IP address #1: 220.127.116.11 smtp.baidu.com IP address #1: 18.104.22.168 vpn.baidu.com IP address #1: 22.214.171.124 wap.baidu.com IP address #1: 126.96.36.199 webmail.baidu.com IP address #1: 188.8.131.52 win.baidu.com IP address #1: 10.65.19.212 www.baidu.com IP address #1: 184.108.40.206 www1.baidu.com IP address #1: 220.127.116.11 www2.baidu.com IP address #1: 18.104.22.168 www3.baidu.com IP address #1: 22.214.171.124 [+] 29 (sub)domains and 35 IP address(es) found
dnsmap-0.22$ patch < dnsmap.patchwildcard.patch
notice the unsigned short at the beginning
- unsigned short int i=0, j=0, found=0, ipCount=0, wordlist=FALSE, results=FALSE; + unsigned short int i=0, j=0, found=0, ipCount=0, wordlist=FALSE, results=FALSE, forcewildcard=FALSE;
wildcarddetect(char *dom)VULNERABLE LINE:
strncat(s, dom, sizeof(s));
I can just imagine someone using this tool on a web frontend or something and getting themselves in trouble ;) Cheers for the cool tool. DK
Program received signal SIGSEGV, Segmentation fault. 0x41414141 in ?? () (gdb) info reg eax 0x0 0 ecx 0xffffffe0 -32 edx 0x3 3 ebx 0x41414141 1094795585 esp 0xbf90c600 0xbf90c600 ebp 0x41414141 0x41414141 esi 0x41414141 1094795585 edi 0x41414141 1094795585 eip 0x41414141 0x41414141 eflags 0x200282 2097794 cs 0x73 115 ss 0x7b 123 ds 0x7b 123 es 0x7b 123 fs 0x0 0 gs 0x33 51