DNS Recon Tool written in Ruby

I wrote this tool back in late 2006 and it has been my favorite tool for enumeration thru DNS, in great part because I wrote it and it gives the output in a way that I can manipulate it in my own style.  One of the features that I used the most and gave me excellent results is the SRV record enumeration. The script will perform the following:

  • Standard Record Enumeration for a given domain (A, NS, SOA and MX).
  • Top Leven Domain Expansion for a given domain.
  • Zone Transfer against all NS records of a given domain.
  • Reverse Lookup against a given IP Range given a start and end IP.
  • SRV Record enumeration, enumerating:
    • _gc._tcp.
    • _kerberos._tcp.
    • _kerberos._udp.
    • _ldap._tcp.
    • _test._tcp.
    • _sips._tcp.
    • _sip._udp.
    • _sip._tcp.
    • _aix._tcp.
    • _aix._tcp.
    • _finger._tcp.
    • _ftp._tcp.
    • _http._tcp.
    • _nntp._tcp.
    • _telnet._tcp.
    • _whois._tcp.
    • _h323cs._tcp.
    • _h323cs._udp.
    • _h323be._tcp.
    • _h323be._udp.
    • _h323ls._tcp.
    • _h323ls._udp.
  • Brute force hostnames and subdomains of a given target domain using a wordlist.

To install the necessary ruby dependencies using ruby gems, run the following commands as root:

gem install pNet-DNS
gem install ip


The script can be downloaded from dnsrecon.rb

I do hope that others find it as useful as I have, this tool will be included in BT4 among others of the tools that I have discussed in this blog.

Help Screen of the script:

root@bt:~# ./dnsrecon.rb

Dnsrecon 1.6
By Carlos Perez
Email: carlos_perez[at]darkoperator.com

This is a simple tool written for target enumeration during authorized penetration test
engagements. This tool provides different methods for enumerating targets thru DNS service.

-t, --type
                Select the type of enumeration to be done.
                std     Query for SOA, NS and MX Record of a target domain.
                tld     Top Level Domain enumeration of a target domain.
                axf     Perform a Zone transfer against all NS server Records
                        of a target domain.
                rvs     Reverse Record Lookup enumeration against a targeted
                        IP range.
                srv     Service Record Enumeration of VOIP, Active Directory and
                        Network Services service records.
                brt     Bruteforce subdomain and host records using a wordlist.

-d, --target
                Domain to be targeted for enumeration.

-i, --ip
                Starting IP and end IP for a range to be used for reverse lookup
                enumeration of a targeted domain. Exmpl.,

-w, --wordlist
                Wordlist to be use for brutforce enumeration of host names and subdomains.

-s, --dns
                Alternate DNS server to use.
-h, --help
                This help message.


Here is an Example of the tool enumerating SRV Record and Standard Record.

root@bt:~# ./dnsrecon.rb -t srv -d avaya.com

root@bt:~# ./dnsrecon.rb -t std -d google.com