简介
dnsenum的目的是尽可能收集一个域的信息,它能够通过谷歌或者字典文件猜测可能存在的域名,以及对一个网段进行反向查询。它可以查询网站的主机地址信息、域名服务器、mx record(函件交换记录),在域名服务器上执行axfr请求,通过谷歌脚本得到扩展域名信息(google hacking),提取自域名并查询,计算C类地址并执行whois查询,执行反向查询,把地址段写入文件。
常用命令
dnsenum --enum xxx.xxx
#例子
dnsenum --enum us.cnn.com
----- sc.com -----
Host's addresses:
__________________
sc.com. 5 IN A 23.199.80.209
Name Servers:
______________
a3-67.akam.net. 5 IN A 96.7.49.67
a1-244.akam.net. 5 IN A 193.108.91.244
a8-66.akam.net. 5 IN A 2.16.40.66
a4-64.akam.net. 5 IN A 72.246.46.64
a6-65.akam.net. 5 IN A 23.211.133.65
a9-67.akam.net. 5 IN A 184.85.248.67
Mail (MX) Servers:
___________________
cluster4a.us.messagelabs.com. 5 IN A 3.222.201.247
cluster4a.us.messagelabs.com. 5 IN A 52.73.243.182
cluster4a.us.messagelabs.com. 5 IN A 34.237.164.170
cluster4.us.messagelabs.com. 5 IN A 67.219.246.203
cluster4.us.messagelabs.com. 5 IN A 67.219.250.107
cluster4.us.messagelabs.com. 5 IN A 67.219.250.203
cluster4.us.messagelabs.com. 5 IN A 67.219.246.193
cluster4.us.messagelabs.com. 5 IN A 67.219.251.49
cluster4.us.messagelabs.com. 5 IN A 67.219.250.193
cluster4.us.messagelabs.com. 5 IN A 67.219.250.97
cluster4.us.messagelabs.com. 5 IN A 67.219.251.59
cluster4.us.messagelabs.com. 5 IN A 67.219.246.107
cluster4.us.messagelabs.com. 5 IN A 67.219.246.97
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
Trying Zone Transfer for sc.com on a1-244.akam.net ...
AXFR record query failed: REFUSED
Trying Zone Transfer for sc.com on a3-67.akam.net ...
AXFR record query failed: REFUSED
Trying Zone Transfer for sc.com on a4-64.akam.net ...
AXFR record query failed: REFUSED
Trying Zone Transfer for sc.com on a8-66.akam.net ...
AXFR record query failed: REFUSED
Trying Zone Transfer for sc.com on a6-65.akam.net ...
AXFR record query failed: REFUSED
Trying Zone Transfer for sc.com on a9-67.akam.net ...
AXFR record query failed: REFUSED
Scraping sc.com subdomains from Google:
________________________________________
Error GETing http://www.google.com/ncr: Can't connect to www.google.com:80 (Connection timed out) at /usr/bin/dnsenum line 971.
命令参数
Usage: dnsenum [Options] <domain>
[Options]:
Note: If no -f tag supplied will default to /usr/share/dnsenum/dns.txt or
the dns.txt file in the same directory as dnsenum.pl
GENERAL OPTIONS:
--dnsserver <server>
Use this DNS server for A, NS and MX queries.
--enum Shortcut option equivalent to --threads 5 -s 15 -w.
-h, --help Print this help message.
--noreverse Skip the reverse lookup operations.
--nocolor Disable ANSIColor output.
--private Show and save private ips at the end of the file domain_ips.txt.
--subfile <file> Write all valid subdomains to this file.
-t, --timeout <value> The tcp and udp timeout values in seconds (default: 10s).
--threads <value> The number of threads that will perform different queries.
-v, --verbose Be verbose: show all the progress and all the error messages.
GOOGLE SCRAPING OPTIONS:
-p, --pages <value> The number of google search pages to process when scraping names,
the default is 5 pages, the -s switch must be specified.
-s, --scrap <value> The maximum number of subdomains that will be scraped from Google (default 15).
BRUTE FORCE OPTIONS:
-f, --file <file> Read subdomains from this file to perform brute force. (Takes priority over default dns.txt)
-u, --update <a|g|r|z>
Update the file specified with the -f switch with valid subdomains.
a (all) Update using all results.
g Update using only google scraping results.
r Update using only reverse lookup results.
z Update using only zonetransfer results.
-r, --recursion Recursion on subdomains, brute force all discovred subdomains that have an NS record.
WHOIS NETRANGE OPTIONS:
-d, --delay <value> The maximum value of seconds to wait between whois queries, the value is defined randomly, default: 3s.
-w, --whois Perform the whois queries on c class network ranges.
**Warning**: this can generate very large netranges and it will take lot of time to performe reverse lookups.
REVERSE LOOKUP OPTIONS:
-e, --exclude <regexp>
Exclude PTR records that match the regexp expression from reverse lookup results, useful on invalid hostnames.
OUTPUT OPTIONS:
-o --output <file> Output in XML format. Can be imported in MagicTree (www.gremwell.com)