DNSEnum

DNSENUM - domain name server enumeration tool


(Who@What):~$ DNSEnum is an enumeration and scanning tool designed to gather DNS-related information about a given target.


(When@Where):~$ DNSEnum is a reconnaissance tool best used in the initial information gathering phase of a penetration test. It is commonly found in penetration testing distros such as Kali Linux and Parrot. You can also download DNSEnum from https://github.com/fwaeytens/dnsenum.


(Why@How):~$ You would use DNSEnum to gather name server information about your target: IP addresses, domain name servers, mail exchange servers, and host names. This information is collected by enumeration via Google or by brute force from dictionary files.

In this demonstration, I will be using the version of DNSEnum that is provided in the Kali Linux distro.


Step 1: Open DNSEnum. You have two main options for accomplishing this.

  1. Use the GUI. Click on the Kali icon in the upper right corner. Navigate to Information gathering > DNS Analysis. Click on DNSEnum. A terminal window should appear listing the help information for DNSEnum.

  2. Open the terminal and type “dnsenum”.

Step 2: To start a scan, type “dnsenum” followed by the target’s hostname or IP address.


Step 3: Pressing Enter will run the scan. Depending on your target and the success of the scan, your results will be listed below.

  



Additional Features and Functions:

Saving: Oftentimes after performing a scan you will want to save your results. DNSEnum provides the option of saving your results in XML format. To do this, type “-o” followed by the path of the file to save. The following command will save my scan results into an XML file in my Desktop folder.





Skip Reverse Lookup: Reverse lookups can provide additional information on the target, but they lengthen scan times. The “--noreverse” option allows you to skip reverse lookups in your scan.


Dictionary file: DNSEnum includes a default wordlist that can be used during brute force scans. This text file is located at /usr/share/dnsenum/dns.txt. Additionally, DNSEnum allows you to use custom wordlists as dictionary files to assist in brute force scanning of subdomains and hostnames. This is done with the “-f” option. You can also update your custom list with subdomains found during the scan by adding the “-u” option.
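Putting the options above together, as an added example that is not from the original post or the dnsenum project: a small bash script that assembles a dnsenum command line with -o, -f and --noreverse, and that shows what -u accomplishes by merging hostnames from a scan back into a custom wordlist. The target domain, file paths and scan lines are constructed for illustration, and dnsenum itself is assumed to be on PATH.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: one function that assembles the
# dnsenum options discussed above (-o, -f, --noreverse), and one that shows by
# hand what "-u" does: merging hostnames found by a scan into a custom wordlist.
# Assumptions: dnsenum is on PATH (as in Kali); the domain, file names and the
# sample scan lines below are constructed for illustration.
set -u

# Build the dnsenum command line (printed, not executed, so it can be reviewed).
#   $1 target domain  $2 XML output file  $3 wordlist  $4 "noreverse" or empty
build_dnsenum_cmd() {
    local target=$1 out=$2 wordlist=$3 noreverse=${4:-}
    local cmd="dnsenum -o $out -f $wordlist"
    if [ -n "$noreverse" ]; then cmd="$cmd --noreverse"; fi
    printf '%s %s\n' "$cmd" "$target"
}

# From dnsenum-style host lines ("name. TTL IN TYPE value") keep A/AAAA/CNAME
# records under the target domain, strip the domain, and append labels the
# wordlist does not already contain. Prints the number of labels added.
# (dnsenum's own "-u <a|g|r|z>" switch performs this update for you.)
merge_found_subdomains() {
    local domain=$1 wordlist=$2 scan_output=$3 before after
    before=$(wc -l < "$wordlist")
    awk -v d="$domain" '
        $3 == "IN" && ($4 == "A" || $4 == "AAAA" || $4 == "CNAME") {
            sub(/\.$/, "", $1)                        # drop trailing dot
            n = length($1) - length(d)
            if (n > 1 && substr($1, n, 1) == "." && substr($1, n + 1) == d)
                print substr($1, 1, n - 1)            # label(s) left of domain
        }' "$scan_output" | sort -u | while read -r label; do
        grep -qx -- "$label" "$wordlist" || echo "$label" >> "$wordlist"
    done
    after=$(wc -l < "$wordlist")
    echo $((after - before))
}

# --- constructed demo data -----------------------------------------------
work=$(mktemp -d)
printf 'www\nmail\n' > "$work/custom.txt"
cat > "$work/scan.txt" <<'EOF'
example.com.            3600    IN    A      192.0.2.10
www.example.com.        3600    IN    A      192.0.2.10
mail.example.com.       3600    IN    A      192.0.2.20
vpn.example.com.        3600    IN    A      192.0.2.30
ns1.example.com.        3600    IN    A      192.0.2.53
EOF
build_dnsenum_cmd example.com "$work/out.xml" "$work/custom.txt" noreverse
merge_found_subdomains example.com "$work/custom.txt" "$work/scan.txt"   # prints 2
```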

