DNSMap

DNSMap is a simple tool for brute-forcing the subdomains of a target host. It was developed in 2006, and the last updates appear to have been made in 2010. The package includes two tools: dnsmap and dnsmap-bulk.sh. dnsmap scans a single domain, while dnsmap-bulk.sh scans multiple domains by reading them from a text file you provide. The tool is written in C, so if you’re curious, you can download the package from the code page on Google and examine the source file to see how it works.

https://code.google.com/p/dnsmap/

Before using the tool, let’s take a quick look at the available options. Running the program without supplying any arguments causes it to display the Help file.

Options/Switches
To launch DNSMap and see the available options, go to Applications –> Information Gathering –> DNS Analysis –> DNSMAP.

Running the tool without any command line parameters will give you the Help file, which shows the available options.

[Screenshot: dnsmap help output]

As you can see, there are only a few options to use when running the tool.

HOW TO USE
If you just run dnsmap without supplying any options, it will use its default wordlist to brute-force the target’s subdomains. Here, I’m using the zonetransfer.me site again as the target:

[Screenshot: dnsmap run against zonetransfer.me]

The results are displayed on the screen, and you can see that it found additional subdomains that could be used for testing.
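From the defender's side, a wordlist run like this one shows up in resolver logs as a single client asking for many different names under one zone, most of which do not exist. The following is an added example, not part of the original tutorial or the dnsmap package; the log line format, the example.test zone, the client addresses and the thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log; assumed line format: "<epoch> <client-ip> <qname> <rcode>"
LABELS = ["admin", "dev", "ftp", "intranet", "mail", "ns1", "vpn", "www"]
RESOLVES = {"mail", "www"}  # labels that exist in the constructed zone
SAMPLE_LOG = [
    f"{1700000000 + i} 198.51.100.7 {label}.example.test "
    f"{'NOERROR' if label in RESOLVES else 'NXDOMAIN'}"
    for i, label in enumerate(LABELS)
]
# An ordinary client that keeps asking for the same existing name.
SAMPLE_LOG += [f"{1700000000 + 30 * i} 192.0.2.10 www.example.test NOERROR"
               for i in range(6)]

def parse_line(line):
    """Split one log line into (timestamp, client, lowercase qname, rcode)."""
    ts, client, qname, rcode = line.split()
    return int(ts), client, qname.lower().rstrip("."), rcode

def find_enumeration(lines, zone, window=60, min_names=5, min_nx_ratio=0.5):
    """Return {client: (distinct_names, nx_ratio)} for clients that, within
    `window` seconds, query at least `min_names` distinct names under `zone`
    with at least `min_nx_ratio` of the answers being NXDOMAIN."""
    suffix = "." + zone.lower()
    per_client = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, client, qname, rcode = parse_line(line)
            if qname.endswith(suffix):
                per_client[client].append((ts, qname, rcode))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            names = {qname for _, qname, _ in chunk}
            nx_ratio = sum(r == "NXDOMAIN" for _, _, r in chunk) / len(chunk)
            if len(names) >= min_names and nx_ratio >= min_nx_ratio:
                # Keep the window with the most distinct names per client.
                if len(names) > flagged.get(client, (0, 0.0))[0]:
                    flagged[client] = (len(names), round(nx_ratio, 2))
    return flagged

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG, "example.test"))
```

The window and thresholds need tuning against your own resolver's normal traffic before this is useful as an alert.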

Rather than just viewing the results on the screen, you will probably want to save them for later use during your pen-test. DNSMap provides a couple of options for doing this. The first is to use the “-r” switch, which will save the results to a regular file, such as a text file. The second is with the “-c” switch, which will save the results to CSV format. In the example below, I just used the “-r” switch, and saved a text file with the results.

[Screenshot: dnsmap run against zonetransfer.me with results saved to a file]

Once the scan is finished, open the text file, and you’ll see the same results that were displayed to the screen:

[Screenshot: contents of the saved text file]

CONCLUSION
As noted earlier, DNSMap uses a default wordlist, but you can specify your own list by using the “-w” switch and pointing it to the file. Here are a couple of sites where you can get additional wordlists. Be aware, though, that some of them are quite large, and large lists will increase DNSMap’s run time.

G0tMi1k’s Blog
http://blog.g0tmi1k.com/2011/06/dictionaries-wordlists/

MD5This
http://www.md5this.com/tools/wordlists.html

I hope you enjoyed! Please keep checking back, as I will continue to add new tutorials for the tools in Kali, as well as various topics around performing pen-tests.

Be awesome!