Basic usage of dnsenum

Introduction

The goal of dnsenum is to collect as much information about a domain as possible. It can guess likely subdomains via Google or a wordlist and run reverse lookups across a network range. It looks up the site's host addresses, name servers and MX records (mail exchange records), issues AXFR requests to the name servers, obtains additional domain names through Google scraping (google hacking), extracts subdomains and queries them, computes the C-class ranges and runs whois queries on them, performs reverse lookups, and writes the address ranges to a file.

Common commands
dnsenum --enum xxx.xxx
# example
dnsenum --enum us.cnn.com
-----   sc.com   -----


Host's addresses:
__________________

sc.com.                                  5        IN    A        23.199.80.209


Name Servers:
______________

a3-67.akam.net.                          5        IN    A        96.7.49.67
a1-244.akam.net.                         5        IN    A        193.108.91.244
a8-66.akam.net.                          5        IN    A        2.16.40.66
a4-64.akam.net.                          5        IN    A        72.246.46.64
a6-65.akam.net.                          5        IN    A        23.211.133.65
a9-67.akam.net.                          5        IN    A        184.85.248.67


Mail (MX) Servers:
___________________

cluster4a.us.messagelabs.com.            5        IN    A        3.222.201.247
cluster4a.us.messagelabs.com.            5        IN    A        52.73.243.182
cluster4a.us.messagelabs.com.            5        IN    A        34.237.164.170
cluster4.us.messagelabs.com.             5        IN    A        67.219.246.203
cluster4.us.messagelabs.com.             5        IN    A        67.219.250.107
cluster4.us.messagelabs.com.             5        IN    A        67.219.250.203
cluster4.us.messagelabs.com.             5        IN    A        67.219.246.193
cluster4.us.messagelabs.com.             5        IN    A        67.219.251.49
cluster4.us.messagelabs.com.             5        IN    A        67.219.250.193
cluster4.us.messagelabs.com.             5        IN    A        67.219.250.97
cluster4.us.messagelabs.com.             5        IN    A        67.219.251.59
cluster4.us.messagelabs.com.             5        IN    A        67.219.246.107
cluster4.us.messagelabs.com.             5        IN    A        67.219.246.97


Trying Zone Transfers and getting Bind Versions:
_________________________________________________


Trying Zone Transfer for sc.com on a1-244.akam.net ... 
AXFR record query failed: REFUSED

Trying Zone Transfer for sc.com on a3-67.akam.net ... 
AXFR record query failed: REFUSED

Trying Zone Transfer for sc.com on a4-64.akam.net ... 
AXFR record query failed: REFUSED

Trying Zone Transfer for sc.com on a8-66.akam.net ... 
AXFR record query failed: REFUSED

Trying Zone Transfer for sc.com on a6-65.akam.net ... 
AXFR record query failed: REFUSED

Trying Zone Transfer for sc.com on a9-67.akam.net ... 
AXFR record query failed: REFUSED


Scraping sc.com subdomains from Google:
________________________________________

Error GETing http://www.google.com/ncr: Can't connect to www.google.com:80 (Connection timed out) at /usr/bin/dnsenum line 971.
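dnsenum prints its report as plain text, so checking a domain's posture from it (which name servers answered, and whether any of them refused the zone transfer) means parsing the sections shown above. The following is an added example, not part of dnsenum or of the original post: it parses a report in that format into records and a per-nameserver AXFR result, and flags any server for which no "AXFR record query failed" line was recorded. The SAMPLE_REPORT is constructed from the output shown above and abridged; the rule that a server without a failure line should be reviewed manually is an assumption, not dnsenum's own semantics.

```python
"""Parse a dnsenum plain-text report into structured data (added example)."""
import re
from collections import defaultdict

# Constructed sample, abridged from the report format shown on this page.
SAMPLE_REPORT = """\
-----   sc.com   -----


Host's addresses:
__________________

sc.com.                                  5        IN    A        23.199.80.209


Name Servers:
______________

a3-67.akam.net.                          5        IN    A        96.7.49.67
a1-244.akam.net.                         5        IN    A        193.108.91.244


Mail (MX) Servers:
___________________

cluster4a.us.messagelabs.com.            5        IN    A        3.222.201.247


Trying Zone Transfers and getting Bind Versions:
_________________________________________________


Trying Zone Transfer for sc.com on a1-244.akam.net ...
AXFR record query failed: REFUSED

Trying Zone Transfer for sc.com on a3-67.akam.net ...
AXFR record query failed: REFUSED
"""

# One resource record line: owner, TTL, class IN, type, rdata.
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)\s*$")
# Section headings end with a colon; the underline row below them is skipped.
SECTION_RE = re.compile(r"^(.+):\s*$")
AXFR_TRY_RE = re.compile(r"^Trying Zone Transfer for (\S+) on (\S+)")
AXFR_FAIL_RE = re.compile(r"^AXFR record query failed: (\S+)")


def parse_report(text):
    """Return (records, axfr).

    records: section name -> list of (owner, ttl, type, rdata)
    axfr:    name server -> failure rcode (e.g. "REFUSED"), or None when
             the attempt line was not followed by a failure line.
    """
    records = defaultdict(list)
    axfr = {}
    section = None
    pending_ns = None
    for raw in text.splitlines():
        line = raw.rstrip()
        # Blank lines, underline rows and the "-----  domain  -----" banner.
        if not line or set(line) == {"_"} or line.startswith("-----"):
            continue
        m = AXFR_TRY_RE.match(line)
        if m:
            pending_ns = m.group(2)
            axfr[pending_ns] = None  # no verdict yet (assumption: see lead-in)
            continue
        m = AXFR_FAIL_RE.match(line)
        if m and pending_ns:
            axfr[pending_ns] = m.group(1)
            pending_ns = None
            continue
        m = RR_RE.match(line)
        if m and section:
            owner, ttl, rtype, rdata = m.groups()
            records[section].append((owner.rstrip("."), int(ttl), rtype, rdata))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
    return dict(records), axfr


def axfr_findings(axfr):
    """Name servers whose zone transfer attempt recorded no failure line;
    these are the ones a zone owner should review by hand."""
    return sorted(ns for ns, rcode in axfr.items() if rcode is None)


if __name__ == "__main__":
    recs, axfr_results = parse_report(SAMPLE_REPORT)
    for name, rows in recs.items():
        print(f"{name}: {len(rows)} record(s)")
    for ns, rcode in sorted(axfr_results.items()):
        print(f"AXFR on {ns}: {rcode or 'no failure recorded'}")
    print("review:", axfr_findings(axfr_results) or "none")
```

Run it against a saved dnsenum report (`parse_report(open(path).read())`) to get the records per section as tuples rather than re-reading aligned columns; on the sample, every name server shows REFUSED, which is the expected state for a zone that does not permit transfers to arbitrary clients.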

Command-line options
Usage: dnsenum [Options] <domain>
[Options]:
Note: If no -f tag supplied will default to /usr/share/dnsenum/dns.txt or
the dns.txt file in the same directory as dnsenum.pl
GENERAL OPTIONS:
  --dnsserver 	<server>
			Use this DNS server for A, NS and MX queries.
  --enum		Shortcut option equivalent to --threads 5 -s 15 -w.
  -h, --help		Print this help message.
  --noreverse		Skip the reverse lookup operations.
  --nocolor		Disable ANSIColor output.
  --private		Show and save private ips at the end of the file domain_ips.txt.
  --subfile <file>	Write all valid subdomains to this file.
  -t, --timeout <value>	The tcp and udp timeout values in seconds (default: 10s).
  --threads <value>	The number of threads that will perform different queries.
  -v, --verbose		Be verbose: show all the progress and all the error messages.
GOOGLE SCRAPING OPTIONS:
  -p, --pages <value>	The number of google search pages to process when scraping names,
			the default is 5 pages, the -s switch must be specified.
  -s, --scrap <value>	The maximum number of subdomains that will be scraped from Google (default 15).
BRUTE FORCE OPTIONS:
  -f, --file <file>	Read subdomains from this file to perform brute force. (Takes priority over default dns.txt)
  -u, --update	<a|g|r|z>
			Update the file specified with the -f switch with valid subdomains.
	a (all)		Update using all results.
	g		Update using only google scraping results.
	r		Update using only reverse lookup results.
	z		Update using only zonetransfer results.
  -r, --recursion	Recursion on subdomains, brute force all discovred subdomains that have an NS record.
WHOIS NETRANGE OPTIONS:
  -d, --delay <value>	The maximum value of seconds to wait between whois queries, the value is defined randomly, default: 3s.
  -w, --whois		Perform the whois queries on c class network ranges.
			 **Warning**: this can generate very large netranges and it will take lot of time to performe reverse lookups.
REVERSE LOOKUP OPTIONS:
  -e, --exclude	<regexp>
			Exclude PTR records that match the regexp expression from reverse lookup results, useful on invalid hostnames.
OUTPUT OPTIONS:
  -o --output <file>	Output in XML format. Can be imported in MagicTree (www.gremwell.com)

Reposted from blog.csdn.net/Alexhcf/article/details/103330444