Author Topic: How to Brute Force Subdomains with dnsmap  (Read 6018 times)

0 Members and 1 Guest are viewing this topic.

Offline dataspy

  • Peasant
  • *
  • Posts: 99
  • Cookies: 16
    • View Profile
How to Brute Force Subdomains with dnsmap
« on: April 18, 2012, 09:04:54 pm »
Post on my blog @ www.data-spy.net

I know this is a simple tutorial, don't make fun of me :P

This tutorial will cover how to use dnsmap to brute force subdomains of a specific domain.  dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration phase of infrastructure security assessments.

First things first, you're going to want to download dnsmap which is at http://code.google.com/p/dnsmap/.

After you've downloaded the source code now would be the time to add any extra subdomains you'd like to search for, you can do that by editing the dnsmap.h file, you'd want to add the subdomains after // buil-in list of subdomains comment, it's a long list you can't miss it :) !

If you're done editing the dnsmap.h file or don't want to add any extra subdomains the next step would be to compile the source, you can do this by opening your terminal, changing to the directory of the source, and compiling it.

Example:
Code: [Select]
cd dnsmap-0.30/
Code: [Select]
gcc dnsmap.c -o dnsmap
Once you've compiled the source you can run dnsmap by typing ./dnsmap and then the domain you want to scan into your terminal, make sure to exclude the www.

Example:
Code: [Select]
./dnsmap domain.com
This was tested on Ubuntu 10.04
« Last Edit: April 18, 2012, 09:10:46 pm by dataspy »
The only people for me are the mad ones, the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn, like fabulous yellow roman candles exploding like spiders across the stars.
-Kerouac

Offline Infinityexists

  • Peasant
  • *
  • Posts: 74
  • Cookies: 1
    • View Profile
Re: How to Brute Force Subdomains with dnsmap
« Reply #1 on: April 19, 2012, 11:49:25 pm »
whatever it is , +1 for that :)
could you please explain me what does it do ?

Offline dataspy

  • Peasant
  • *
  • Posts: 99
  • Cookies: 16
    • View Profile
Re: How to Brute Force Subdomains with dnsmap
« Reply #2 on: April 20, 2012, 01:44:49 am »
Thanks :)

dnsmap is a subdomain bruteforcer, it does a dictionary attack of subdomains against a domain and reports the subdomains found. 

Say the domain is evilzone.org

example of subdomains found (this isn't real just an example)
admin.evilzone.org
private.evilzone.org
ftp.evilzone.org
localhost.evilzone.org
The only people for me are the mad ones, the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn, like fabulous yellow roman candles exploding like spiders across the stars.
-Kerouac

Offline Kulverstukas

  • Administrator
  • Zeus
  • *
  • Posts: 6627
  • Cookies: 542
  • Fascist dictator
    • View Profile
    • My blog
Re: How to Brute Force Subdomains with dnsmap
« Reply #3 on: April 20, 2012, 09:17:35 am »
it's very unreliable and probably slow... it's like guessing the password, only slower because you have to send requests to the server?

Z3R0

  • Guest
Re: How to Brute Force Subdomains with dnsmap
« Reply #4 on: April 20, 2012, 10:08:38 am »
I take it this is just a standard forward dns lookup tool? I like it, but far simpler bash scripts can do the exact same thing. Also (no offense), but I don't think there are many people here that will appreciate the value of this tool.

This is one of those tools where, if you're not a penetration tester, or a hardcore grayhat/blackhat, you probably won't understand it's purpose, and value as it relates to the enumeration phase of an attack.
« Last Edit: April 20, 2012, 10:10:16 am by m0rph »

Offline CautiousOne3x3

  • NULL
  • Posts: 1
  • Cookies: 0
    • View Profile
Re: How to Brute Force Subdomains with dnsmap
« Reply #5 on: May 22, 2012, 05:44:51 pm »
Is brute forcing domains really necessary? With tools like theHarvester.py you can crawl through Google or Bing and use their resources to find the subdomains.  For example, the example that was used was for this domain, theHarvester would produce:
173.246.100.57:forum.evilzone.org
173.246.100.57:www.evilzone.org
173.246.101.14:irc.evilzone.org
173.246.100.57:vuln.evilzone.org
173.246.100.57:23irc.evilzone.org
173.246.100.57:2523irc.evilzone.org
173.246.100.57:Forum.evilzone.org
173.246.100.57:upload.evilzone.org
173.246.100.57:Vuln.evilzone.org
173.246.100.57:ns1.evilzone.org
173.246.100.57:www.forum.evilzone.org
173.246.100.57:Upload.evilzone.org
173.246.101.14:Irc.evilzone.org
173.246.100.57:www.upload.evilzone.org
173.246.100.57:archives.evilzone.org
173.246.100.57:Archives.evilzone.org

It also gave known emails. It spiders linkedin, pgp server listings, ect. TheHarvester also gives a bruteforce option as well.

A side note is that it is a violation of Google's terms of use to electronically scan their stuff.... And they will let you know :)

Kudos for the tutorial. No sarcasm, I love to see people taking the time to share their knowledge!!
« Last Edit: May 22, 2012, 05:48:03 pm by CautiousOne3x3 »

Offline ca0s

  • VIP
  • Sir
  • *
  • Posts: 432
  • Cookies: 53
    • View Profile
    • ka0labs #
Re: How to Brute Force Subdomains with dnsmap
« Reply #6 on: May 22, 2012, 06:04:59 pm »
Quote
173.246.100.57:vuln.evilzone.org

I remember this one :P