Key features of DNSMAP Tool on Backtrack:
- Obtain all A records (i.e. IP addresses) associated with each successfully brute forced sub domain, rather than just one IP address per sub domain.
- Abort the brute forcing process in case the target domain uses wildcards.
- Ability to run the tool without providing a word list, by using a built-in list of keywords.
- Brute forcing by using a user-supplied word list (as opposed to the built-in word list).
- Saving the results in human-readable and CSV format for easy processing.
- Improved built-in subdomains wordlist.
- New bash script (dnsmap-bulk.sh) included which allows running Dnsmap against a list of domains from a user-supplied file. i.e.: brute forcing several domains in a bulk fashion.
- Bypassing of signature-based Dnsmap detection by generating a proper pseudo-random sub domain when checking for wildcards (Unique Feature).
Why use the DNSMAP Tool?
1. Finding interesting remote access servers.
2. Finding badly configured and/or unpatched servers.
3. Finding new domain names which will allow you to map non-obvious/hard-to-find net blocks.
4. Sometimes you find that some brute forced sub domains resolve to internal IP addresses (RFC 1918). This is great as sometimes they are real up-to-date “A” records which means that it *is* possible to enumerate internal servers of a target organization from the Internet by only using standard DNS resolving (as opposed to zone transfers for instance).
5. Discover embedded devices configured using Dynamic DNS services.
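To make the wildcard check, the delay between lookups, the ignore list and the RFC 1918 point above concrete, here is a small added Python script written for this post; it is not part of dnsmap. It works against a constructed zone (FAKE_ZONE) so it runs offline; pass resolve_a instead of fake_resolve for live lookups.

```python
import csv, io, ipaddress, random, socket, string, time

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def random_label(length=12):
    # Fresh pseudo-random label per run: the wildcard probe is not a fixed,
    # signature-matchable string (the "unique feature" in the list above).
    return "".join(random.choice(string.ascii_lowercase + string.digits) for _ in range(length))

def resolve_a(name):
    # Live resolver: all IPv4 A records for name, [] on NXDOMAIN or lookup error.
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def uses_wildcard(domain, resolve=resolve_a):
    # If a label nobody registered resolves, every guess would "succeed".
    return bool(resolve(f"{random_label()}.{domain}"))

def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def enumerate_subdomains(domain, words, resolve=resolve_a, delay_ms=10, ignore_ips=()):
    """Return [(hostname, ip, is_rfc1918)] per A record; raise on a wildcard zone."""
    if uses_wildcard(domain, resolve):
        raise ValueError(f"{domain} uses wildcards; aborting brute force")
    found = []
    for word in words:
        host = f"{word}.{domain}"
        for ip in resolve(host):
            if ip in ignore_ips:             # like dnsmap -i: drop known false positives
                continue
            found.append((host, ip, is_rfc1918(ip)))
        time.sleep(delay_ms / 1000)          # like dnsmap -d: pause between lookups
    return found

def to_csv(results):
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["hostname", "ip", "rfc1918"])
    writer.writerows(results)
    return buf.getvalue()

# Constructed zone so the example runs offline; pass resolve_a for live lookups.
FAKE_ZONE = {
    "www.example.test": ["192.0.2.11", "192.0.2.10"],
    "mail.example.test": ["192.0.2.20"],
    "intranet.example.test": ["10.1.2.3"],   # an internal address exposed in public DNS
}

def fake_resolve(name):
    return sorted(FAKE_ZONE.get(name, []))
```

Running enumerate_subdomains("example.test", ["www", "mail", "intranet", "vpn"], fake_resolve, delay_ms=0) and printing to_csv of the result lists both www addresses and flags intranet as RFC 1918, which is exactly the record a defender would want to remove from the public zone.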
How to use the DNSMAP tool on Backtrack Linux?
Step 1: Open the DNSMAP Tool on Backtrack
There are multiple ways to open the DNSMAP tool on Backtrack:
a. Using the GUI menu: go to the menu bar and click Applications –> Backtrack –> Information Gathering –> Network Analysis –> DNS Analysis –> DNSMAP
b. Using the terminal: run the below command in a terminal
Step 2: Select the Target and Start the Scan
Say we want to gather information about Google. Then, to run DNSMAP against it, we have to run the below command:
When you press Enter you will see results like the ones below:
[Screenshot: DNSMAP Tutorial – 1]
[Screenshot: DNSMAP Tutorial – 2]
[Screenshot: DNSMAP Tutorial – 3]
As you can see above, DNSMAP has brute forced the sub domains of Google and listed every A record, i.e. the IP addresses, of each Google sub domain it found.
The above is the simplest way of using DNSMAP. To perform a deeper search, there are several advanced options available in the DNSMAP tool, which are listed below:
- -w <wordlist-file> : input file to use for brute force (instead of the built-in list)
- -r <regular-results-file> : export the results in human-readable text format
- -c <csv-results-file> : save the results in CSV format
- -d <delay-millisecs> : maximum delay (in ms) between 2 DNS lookups (default: 10 ms)
- -i <ips-to-ignore> : comma-separated IPs to ignore; useful if you're obtaining false positives
Examples of using the advanced options:
If you have a custom wordlist of sub domains you can use it as well, simply by specifying the -w argument followed by the path to the wordlist; here the results are also exported as text with -r:
./dnsmap google.com -w yourwordlist.txt -r /tmp/domainbf_results.txt
Use the built-in wordlist, write the results under /tmp/ and wait up to 3 seconds (3000 ms) between lookups to keep the scan slow and quiet:
./dnsmap google.com -r /tmp/ -d 3000
Use the built-in wordlist and save the results as a text file in the current directory:
./dnsmap google.com -r ./subdomainbruteforce_results.txt
That’s all, friends. If you have any queries, ask us in the form of comments. Feel free to contact us, and Happy Learning.