dnsenum - Multithreaded perl script to enumerate DNS information

Multithreaded perl script to enumerate DNS information of a domain and to discover non-contiguous ip blocks.

  • Get the host’s addresse (A record).
  • Get the namservers (threaded).
  • Get the MX record (threaded).
  • Perform axfr queries on nameservers and get BIND VERSION (threaded).
  • Get extra names and subdomains via google scraping (google query = “allinurl: -www site:domain”).
  • Brute force subdomains from file, can also perform recursion on subdomain that have NS records (all threaded).
  • Calculate C class domain network ranges and perform whois queries on them (threaded).
  • Perform reverse lookups on netranges ( C class or/and whois netranges) (threaded).
  • Write to domain_ips.txt file ip-blocks.


    Modules that are included in perl 5.10.0: Getopt::Long IO::File Thread::Queue
    Other Necessary modules: Must have: Net::IP Net::DNS Net::Netmask Optional: Net::Whois::IP HTML::Parser WWW::Mechanize XML::Writer
    To install a module, simply run (as root):
    sudo apt-get install perl-doc
    sudo perl -MCPAN -e shell
    cpan[1]> install XML::Writer
    cpan[2]> install Net::Netmask
    cpan[3]> install String::Random

    Perl ithreads support: perl version must be compliled with ithreads support. threads threads::shared
    OPTIONS: run "perldoc dnsenum.pl".

    root@r00t:~# perl dnsenum.pl -h
    dnsenum.pl VERSION:1.2.4
    Usage: dnsenum.pl [Options] [domain]
    Note: the brute force -f switch is obligatory.
    --dnsserver [server]
    Use this DNS server for A, NS and MX queries.
    --enum Shortcut option equivalent to --threads 5 -s 15 -w.
    -h, --help Print this help message.
    --noreverse Skip the reverse lookup operations.
    --private Show and save private ips at the end of the file domain_ips.txt.
    --subfile [file] Write all valid subdomains to this file.
    -t, --timeout [value] The tcp and udp timeout values in seconds (default: 10s).
    --threads [value] The number of threads that will perform different queries.
    -v, --verbose Be verbose: show all the progress and all the error messages.
    -p, --pages [value] The number of google search pages to process when scraping names,
    the default is 5 pages, the -s switch must be specified.
    -s, --scrap [value] The maximum number of subdomains that will be scraped from Google (default 15).
    -f, --file [file] Read subdomains from this file to perform brute force.
    -u, --update
    Update the file specified with the -f switch with valid subdomains.
    a (all) Update using all results.
    g Update using only google scraping results.
    r Update using only reverse lookup results.
    z Update using only zonetransfer results.
    -r, --recursion Recursion on subdomains, brute force all discovred subdomains that have an NS record.
    -d, --delay [value] The maximum value of seconds to wait between whois queries, the value is defined randomly, default: 3s.
    -w, --whois Perform the whois queries on c class network ranges.
    **Warning**: this can generate very large netranges and it will take lot of time to performe reverse lookups.
    -e, --exclude [regexp]
    Exclude PTR records that match the regexp expression from reverse lookup results, useful on invalid hostnames.
    -o --output [file] Output in XML format. Can be imported in MagicTree (www.gremwell.com)

    Disqus Comments