
DNSMAP Tutorial | DNS Network Mapper Information Gathering | KYB Tutorial 3

Hey friends, Hackingloops is back with another Know Your Backtrack tutorial. In this tutorial we will learn the DNSMAP tool for DNS information gathering. DNSMAP, as the name suggests, is a DNS Network Mapper, and it is used for multiple purposes. Basically, DNSMAP is a passive network mapper, often called a subdomain brute force tool. It is mainly used by penetration testers and hackers for DNS and subdomain information gathering. It is like most other DNS information gathering tools except for one unique feature, which is worth appreciating. Other tools that brute force subdomains have no feature to abort the brute forcing if the domain uses wildcards, so technically they produce false positives while enumerating subdomain data; DNSMAP does abort in that case. So friends, let's first discuss the key features of DNSMAP and what we can gather using it.


Key features of DNSMAP Tool on Backtrack:
  • Obtain all A records (i.e. IP addresses) associated with each successfully brute forced subdomain, rather than just one IP address per subdomain.
  • Abort the brute forcing process in case the target domain uses wildcards.
  • Ability to run the tool without providing a word list, by using a built-in list of keywords.
  • Brute forcing by using a user-supplied word list (as opposed to the built-in word list).
  • Saving the results in human-readable and CSV format for easy processing.
  • Improved built-in subdomains wordlist.
  • New bash script (dnsmap-bulk.sh) included which allows running Dnsmap against a list of domains from a user-supplied file. i.e.: brute forcing several domains in a bulk fashion.
  • Bypassing of signature-based Dnsmap detection by generating a proper pseudo-random sub domain when checking for wildcards (Unique Feature).

Why use the DNSMAP tool?
1. Finding interesting remote access servers.
2. Finding badly configured and/or unpatched servers.
3. Finding new domain names which will allow you to map non-obvious/hard-to-find net blocks.
4. Sometimes you find that some brute forced sub domains resolve to internal IP addresses (RFC 1918). This is great as sometimes they are real up-to-date “A” records which means that it *is* possible to enumerate internal servers of a target organization from the Internet by only using standard DNS resolving (as opposed to zone transfers for instance).
5. Discover embedded devices configured using Dynamic DNS services.

How to use the DNSMAP tool on Backtrack Linux
Step 1 : Open the DNSMAP Tool on Backtrack
There are multiple ways to open the DNSMAP tool on Backtrack:
a. Using the GUI menu: Go to the menu bar and click on Applications –> Backtrack –> Information Gathering –> Network Analysis –> DNS Analysis –> DNSMAP
b. Using the terminal: Run the command below in a terminal

cd /pentest/enumeration/dns/dnsmap/ 

Step 2 : Select the Target and Start the Scan
Say we want to gather information about Google. To run DNSMAP against it, run the command below from the DNSMAP directory:

./dnsmap google.com

When you press the Enter key you will see results like those below:
[Screenshots: DNSMAP Tutorial 1 to 3]
As you can see above, DNSMAP has scanned the subdomains of Google along with all their A records, i.e. the IP addresses of the Google subdomains.
That was the simplest way of using DNSMAP. To perform a deeper search, DNSMAP offers several advanced options, which are listed below:

-w <wordlist-file>
Input file to use for brute force

-r <regular-results-file>
Export results in text format

-c <csv-results-file>
Save results in CSV format

-d <delay-millisecs>
Maximum delay (in ms) between 2 DNS lookups (default: 10 ms)

-i <ips-to-ignore>
Useful if you’re obtaining false positives

Examples of using the advanced options:
If you have a custom wordlist of subdomains, you can use it by specifying the -w argument followed by the path to the wordlist.

./dnsmap google.com -w yourwordlist.txt -r /tmp/domainbf_results.txt

./dnsmap google.com -r /tmp/ -d 3000

./dnsmap google.com -r ./subdomainbruteforce_results.txt
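
Point 4 under "Why use the DNSMAP tool?" notes that brute forced subdomains sometimes resolve to RFC 1918 addresses. The Python below is an added example, not part of the original tutorial or of dnsmap: it checks a results file saved with -c from a scan of your own domain and lists the public names that publish internal addresses. The row layout (hostname first, then its addresses), the sample rows and the names SAMPLE_CSV and find_internal_records are assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample rows. Assumed layout of a "-c" results file:
# hostname in the first column, followed by one or more addresses.
SAMPLE_CSV = """\
www.example.com,203.0.113.10,203.0.113.11
vpn.example.com,198.51.100.7
intranet.example.com,10.20.30.40
build.example.com,192.168.5.12,203.0.113.20
mail.example.com,2001:db8::25
"""

# The three private IPv4 blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def find_internal_records(csv_text):
    """Return sorted (hostname, address) pairs whose address is RFC 1918."""
    leaks = set()
    for row in csv.reader(io.StringIO(csv_text)):
        cells = [c.strip() for c in row if c.strip()]
        if len(cells) < 2:
            continue  # blank line, or a hostname with no addresses
        host, addresses = cells[0].lower().rstrip("."), cells[1:]
        for text in addresses:
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:
                continue  # header or other non-address cell
            if addr.version == 4 and any(addr in net for net in RFC1918):
                leaks.add((host, str(addr)))
    return sorted(leaks)


if __name__ == "__main__":
    for host, addr in find_internal_records(SAMPLE_CSV):
        print(f"{host} publishes internal address {addr}")
```

Names flagged this way are candidates for moving to an internal-only (split-horizon) zone so they stop resolving from the Internet.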

That’s all, friends. If you have any queries, ask us in the comments. Feel free to contact us, and happy learning.


About Lokesh Singh

Hello Friends, I am Lokesh Singh, a certified ethical hacker (CEH, SSA, CSIF, CISSP). I have 8+ years of extensive experience in the ethical hacking, cyber security and penetration testing domain.
