Hey guys! In this tutorial, we’ll take a look at DNSRecon. This tool was written by Carlos Perez back in 2006. It was originally written in Ruby, but now has a Python port, which is what is running in Kali. You can find out more about it on Carlos’s website, as well as check out some of the other projects he has worked on. http://www.darkoperator.com
How To Use
To launch DNSRecon, go to “Applications –> Information Gathering –> DNS Analysis”, and click on DNSRecon.
Launching it without specifying any parameters will simply list the available options. We’ll go over a few of the more commonly used options, and later show how to work with the results.
Here are the ones we’ll be looking at:
-d: Target domain
-D: Dictionary file to use for brute forcing subdomains
-t: Type of enumeration to perform
-a: Perform AXFR with standard enumeration
–xml: Save results to XML file
–db: Save results to SQLite database file
Now let’s get into the nitty gritty, and see dnsrecon in action.
We’ll again use Robin Wood’s zonetransfer.me site to enumerate. To run a simple scan, type the following at the prompt:
dnsrecon -d zonetransfer.me
and the results:
As you can see, it returns some default DNS records such as the name servers for the target, mail servers, and a lone service record. Pretty typical stuff.
We see from the first scan that the SOA record shows “nsztm1.digi.ninja” as the name server for the target. By default, dnsrecon will use this server for its scans, unless you specify another server to use, and you would do that with the “-n” option. For now, we’ll leave it as default.
Let’s run a brute force scan, and specify the dictionary file to use with the “-D” option. The location of the dictionary file is at “/usr/share/dnsrecon/namelist.txt“. If you have another wordlist you want to use, just point to its location here. We’ll also specify the type of scan using the “-t brt” option.
dnsrecon -d zonetransfer.me -D /usr/share/dnsrecon/namelist.txt -t brt
So, it came back with 10 records, mostly A records, and a couple of CNAME records. If you’re unsure what these DNS record types are, A records show the domain/IP mappings, and CNAME’s are alias records. You can try one of the CNAME records in your browser to see how they work. For example, if you go to “staging.zonetransfer.me”, you will actually load up the Sydney Opera House’s website.
Next, we’ll attempt a zone transfer. Change the command line like so…
dnsrecon -d zonetransfer.me -a
Quite a lot of information returned here from a zone transfer! This is information that should not be available to just anybody on the internet, as it exposes the network layout of your target, and provides additional information that can be used in social engineering attacks, etc. Administrators, secure your servers!
With the scans we’ve done, you probably noticed the results were just displayed to the screen. While this may be fine if you’re just having a quick glance at your target’s DNS info, you will want to save these results so you can come back to them later. I’ve created a folder on my desktop to save the different file formats to so we can easily find them.
DNSRecon gives us a few options for saving results. The first one we’ll look at is the SQLite database file. We’ll run dnsrecon like this:
dnsrecon -d zonetransfer.me -a –db ~/Desktop/dnsrecon/dnsrecon-db
Once you hit enter, it will run through the normal scanning process, and perform the zone transfer. When it’s finished, you should have a SQLite file created in your folder:
Kali has a SQL browser that will allow us to look at this database file, including its structure, and we can perform queries against it.
Go to Applications –> Database Assessment –> SQLite Database Browser
Once this program has opened, you’ll want to open the database file you created with dnsrecon. Go to the top menu, and click on File –> Open Database, then point it to your file. You should then see something like this:
The “data” table is where all your info is stored. You can click on the “Browse Data” tab to see your scan results, separated out into different columns.
Now, suppose you wanted to just see all the “A” records? You can run SQL queries against the database by clicking on the “Execute SQL” tab. From there, type your query into the top box, then click the “Execute SQL” button (right arrow). Your results should show up at the bottom.
select * from data where type=’A’
From there, you can choose to export these results to a CSV file, or manipulate the data however you need.
Now we’ll look at saving the results in XML format. You only need to make a couple of changes to the previous command.
dnsrecon -d zonetransfer.me -a –xml ~/Desktop/dnsrecon/dnsrecon-xml
Again, you’ll see a new file called “dnsrecon-xml” in your folder. If you look at the contents of this file, you’ll see the results of the scan format in XML.
The dnsrecon software package includes a tool called “parser.py“, which allows you to extract XML data from your file. The tool is located under “/usr/share/dnsrecon/tools/“. If you run it without any options, it shows the “help” file, and how to use the tool.
Say you wanted to just see a list of the unique hostnames. You would first specify your file using the “-f” option, then use the “-n” option. In this example, I’m using these options, then sending those results to a text file.
As you can see, DNSRecon is a pretty powerful tool for performing DNS enumeration against a target host. The output options also give you the ability to further manipulate the data however you need.
I hope this overview was helpful. Check out the other tutorials for more information on DNS enumeration using the tools provided in Kali Linux.