LightBlog

Tuesday, 8 December 2020

Kali Linux Tutorials: Information Gathering Tools - DNS Analysis Tools

kali-linux-tutorials-information-gathering


Kali Linux Tutorials: Information Gathering - DNS Analysis Tools

 

This Kali Linux Tutorials guide describes every tool one by one and is aimed at anyone who wants to get familiar with digital forensics and Penetration Testing or refresh their knowledge in these areas with Tools available in Kali Linux 


  • Note! I’ve tried to gather as much information as possible, however, even despite that, some entries don’t have information, which I might update if I get more information. Also, mistakes are inevitable 
  • The purpose was to create the most detailed source of every tool in Kali Linux for quick reference and better understanding 
  • The information about every tool usually consists of DESCRIPTION, USAGE, EXAMPLE and sometimes OPTIONS and TIPs 
  • Kali Linux tools are not limited to Kali Linux / Backtrack (most can be installed on other Linux distributions taking into consideration all the necessary dependencies. Additionally, some tools are also available on other types of operating systems such as Windows and Mac OS) 
  • Kali Linux is a new and developing OS – some tools may be added, some - updated, some – removed over time 
  • It is assumed that all tools are run as root (or as administrator) (in Kali Linux you are root by default) 
  • All the information gathered about each tool has been found freely on the Internet and is publicly available • Sources of information are referenced at the end 
  • Most command-line tools include options, however, due to space considerations, only some tools have options listed (search the internet for options, read documentation/manual, use –h or --help) 
  • For more information on each tool - search the internet, click on links, or check the references at the end 

PLEASE DO NOT USE KALI LINUX AND THE TOOLS LISTED HERE FOR ANY ILLEGAL OPERATION! 

  • Tools which are specifically aimed at DOS, DDOS, or anonymity are rarely used in legitimate engagements and are therefore not installed by default in Kali Linux

KALI LINUX TUTORIALS: INFORMATION GATHERING - DNS ANALYSIS

  • dnsdict6
  • dnsenum
  • dnsmap
  • dnsrecon
  • dnsrevenum6
  • dnstracer
  • dnswalk
  • fierce
  • maltego
  • nmap

dnsdict6

DESCRIPTION - thc-ipv6 - THC-IPV6-ATTACK-TOOLKIT - just run the tools without options and they will give you help and show the command-line options.

The tool is used to enumerate the domain to get the IPv6 address if it exists. It is a paralyzed DNS IPv6 dictionary
bruteforcer.

TIP DETECTION

Most tools can easily be detected by an IDS or specialized detection software. This is done on purpose to make rogue usage detection easier. 

The tools either specify a fixed packet signature, or generically sniff for packets (e.g. therefore also answering to icmp6 neighbor solicitations which are sent to a non-existing mac, and are therefore very easy to detect). If you don't want this, change the code.

USAGE dnsdict6 <url>

USAGE dnsdict6 [-d46] [-s|-m|-l|-x] [-t THREADS] [-D] domain [dictionary-file]

EXAMPLE dnsdict6 google.com

dnsenum

DESCRIPTION - The purpose of dnsenum is to gather as much information as possible about a domain. The program currently performs the following operations:
  • Get the host's address (A record) / get name servers (threaded) / get the MX record (threaded).
  • Perform axfr queries on name servers and get BIND versions(threaded).
  • Get extra names and subdomains via google scraping (google query = "allinurl: -www site:domain").
  • Brute force subdomains from the file can also perform recursion on a subdomain that has NS records (all threaded).
  • Calculate C class domain network ranges and perform whois queries on them (threaded).
  • Perform reverse lookups on-network ranges ( C class or/and whois netranges) (threaded).
  • Write to domain_ips.txt file IP-blocks.

USAGE dnsenum.pl [options] <domain>

EXAMPLE ./dnsenum.pl -p 1 -s 1 google.com

dnsmap

DESCRIPTION - The tool enables to discover all subdomains associated with a given domain (e.g. from google.com, it is possible to discover mail.google.com, earth.google.com, sketchup.google.com, desktop.google.com, ...).

USAGE ./dnsmap <target-domain> [options]

EXAMPLE ./dnsmap google.com

dnsrecon

DESCRIPTION - dnsrecon enables to gather DNS-oriented information on a given target.
At the time of this writing (version 1.6), the tool supports the following types:
  • Brute force hostnames and subdomains of a given target domain using a wordlist.
  • Standard Record Enumeration for a given domain (A, NS, SOA and MX).
  • Top Leven Domain Expansion for a given domain.
  • Zone Transfer against all NS records of a given domain.
  • Reverse Lookup against a given IP Range given a start and end IP.
  • SRV Record enumeration

USAGE ./dnsrecon.rb -t <type> -d <target> [options]

EXAMPLE ./dnsrecon.rb -t std -d google.com (Standard (-t std))

EXAMPLE ./dnsrecon.rb -t tld -d aldeid (Top Level Domain (-t tld))

EXAMPLE ./dnsrecon.rb -t axfr -d ??????club.net (Zone transfer (-t axfr))

EXAMPLE ./dnsrecon.rb -t rvs -i 66.249.92.100,66.249.92.150 (Reverse Record Enumeration (-t rvs))

dnsrevenum6

DESCRIPTION - thc-ipv6 - THC-IPV6-ATTACK-TOOLKIT - just run the tools without options and they will give you help and show the command-line options.

