DNSmap: obtaining subdomains

We have already talked several times here at DragonJAR about the fingerprinting stage that is part of a pentest and about how it should be carried out properly so that the audit runs smoothly. The more information we can gather at this stage, the easier the later work will be.

Another tool we can add to our fingerprinting arsenal is DNSmap. It does a very important job: finding the subdomains related to a specific domain.

How can this help us?

Most likely, different subdomains are serving different services that may not have undergone hardening as robust as the main domain's.

The tool has very simple parameters; let's look at some of the cases we can find on the Internet.

Using DNSmap

    darkmac:Desktop marc$ dnsmap
    dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)
    
    usage: dnsmap <target-domain> [options]
    options:
    -w <wordlist-file>
    -r <regular-results-file>
    -c <csv-results-file>
    -d <delay-millisecs>
    -i <ips-to-ignore> (useful if you're obtaining false positives)
    
    e.g.:
    dnsmap target-domain.foo
    dnsmap target-domain.foo -w yourwordlist.txt -r /tmp/domainbf_results.txt
    dnsmap target-fomain.foo -r /tmp/ -d 3000
    dnsmap target-fomain.foo -r ./domainbf_results.txt
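What dnsmap does with -w and -i, written out as an added Python example (this is not dnsmap's own code): it tries every word of a wordlist as a label under the domain, and it first resolves a random label to detect wildcard DNS, so that answers made only of the wildcard (or explicitly ignored) IPs are dropped, which is the false-positive case the -i option exists for. It takes a resolver callable so it can run offline against a constructed fake zone with documentation addresses; the summary line reproduces dnsmap's count, which adds up every IP answer rather than unique IPs.

```python
import random
import socket
import string

def system_resolver(name: str) -> list[str]:
    """Resolve with the OS resolver; empty list when the name does not exist."""
    try:
        return sorted(set(socket.gethostbyname_ex(name)[2]))
    except socket.gaierror:
        return []

def wildcard_ips(domain: str, resolve) -> list[str]:
    """IPs that a random, surely non-existent label resolves to (wildcard DNS)."""
    label = "".join(random.choices(string.ascii_lowercase + string.digits, k=12))
    return resolve(f"{label}.{domain}")

def enumerate_subdomains(domain: str, words, resolve=system_resolver,
                         ignore_ips=()) -> dict[str, list[str]]:
    """Try <word>.<domain> for each word, as dnsmap does with -w; answers made only
    of ignored or wildcard IPs are dropped, the false positives dnsmap's -i is for."""
    ignored = set(ignore_ips) | set(wildcard_ips(domain, resolve))
    found: dict[str, list[str]] = {}
    for word in (w.strip().lower() for w in words if w.strip()):
        ips = [ip for ip in resolve(f"{word}.{domain}") if ip not in ignored]
        if ips:
            found[f"{word}.{domain}"] = ips
    return found

def summary(found: dict[str, list[str]]) -> str:
    """dnsmap's closing line counts every IP answer, not unique IPs (5+1+1+5+5+5 = 22 above)."""
    total = sum(len(ips) for ips in found.values())
    return f"[+] {len(found)} (sub)domains and {total} IP address(es) found"

# Constructed fake zone for an offline run (documentation addresses, not a real target).
FAKE_ZONE = {"www.example.test": ["203.0.113.10", "203.0.113.11"],
             "mail.example.test": ["203.0.113.25"]}

def fake_resolve(name: str) -> list[str]:
    """Every other name under example.test gets the parked wildcard answer."""
    if name in FAKE_ZONE:
        return list(FAKE_ZONE[name])
    return ["198.51.100.7"] if name.endswith(".example.test") else []

def demo() -> dict[str, list[str]]:
    """Run against the fake zone: 'dev' only returns the wildcard IP and is dropped."""
    return enumerate_subdomains("example.test", ["www", "mail", "dev", ""], fake_resolve)
```

Replace `fake_resolve` with the default `system_resolver` and a real wordlist to run it against a domain you are authorised to test.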

Wikileaks

    darkmac:Desktop marc$ dnsmap wikileaks.org -r wikileaks_dnmap.txt
    dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)
    
    [+] searching (sub)domains for wikileaks.org using built-in wordlist
    [+] using maximum random delay of 10 millisecond(s) between requests
    
    chat.wikileaks.org
    IP address #1: 141.101.123.19
    IP address #2: 141.101.112.19
    IP address #3: 141.101.113.19
    IP address #4: 190.93.240.19
    IP address #5: 190.93.241.19
    
    mail.wikileaks.org
    IP address #1: 94.23.165.55
    
    mx.wikileaks.org
    IP address #1: 94.23.165.55
    
    search.wikileaks.org
    IP address #1: 190.93.241.19
    IP address #2: 190.93.240.19
    IP address #3: 141.101.113.19
    IP address #4: 141.101.112.19
    IP address #5: 141.101.123.19
    
    shop.wikileaks.org
    IP address #1: 190.93.241.19
    IP address #2: 190.93.240.19
    IP address #3: 141.101.113.19
    IP address #4: 141.101.112.19
    IP address #5: 141.101.123.19
    
    www.wikileaks.org
    IP address #1: 190.93.241.19
    IP address #2: 190.93.240.19
    IP address #3: 141.101.113.19
    IP address #4: 141.101.112.19
    IP address #5: 141.101.123.19
    
    [+] 6 (sub)domains and 22 IP address(es) found
    [+] regular-format results can be found on wikileaks_dnmap.txt
    [+] completion time: 506 second(s)

Twitter

    darkmac:Desktop marc$ dnsmap twitter.com -r dnsmap_twitter.txt
    dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)
    
    [+] searching (sub)domains for twitter.com using built-in wordlist
    [+] using maximum random delay of 10 millisecond(s) between requests
    
    0.twitter.com
    IP address #1: 199.16.156.47
    
    blog.twitter.com
    IP address #1: 199.16.156.41
    IP address #2: 199.16.156.9
    IP address #3: 199.16.156.73
    
    de.twitter.com
    IP address #1: 199.16.156.41
    IP address #2: 199.16.156.9
    IP address #3: 199.16.156.73
    
    download.twitter.com
    IP address #1: 199.16.156.18
    
    en.twitter.com
    IP address #1: 199.16.156.9
    IP address #2: 199.16.156.73
    IP address #3: 199.16.156.41
    
    es.twitter.com
    IP address #1: 199.16.156.9
    IP address #2: 199.16.156.73
    IP address #3: 199.16.156.41
    
    fr.twitter.com
    IP address #1: 199.16.156.9
    IP address #2: 199.16.156.73
    IP address #3: 199.16.156.41
    
    groups.twitter.com
    IP address #1: 199.16.156.47
    
    help.twitter.com
    IP address #1: 199.16.156.47
    
    it.twitter.com
    IP address #1: 199.16.156.105
    IP address #2: 199.16.156.73
    IP address #3: 199.16.156.41
    
    ja.twitter.com
    IP address #1: 199.16.156.105
    IP address #2: 199.16.156.73
    IP address #3: 199.16.156.41
    
    jp.twitter.com
    IP address #1: 199.16.156.105
    IP address #2: 199.16.156.73
    IP address #3: 199.16.156.41
    
    m.twitter.com
    IP address #1: 199.16.156.47
    
    mail.twitter.com
    IP address #1: 199.16.156.47
    
    media.twitter.com
    IP address #1: 199.16.156.47
    
    mobile.twitter.com
    IP address #1: 199.16.156.107
    IP address #2: 199.16.156.43
    
    mx.twitter.com
    IP address #1: 199.59.148.219
    IP address #2: 199.59.149.107
    
    mx1.twitter.com
    IP address #1: 199.59.148.144
    
    mx2.twitter.com
    IP address #1: 199.59.148.205
    
    mx3.twitter.com
    IP address #1: 199.59.148.207
    
    p.twitter.com
    IP address #1: 23.51.65.224
    
    partners.twitter.com
    IP address #1: 199.59.148.243
    
    postmaster.twitter.com
    IP address #1: 199.59.148.144
    
    s.twitter.com
    IP address #1: 199.16.156.105
    IP address #2: 199.16.156.41
    IP address #3: 199.16.156.73
    
    sa.twitter.com
    IP address #1: 199.16.156.9
    IP address #2: 199.16.156.105
    IP address #3: 199.16.156.41
    IP address #4: 199.16.156.73
    
    search.twitter.com
    IP address #1: 199.16.156.105
    IP address #2: 199.16.156.41
    IP address #3: 199.16.156.73
    
    sms.twitter.com
    IP address #1: 199.59.148.95
    
    ss.twitter.com
    IP address #1: 199.59.148.84
    IP address #2: 199.59.149.243
    IP address #3: 199.59.150.42
    IP address #4: 199.59.150.10
    IP address #5: 199.59.148.11
    
    support.twitter.com
    IP address #1: 199.16.156.12
    
    td.twitter.com
    IP address #1: 199.59.148.21
    
    upload.twitter.com
    IP address #1: 199.59.148.213
    IP address #2: 199.59.148.148
    
    www.twitter.com
    IP address #1: 199.59.150.39
    IP address #2: 199.59.149.230
    IP address #3: 199.59.150.7
    
    www2.twitter.com
    IP address #1: 199.59.149.198
    
    [+] 33 (sub)domains and 65 IP address(es) found
    [+] regular-format results can be found on dnsmap_twitter.txt
    [+] completion time: 514 second(s)

There are other tools for this process, such as dnsrecon, fierce, and even auxiliary modules in Metasploit that make the task easier. DNSmap is one more tool you can use in this process and, as you could see in this text, it is very simple to use and can yield a lot of information about a specific domain. Proper use of a good wordlist or dictionary of subdomains will help in the process.

You may also be interested in - https://www.dragonjar.org/curso-gratuito-introduccion-al-pentesting-2.xhtml