Enumerate DNS info about domains

DNSenum is a pentesting tool created to enumerate DNS information about domains.

The purpose of Dnsenum is to gather as much information as possible about a domain. The program currently performs the following operations:

1) Get the host's addresses (A record).
2) Get the nameservers (threaded).
3) Get the MX records (threaded).
4) Perform AXFR (zone transfer) queries on the nameservers and get the BIND versions (threaded).
5) Get extra names and subdomains via Google scraping (Google query = "allinurl: -www site:domain").
6) Brute force subdomains from a wordlist file; can also recurse into discovered subdomains that have NS records (all threaded).
7) Calculate class C network ranges and perform whois queries on them (threaded).
8) Perform reverse lookups on the netranges (class C and/or whois netranges) (threaded).
9) Write the IP blocks to the file domain_ips.txt.
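Step 4 is the one a domain owner most wants to verify on their own authoritative servers: an open zone transfer hands the whole zone to anyone who asks. The following is an added, stand-alone Python example (not part of dnsenum) that builds the AXFR query in DNS wire format, sends it over TCP to one nameserver, and classifies the first response message; the nameserver, domain and transaction id are assumed inputs, and the verdict names are my own.

```python
import socket
import struct

AXFR = 252          # QTYPE for zone transfer (RFC 5936)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(domain):
    """Encode 'example.com' as DNS wire-format labels ending in a zero byte."""
    labels = [l.encode("ascii") for l in domain.rstrip(".").split(".")]
    return b"".join(struct.pack("!B", len(l)) + l for l in labels) + b"\x00"

def build_axfr_query(domain, txid):
    """AXFR question for `domain`, framed with the 2-byte TCP length prefix."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # flags=0: no RD, 1 question
    msg = header + encode_name(domain) + struct.pack("!HH", AXFR, 1)  # class IN
    return struct.pack("!H", len(msg)) + msg

def axfr_verdict(msg, txid):
    """Classify one response message (without its TCP length prefix)."""
    if len(msg) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        return "txid-mismatch"   # not an answer to our query
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    if rcode == "NOERROR" and ancount > 0:
        return "OPEN"            # the server is handing out zone records
    if rcode == "NOERROR":
        return "empty"           # no error but no records either
    return rcode                 # REFUSED / NOTAUTH / ...: transfer denied

def recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed by server")
        buf += chunk
    return buf

def check_axfr(nameserver, domain, timeout=10):
    """Ask one nameserver (assumed input) for a transfer of `domain`."""
    txid = 0x1234                # constructed id; use a random one in practice
    with socket.create_connection((nameserver, 53), timeout=timeout) as s:
        s.sendall(build_axfr_query(domain, txid))
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return axfr_verdict(recv_exact(s, length), txid)  # first message decides
```

Only the first response message is read; an open transfer may span several messages, but one message with answer records is already enough to know the zone is exposed.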


./dnsenum.pl -t 30s --threads 5 -v -d 30s <domain>

Usage: dnsenum.pl [Options]
Note: the brute force -f switch is obligatory.
                        Use this DNS server for A, NS and MX queries.
  --enum                Shortcut option equivalent to --threads 5 -s 20 -w.
  -h, --help            Print this help message.
  --noreverse           Skip the reverse lookup operations.
  --private             Show and save private ips at the end of the file
  --subfile             Write all valid subdomains to this file.
  -t, --timeout         The tcp and udp timeout values in seconds (default: 10s).
  --threads             The number of threads that will perform different queries.
  -v, --verbose         Be verbose: show all the progress and all the error messages.
  -p, --pages           The number of google search pages to process when scraping names,
                        the default is 20 pages, the -s switch must be specified.
  -s, --scrap           The maximum number of subdomains that will be scraped from Google.
  -f, --file            Read subdomains from this file to perform brute force.
  -u, --update  <a|g|r|z>
                        Update the file specified with the -f switch with
                        valid subdomains.
        a (all)         Update using all results.
        g               Update using only google scraping results.
        r               Update using only reverse lookup results.
        z               Update using only zonetransfer results.
  -r, --recursion       Recursion on subdomains, brute force all discovred subdomains
                        that have an NS record.
  -d, --delay           The maximum value of seconds to wait between whois queries,
                        the value is defined randomly, default: 3s.
  -w, --whois           Perform the whois queries on c class network ranges.
                        **Warning**: this can generate very large netranges and it
                        will take lot of time to performe reverse lookups.
  -e, --exclude
                        Exclude PTR records that match the regexp expression from
                        reverse lookup results, useful on invalid hostnames.
  -o --output           Output in XML format. Can be imported in MagicTree