Simple and fast Reverse DNS Enumerator for IPv6
  • detects wildcard DNS servers
  • adapts to lossy/slow DNS server
  • fast but non-flooding
  • specify the reverse domain as 2001:db8::/56 or 0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa
TIP DETECTION

Most tools can easily be detected by an IDS or specialized detection software. This is done on purpose to make rogue usage detection easier. 

The tools either specify a fixed packet signature or generically sniff for packets (e.g. therefore also answering to icmp6 neighbor solicitations which are sent to a non-existing mac, and are therefore very easy to detect). If you don't want this, change the code.

USAGE dnsrevenum6 <url>

EXAMPLE dnsrevenum6 google.com

dnstracer


DESCRIPTION - dnstracer enables to trace a chain of DNS servers to the source. It determines where a given Domain Name Server (DNS) gets its information from, and follows the chain of DNS servers back to the servers which know the data.

USAGE dnstracer [options] name

EXAMPLE dnstracer www.mavetju.org (Search for the A record of www.mavetju.org on your local nameserver)

EXAMPLE dnstracer "-s" . "-q" mx mavetju.or (Search for the MX record of mavetju.org on the root-nameservers)

EXAMPLE dnstracer "-q" ptr 141.230.204.212.in-addr.arpa (Search for the PTR record (hostname) of 212.204.230.141)

EXAMPLE dnstracer "-q" ptr "-s" . "-o“ 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.6.4.0.2.0.0.0.0.8.b.0.e.f.f.3.ip6.int (for IPv6 addresses)

dnswalk

DESCRIPTION - Dnswalk is a DNS database debugger. It performs zone transfers of specified domains and checks the database in numerous ways for internal consistency, as well as for correctness according to accepted practices with the Domain Name System.

The domain name specified on the command line MUST end with a '.'. You can specify a forward domain, such as dnswalk podunk.edu. or a reverse domain, such as dnswalk 3.2.1.in-addr.arpa.

USAGE dnswalk [ -adilrfFm ] <domain>.

EXAMPLE dnswalk google.com

fierce


DESCRIPTION - fierce is a semi-lightweight enumeration scanner that helps penetration testers locate non-contiguous IP space and hostnames for a specified domain using things like DNS, Whois, and ARIN. 

It's really meant as a pre-cursor to active testing tools via something like nmap, unicornscan, nessus, nikto, etc since all of those require that you already know what IP space you are looking for. 

Fierce does not perform exploitation and does not scan the whole internet indiscriminately. It is meant specifically to locate likely targets both inside and outside a corporate network.

Since it uses DNS primarily you will often find mis-configured networks that leak internal address space.

USAGE fierce {target options} [OPTIONS]

EXAMPLE fierce -dns company.com (Standard Fierce scan)

EXAMPLE fierce -dns company.com –wide (Standard Fierce scan and search all class c ranges found for PTR names that match the domain)

EXAMPLE fierce -dns company.com -only zt (Fierce scan that only checks for zone transfer)

EXAMPLE fierce -dns company.com –ztstop (Fierce scan that does not perform brute-forcing if a zone transfer is found)

EXAMPLE fierce -dns company.com –wildcstop (Fierce scan that does not perform brute-forcing if a wildcard is found)


maltego


DESCRIPTION - Maltego is a unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates. Maltego can locate, aggregate, and visualize this information. 

Maltego is a program that can be used to determine the relationships and real-world links between people, groups of people (social networks), companies, organizations, web sites, phrases, affiliations, documents and files, internet infrastructure (domains, DNS names, netblocks, IP addresses).

USAGE n/a, GUI tool

EXAMPLE n/a, GUI tool

NMAP

Description - Nmap is certainly The Scanner to know. Thanks to its numerous parameters, it is a swiss army knife to all situations where network identification is needed. It enables among other things to list network hosts and scan their ports.

USAGE ./nmap [Scann Types] [Options] [target specification]

EXAMPLE ./nmap -sP 192.168.100.0/24 (Lists hosts on a network)

EXAMPLE ./nmap -sS -sV 192.168.100.0 (Scans a host. This example uses  TCP/SYN scan and tries to identify installed services)

urlcrazy

Description - Generate and test domain typos and variations to detect and perform typo squatting, URL hijacking, phishing, and corporate espionage.
  • Detect typo squatters profiting from typos on your domain name 
  • Protect your brand by registering popular typos
  • Identify typo domain names that will receive traffic intended for another domain
  • Conduct phishing attacks during a penetration test

USAGE ./urlcrazy [options] [domain]

EXAMPLE ./urlcrazy example.com

2 comments:

  1. This is my first visit to your web journal! We are a group of volunteers and new activities in the same specialty. Website gave us helpful data to work.

    ReplyDelete