DNSRecon چیست؟

این ابزار تمامی رکورد های DNS را برای یافتن Zone Transfers تحت بررسی قرار می دهد، تمامی رکورد های DNS مربوط به یک دامنه خاص را یافته و با استفاده از روش Brute Force اقدام به یافتن ساب دامنه های آن می نماید. از دیگر قابلیت های ابزار DNSRecon می توان به موارد زیر اشاره نمود.

    Check all NS Records for Zone Transfers
    Enumerate General DNS Records for a given Domain (MX, SOA, NS, A, AAAA, SPF and TXT)
    Perform common SRV Record Enumeration. Top Level Domain (TLD) Expansion
    Check for Wildcard Resolution
    Brute Force subdomain and host A and AAAA records given a domain and a wordlist
    Perform a PTR Record lookup for a given IP Range or CIDR
    Check a DNS Server Cached records for A, AAAA and CNAME Records provided a list of host records in a text file to check
    Enumerate Common mDNS records in the Local Network Enumerate Hosts and Subdomains using Google
لینک منبع: https://github.com/darkoperator/dnsrecon
لایسنس: GPLv2
سازنده: Carlos Perez

نمونه دستور:
[email protected]:~# dnsrecon -h
Version: 0.8.7
Usage: dnsrecon.py

-h, --help Show this help message and exit
-d, --domain Domain to Target for enumeration.
-r, --range IP Range for reverse look-up brute force in formats (first-last)
or in (range/bitmask).
-n, --name_server Domain server to use, if none is given the SOA of the
target will be used
-D, --dictionary Dictionary file of sub-domain and hostnames to use for
brute force.
-f Filter out of Brute Force Domain lookup records that resolve to
the wildcard defined IP Address when saving records.
-t, --type Specify the type of enumeration to perform:
std To Enumerate general record types, enumerates.
SOA, NS, A, AAAA, MX and SRV if AXRF on the
NS Servers fail.

rvl To Reverse Look Up a given CIDR IP range.

brt To Brute force Domains and Hosts using a given

srv To Enumerate common SRV Records for a given


axfr Test all NS Servers in a domain for misconfigured
zone transfers.

goo Perform Google search for sub-domains and hosts.

snoop To Perform a Cache Snooping against all NS
servers for a given domain, testing all with
file containing the domains, file given with -D

tld Will remove the TLD of given domain and test against
all TLD's registered in IANA

zonewalk Will perform a DNSSEC Zone Walk using NSEC Records.

-a Perform AXFR with the standard enumeration.
-s Perform Reverse Look-up of ipv4 ranges in the SPF Record of the
targeted domain with the standard enumeration.
-g Perform Google enumeration with the standard enumeration.
-w Do deep whois record analysis and reverse look-up of IP
ranges found thru whois when doing standard query.
-z Performs a DNSSEC Zone Walk with the standard enumeration.
--threads Number of threads to use in Range Reverse Look-up, Forward
Look-up Brute force and SRV Record Enumeration
--lifetime Time to wait for a server to response to a query.
--db SQLite 3 file to save found records.
--xml XML File to save found records.
--iw Continua bruteforcing a domain even if a wildcard record resolution is discovered.
-c, --csv Comma separated value file.
-v Show attempts in the bruteforce modes.
طریقه استفاده:
[email protected]:~# dnsrecon -d example.com -D /usr/share/wordlists/dnsmap.txt -t std --xml dnsrecon.xml
[*] Performing General Enumeration of Domain:
[*] DNSSEC is configured for example.com
[*] DNSKEYs:
نکته: با استفاده از فلگ d نام دامنه و با استفاده از فلگ t حالت اسکن به صورت استاندارد انتخاب شده است. همچنین خروجی با استفاده از فلگ xml ذخیره می گردد.