DNSenum is a powerful domain information-gathering tool. It can guess possible domain names through Google or a dictionary file and run reverse lookups over a network range. Besides querying a site's host addresses, name servers and mail exchange (MX) records, it can issue AXFR (zone transfer) requests to the name servers, obtain additional domain information through Google scraping, extract subdomains and query them, and finally compute the Class C ranges, run whois queries on them, perform reverse lookups, and write the address ranges to a file. This article shows how to use DNSenum for DNS enumeration. Run the commands shown below in a terminal.
First, look at the help output:
┌──(liang㉿DESKTOP-K7T738K)-[~]
└─$ dnsenum -h
dnsenum VERSION:1.2.6
Usage: dnsenum [Options] <domain>
[Options]:
Note: If no -f tag supplied will default to /usr/share/dnsenum/dns.txt or
the dns.txt file in the same directory as dnsenum.pl
GENERAL OPTIONS:
--dnsserver <server>
Use this DNS server for A, NS and MX queries.
--enum Shortcut option equivalent to --threads 5 -s 15 -w.
-h, --help Print this help message.
--noreverse Skip the reverse lookup operations.
--nocolor Disable ANSIColor output.
--private Show and save private ips at the end of the file domain_ips.txt.
--subfile <file> Write all valid subdomains to this file.
-t, --timeout <value> The tcp and udp timeout values in seconds (default: 10s).
--threads <value> The number of threads that will perform different queries.
-v, --verbose Be verbose: show all the progress and all the error messages.
GOOGLE SCRAPING OPTIONS:
-p, --pages <value> The number of google search pages to process when scraping names,
the default is 5 pages, the -s switch must be specified.
-s, --scrap <value> The maximum number of subdomains that will be scraped from Google (default 15).
BRUTE FORCE OPTIONS:
-f, --file <file> Read subdomains from this file to perform brute force. (Takes priority over default dns.txt)
-u, --update <a|g|r|z>
Update the file specified with the -f switch with valid subdomains.
a (all) Update using all results.
g Update using only google scraping results.
r Update using only reverse lookup results.
z Update using only zonetransfer results.
-r, --recursion Recursion on subdomains, brute force all discovered subdomains that have an NS record.
WHOIS NETRANGE OPTIONS:
-d, --delay <value> The maximum value of seconds to wait between whois queries, the value is defined randomly, default: 3s.
-w, --whois Perform the whois queries on c class network ranges.
**Warning**: this can generate very large netranges and it will take lot of time to perform reverse lookups.
REVERSE LOOKUP OPTIONS:
-e, --exclude <regexp>
Exclude PTR records that match the regexp expression from reverse lookup results, useful on invalid hostnames.
OUTPUT OPTIONS:
-o --output <file> Output in XML format. Can be imported in MagicTree (www.gremwell.com)
┌──(liang㉿DESKTOP-K7T738K)-[~]
└─$ dnsenum --enum baidu.com
dnsenum VERSION:1.2.6
----- baidu.com -----
Host's addresses:
__________________
baidu.com. 422 IN A 39.156.69.79
baidu.com. 422 IN A 220.181.38.148
Name Servers:
______________
ns2.baidu.com. 808 IN A 220.181.33.31
dns.baidu.com. 207 IN A 110.242.68.134
ns3.baidu.com. 2234 IN A 112.80.248.64
ns7.baidu.com. 1881 IN A 180.76.76.92
ns4.baidu.com. 1889 IN A 14.215.178.80
Mail (MX) Servers:
___________________
jpmx.baidu.com. 3289 IN A 12.0.243.41
mx1.baidu.com. 30 IN A 220.181.3.85
mx1.baidu.com. 30 IN A 111.202.115.85
mx50.baidu.com. 30 IN A 12.0.243.41
mx.maillb.baidu.com. 30 IN A 111.202.115.85
mx.n.shifen.com. 89 IN A 111.202.115.85
mx.n.shifen.com. 89 IN A 111.206.215.185
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
Trying Zone Transfer for baidu.com on ns2.baidu.com ...
AXFR record query failed: REFUSED
Trying Zone Transfer for baidu.com on dns.baidu.com ...
AXFR record query failed: REFUSED
Trying Zone Transfer for baidu.com on ns7.baidu.com ...
AXFR record query failed: REFUSED
Trying Zone Transfer for baidu.com on ns4.baidu.com ...
AXFR record query failed: REFUSED
Trying Zone Transfer for baidu.com on ns3.baidu.com ...
AXFR record query failed: REFUSED
Scraping baidu.com subdomains from Google:
___________________________________________
Error GETing http://www.google.com/ncr: read timeout at /usr/bin/dnsenum line 971.
The output shows the details of the domain's DNS service, including the host addresses, the name server addresses and the mail server addresses. With luck, you may also see a successful zone transfer; here every name server answered the AXFR request with REFUSED, and the Google scraping step failed with a read timeout.
When running DNS enumeration with DNSenum, a few additional dnsenum options are useful, as listed below.
--threads [number]: sets the number of threads that run at the same time.
-r: enables recursion, brute-forcing every discovered subdomain that has an NS record.
-d: sets the maximum delay between WHOIS requests (in seconds).
-o: specifies the output file (XML format).
-w: enables WHOIS queries on the discovered Class C network ranges.
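As an added example (not part of the original article and not dnsenum's own code), the following Python script parses a dnsenum text report like the one above into structured records and reports any name server that actually completed a zone transfer, which is what you want to catch when checking your own domain. The sample text is constructed from the output shown above; the format of zone data printed after a successful AXFR is an assumption.

```python
import re
# Constructed sample: an abridged copy of the dnsenum report shown above.
SAMPLE = """\
Host's addresses:
__________________
baidu.com. 422 IN A 39.156.69.79
baidu.com. 422 IN A 220.181.38.148
Name Servers:
______________
ns2.baidu.com. 808 IN A 220.181.33.31
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
Trying Zone Transfer for baidu.com on ns2.baidu.com ...
AXFR record query failed: REFUSED
"""

A_RECORD = re.compile(r"^(\S+)\.\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")
ZONE_DATA = re.compile(r"^\S+\.\s+\d+\s+IN\s+[A-Z]+\s")  # assumed: records follow a successful AXFR
AXFR_TRY = re.compile(r"^Trying Zone Transfer for \S+ on (\S+) \.\.\.$")
SECTIONS = {"Host's addresses:": "hosts", "Name Servers:": "ns", "Mail (MX) Servers:": "mx",
            "Trying Zone Transfers and getting Bind Versions:": "axfr"}

def parse_dnsenum(text):
    """Parse a dnsenum text report into (name, ttl, ip) lists plus a per-server AXFR status."""
    report = {"hosts": [], "ns": [], "mx": [], "axfr": {}}
    section, pending_ns = None, None  # pending_ns: server whose AXFR outcome comes next
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(":"):  # section header; unmodelled sections (e.g. Google scraping) -> None
            section = SECTIONS.get(line)
            continue
        if not line or line.startswith("_"):
            continue
        if section == "axfr":
            m = AXFR_TRY.match(line)
            if m:
                pending_ns = m.group(1)
            elif pending_ns and line.startswith("AXFR record query failed:"):
                report["axfr"][pending_ns] = line.split(":", 1)[1].strip()
            elif pending_ns and ZONE_DATA.match(line):
                report["axfr"][pending_ns] = "ALLOWED"  # the server handed out zone data
            continue
        m = A_RECORD.match(line)
        if m and section:
            report[section].append((m.group(1), int(m.group(2)), m.group(3)))
    return report

def open_axfr_servers(report):
    """Name servers that completed a zone transfer; each one is a misconfiguration to fix."""
    return sorted(ns for ns, status in report["axfr"].items() if status == "ALLOWED")
```

Feed it a saved dnsenum report with `parse_dnsenum(open("report.txt").read())`; a non-empty result from `open_axfr_servers` means that server still allows AXFR to arbitrary clients.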