Author Topic: How to Brute Force Subdomains with dnsmap  (Read 6016 times)


Offline dataspy

How to Brute Force Subdomains with dnsmap
« on: April 18, 2012, 09:04:54 pm »
Post on my blog @ www.data-spy.net

I know this is a simple tutorial, don't make fun of me :P

This tutorial will cover how to use dnsmap to brute force subdomains of a specific domain. dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments.

First things first, you're going to want to download dnsmap which is at http://code.google.com/p/dnsmap/.

After you've downloaded the source code, now would be the time to add any extra subdomains you'd like to search for. You can do that by editing the dnsmap.h file; you'd want to add the subdomains after the // built-in list of subdomains comment. It's a long list, you can't miss it :) !

If you're done editing the dnsmap.h file, or don't want to add any extra subdomains, the next step would be to compile the source. You can do this by opening your terminal, changing to the directory of the source, and compiling it.

Example:

    cd dnsmap-0.30/
    gcc dnsmap.c -o dnsmap

Once you've compiled the source you can run dnsmap by typing ./dnsmap followed by the domain you want to scan into your terminal. Make sure to exclude the www.

Example:

    ./dnsmap domain.com

This was tested on Ubuntu 10.04
« Last Edit: April 18, 2012, 09:10:46 pm by dataspy »
The only people for me are the mad ones, the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn, like fabulous yellow roman candles exploding like spiders across the stars.
-Kerouac

Offline Infinityexists

Re: How to Brute Force Subdomains with dnsmap
« Reply #1 on: April 19, 2012, 11:49:25 pm »
Whatever it is, +1 for that :)
Could you please explain to me what it does?

Offline dataspy

Re: How to Brute Force Subdomains with dnsmap
« Reply #2 on: April 20, 2012, 01:44:49 am »
Thanks :)

dnsmap is a subdomain brute-forcer: it runs a dictionary attack of subdomains against a domain and reports the subdomains found.

Say the domain is evilzone.org

Example of subdomains found (this isn't real, just an example):
admin.evilzone.org
private.evilzone.org
ftp.evilzone.org
localhost.evilzone.org
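The dictionary lookup dataspy describes in the first post and in reply #2 can be demonstrated in a few lines of Python. This is an added example, not dnsmap's own code: it takes a wordlist, resolves each candidate name, and first checks for a wildcard record, the caveat that makes every guess look like a hit when a zone answers for any name. The resolver is injectable so the example runs offline against a constructed zone; `FAKE_ZONE`, `example.test` and the addresses are made up.

```python
import random
import socket
import string
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Forward A lookup through the OS resolver; None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def wildcard_address(domain: str, resolve: Resolver) -> Optional[str]:
    """Resolve a random label that should not exist. An answer means the zone
    has a wildcard record, so a plain dictionary run would report everything."""
    label = "".join(random.choices(string.ascii_lowercase, k=12))
    return resolve(f"{label}.{domain}")


def enumerate_subdomains(domain: str, wordlist: List[str],
                         resolve: Resolver = system_resolver) -> Dict[str, str]:
    """Dictionary lookups like dnsmap's built-in list. Returns {host: address},
    dropping answers that only match the wildcard address (a real host that
    shares the wildcard's address is dropped too; that is a known limitation)."""
    wildcard = wildcard_address(domain, resolve)
    found: Dict[str, str] = {}
    for word in wordlist:
        host = f"{word.strip().lower()}.{domain}"
        addr = resolve(host)
        if addr is not None and addr != wildcard:
            found[host] = addr
    return found


# Constructed zone standing in for real DNS answers (offline demo data).
FAKE_ZONE = {"www.example.test": "192.0.2.10", "ftp.example.test": "192.0.2.11",
             "admin.example.test": "192.0.2.12"}


def fake_resolver(name: str) -> Optional[str]:
    return FAKE_ZONE.get(name)


def fake_wildcard_resolver(name: str) -> Optional[str]:
    """Constructed zone with a wildcard: one real host, everything else 192.0.2.99."""
    if name == "mail.example.test":
        return "192.0.2.20"
    return "192.0.2.99" if name.endswith(".example.test") else None


WORDLIST = ["www", "ftp", "admin", "mail", "private", "localhost"]
```

Swap `fake_resolver` for the default `system_resolver` to inventory the names published under a zone you administer.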

Offline Kulverstukas

Re: How to Brute Force Subdomains with dnsmap
« Reply #3 on: April 20, 2012, 09:17:35 am »
it's very unreliable and probably slow... it's like guessing the password, only slower because you have to send requests to the server?

Z3R0

Re: How to Brute Force Subdomains with dnsmap
« Reply #4 on: April 20, 2012, 10:08:38 am »
I take it this is just a standard forward dns lookup tool? I like it, but far simpler bash scripts can do the exact same thing. Also (no offense), but I don't think there are many people here that will appreciate the value of this tool.

This is one of those tools where, if you're not a penetration tester, or a hardcore grayhat/blackhat, you probably won't understand its purpose and value as it relates to the enumeration phase of an attack.
« Last Edit: April 20, 2012, 10:10:16 am by m0rph »

Offline CautiousOne3x3

Re: How to Brute Force Subdomains with dnsmap
« Reply #5 on: May 22, 2012, 05:44:51 pm »
Is brute forcing domains really necessary? With tools like theHarvester.py you can crawl through Google or Bing and use their resources to find the subdomains. For example, for the domain used in the example above, theHarvester would produce:

It also gave known emails. It spiders LinkedIn, PGP server listings, etc. theHarvester also gives a brute-force option as well.

A side note is that it is a violation of Google's terms of use to electronically scan their stuff.... And they will let you know :)

Kudos for the tutorial. No sarcasm, I love to see people taking the time to share their knowledge!!
« Last Edit: May 22, 2012, 05:48:03 pm by CautiousOne3x3 »

Offline ca0s

Re: How to Brute Force Subdomains with dnsmap
« Reply #6 on: May 22, 2012, 06:04:59 pm »
Quote
173.246.100.57:vuln.evilzone.org

I remember this one :P