DNSRECON

Hey guys! In this tutorial, we’ll take a look at DNSRecon. This tool was written by Carlos Perez back in 2006. It was originally written in Ruby, but now has a Python port, which is what is running in Kali. You can find out more about it on Carlos’s website, as well as check out some of the other projects he has worked on: http://www.darkoperator.com

How To Use
To launch DNSRecon, go to “Applications –> Information Gathering –> DNS Analysis”, and click on DNSRecon.

Launching it without specifying any parameters will simply list the available options. We’ll go over a few of the more commonly used options, and later show how to work with the results.

[Screenshot: dnsrecon-help1]

Here are the ones we’ll be looking at:
-d: Target domain
-D: Dictionary file to use for brute forcing subdomains
-t: Type of enumeration to perform
-a: Perform AXFR (zone transfer) with standard enumeration
--xml: Save results to an XML file
--db: Save results to a SQLite database file

Now let’s get into the nitty gritty, and see dnsrecon in action.

Work It!
We’ll again use Robin Wood’s zonetransfer.me site to enumerate. To run a simple scan, type the following at the prompt:

dnsrecon -d zonetransfer.me

and the results:

[Screenshot: dnsrecon-simplescan1]

As you can see, it returns some default DNS records such as the name servers for the target, mail servers, and a lone service record. Pretty typical stuff.

Brute Force
We see from the first scan that the SOA record shows “nsztm1.digi.ninja” as the name server for the target. By default, dnsrecon will use this server for its scans unless you specify another server with the “-n” option. For now, we’ll leave it as default.

Let’s run a brute force scan, and specify the dictionary file to use with the “-D” option. The dictionary file shipped with dnsrecon is at “/usr/share/dnsrecon/namelist.txt”. If you have another wordlist you want to use, just point to its location here. We’ll also specify the type of scan using the “-t brt” option.

dnsrecon -d zonetransfer.me -D /usr/share/dnsrecon/namelist.txt -t brt

[Screenshot: dnsrecon-scan-brtforce]

So, it came back with 10 records, mostly A records, and a couple of CNAME records. If you’re unsure what these DNS record types are, A records map a hostname to an IP address, and CNAMEs are alias records that point one hostname at another. You can try one of the CNAME records in your browser to see how they work. For example, if you go to “staging.zonetransfer.me”, you will actually load up the Sydney Opera House’s website.

Zone Transfer
Next, we’ll attempt a zone transfer. Change the command line like so…

dnsrecon -d zonetransfer.me -a

[Screenshot: dnsrecon-zonetransfer1]

[Screenshot: dnsrecon-zonetransfer2]

[Screenshot: dnsrecon-zonetransfer3]

Quite a lot of information returned here from a zone transfer! This is information that should not be available to just anybody on the internet, as it exposes the network layout of your target, and provides additional information that can be used in social engineering attacks, etc. Administrators, secure your servers!

Saving Results
With the scans we’ve done, you probably noticed the results were just displayed to the screen. While this may be fine if you’re just having a quick glance at your target’s DNS info, you will want to save these results so you can come back to them later. I’ve created a folder on my desktop to save the different file formats to so we can easily find them.

SQLite
DNSRecon gives us a few options for saving results. The first one we’ll look at is the SQLite database file. We’ll run dnsrecon like this:

dnsrecon -d zonetransfer.me -a --db ~/Desktop/dnsrecon/dnsrecon-db

[Screenshot: dnsrecon-sqlite1]

Once you hit enter, it will run through the normal scanning process, and perform the zone transfer. When it’s finished, you should have a SQLite file created in your folder:

[Screenshot: dnsrecon-sqlite2]

Kali has a SQL browser that will allow us to look at this database file, including its structure, and we can perform queries against it.

Go to Applications –> Database Assessment –> SQLite Database Browser

Once this program has opened, you’ll want to open the database file you created with dnsrecon. Go to the top menu, and click on File –> Open Database, then point it to your file. You should then see something like this:

[Screenshot: dnsrecon-sqlite3]

The “data” table is where all your info is stored. You can click on the “Browse Data” tab to see your scan results, separated out into different columns.

Now, suppose you wanted to just see all the “A” records? You can run SQL queries against the database by clicking on the “Execute SQL” tab. From there, type your query into the top box, then click the “Execute SQL” button (right arrow). Your results should show up at the bottom.

select * from data where type='A'

[Screenshot: dnsrecon-sqlite4]

From there, you can choose to export these results to a CSV file, or manipulate the data however you need.
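If you would rather work with the SQLite file from a script than from the browser, the same query can be run from Python. This is an added example, not dnsrecon's own code: it builds an in-memory copy of the "data" table with constructed rows, and the column list (domain, type, name, address, target, port, text, zt) and the meaning of zt are assumptions about dnsrecon's schema, since the text above only confirms the table name and the "type" column.

```python
import sqlite3

# Added example, not dnsrecon's own code. The column list below is an
# assumption about the schema dnsrecon's --db option writes (only the table
# name "data" and the "type" column are confirmed above), and zt = '1'
# marking rows learned through a zone transfer is likewise assumed.
# Addresses are constructed from 192.0.2.0/24, the TEST-NET documentation range.
SCHEMA = """CREATE TABLE data (domain TEXT, type TEXT, name TEXT, address TEXT,
                               target TEXT, port TEXT, text TEXT, zt TEXT)"""

SAMPLE_ROWS = [
    # domain, type, name, address, target, port, text, zt
    ("zonetransfer.me", "SOA", "nsztm1.digi.ninja", "192.0.2.10", None, None, None, "0"),
    ("zonetransfer.me", "NS", "nsztm1.digi.ninja", "192.0.2.10", None, None, None, "0"),
    ("zonetransfer.me", "MX", "mail.zonetransfer.me", "192.0.2.30", None, None, None, "0"),
    ("zonetransfer.me", "A", "zonetransfer.me", "192.0.2.20", None, None, None, "0"),
    ("zonetransfer.me", "A", "www.zonetransfer.me", "192.0.2.20", None, None, None, "1"),
    ("zonetransfer.me", "CNAME", "staging.zonetransfer.me", None, "www.example.com", None, None, "1"),
]

def build_sample_db():
    """Return an in-memory SQLite connection holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO data VALUES (?, ?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn

def records_of_type(conn, rtype):
    """The page's select-by-type query, with the record type bound as a
    parameter instead of pasted into the SQL string, so a value taken from
    user input cannot change the query."""
    cur = conn.execute(
        "SELECT name, address, target FROM data WHERE type = ? ORDER BY name", (rtype,))
    return cur.fetchall()

def count_by_type(conn):
    """Summarise the scan as {record type: number of rows}."""
    cur = conn.execute("SELECT type, COUNT(*) FROM data GROUP BY type ORDER BY type")
    return dict(cur.fetchall())

def hosts_exposed_by_zone_transfer(conn):
    """Distinct names only learned through AXFR: what an administrator
    would review when judging what the open zone transfer gave away."""
    cur = conn.execute("SELECT DISTINCT name FROM data WHERE zt = '1' ORDER BY name")
    return [row[0] for row in cur]
```

Point `sqlite3.connect()` at the file dnsrecon wrote instead of ":memory:" to run the same functions over a real scan.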

XML
Now we’ll look at saving the results in XML format. You only need to make a couple of changes to the previous command.

dnsrecon -d zonetransfer.me -a --xml ~/Desktop/dnsrecon/dnsrecon-xml

[Screenshot: dnsrecon-xml1]

Again, you’ll see a new file called “dnsrecon-xml” in your folder. If you look at the contents of this file, you’ll see the results of the scan formatted as XML.

[Screenshot: dnsrecon-xml2]

The dnsrecon software package includes a tool called “parser.py”, which allows you to extract data from the XML file. The tool is located under “/usr/share/dnsrecon/tools/”. If you run it without any options, it shows the “help” text and how to use the tool.

[Screenshot: dnsrecon-xml-parser1]

Say you wanted to just see a list of the unique hostnames. You would first specify your file using the “-f” option, then use the “-n” option. In this example, I’m using these options, then sending those results to a text file.

[Screenshot: dnsrecon-xml-parser2]
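The unique-hostname extraction that parser.py performs is simple to reproduce yourself, which is handy when you need to post-process the XML in your own tooling. This is an added example, not dnsrecon's parser.py: SAMPLE_XML is a constructed stand-in for a --xml output file, and its <records>/<record> layout and attribute names (type, name, address, target, zt) are assumptions about dnsrecon's format.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Added example, not dnsrecon's parser.py. SAMPLE_XML is a constructed stand-in
# for a --xml output file: the <records>/<record> layout and the attribute
# names (type, name, address, target, zt) are an assumption about dnsrecon's
# format, and the 192.0.2.0/24 addresses are documentation-range placeholders.
SAMPLE_XML = """<records>
  <record type="SOA" name="nsztm1.digi.ninja" address="192.0.2.10"/>
  <record type="NS" target="nsztm1.digi.ninja" address="192.0.2.10"/>
  <record type="MX" target="mail.zonetransfer.me" address="192.0.2.30"/>
  <record type="A" name="zonetransfer.me" address="192.0.2.20"/>
  <record type="A" name="www.zonetransfer.me" address="192.0.2.20" zt="1"/>
  <record type="CNAME" name="staging.zonetransfer.me" target="www.example.com" zt="1"/>
  <record type="SRV" name="_sip._tcp.zonetransfer.me" target="www.zonetransfer.me" port="5060"/>
</records>
"""

HOST_ATTRS = ("name", "target")

def parse_records(xml_text):
    """Return every <record> element as a dict of its attributes."""
    return [dict(rec.attrib) for rec in ET.fromstring(xml_text).iter("record")]

def is_ip(value):
    """True for IPv4/IPv6 literals, which are not hostnames."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def unique_hostnames(xml_text):
    """What 'parser.py -f <file> -n' produces: each hostname seen in a name or
    target attribute, lower-cased and de-duplicated, with IP literals skipped."""
    names = set()
    for rec in parse_records(xml_text):
        for attr in HOST_ATTRS:
            value = rec.get(attr)
            if value and not is_ip(value):
                names.add(value.lower().rstrip("."))
    return sorted(names)

def hosts_outside_domain(xml_text, domain):
    """Hostnames the scan surfaced that are not under the target domain, e.g.
    the third-party site that a CNAME like staging.zonetransfer.me aliases."""
    domain = domain.lower()
    return [h for h in unique_hostnames(xml_text)
            if h != domain and not h.endswith("." + domain)]
```

Replace SAMPLE_XML with the contents of your dnsrecon-xml file to run the same extraction over a real scan.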

Conclusion
As you can see, DNSRecon is a pretty powerful tool for performing DNS enumeration against a target host. The output options also give you the ability to further manipulate the data however you need.

I hope this overview was helpful. Check out the other tutorials for more information on DNS enumeration using the tools provided in Kali Linux.

Be awesome!