BackTrack - DNS

BackTrack  - DNS 

Fierce

I was glad to see that Fierce is still in BT. Fierce is one of my favorite DNS tools and I have blogged about it ion the past. It always gets the job done and underneath it's simple exterior it's doing quite alot (maybe RSnake worked for Apple once).

Fierce starts off by using your DNS to get the targets DNS and then hops on over to that DNS to do it's work. All pretty cool stuff eh. Fierce will try to dump the DNS (although unlikely this will work) and then it will start to use it's name list (hosts.txt) to guess the name of hosts out there. Although not a bad wordlist I suggest you add to it as you come across anything in your travels. Anything Fierce guesses correctly it will perform reverse look ups of a few of the addresses around the correctly guessed one (also configurable) or with -wide it will scan the whole class C subnet of any host it finds. Noisy but effective.

The command I used to scan insecure.org with 10 threads and scanning the class C of any found IPs was:

./fierce.pl -wide -threads 10 insecure.org




DNSRecon

Although this found me some good results what I also wanted to do was look in between those IP's in the reverse lookup. Because if the target has a block of IP's and nested somewhere in the middle of them is host on another domain then that's interesting. For this task I Dark Operators DNSRecon ruby script.

An example of running the script against on of the subnets that Fierce located gave up some interesting (but very obvious) results:

ruby dnsrecon.rb -r 64.13.134.1 64.13.134.254



Surprise surprise nmap.org!


Happy hunting!