dnsminer
Info
A console application to perform DNS scanning for contiguous and non-contiguous IP address ranges. The application uses various techniques to identify applicable IP ranges such as WHOIS network range checks, DNS dictionary searches and IP address range traversal. It is based heavily on the Fierce Domain Scanner by Rsnake...
If you use the --http option it will perform various HTTP(S) requests to retrieve the server banner, so it should be ideal for locating web servers/applications to attack. Example output for when it locates a web server is shown below:
Domain: apps.acme.com
Port: 80
SSL: false
Response: 200 OK
Banner: Apache/1.3.33 (Debian GNU/Linux) PHP/4.3.10-2 mod_ssl/2.8.22 OpenSSL/0.9.7d
Features
- Console
- Performs WHOIS network address range checks
- Performs DNS dictionary searches
- Permits multiple search strings, so you can perform tests against a primary domain and, if any of the search values appear whilst the queries are performed, they will be noted as well
- IP address range traversal
- Reverse lookups
- DNS wild card false positive prevention (Basic)
- Nice progress spinny thing
- Can perform multiple HTTP requests against each domain identified; the HTTP request is configured via Http.xml. This functionality can be used to identify hosts running web servers
- HTTP requests can support multiple ports and can use SSL
- Output sorting by IP Address or Domain
Command Line
Usage: dnsminer.exe --domain=<Domain> --dnsserver=<DNS Server>
Optional Params:
--wordlist= : User supplied list of domain keywords
--traverse= : No. of IP addresses to traverse when a domain is located (1-255)
--search= : Comma separated list of extra domain search values
--sort= : Use i for IP address or d for Domain
--http : Perform HTTP request against discovered domains
--timeout= : Timeout value (1-1000)
--help : Display usage
Usage
Basic
-----
To perform a basic scan for a particular domain:
dnsminer.exe --domain=acme.com --dnsserver=192.168.0.254
---------------------------------------------------------------------------
Search
---------
To perform a scan for a company and also for unrelated domains you can use the --search option. So if you know that the acme.com company also has email addresses like someone@anothercomp.com you can add search queries. This won't scan for those domains, but if those names are identified whilst performing the scan, then those results will be included:
dnsminer.exe --domain=acme.com --dnsserver=192.168.0.254 --search=anothercomp
---------------------------------------------------------------------------
User Word List
------------------
To perform a scan using your own word list rather than those contained in "cnames.txt":
dnsminer.exe --domain=acme.com --dnsserver=192.168.0.254 --wordlist=mynames.txt
---------------------------------------------------------------------------
HTTP Check
---------------
To perform an HTTP(S) connect against each located domain, simply edit "Http.xml" to include each of the ports you want to check against, the headers to send in the request and the URL.
The original file setup will perform a request to both port 80 and 443, with 443 using SSL; the requests will include two headers, "User-Agent" and "Accept", and the request will be to the index page.
dnsminer.exe --domain=acme.com --dnsserver=192.168.0.254 --http
---------------------------------------------------------------------------
Brute Force Range Check
-------------------------------
dnsminer can perform a WHOIS lookup on the domain, retrieve the DNS range and brute force each host looking either for the domain or for the domain and keywords if any search criteria are specified:
dnsminer.exe --domain=acme.com --dnsserver=192.168.0.254 --bruteforce
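As a defender's counterpart to the dictionary search and brute-force checks described above, here is an added example (not part of dnsminer) that reads a constructed, simplified DNS query log and flags a client that asks for many distinct names under one zone and mostly gets NXDOMAIN back, which is the footprint this kind of scan leaves on a resolver or authoritative server. The log format, the thresholds and the last-two-labels zone approximation in zone_of are assumptions, not anything dnsminer defines.

```python
import re
from collections import defaultdict

# Constructed, simplified DNS query-log lines (not real server output; fields are
# client, qname, qtype, rcode). Client 10.0.0.5 behaves like a dictionary scan of
# acme.com: many guessed hostnames, mostly answered NXDOMAIN. 10.0.0.9 is normal.
SAMPLE_LOG = """\
10.0.0.5 www.acme.com A NOERROR
10.0.0.5 ftp.acme.com A NXDOMAIN
10.0.0.5 dev.acme.com A NXDOMAIN
10.0.0.5 test.acme.com A NXDOMAIN
10.0.0.5 vpn.acme.com A NXDOMAIN
10.0.0.5 intranet.acme.com A NXDOMAIN
10.0.0.5 apps.acme.com A NOERROR
10.0.0.9 www.acme.com A NOERROR
10.0.0.9 mail.acme.com A NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def zone_of(qname):
    """Registrable zone, approximated as the last two labels (a simplification)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def find_dictionary_scans(log_text, min_names=5, min_nx_ratio=0.5):
    """Return {(client, zone): (distinct_names, nxdomain_ratio)} for clients that
    asked for many distinct names under one zone and mostly got NXDOMAIN back."""
    observed = defaultdict(list)  # (client, zone) -> [(qname, rcode), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        client, qname, _qtype, rcode = m.groups()
        observed[(client, zone_of(qname))].append((qname.lower(), rcode))
    flagged = {}
    for key, entries in observed.items():
        distinct = len({q for q, _ in entries})
        ratio = sum(r == "NXDOMAIN" for _, r in entries) / len(entries)
        if distinct >= min_names and ratio >= min_nx_ratio:
            flagged[key] = (distinct, ratio)
    return flagged


if __name__ == "__main__":
    for (client, zone), (n, ratio) in find_dictionary_scans(SAMPLE_LOG).items():
        print(f"{client} probed {n} names under {zone}, NXDOMAIN ratio {ratio:.2f}")
```

Tune min_names and min_nx_ratio to your own baseline; a legitimate client that mistypes a hostname or two never reaches either threshold, while a wordlist run does within a few seconds.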
Requirements
- Windows 2000, Windows XP, Windows 2003 Server (Might work on others?)
- Microsoft .NET Framework v2